At this year's Infiltrate Security Conference in Miami, John Grigg walked the audience through a typical target network into which a well-known, widely used SIEM had been integrated, to show participants how an attacker can compromise the SIEM, harvest intelligence from it, and cover their tracks.
Though SIEM technologies are supposed to help secure networks, Grigg said they are often misconfigured, which creates more vulnerabilities.
Even though some of the legacy tools are pretty cool, Grigg said the problem is that no one really knows the platform that well. "The vendor who built it knows it from a design standpoint. Then there's the resellers, the guys who install it, the internal IT guys who inherit the systems, but they tend to never really focus on it."
By the time a company has called in an expert to help fix a problem, it is at least a few degrees of separation away from the people who actually know the product.
Even though the designers and programmers know their piece really well, they aren't always seeing the big picture, said Grigg.
"A lot of the vulnerability is bad configurations which stem from poor consultancy. These things weren't meant for a huge company," Grigg said. He's hardly pointing the finger at anyone to lay blame, as Grigg said that in his earlier years he had likely provided some bad consultancy.
"I started to notice buddies of mine who were really good consultants, and watching them do their work, I thought, 'I probably shouldn't be allowed to touch this stuff'. Unfortunately, it's the norm to have bad consultants," Grigg said.
Many companies hire a third party to come in as the 'fix it' people. Those who specialized in SIEM platforms, as Grigg eventually did, found themselves "fixing what was super messed up," he said.
Because so much of the SIEM industry is legacy software that was the same tool just redesigned and rebranded, Grigg said, "Those back doors still exist on there today."
Another issue is that, "A lot of SIEMs don't get patched because people don't want to make a mistake. They are a giant way into the network, and there are always new features being added in that present new vulnerabilities," Grigg said.
Forrester Research senior analyst Joseph Blankenship wrote in a recent report, "Vendor Landscape: Security Analytics (SA)": "In its first incarnation, [SIM] failed to live up to its expectations because it lacked the ability to ingest, correlate, and analyze large amounts of data from a variety of sources."
However, the limited accuracy of rules-based technology is not the SIEM's only shortcoming. Mark Orlando, CTO at Raytheon Foreground Security, said, "One of the biggest ones is that in many cases the SIEM infrastructure isn't managed like the rest of the network."