This blog post was written by Karl Klaessig.
For the average security analyst, it’s no secret that their days are overloaded with more “hair on fire” moments than “Zen” moments.
The 2016 SANS Incident Response Survey paints a clear and sobering picture of the demands being placed on security analysts. The survey lists, in order, the following impediments to effective incident response:
- Lack of staffing and proper skills
- Not enough visibility across systems and domains
- Lack of budget for needed tools or technology
- Processes and owners not clearly defined
- Organizational silos
- Difficulties in detecting sophisticated attacks
All of the above results in:
- Further weight on your analysts' shoulders
- Too much dwell time, driving up mean-time-to-remediate (MTTR)
So we get it. You’ve got too many unknowns, not enough relevant insight, and functions and technologies tripping over each other trying to help sort out what is really going on! Your analysts need a technology security partner to help detect, investigate and remediate today’s never-ending threat sources.
As the threats and responsibilities have expanded, the role of the security information and event management (SIEM) solution has morphed into one of the greatest assets an analyst has, becoming the Swiss Army Knife of incident response and orchestration. Further, you reach to your SIEM for advanced analytics including user and behavior analysis, real-time monitoring, and data and application monitoring. The problem, as Barbara Kay outlines in her blog, “Eating an Elephant: How the ESM 10 UX team reenergized SecOps,” is the amount of information that the average analyst has to retain as she or he swivels from incident response, to advanced threat management, to user monitoring.
So as your SOC makes the move to more proactive threat management and predictive, contextual analysis and orchestration, we’re evolving McAfee Enterprise Security Manager (ESM) to reduce the cognitive strain, and guide and automate more of the routine tasks, such as watchlist management, incident tracking and advanced correlation rule set-up, so that you can focus on the critical decision-making responsibilities. McAfee ESM 10.0 is an important step in that evolution.
As more changes are rolled out, we want to make it easier for you to find the information you need and to stay informed. So we are providing some new communications tools for you beginning this month.
We have heard from customer surveys and from calls to McAfee Support Services that you need more guidance on where to go for more information. So we have responded with a new SIEM Information Center page – your one-stop shop for all things SIEM. On this page, you’ll find the latest and greatest advice from our SIEM subject matter experts, as well as access to shared wisdom from our SIEM user community. To make such invaluable content easier to find, we are categorizing all of our SIEM content according to the commonly recognized SIEM capability categories and use cases that our customers reference.
As a member of our McAfee ESM user community, you will be interested in the McAfee SIEM Focus newsletter that debuts this month. For those of you who subscribe to the McAfee Support Notification Service, you know how valuable and timely the ProTips, Weekly Roundup, and monthly SNS Digest emails can be. Because of the fast-moving and complex environment in which security analysts and other SIEM users operate, we want to provide you with a dedicated newsletter featuring practical use cases, demonstrations, and other in-depth, roll-up-your-sleeves examples of how to get the most from the McAfee ESM solution.
Finally, don’t miss out on the action on our SIEM Community site. We encourage you to sign up and participate with our 219 active users. We are all learning from each other. Join today, stay connected and discover for yourself how Together is Power.