Combat Alert Fatigue: 6 Ways to Reduce the Noise

A Security Information and Event Management (SIEM) system collects, normalizes, and correlates log and event data from firewalls, endpoints, servers, and other security systems across an organization’s digital environment. The centralized log files, events, and security alerts are then monitored by security analysts in a security operations center (SOC) for suspicious activity and signs of possible threats within an organization. SIEM is an essential technology – but how much is too much when it comes to the number of alerts? 

Sometimes it’s possible to have too much of a good thing. Consider a SIEM, for instance. A SIEM can be a security analyst’s best friend or worst nightmare depending on the volume and quality of alerts it produces. 

Alert fatigue is real, and in cybersecurity it occurs when individuals are exposed to frequent and large volumes of alerts – so much so that they become desensitized to the “noise.” The problem is that real threats can be hidden amid the persistent flood of false positives – and can be easily missed by analysts who are overwhelmed by the constant barrage. 

Fortunately, alert fatigue can be prevented. Following are six ways to ensure that your SIEM is producing the right volume and quality of alerts for your security or SOC team and your organization:

  1. What are your goals?
    Establish a clear and defined set of requirements while setting up your SIEM. It is best to identify from the start what you are trying to detect, prevent, and act upon. 
  2. What devices need to be monitored?
    First, specify assets based on any compliance requirements that you need to follow. Then, determine the additional devices and business-critical assets that you should be monitoring in your SIEM. 
  3. What rules do you have enabled?
    Create a set of rules based on your defined goals. SIEM tools usually include out-of-the-box rules, so consider each one and determine whether it should be enabled. Test each rule against your own log data before enabling it in production – it is one of the best ways to prevent a flood of alerts.  
  4. Who manages your SIEM?
    A designated team or individual should be responsible for the SIEM. This role is vital to ensure that the SIEM is maintained consistently and aligned to the goals of the organization.
  5. What processes are in place for alert volume monitoring?
    A SIEM subscription can be expensive. Some providers bill based on Events per Second (EPS), others bill based on the number of log sources. Whichever pricing model applies, event and alert volume should always be monitored and aligned with your goals. Review alert volume regularly and thoroughly. Identify the alerts and rules that trigger most frequently in your SIEM and determine whether they need to be adjusted.
  6. Have you ever heard of tuning?
    Tuning is a critical way to prevent alert fatigue. There are several areas you can adjust:

    • Within your SIEM – Tune rules, criteria, correlation, and scoring 
    • In your log collection – Tune common log patterns, signatures, and log types 
    • On your device – Tune log severity and event types 
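The following script is an added example for items 3, 5, and 6 above; it is not code from the original article or from SilverSky. It dry-runs two candidate rules over a constructed set of sample events (not real logs), ranks the rules by how many alerts each produces, and then shows the same data after tuning: the "one alert per failed login" rule is replaced by an aggregated rule that suppresses a known scanner source and fires only when a single user accumulates a burst of failures. The event fields, the scanner address 10.0.0.5, and the threshold of 5 failures in 5 minutes are assumptions chosen for the example.

```python
"""Dry-run candidate SIEM rules over sample events, rank them by alert
volume, then apply tuning (source suppression plus an aggregation
threshold) and measure how far the alert count drops."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical tuning parameters (assumptions, not from the article).
SUPPRESSED_SOURCES = {"10.0.0.5"}      # authorized vulnerability scanner
BURST_THRESHOLD = 5                    # failures per user ...
BURST_WINDOW = timedelta(minutes=5)    # ... inside this window


def make_sample_events():
    """Constructed sample events, not real logs: an authorized scanner
    generating failed logins, one user under apparent brute force, a single
    mistyped password, and one admin group change."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    events = []
    for i in range(30):  # scanner: one failure per minute, rotating accounts
        events.append({"ts": (base + timedelta(minutes=i)).isoformat(),
                       "type": "auth_failure", "user": f"svc{i % 6}",
                       "src": "10.0.0.5"})
    for i in range(6):   # bob: six failures in 100 seconds from outside
        events.append({"ts": (base + timedelta(seconds=20 * i)).isoformat(),
                       "type": "auth_failure", "user": "bob",
                       "src": "203.0.113.7"})
    events.append({"ts": (base + timedelta(minutes=10)).isoformat(),
                   "type": "auth_failure", "user": "alice",
                   "src": "198.51.100.4"})
    events.append({"ts": (base + timedelta(minutes=12)).isoformat(),
                   "type": "admin_group_change", "user": "carol",
                   "src": "10.0.0.20"})
    return events


def rule_auth_failure_each(events):
    """Out-of-the-box style rule: one alert for every failed login."""
    return [{"rule": "auth_failure", "user": e["user"], "src": e["src"]}
            for e in events if e["type"] == "auth_failure"]


def rule_admin_group_change(events):
    """Low-volume, high-value rule: kept unchanged by tuning."""
    return [{"rule": "admin_group_change", "user": e["user"]}
            for e in events if e["type"] == "admin_group_change"]


def rule_auth_failure_burst(events):
    """Tuned replacement: drop suppressed sources, then raise one alert per
    user whose failures reach BURST_THRESHOLD inside BURST_WINDOW."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] == "auth_failure" and e["src"] not in SUPPRESSED_SOURCES:
            per_user[e["user"]].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times) - BURST_THRESHOLD + 1):
            if times[i + BURST_THRESHOLD - 1] - times[i] <= BURST_WINDOW:
                alerts.append({"rule": "auth_failure_burst", "user": user,
                               "failures": len(times)})
                break  # one alert per user per run, not one per event
    return alerts


UNTUNED_RULES = [rule_auth_failure_each, rule_admin_group_change]
TUNED_RULES = [rule_auth_failure_burst, rule_admin_group_change]


def run_rules(events, rules):
    """Dry-run the rules and count alerts per rule: the check to make
    before enabling a rule in production."""
    counts = Counter()
    for rule in rules:
        for alert in rule(events):
            counts[alert["rule"]] += 1
    return counts


def volume_report(counts):
    """Rank rules by alert count; the top entries are tuning candidates."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    events = make_sample_events()
    for label, rules in (("untuned", UNTUNED_RULES), ("tuned", TUNED_RULES)):
        counts = run_rules(events, rules)
        print(f"{label}: {sum(counts.values())} alerts")
        for name, n in volume_report(counts):
            print(f"  {name:<22}{n:>4}")
```

Run stand-alone, the untuned rule set produces 38 alerts, 37 of them from the per-event login-failure rule; the tuned set produces 2, one of which still points at the user with the genuine burst. The same ranking step applied to a day of real alert exports is the "identify the rules that trigger most frequently" review from item 5, and the suppression list and threshold are the kind of in-SIEM adjustment item 6 refers to.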

A SIEM is a helpful tool and assists analysts in the heavy-lifting process of detecting and responding to threats. Just like any other tool, though, it does not work without human intervention. Processes, including regular maintenance, should be in place to ensure that the SIEM is producing quality alerts for effective detection by skilled SOC analysts. But it’s a delicate balance. Monitoring, review, and tuning should be performed regularly so you get the right amount of a good thing. 

SilverSky Managed SIEM takes the complexity out of managing this essential tool. Achieve the balance you need and ensure your SIEM is optimized for detecting threats in your unique environment. Learn more here.