So, what is this missing piece? Simply put, it's a live person: a security analyst. The most sophisticated systems in the world still need a well-trained individual not only to tune them but also to monitor their output and validate, or even interpret, it.
Typically, when we put any such system in place, there is an involved process of understanding the normal traffic patterns of the communication taking place on the existing network. This allows us, over time, to create a baseline, tune out any false positives triggered by legitimate traffic, and fine-tune the other existing rules. Even after all fine-tuning is complete, the system still needs an individual to analyze its output and validate any events that pose a risk to the information systems and the organization. Depending on the size of the network involved, this could range from the local network administrator to a team of dedicated security analysts. Where that individual is the local network administrator, there should be adequate training so that they are familiar with network security practices and standards and with the usage of the monitoring systems in place. This training should be refreshed annually to ensure that the administrator is kept up to date with newer techniques and technologies.
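The baseline-then-tune process described above, as an added illustration (not code from the original article): a per-host baseline is built from a constructed "normal" week, new observations that exceed it are alerted, and the hosts an analyst has already confirmed as legitimate are tuned out. Everything left in the alert list is what still needs a human to look at it. The host names, counts and allowlist are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (day, source_host, SSH connections per day) from a normal week.
BASELINE_WEEK = [
    ("d1", "web01", 40), ("d2", "web01", 42), ("d3", "web01", 38), ("d4", "web01", 41), ("d5", "web01", 39),
    ("d1", "backup01", 5), ("d2", "backup01", 6), ("d3", "backup01", 5), ("d4", "backup01", 4), ("d5", "backup01", 6),
    ("d1", "ws-12", 2), ("d2", "ws-12", 1), ("d3", "ws-12", 3), ("d4", "ws-12", 2), ("d5", "ws-12", 2),
]
# Constructed observations for the day being reviewed.
NEW_DAY = [("mon", "web01", 41), ("mon", "backup01", 180), ("mon", "ws-12", 60), ("mon", "newhost", 7)]
# Tuning decision: the analyst confirmed backup01's monthly full backup is legitimate (constructed).
LEGITIMATE_SOURCES = {"backup01"}


def build_baseline(records):
    """Per-host (mean, population stddev) of daily counts from the normal period."""
    per_host = defaultdict(list)
    for _, host, count in records:
        per_host[host].append(count)
    return {host: (mean(counts), pstdev(counts)) for host, counts in per_host.items()}


def evaluate(records, baseline, allowlist, k=3.0):
    """Split records into (alerts for the analyst, alerts tuned out by the allowlist).

    A record alerts when its count exceeds mean + k * stddev for that host, or when the
    host has no baseline at all (a new talker is always worth a look).
    """
    alerts, tuned_out = [], []
    for day, host, count in records:
        if host not in baseline:
            alert = (day, host, count, "no baseline for this host")
        else:
            m, s = baseline[host]
            # Floor the stddev at 1 so a perfectly flat baseline does not alert on a +1 change.
            if count <= m + k * max(s, 1.0):
                continue
            alert = (day, host, count, f"{count} vs baseline {m:.1f} +/- {s:.1f}")
        (tuned_out if host in allowlist else alerts).append(alert)
    return alerts, tuned_out


if __name__ == "__main__":
    alerts, tuned_out = evaluate(NEW_DAY, build_baseline(BASELINE_WEEK), LEGITIMATE_SOURCES)
    for a in alerts:
        print("REVIEW  ", a)
    for t in tuned_out:
        print("TUNED OUT", t)
```

Note that the allowlist only shrinks the queue; it never decides that ws-12 or the unknown host are safe, which is exactly the judgement the article leaves to the analyst.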
My main goal in this article is to impress upon you the need for an analyst of some form. In the absence of an analyst, and without proper maintenance, the system becomes useless and will not serve its proper function.