- 1 These are the Top Five Lies Security Vendors Tell About the SIEM
- 1.1 Lie number one: SIEMs are only good for compliance
- 1.2 Second Lie: SIEMs don’t scale
- 1.3 Third Lie: Security teams hate their SIEM
- 1.4 Fourth Lie: SIEMs don’t do orchestration of response
- 1.5 Lie No. Five: SIEM is dead
- 1.6 In conclusion
These are the Top Five Lies Security Vendors Tell About the SIEM
Although I have only been with Forrester for six months, I am already tired of hearing the phrases “If you tried that query in the SIEM it would take weeks!” and “The security team hates their SIEM!”
SIEMs (security information and event management systems) are no longer what they were 10 to 20 years ago. To find out whether this was a common sentiment or just analysts letting off steam, I polled #InfoSecTwitter to surface the most popular myths surrounding SIEMs. The response was strong.
(Screenshot of my Twitter poll about the most common myths surrounding SIEM.)
Many of the responses I received focused on myths that SIEM vendors themselves push about their products (often in sales and marketing messaging). Many of these, including the one Katie Nickels called out, ring true in my experience:
SIEMs are not easy to use. They require planning and strategic thinking. And they certainly do not deliver the single pane of glass the vendors promised, much to the dismay of everyone who believed them.
These are not the myths I will debunk today. That would be like pushing water uphill with my bare hands: impossible, especially with these uncalloused white-collar mitts.
All that being said, there are aspects of SIEM that have improved significantly over the past twenty years, despite security marketing insisting otherwise. Below I take a page from my old combinatorics class and offer a disproof by counterexample (in some cases, two) for each of these myths.
I have decided not to link to the vendor marketing messages pushing these myths, but a quick Google search will turn up every one of them.
Lie number one: SIEMs are only good for compliance
Security analytics platforms are striving to differentiate in the detection and response space, with solutions such as IBM Security and Exabeam making it a point of contrast in the Forrester Wave™ evaluation of security analytics platforms. Solutions like Microsoft Sentinel, built specifically for security use cases, were also entering the market as of 2019.
Second Lie: SIEMs don’t scale
Legacy SIEM solutions have long struggled with querying at scale. When you create a big data problem, you also have to solve it. Many security teams find scaling their SIEM difficult because they do not think strategically about log collection: they ingest every source at full verbosity rather than deciding which sources actually serve their detection and investigation use cases.
However, there are cases where enterprises, such as financial services companies and other large players, simply need to collect enormous amounts of data. That problem can be addressed with fast, innovative solutions such as Chronicle and Devo.
Third Lie: Security teams hate their SIEM
Joseph Blankenship, my research director, will tell you that SIEM-loving practitioners are easy to find at Splunk’s .conf events. And this is not just anecdotal: a recent survey found that over half of respondents love or like their SIEM.
Fourth Lie: SIEMs don’t do orchestration of response
While this was true for a while, it is no longer the case. Security orchestration, automation, and response (SOAR) technology has been, or is being, absorbed by the larger SIEM players, to the point that many security analytics platforms now include automation and orchestration. This is evident in the Forrester Wave evaluation of security analytics platforms and can be seen in solutions such as FireEye Helix, Microsoft Sentinel, and IBM QRadar.
Lie No. Five: SIEM is dead
This is hyperbole at its most ridiculous. SIEMs are still a core part of the security operations technology stack for most mid-sized to large enterprises. According to Forrester’s report “The State Of Network Security 2020-2021,” security teams that suffer a breach expand their security monitoring rather than scaling it back. The SIEM remains the operating system of the security operations center, despite rising competition from XDR (extended detection and response).
Do security analytics platforms and SIEMs have challenges? Yes. This is not a tacit endorsement or defense of SIEM technology’s shortcomings. If you came to this blog to learn how SIEM technology can bridge those gaps, check out my webinar on the collision course between XDR and SIEM.
This post is meant to highlight that the SIEM as we knew it 10 years ago does not reflect the multifaceted tool security teams use today. If security analytics platforms focus on innovation in detection, an exceptional user experience, and automated investigation and response, they have a strong chance of retaining their position in this space.