Security and incident event management (SIEM) has been with us for quite some time, roughly 20 years. It’s still regularly promoted as an essential part of an organization’s threat detection and response capability. However, in practice, there’s a significant hidden cost related to the ongoing maintenance and tuning of the platform’s threat detection rules. This often leaves them gathering dust and not adding the value that they were supposed to deliver.
A Brief History of SIEM
The original drivers for implementing SIEM were rooted in centralized log management. Given many organizations' systems are all siloed, there’s a real need to have all your logs in one place. Centralizing everything makes it much easier to search and analyze business-critical data.
The threat detection capability came later, only once the organization's data was in one place, and technological advancements meant computer power was more readily available. These advancements allowed organizations to conduct real-time analysis on the centralized data to try and unearth threats. IT teams were then tasked with writing a rules engine on top of this data lake, hoping to generate real-time alerting of malicious and anomalous activity.
The Hidden Cost
SIEM solutions tend to come with a hefty price tag, yet some IT buyers can be persuaded that it’s all worth it if it solves their compliance and threat detection problems. While SIEMs are great for log storage, management and compliance, to fully utilize the SIEM’s threat detection capability requires significant input from skilled professionals (that hidden cost). Purchasing an expensive SIEM and assuming your threat detection worries will disappear is like buying an F1 car and thinking you'll be able to race like Lewis Hamilton. In reality, if you don’t have a capable driver and cannot maintain it, the race car will sit in the garage, gathering dust. Unfortunately, I’ve seen this happen with SIEMs time and time again.
SIEMs come with out-of-the-box rules, which help alleviate some of the pressure from in-house security teams, but the reality is that you’ll need talented individuals to constantly fine-tune and create threat detection content specific to your business context. Only then can you maximize the technology’s effectiveness. In most cases, you’ll need at least one full-time employee; a luxury that small — and stretched — infosec teams cannot afford.
If I Stop Using SIEM for Threat Detection, Where Does That Leave Me?
There’s a proliferation of very sophisticated security tooling available to purchase off-the-shelf, which can detect malicious or anomalous activity across the entire IT environment. At a high level, these tools work by first having their native threat detection engines — managed/tuned by the vendor — analyze the data and then generate alerts when their engines are triggered. Put differently, they detect threats based on a specific threat detection use case and then generate alerts as a result of this.
Sound familiar?
I like to call these tools mini-SIEMs.
Today’s vendor landscape looks very different from the one a decade ago. Today, if you want to embed a certain threat detection capability, you can choose from a plethora of products (mini-SIEMs). Whereas a decade ago, you would have had to choose a single SIEM for all your detection capability (and your vendor options were limited).
This means that for the stretched infosec team, the problem has fundamentally changed from writing and tuning rules within a central SIEM platform for threat detection to now needing to focus on responding to the alerts generated by these sophisticated threat detection products.
In a world where the threat detection capability we've associated with SIEMs is decentralized, investment should therefore be directed to the ’right‘ threat detection tools. Investment should go to tools that address your business’ specific threat detection use case concerns and should be combined with technology that will help you triage, investigate and respond effectively.
So, before diving headfirst and investing big in SIEM, only to creak more at the seams, consider your risk appetite and resource profile carefully. There are alternative — and more suitable — models out there for threat detection and response.