News

Why traditional SIEM is dead

When SIEM was first introduced to the world of computing by Mark Nicolett and Amrit Williams of Gartner, it revolutionized the way businesses and IT professionals approached systems security. 

By merging information storage/analysis functionality with real-time monitoring and notification of security events, SIEM strategies offer robust protection from both vulnerabilities caused by internal system errors and outside malicious actors.

However, many businesses find that their SIEM dashboards are struggling to maintain system security with the efficiency they once did. The global technological ecosystem is a very different place in 2021 from what it was in 2005. 

With increasingly cloud-based infrastructures, internet and user traffic at unparalleled levels, and new service-oriented architectures, can a traditional SIEM approach effectively monitor and protect against modern security threats?

 

SIEM – A revolution in cybersecurity

Before SIEM, information and event security management had to be handled through different platforms and software. The siloing of SIM and SEM made designing and implementing robust system security incredibly challenging. Without system information and logs, auditing and tracking circumstances leading to a security event required hours of manual input. Without events management, SIM logging offers little in the way of real-time protection.

SIEM dashboards allowed engineers to create intuitive alerting protocols and deploy use-appropriate configuration policies based on real-time and historical data. With SIEM, systems became more secure than ever, with an incredibly reduced investment of both time and finance necessary.

 

Where traditional SIEM fails

It is relatively straightforward to secure a system entirely hosted on an on-premise data center with external access to the company intranet only possible through the access gateway on the customer website API.

As the monolithic systems of yester-year upscaled, system security concerns usually could be addressed with a simple increase in capacity. Rarely did growth create multiple new attack surfaces with every deployment or implementation. The merging of SIM and SEM was enough of a step forward to keep up.

The simplicity of IT infrastructure in 2005 may be slightly exaggerated there, but the point still stands. The systems cybersecurity professionals and engineers need to secure in 2021 are vastly more complex than the average monolithic systems in use when SIEM first emerged. Just as modernity rendered SIM and SEM silos obsolete, advances in technology have made SIEM increasingly ineffective for a wide variety of reasons. 

 

SIEM dashboards are only as good as the data they’re fed

At its most basic level, a SIEM dashboard is a tool that ingests system/machine data and transforms it into alerts and organized datasets that can be searched and queried. However, the data sources SIEM dashboards rely heavily on are outdated for modern cloud and network-reliant systems. 

SIEM dashboards don’t traditionally use captured packets for alerting and response. In an ecosystem where cyberattacks originate from exploited network vulnerabilities, overlooking this crucial forensic evidence leaves systems open to repeat occurrences.

 

SIEM requires Use Cases to keep systems secure

A Use Case is a set of technical rules and actions converted from a business threat. Often these are existing threats, with Use Cases built to prevent a recurrence. Many SIEM tools can build Use Cases for your existing systems based on common threats and risks. 

Without Use Cases, your SIEM dashboard can’t create effective event alerts. Use Case necessity makes it a challenge to create alerting rules for potential events proactively. In a world where the threat landscape changes daily, this is a significant weakness.

 

SIEM dashboards accumulate superfluous data

PCAP (Packet Capture) methods used by traditional SIEM dashboards are ineffective in a world where machine analysis and automation are the norms. They lack sufficient functionality to flag irrelevant or bad data sources pre-ingestion, leading to unneeded and superfluous data reams. 

 

SIEM dashboards provide no context

Context is vital for effective event response. Knowing what happened teaches you very little if you don’t also know how and why.

Many SIEM dashboards are configured for hyper-efficient data collection but have a sub-standard capacity for log enrichment. Without enriched logging to provide context to event logs, it’s impossible to make effective and informed strategy decisions or policy implementation. 

Lack of context is an issue for alerting as well, with every slight deviation from a catch-all ruleset being flagged as suspicious.

 

SIEM is high maintenance

SIEM predates the widespread market penetration of AI, machine learning, and automation. As such, SIEM dashboards and functionality require significant security expertise and manual input from analysts and engineers.

From building Use Cases to manually updating configurations and rulesets every time a new system component is added, SIEM dashboards require much more maintenance and manual input than modern security solutions.

 

Observability platforms meet SIEMs shortcomings

In short, SIEMs ‘data in, events out’ approach is too simplistic and requires too much human input to create a fully secure system in today’s technical climate.

What’s needed is a solution that provides information and events management functionality in the contemporary threat landscape. For many engineers, observability platforms fill this need.

 

Observability platforms access a wide range of sources

Observability platforms provide more comprehensive system visibility for cloud-based and service-oriented architectures. They can harvest data from a wider variety of sources than a traditional SIEM dashboard and aggregate that data in a single cross-service platform. 

Ultimately, modern system security requires a greater emphasis on network security than traditional SIEM dashboards provide. A SIEM-inclusive observability platform enables the network-centric focus modern security solutions need.

 

Observability platforms are more intuitive than SIEM

Maintaining and configuring SIEM platforms requires significant system security expertise. In a recent survey, 44% of organizations stated they lacked the necessary staff expertise to operate their SIEM effectively. SIEM dashboards require financial investment not only in the dashboards themselves but in the staff to manage them. 

Observability platforms are much more intuitive. While they don’t simplify tasks to the point that non-IT staff could perform them, they make basic security activities such as deploying agents or parsing logs accessible to more engineers and administrators. 

 

Observability platforms have greater AI, automation and ML support

Traditional SIEM relies primarily on static alert thresholds. These require manual data and log analysis, followed by further manual Use Case creation. They also produce many false positives and can’t change and adapt with the broader network unless manually reconfigured.

Observability platforms, on the other hand, can automate everything from threat detection to multi-source log aggregation. What’s more, thanks to AI and ML capabilities, modern observability platforms don’t require Use Cases to create and implement new, proactive alerting policies. 

 

Observability platforms provide context for security events

Context is the key advantage observability platforms have over traditional SIEM. Observability platforms will include the same data types harvested by SIEM as part of an automated, system-wide monitoring platform. 

This provides the context to know why an event happened, how it happened, the impact it’s had on your systems and wider business, and what the best course of action is to prevent it from happening again.

 

Observability platforms are low-maintenance solutions

SIEM solutions are notoriously expensive. Hardware SIEM costs can start at a low end of $25,000. That’s before costs are factored in for the aforementioned SIEM expertise.

Because many observability platforms are available as a PaaS model, they come with significantly lower financial costs. Providers also deploy regular updates, bug fixes, and increased functionality. As an externally hosted service, maintenance costs are also eliminated.

 

Observability platforms are making traditional SIEM obsolete

Visibility and context are two of the most significant shortcomings of traditional SIEM. Modern observability platforms provide visibility, context, and AI-backed analytics and insight, to provide a comprehensive system security solution at a fraction of the labor/financial cost of SIEM. 

By opting for an observability platform inclusive of SIEM, instead of a SIEM dashboard exclusively, business owners and systems engineers can manage system security from an intuitive platform that allows pro-active strategy and implementation of new configurations and policies.

Back to top button