One of the biggest mainstays of an enterprise-level security program is a Security Information and Event Management (SIEM) tool. Just as a quick overview, a SIEM collects and aggregates log data from applications, firewalls, and other devices spread across an organization’s infrastructure. The SIEM then uses that information to identify, categorize, and analyze security incidents and other network events, per CSO.

A SIEM can benefit organizations in several ways by carrying out those functions. One of its primary advantages is the ability to spot otherwise undetected incidents. This gets down to the limitations host-based tools. As noted by TechTarget, hosts might have the ability to spot events and generate audit log entries for them, but there’s no network-wide incident detection going on. Sure, they can issue an alert for when an event that might be malicious occurs, but there’s no context involved. Which is why SIEMs have traditionally been so important. They helped to correlate events across hosts, which provides greater visibility into attacks that might be using multiple footholds spread across different environments in an organization’s infrastructure.

That said …

Change Is in the Air

We’ve had countless conversations with people around the subject of SIEM, and the how and why behind what function the SIEM is performing in their organizations.

However, what’s surprised us in recent years is the extent to which SIEMs have fallen out of favor. There are two things going on here. On the one hand, we have larger organizations that already have a SIEM and that have simply had enough. Experience tells them that SIEMs are simply too expensive in their current state.

In a 2021 study covered by CPO Magazine, for instance, 43% of IT security professionals said that their organization is paying too much for their current SIEM solution relative to its capabilities and value delivered. These responses underscore just how many organizations are fed up with the pricing model for the traditional SIEM. Here’s CPO Magazine with more:

Data volumes have increased exponentially, yet antiquated pricing models remain the same. The limitation of using an outdated cost structure applied to cloud-scale data volumes creates a situation where security teams are under pressure to stay below price plan limits by picking and choosing the log data they will monitor. This is called guessing. Guessing what data will contain indications to warn against the threats they face—guessing is not acceptable with security.

CPO Magazine also pointed out that many traditional SIEMs lack flexibility and customization. Specifically, it’s not always easy for security teams to write custom detections. This makes it more difficult for those teams to protect their organizations against relevant threats without needing to comb through a deluge of alerts.

Which ties into another issue with SIEMs: they’re too noisy. AT&T Cybersecurity wrote that many SIEMs err on the side of caution and alert on items that might not be relevant to an organization’s security priorities unless properly configured. The issue is that those alerts frequently lack the context for security analysts to tell the difference, so they need to examine them all to identify what might be indicative of a security issue.

Of course, we don’t just have organizations that have the experience of using costly and noisy SIEMs, either. We also have smaller organizations that have found it too difficult to take the plunge and invest in a SIEM. Some of them have found it to be too expensive, while others might have found it too complicated or intimidating for them to derive to derive any benefit.

Something Different This Way Comes

Organizations are actively searching for SIEM alternatives to solve their ongoing visibility problem. As it turns out, they’re finding the answer in managed network security monitoring tools and endpoint detection and response (EDR) …

I’ll save that discussion for Part II.