How to Build a SIEM-less Architecture for Your Small Business
If you’re a smaller organization doing business in 2024, chances are you’ve got the basics down: A firewall; something like EDR on the endpoints; MFA where it counts. The logical next step is to gain network visibility, and you’ve probably got ideas of how to do that, too. Traditionally, companies turn to a Security Information and Event Management (SIEM) platform to fill that role, but their cost and complexity make that a tall order for most SMBs.
Here are some points to consider before investing in a SIEM, and an introduction to alternatives (like Network Detection and Response (NDR)) that might be better for your small business.
Why people have traditionally opted for SIEMs
A SIEM typically collects and aggregates log data from firewalls, switches, endpoints, and other devices spread across an organization’s infrastructure. The SIEM then uses that information to log, identify, categorize, and analyze security incidents and other network events.
In other words, a SIEM’s primary advantage is its ability to bring together data from different sources across your network, correlate events, and spot otherwise undetected issues. Why undetected? Because, as the theory goes, sometimes it takes the whole network picture to spot a potential problem, and SIEMs (theoretically) are in a good position to take on that challenge. They also offer (again, theoretically) a complete historical picture, which can be useful for incident response and forensics.
This is why SIEMs have traditionally been so important. They helped to correlate events across devices, which provides greater visibility into attackers that might be using multiple footholds spread across different environments in an organization’s infrastructure.
Why SIEMs are falling out of favor
That said, in the news and in our experience, SIEMs have been recently falling out of favor. Here’s why.
They’re too expensive, even for the big guys. On the one hand, we have larger organizations that already have a SIEM and that have simply had enough. Experience tells them that SIEMs are simply too expensive in their current state. In a 2021 study covered by CPO Magazine, for instance, 43% of IT security professionals said that their organization is paying too much for their current SIEM solution relative to its capabilities and value delivered. That was three years ago, and it’s only gotten worse. These responses underscore just how many organizations are fed up with the pricing model for the traditional SIEM. Here’s CPO Magazine with more:
Data volumes have increased exponentially, yet antiquated pricing models remain the same. The limitation of using an outdated cost structure applied to cloud-scale data volumes creates a situation where security teams are under pressure to stay below price plan limits by picking and choosing the log data they will monitor. This is called guessing. Guessing what data will contain indications to warn against the threats they face—guessing is not acceptable with security.
They lack flexibility, and you can’t customize them. CPO Magazine also pointed out that many traditional SIEMs lack flexibility and customization. Specifically, it’s not always easy for security teams to write custom detections. This makes it more difficult for those teams to protect their organizations against relevant threats without needing to comb through a deluge of alerts.
They create too much noise. SIEMs are also frequently criticized for being too noisy. AT&T Cybersecurity wrote that many SIEMs err on the side of caution and alert on items that might not be relevant to an organization’s security priorities unless properly configured. The issue is that those alerts frequently lack the context for security analysts to tell the difference, so they need to examine them all to identify what might be indicative of a security issue.
They’re too resource-intensive for SMBs. Of course, we don’t only serve organizations that can afford costly (and noisy) SIEMs, either. We also have smaller organizations that have found it too difficult to take the plunge and invest in a SIEM. Some of them have found it to be too expensive, while others might have found it too complicated or intimidating for them to derive any benefit.
How Network Detection and Response (NDR) is stepping up
Organizations are actively searching for SIEM alternatives to solve their ongoing visibility problem. As it turns out, they’re finding the answer in Network Detection and Response.
Packets Don’t Lie. First of all, packets don’t lie. Going beyond device logs and getting an independent perspective from the network flows between endpoints can help spot network anomalies, too. This, combined with the endpoint perspective (from an EDR tool, for example), can be an extremely powerful combination.
NDR can be a more complete view. SIEMs work by collecting logs for you to analyze. That’s great, but they’re only getting you the logs from devices you know you have and have configured to do so. There are a couple of problems with that.
- What if there are devices you don’t know about? The news is full of stories about Shadow IT, and the best way to capture this traffic is through network flows.
- What if there are devices that can’t send logs or even install EDR due to technical limitations? We’re looking at you, IoT and SCADA.
A flow archive can check the same boxes as a SIEM. Another “unique” benefit of SIEMs is that they keep the logs and allow you to review data from events that happened in the past, but they can be clunky and slow. Tools like Nomic Insight (our NDR solution) replace device logs with network flows, and make them easy to interrogate, search, and filter. They can serve the same purpose (to a certain degree) as a SIEM’s logs, and provide a user-friendly pivot point for analysts as they review interesting or anomalous behavior.
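To make the two points above concrete (flows reveal devices that never send logs, and a flow archive doubles as a pivot point for analysts), here is an added example that is not Nomic Insight code. The flow records, the asset inventory, and the 10.0.0.0/8 internal range are all constructed sample data; the function names are our own.

```python
"""Added example: querying a small flow archive the way an analyst would.
FLOWS and INVENTORY are constructed sample data, not real network data."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("2024-05-01T09:00:00", "10.0.1.20", "10.0.1.5", 445, "tcp", 12000),
    ("2024-05-01T09:01:10", "10.0.1.20", "203.0.113.9", 443, "tcp", 84000),
    ("2024-05-01T09:02:00", "10.0.3.77", "198.51.100.4", 8883, "tcp", 900),
    ("2024-05-01T09:02:30", "10.0.3.77", "198.51.100.4", 8883, "tcp", 950),
    ("2024-05-01T09:03:00", "10.0.2.15", "10.0.1.5", 502, "tcp", 400),
    ("2024-05-01T09:04:00", "10.0.1.21", "10.0.1.5", 445, "tcp", 3000),
]

# Constructed inventory: the hosts IT knows about, i.e. the only ones that
# could ever be configured to forward logs to a SIEM or run an EDR agent.
INVENTORY = {
    "10.0.1.20": "ws-finance-01",
    "10.0.1.21": "ws-finance-02",
    "10.0.1.5": "fileserver",
}

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space


def unknown_internal_hosts(flows, inventory):
    """Internal IPs seen on the wire with no inventory entry: shadow IT, IoT,
    SCADA and similar devices that a log-only SIEM would never hear from."""
    seen = set()
    for _, src, dst, *_ in flows:
        for ip in (src, dst):
            if ip_address(ip) in INTERNAL and ip not in inventory:
                seen.add(ip)
    return sorted(seen)


def pivot_on_host(flows, host):
    """Analyst pivot: every peer/port/proto a host talked to, with flow and
    byte totals, so anomalous behaviour can be reviewed without device logs."""
    summary = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for _, src, dst, port, proto, nbytes in flows:
        if host == src:
            key = (dst, port, proto)
        elif host == dst:
            key = (src, port, proto)
        else:
            continue
        summary[key]["flows"] += 1
        summary[key]["bytes"] += nbytes
    return dict(summary)


if __name__ == "__main__":
    for ip in unknown_internal_hosts(FLOWS, INVENTORY):
        print(ip, pivot_on_host(FLOWS, ip))
```

Running it lists 10.0.2.15 (talking Modbus on port 502 to the file server) and 10.0.3.77 (MQTT over TLS to an external host), neither of which appears in the inventory and so would be invisible to a SIEM fed only by known devices.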
NDR is SMB-friendly. NDR and SIEM are technically not the same thing, but they can both be an answer to the question of network visibility and anomaly detection. SMBs will find that NDR is most likely the more cost-effective and simple solution, particularly when it’s bundled with a managed service.
Got questions?
Ready to explore NDR but don’t know where to start? Nomic’s got you covered.
Our Insight solution provides unique visibility that a SIEM simply doesn’t offer, while running leaner and requiring less out of already-strained SMBs. This Managed Network Detection and Response solution runs in-house with our team of qualified experts here to support you – however much or however little you need – on a 24/7 basis. With our complete suite of products, you can not only gain network visibility between the endpoints but also:
- Keep network history with lookback
- Reduce the load on your firewall by 70%
- Identify network misconfigurations and other weaknesses
- Reduce your public attack surface to zero
If you’re considering a visibility tool, consider NDR – and our Insight suite, specifically – as a SIEM alternative for any company looking to do more with less.
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.