The following is an excerpt from our recently published whitepaper, “The Failed Promises of SIEM: How Next-Generation Cybersecurity Platforms are Solving the Problems Created by Outdated Tools,” in which we discuss the ways in which SIEM has failed to deliver on the promises made to the cybersecurity industry, and why cyber teams must instead turn to a next-generation platform powered by unsupervised AI to navigate the ever-evolving threatscape of 2020 and effectively defend against modern threats and bad actors.
For all its promise, SOCs using SIEM inevitably face a clear and looming problem with this security advancement: to gain true visibility into network behavior, they must feed these systems a virtually endless stream of data.
Because the fundamental nature of SIEM requires ever-growing amounts of data, security teams are forced to constantly wrangle their network data and are faced with an unmanageable number of false-positive alerts. They must devise efficient ways to collect, organize and store that data, which demands a substantial investment in human and financial resources.
Worse, because SIEM relies on log data, its capability to respond to events is limited to the accuracy and scope of its latest view of a network’s data. To be fair, SIEM has improved on this front since its inception in 2006. Today, SIEM software is quite capable of performing traditional searches and investigations.
However, the need to constantly add new sources severely restricts an organization’s ability to take in a holistic view of events.
Vendors Capitalize on SIEM’s Fundamental Flaws
SIEM customers often find themselves caught up in a never-ending cycle of collecting and storing data and then feeding it into the software quickly enough to maintain an acceptable level of network security and regulatory compliance around data privacy.
In answer to these concerns, vendors present the doomsday scenario, telling customers: “If you don’t have all of your endpoint data, and all of your internal data, and all of the information from all of these sources, you are inherently vulnerable. And if you don’t save that information in perpetuity, and you have some critical incident for which you don’t have the data saved, this could represent a compliance violation.”
And it’s true. SIEM is fundamentally limited by its insatiable, incessant need for fresh data. Once they are locked into a specific SIEM, however, it’s extremely challenging for security teams to see a way out. SIEM is a database for machine-generated data, one optimized for search and investigative capabilities.
In order to get a quick return on queries or to address functional requirements like incident management and threat detection, customers and vendors add to a constantly growing collection of queries and reports. This is the only way to obtain the data the SIEM needs to compare against historical data to detect anomalies.
Vendors fully understand how vital it is for organizations to adhere to today’s customer data compliance requirements. Their platforms are positioned in a way that requires customers to aggregate and format data into the vendor’s exclusive, proprietary format.
In the meantime, when organizations rely solely on SIEM, security lags behind modern, real-time solutions that feature predictive threat detection. SIEM data, by nature, has latency built in. It cannot provide real-time threat detection because of the time it takes to process, move, aggregate and normalize data.
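To make the latency point measurable rather than rhetorical, here is an added example (not from the whitepaper or any vendor's product) that computes per-source ingestion lag from constructed SIEM records, the gap between when a source wrote an event and when the SIEM made it searchable; the field names `event_time`/`index_time`, the source names and the 300-second detection-latency budget are assumptions.

```python
from datetime import datetime, timezone
from statistics import median

# Constructed sample records (not real data): 'event_time' is the timestamp the
# source wrote, 'index_time' is when the SIEM made the record searchable.
SAMPLE_RECORDS = [
    {"source": "fw-edge-01", "event_time": "2020-03-02T10:00:00Z", "index_time": "2020-03-02T10:00:25Z"},
    {"source": "fw-edge-01", "event_time": "2020-03-02T10:00:30Z", "index_time": "2020-03-02T10:01:10Z"},
    {"source": "win-dc-01",  "event_time": "2020-03-02T10:00:05Z", "index_time": "2020-03-02T10:09:30Z"},
    {"source": "win-dc-01",  "event_time": "2020-03-02T10:01:00Z", "index_time": "2020-03-02T10:12:00Z"},
    # Source clock runs ahead of the SIEM: indexed "before" it happened.
    {"source": "app-web-03", "event_time": "2020-03-02T10:02:00Z", "index_time": "2020-03-02T10:01:50Z"},
]

def parse_ts(value):
    """Parse the ISO 8601 UTC form used in the sample into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def lag_seconds(record):
    """Seconds between the source writing the event and the SIEM indexing it."""
    return (parse_ts(record["index_time"]) - parse_ts(record["event_time"])).total_seconds()

def pipeline_lag_report(records, budget_seconds=300):
    """Per-source median/max lag plus a verdict against a detection-latency budget.

    Negative lag means clock skew between source and SIEM; such records are kept
    out of the statistics and counted separately, because skewed timestamps also
    break any correlation rule that joins events inside a time window.
    """
    per_source = {}
    for r in records:
        info = per_source.setdefault(r["source"], {"lags": [], "skewed": 0})
        lag = lag_seconds(r)
        if lag < 0:
            info["skewed"] += 1
        else:
            info["lags"].append(lag)
    report = {}
    for source, info in per_source.items():
        lags = info["lags"]
        report[source] = {
            "median_lag_s": median(lags) if lags else None,
            "max_lag_s": max(lags) if lags else None,
            "skewed_records": info["skewed"],
            "within_budget": bool(lags) and max(lags) <= budget_seconds and info["skewed"] == 0,
        }
    return report

if __name__ == "__main__":
    for source, row in sorted(pipeline_lag_report(SAMPLE_RECORDS).items()):
        print(source, row)
```

Run against real export data, the same report tells you which sources are far enough behind that a "real-time" detection rule on them is really a retrospective one.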