Security information and event management (SIEM) is still integral to digital security. However, newer entrants to the market claim SIEM as we know it is dead. If this sounds familiar, you may remember the infamous statement in 2015 by the chief information security officer (CISO) of RSA, Eddie Schwartz, that SIEM was dead.
It seems like every year after that another vendor rang the death bells for SIEM. Yet even groups adopting new tools, like extended detection and response (XDR), see SIEM as an important component of the new stack. SIEM is very much alive. So, why does this popular and effective service get a bad rap?
Let’s debunk some common SIEM myths.
SIEM Can Serve Businesses of Any Size
Myth: SIEM is only for large enterprises. Since most large employers use SIEM tools, SIEM is therefore only useful for large entities with advanced IT teams.
Fact: The best SIEM for you is the one that can adapt to your needs in a modular fashion. While not every business needs all of the bells and whistles, small and medium-sized businesses can perform the essentials to keep their business secure and compliant. Smaller groups without a more robust defense function can find value in out-of-the-box content and analytics to cover standard use cases, such as threat detection, compliance and monitoring.
In addition, businesses don’t stay small forever. You should select a vendor that can fulfill your needs over time as you scale. Larger groups need a platform to expand coverage for more advanced use cases — often augmenting network, user and domain name system analytics. Just because the bells and whistles exist doesn’t mean you need them to get value from your SIEM system. For most, out of the box will be enough.
SIEM Can Be Affordable
Myth: SIEM is too expensive. SIEM requires a large amount of data, and the cost will rise as you scale, becoming too expensive along the way.
Fact: Older SIEM pricing models can often make SIEM more expensive than it needs to be. While not all vendors price SIEM the same way, vendors that use storage-based pricing will become expensive very quickly. Likewise, vendors who use throughput (often measured in events per second) or per-user pricing have been common in the market.
However, in 2020, many vendors have adjusted SIEM pricing models to compensate for the steady increase in data being produced. Some vendors have shifted to non-capacity-based pricing models, often charging by the number of managed hosts, allowing users to more easily predict the cost.
Before you begin to think price, you should ask yourself what data you need for your use cases. The SIEM doesn’t need to crunch all of your data. Instead, you should focus on the data needed for use cases most important to you. For compliance and data retention, it is best to look for a data lake option. Many vendors offer this for low-cost log storage. By offloading commodity logs to a data lake, you can quickly make SIEM projects more feasible and cost-efficient.
Responding to New Threats
Myth: SIEM security tools can only detect known threats. SIEM only uses correlation rules, so it is only good for detecting what you already know.
Fact: While that statement may have been true in 2005, SIEM tools, like the threats they detect, have evolved. Now, SIEM uses multiple types of analytics for cross-layered coverage for different use cases. Correlation is most often used for detecting a known malicious behavior — for example, if a malicious IP or hash file shows up in your environment. These types of analytics often work best with threat intelligence, performing correlation against reputation and threat feeds.
In addition, SIEM can utilize anomaly detection, which is a statistical method used to tell if there are deviations from a baseline. This method is useful in spotting assets sending large volumes of data over the network or using different ports and protocols. Finally, SIEM can use machine learning to model other things, such as user behavior. User behavior analytics within the SIEM system create profiles of users to detect changes that could signal danger, like an insider threat. This mix provides a robust toolkit for detecting both known and unknown threats.
Fact: SIEM is here to stay. SIEM isn’t dead. It’s still a key resource and will continue to be in the future. While the market dynamics have changed, reports, such as the 2020 Gartner Magic Quadrant for SIEM, can help you identify the SIEM solution that best meets your needs.
To learn more about SIEM myths, check out the blog “Six Myths of SIEM.”
This post appeared first on Security Intelligence
Author: Jeremy Goldstein