Is SIEM The Best Threat Detection Technology, Ever?

That’d be a “NO” – those of my readers who are “anti-SIEM” can calm down now :-) Well… let me explain, and perhaps you will see that the answer evolves closer to “sort of” or “in some sense, perhaps” :-)

My recent exchanges on Twitter led me to believe that a percentage of my peers (some intelligent and well-informed and some perhaps not so well informed ;-)) still perceive SIEM as “a compliance technology” with “no security value” (or, perhaps, with security value, but much lower value compared to its cost/burden). To me, such thinking indicates they are stuck about 7-10 years in the past, or maybe they had been scarred for life with a particularly broken SIEM implementation.

Presumably, these people rely on other technologies for detecting and investigating threats – or maybe they rely on their overly developed ESP…

So, let’s analyze this a bit:

  1. I do most of my threat detection with SIEM
  2. I do most of my threat detection with log / event analysis, but not using a SIEM
  3. I do most of my threat detection on the network, with some form of traffic analysis (what we now call “NTA” here)
  4. I do most of my threat detection on the endpoint, with some form of endpoint visibility tools, such as EDR
  5. I do most of my threat detection as a perfect balance of logs, traffic and endpoint
  6. I do most of my threat detection somewhere else (where?)
  7. (for completeness) Screw threat detection, I have a BIG firewall!!

With me so far?

From the depth of my experience, I’d argue that the best answer for most organizations embarking on the journey to improve their threat detection would in fact be #1 or #2 – i.e. using logs.

So, no, I won’t hate you if you do your log analysis not in a SIEM. Frankly, the #5 answer is a good one too, but it is unlikely to be where you’d start – this is probably where you will end up over time.

However, network- and endpoint-heavy approaches (compared to logs) suffer from major weaknesses, unless you also do log monitoring. For example, many folks hate agents with a passion, and SSL generally ruins layer 7 traffic analysis.

Based on this logic, log analysis (perhaps using SIEM … or not) is indeed the “best” beginner threat detection. On top of this, SIEM will help you centralize and organize your other alerts (produced by other tools), hence providing value with alert workflow and not just with log-based threat detection and – gasp! – with compliance reporting too.
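To make the “log analysis first” argument concrete, here is an added example (not code from the original post) of the kind of detection that needs nothing but authentication logs: a brute-force detector over sshd syslog lines, which also flags a successful login from a source that was just seen failing repeatedly. The log lines are constructed sample data, and the threshold (5 failures) and window (5 minutes) are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd syslog lines (not real data). Syslog timestamps
# carry no year, so parse_line() assumes one.
SAMPLE_LOGS = """\
Mar  3 10:00:01 host1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51122 ssh2
Mar  3 10:00:03 host1 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51124 ssh2
Mar  3 10:00:05 host1 sshd[2205]: Failed password for root from 198.51.100.7 port 51126 ssh2
Mar  3 10:00:06 host1 sshd[2207]: Failed password for root from 198.51.100.7 port 51128 ssh2
Mar  3 10:00:08 host1 sshd[2209]: Failed password for root from 198.51.100.7 port 51130 ssh2
Mar  3 10:00:09 host1 sshd[2211]: Accepted password for root from 198.51.100.7 port 51132 ssh2
Mar  3 10:05:00 host1 sshd[2301]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Mar  3 10:05:30 host1 sshd[2303]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2
Mar  3 11:00:00 host1 sshd[2401]: Failed password for bob from 203.0.113.5 port 40100 ssh2
Mar  3 11:00:01 host1 sshd[2402]: Failed password for bob from 203.0.113.5 port 40101 ssh2
Mar  3 11:00:02 host1 sshd[2403]: Failed password for bob from 203.0.113.5 port 40102 ssh2
Mar  3 11:00:03 host1 sshd[2404]: Failed password for bob from 203.0.113.5 port 40103 ssh2
Mar  3 11:00:04 host1 sshd[2405]: Failed password for bob from 203.0.113.5 port 40104 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line, year=2024):
    """Return a normalized event dict, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"],
            "user": m["user"], "src": m["src"]}


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failures inside the window, and any
    accepted login from such a source while those failures are still recent."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)   # src -> timestamps of recent failures
    alerted = set()                # sources already reported as brute-forcing
    findings = []
    for e in events:
        src = e["src"]
        # Drop failures that have aged out of the sliding window.
        failures[src] = [t for t in failures[src] if e["ts"] - t <= window]
        if e["outcome"] == "Failed":
            failures[src].append(e["ts"])
            if len(failures[src]) >= threshold and src not in alerted:
                alerted.add(src)
                findings.append({"type": "brute_force", "src": src,
                                 "count": len(failures[src]), "ts": e["ts"]})
        elif len(failures[src]) >= threshold:
            # A success right after a burst of failures is the higher-severity signal.
            findings.append({"type": "success_after_brute_force", "src": src,
                             "user": e["user"], "ts": e["ts"]})
    return findings


if __name__ == "__main__":
    for f in detect_brute_force(SAMPLE_LOGS.splitlines()):
        print(f)
```

Note that the most valuable finding here (the accepted root login from 198.51.100.7) comes from a plain `Accepted password` line; the host logs it whether or not anyone is watching, which is the point of starting with logs.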

Please argue…? In fact, let me help you do this … try the “real hackers don’t get logged” argument :-)
