Can You Do a SIEM-less SOC?

Along the lines of this post, where we discussed the concept of "SIEM alternatives," let's discuss this in the context of a modern SOC.

Will I ever do or recommend a SIEM-less SOC? — As you can guess from the above, my answer is ‘it depends on what you mean by “SIEM.”’

So:

#1 Will I ever do a SOC without any log analysis capability? — Sorry, EDR (endpoint detection and response) and NTA (network traffic analysis) vendors, my answer is "HELL NO!" for the reasons covered here and there. To be fair, we do see increased reliance on EDR for SOC functions, and we see more "EDR as the 1st SOC tool" too, but I'd not go as far as to run my SOC without any log collection and analysis.

#2 Will I ever do a SOC without a commercial SIEM product? — Well, perhaps. I've seen solid SOCs built on the Elastic Stack, Splunk [reminder: without ES (Enterprise Security), Splunk is not a SIEM], Hadoop, home-grown security data lakes, etc. It can be done. Later, we can debate whether it should be done and whether it is a good idea under various circumstances. In such SOCs I see workflow functions picked up by a SOAR tool, alert triage enabled by EDR, and an occasional log review backed up by a simple log management tool. So, yes, it can work. And, yes, I've seen it work well for some people under some circumstances.
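To make the "log analysis capability" of #1 concrete, here is an added example (written for this edit, not the author's code or any vendor's product): a cross-source correlation that an EDR alone cannot produce, because it joins a VPN gateway log, a Windows security event and an EDR process event on user and time. This is the sort of rule a commercial SIEM ships out of the box and a home-grown Elastic/Hadoop/data-lake stack would have to reimplement. The log lines, user names, hostnames, the per-user "known geo" baseline and the ten-minute window are all constructed assumptions for the demonstration.

```python
"""Minimal cross-source correlation of the kind a SIEM normally provides.

Added illustration, not code from the original post. All log lines, users,
hosts, the geo baseline and the window are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# --- constructed sample logs from three sources (not real data) -------------
VPN_LOG = """\
2018-06-26T09:02:11Z vpn1 login user=alice src=203.0.113.7 geo=NL result=success
2018-06-26T09:05:40Z vpn1 login user=bob src=198.51.100.9 geo=US result=success
2018-06-26T09:40:02Z vpn1 login user=alice src=198.51.100.22 geo=US result=success
"""
# Windows Security event 4728: member added to a security-enabled global group
WIN_LOG = """\
2018-06-26T09:06:12Z ws-bob EventID=4728 Subject=bob Member=bob Group=Administrators
2018-06-26T09:44:31Z ws-alice EventID=4728 Subject=alice Member=alice Group=Administrators
"""
# EDR process telemetry: sees the host, but not the VPN hop that preceded it
EDR_LOG = """\
2018-06-26T09:41:10Z ws-alice process=powershell.exe user=alice parent=outlook.exe
"""
# Assumed per-user baseline of countries they normally connect from
KNOWN_GEO = {"alice": {"NL"}, "bob": {"US"}}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: datetime
    source: str          # "vpn", "windows" or "edr"
    host: str
    fields: dict[str, str]


def parse_line(line: str, source: str) -> Event:
    """Normalize one 'timestamp host key=value ...' line into a common schema."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable {source} line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts=ts, source=source, host=m["host"], fields=dict(KV_RE.findall(m["rest"])))


def load_events(text: str, source: str) -> list[Event]:
    return [parse_line(ln, source) for ln in text.splitlines() if ln.strip()]


def correlate(events: list[Event], known_geo: dict[str, set[str]],
              window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Rule: VPN login from an unusual country for that user, followed within
    `window` by the same user being added to Administrators on any host.
    EDR process events on that host inside the window are attached as context."""
    events = sorted(events, key=lambda e: e.ts)
    suspicious_logins = [
        e for e in events
        if e.source == "vpn" and e.fields.get("result") == "success"
        and e.fields.get("geo") not in known_geo.get(e.fields.get("user", ""), set())
    ]
    alerts = []
    for login in suspicious_logins:
        user = login.fields["user"]
        deadline = login.ts + window
        for priv in events:
            if (priv.source == "windows" and priv.fields.get("EventID") == "4728"
                    and priv.fields.get("Member") == user
                    and priv.fields.get("Group") == "Administrators"
                    and login.ts <= priv.ts <= deadline):
                edr_context = [
                    e.fields.get("process", "") for e in events
                    if e.source == "edr" and e.host == priv.host
                    and login.ts <= e.ts <= deadline
                ]
                alerts.append({
                    "user": user, "geo": login.fields.get("geo"),
                    "vpn_ts": login.ts.isoformat(), "priv_ts": priv.ts.isoformat(),
                    "host": priv.host, "edr_context": edr_context,
                })
    return alerts


def run_demo() -> list[dict]:
    events = (load_events(VPN_LOG, "vpn") + load_events(WIN_LOG, "windows")
              + load_events(EDR_LOG, "edr"))
    return correlate(events, KNOWN_GEO)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Only alice fires: bob's login comes from his baseline country, so his group change is not correlated, and alice's first (NL) login is never followed by a privilege change. The EDR event alone ("powershell.exe spawned by outlook.exe") would at most be a low-severity hint; joined with the VPN and Windows logs it becomes a triage-worthy alert, which is the point of keeping log collection and analysis even when there is no SIEM product in the picture.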

Naturally, somebody will say "I can run a SOC without a SIEM if I use an MSSP/MDR for everything." Just as naturally, they'd be wrong. Except for "hybrid SOC" scenarios where you have a SOC and use an MSSP/MDR for some functions (a case that is, to be fair, growing in importance), using an MSSP for everything generally means choosing not to build a SOC at all. But, yes, I think today this whole SOC plus/versus MSSP question has this answer: it's complicated :-)

*** This is a Security Bloggers Network syndicated blog from Anton Chuvakin authored by Anton Chuvakin. Read the original post at: https://blogs.gartner.com/anton-chuvakin/2018/06/26/can-you-do-a-siem-less-soc/