GUEST ESSAY: The Top 5 myths about SIEM –‘security information and event management’

One of the most commonly repeated phrases in the security industry is, “Security teams hate their SIEM!”

Related: The unfolding SIEM renaissance

Security Information and Event Management (SIEM) is not what it was 20 years ago. Don’t get me wrong, SIEMs do take work through deployment, maintenance, and tuning. They also require strategic planning. Yet, much to the chagrin of everyone who believed the vendor hype, they fail to provide the “single pane of glass” for all tasks in security operations promised so long ago.

With all that said, there are some aspects of the SIEM that have improved significantly over the past 20 years, despite a barrage of security marketing suggesting otherwise.

Further, there are innovations happening in the market today to bring forth a new era for the SIEM. This evolution is more aptly named security analytics platforms, which not only handle log ingestion and storage, but also more effectively address the detection and response use cases SOCs need.

Security analytics platforms combine SIEM, SOAR, and UEBA to cover the complete incident response lifecycle from detection, investigation, and response, in conjunction with other important use cases like compliance.

Below, I take a page from the book of my old combinatorics class and provide a disproof by counterexample (in some cases x2). Here are five misconceptions, or myths, related to the SIEM, now security analytics platforms:

SIEMs are only good for compliance. Security analytics platforms are pushing hard for differentiation in the detection and response space, with solutions like Exabeam, Securonix, and IBM Security making it a point of contrast in the latest Forrester Wave: Security Analytics report. In addition, even as recently as 2019, solutions like Microsoft Sentinel are roaring into the space, purpose-built for security use cases.

Furthermore, the general sentiment in the market does not actually reflect this misconception. This is exemplified in a recent survey I ran, which found that over 80% of practitioner respondents stated they use their SIEM primarily for detection and response use cases.

SIEMs don’t scale. Querying at scale is a long-recognized challenge of legacy SIEM solutions; when you intentionally create a big data problem, you must also find a way to solve it. What many security teams find is they often struggle with scaling the SIEM because of the way they approach log collection — instead of thinking about it strategically, it becomes all or nothing.

However, there are cases where enterprises, like large players in the financial services vertical, simply need to collect ridiculously vast amounts of data. There are incredibly fast products on the market (along with significant innovation happening in this space today) to address this with security analytics platforms like Devo and Chronicle.

•Security teams hate their SIEM.  Let me just say it outright: there are practitioners that love their SIEM. And it’s not just anecdotal data driving this notion – according to a recent Forrester poll of practitioners, over 50% of respondents like or love their SIEM.

•SIEMs don’t do orchestration of response. The myth that SIEMs don’t do orchestration of response seemed sort of true a few years ago, but is mostly untrue at this point.

Ultimately, SOAR technology has been or is being absorbed by larger security analytics platform players, to the point where many security analytics platforms incorporate automation and orchestration natively. This is quantified in the latest Forrester Security Analytics Wave and exemplified in solutions like FireEye Helix, Microsoft Sentinel, and IBM QRadar.

SIEM is dead.The misconception that SIEM is dead is just a tad ridiculous and overblown. SIEMs remain a core part of the security operations technology stack for most mid to large enterprises, and, according to Forrester’s State of Network Security Report, security teams that experience a breach are expanding their security monitoring, not stifling it. Ultimately, Security analytics platforms remains the backbone of the SOC and aren’t going away, despite challengers like XDR rising up as competition.


Are there challenges with security analytics platforms and their predecessors, SIEMs? Absolutely. This is in no way a tacit endorsement or defense of the shortcomings of SIEM technology.

However, this is to say that the way we thought about SIEM years ago is not representative of the multi-faceted tool security teams use today. Security analytics platforms are widely used in the SOC and, with a focus on innovation in detection, exceptional user experience, and automation for investigation and response, can continue to be.

About the essayist: Allie Mellen is an analyst at Forrester; she covers security infrastructure and operations, including SOC, SIEM, SUBA, SA, SOAR, EDR and XDR.

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: