What Security Engineers Hate About SIEM
The security information and event management (SIEM) capabilities required to meet the demands of today’s data-intensive and threat-laden business environments are only now becoming a reality. As an industry, we have reached a point where the SIEM platforms of yesteryear are too difficult to deploy, too slow to react and too expensive to meet the needs of modern security teams.
Back when I was a security engineer at companies like Airbnb and Yahoo, I experienced firsthand the challenges of legacy SIEMs. I’m not the only one; modern security practitioners aren’t shy about discussing the challenges and capabilities of their current SIEM solution.
Security Professionals Believe They’re Overpaying for SIEM
Over the last several years, business data volumes have gone from GB/day to TB/day, yet traditional SIEM providers have not evolved to handle this scale of data in a cost-effective manner. As a result, organizations are forced to pay exorbitant licensing costs to keep up with cloud-scale data volumes. Even worse, security teams find it necessary to pick and choose what log data to ingest and what data to ignore to control costs.
Panther Labs’ recent research on The State of SIEM found that, of the respondents who felt qualified to comment on the value of their SIEM relative to what they pay for the solution, over 50% believe they are overpaying. Less than 20% believe the value of their SIEM’s capabilities exceeds the cost.
SIEM Satisfaction is Mediocre
When CISOs, CIOs, CTOs, security engineers, security analysts and security architects were asked to rank the primary capabilities of a traditional SIEM according to how satisfied they were with those capabilities, an interesting picture emerged. The survey results indicated that every primary capability of traditional SIEM solutions, at best, only somewhat met the majority of users’ needs. Some capabilities were irrelevant to many users. This tepid level of satisfaction is what drove many security teams to undertake the effort to build their own security monitoring tools.
Data Coverage and Data Use
Less than 25% of the respondents believed that their SIEM covered more than 75% of their security-relevant data. Nearly 17% responded that their existing platform covered less than a quarter of their data.
Furthermore, when asked if they believed their current SIEM platform were capable of handling the volume of security data their organization will generate in the future, a third of the respondents said they expected their existing platform to keep falling behind.
These results underscore the risks security teams (and their organizations) are forced to tolerate due to the cost and overhead required to bring high volumes of security-relevant data into traditional SIEM platforms. Without full visibility into all necessary data, security teams will undoubtedly have blind spots that impede their ability to protect their organizations.
OK, so what can they do instead? Well, a cloud-native architecture capable of ingesting, normalizing and analyzing terabytes of data per day cost-effectively is necessary to keep up.
Moving From Static to Dynamic
Security professionals are well aware of the static nature of traditional SIEM platforms. Many believe they pay too much for the capabilities provided and are concerned about what the future holds.
SIEMs were designed over ten years ago when the world was a very different place. The technology hasn’t evolved its approach to keep up with the needs of cloud-scale environments. Adequate security today depends on full visibility into security-relevant data, structured, scalable data lakes, cloud-native workflows and fast detection and response times. Security teams need a modern approach to security monitoring built for the cloud-first world.