Debating SIEM in 2023, Part 2

So, we went through “Debating SIEM in 2023, Part 1”, now let’s debate a bit more. At this point, everybody who didn’t “rage stop” reading it should be convinced that yes, SIEM does matter in 2023.

But why? I bet the views on why SIEM matters differ a lot. So let’s dive into this!

Let’s start with this: why should anyone buy a SIEM tool in 2023? And please don’t say “because you are still SIEM-less” or “because you didn’t buy it in 2003, 2013, 2020, etc.” You are not taking aspirin because of low aspirin content in your blood (as my boss of many jobs ago used to say).

Before we go any further, some definitions. I used to say SIEM and SOAR, then I said SIEM/SOAR, and now I just say SIEM, but really mean a SIEM/SOAR combination, because ultimately this is what the vast majority of organizations are buying today.

OK, let’s start our analysis using this mini-framework I just created:

  1. What problems have you solved with SIEM historically?
  2. Do you actually have those problems in 2023?
  3. What are other ways of solving these same problems in 2023?
  4. What is the cost and risk of keeping these problems unsolved?

(Some of you may say that this is ass-backwards as one should think of the problems first and then figure out the best way to solve them, to which I’d say OF COURSE! However, in this blog I am exploring why a particular toolset — SIEM — has a place in today’s security arsenal so I am being inherently tool-centric, not problem-centric.)

Now, let’s go through the questions and think.

[1] What broad problems have you solved with a SIEM?

A decent list — well, I made it up, so it better be — is below:

  • Telemetry data (“logs+”) collection and retention
  • Threat detection (1st party, i.e. SIEM content applied to telemetry, resulting in detections)
  • Alerts centralization and triage (essentially, making 3rd party detections better)
  • Alert-related automation (using SOAR side of SIEM)
  • Incident investigation support
  • Threat hunting support
  • Activity reporting, dashboards, etc.
  • Other security monitoring, other D&R workflows.

A very astute and meticulous reader will notice that some of these problems are only solved in order to solve other problems (e.g. you collect/retain logs likely in order to detect and investigate, or perhaps comply, you automate to better triage or investigate, etc).

[2] Are these the problems people have now?

I’d say most of them, yes! For many organizations, even the old compliance use case is still very much alive. Even in 2023, regulatory compliance is very much a thing. This question is definitely the easiest to answer from the framework.

[3] What are other ways of solving these problems?

Naturally, for many of the above there are other choices, but perhaps not for all of the above (see this humorous take on the same question).

What are other options for this, as I see them?

  1. Log management only
  2. EDR, and some log management
  3. XDR (however defined)
  4. EDR and NDR, and some log management
  5. Build your own SIEM-like or log management-like tool (you can even call it a security data lake, I won’t judge)
  6. Some other piece of technology that you refuse to call a SIEM but that “looks like a SIEM, swims like a SIEM, and quacks like a SIEM.” And if you call it “not SIEM”, well, let’s just agree to disagree 🙂
  7. Hire an MDR or an MSSP

Did I miss anything? Probably nothing big, but there are perhaps hybrid / mixed answers too (see this discussion of SIEM alternatives too).

(BTW, I made a colossal number of snide remarks in my analyst days about people who confuse SIEM and log management. As a reminder, the “S” in SIEM stands for security, hence if your tool just collects logs and stores them, it is obviously not a SIEM. However, it is very possible that your particular problems are nicely solved by a log management tool and do not require a SIEM. This is OK, my rage was not aimed at SIEM or log management, but at people confusing the two)
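To make the log management vs. SIEM distinction above concrete (and the “SIEM content applied to telemetry resulting in detections” and “alerts centralization and triage” items from the problem list), here is a small added example; it is not code from the original post or from any product. It assumes a constructed SSH auth log format, a constructed third-party EDR alert, and a hypothetical correlation rule (three failed logins followed by a success from one source within a two-minute window). Collecting, normalizing and searching the lines is the log management part; the correlation rule that turns stored events into a detection, and the merged triage queue, are the parts that make it SIEM-like.

```python
"""Minimal SIEM-style pipeline over constructed sample telemetry (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample telemetry ("logs+"): SSH auth lines plus one third-party
# EDR alert. Hostnames, users and addresses are made up for this example.
AUTH_LOG = """\
2023-05-01T10:00:01Z bastion sshd[2201]: Failed password for admin from 203.0.113.7 port 51001 ssh2
2023-05-01T10:00:05Z bastion sshd[2201]: Failed password for admin from 203.0.113.7 port 51002 ssh2
2023-05-01T10:00:09Z bastion sshd[2201]: Failed password for admin from 203.0.113.7 port 51003 ssh2
2023-05-01T10:00:12Z bastion sshd[2201]: Accepted password for admin from 203.0.113.7 port 51004 ssh2
2023-05-01T10:02:40Z bastion sshd[2205]: Failed password for alice from 198.51.100.20 port 40211 ssh2
2023-05-01T10:07:15Z bastion sshd[2209]: Accepted password for alice from 198.51.100.20 port 40212 ssh2
"""

THIRD_PARTY_ALERTS = [
    # Constructed EDR alert in the shape a vendor might forward to a SIEM.
    {"source": "edr", "severity": "medium", "host": "ws-17",
     "title": "Suspicious PowerShell encoded command", "ts": "2023-05-01T10:03:00Z"},
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src_ip>\S+)"
)


def parse_auth_log(text):
    """Log management step: normalize raw lines into one event schema."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable lines would still be retained raw; not indexed here
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["outcome"] = "failure" if ev["outcome"] == "Failed" else "success"
        events.append(ev)
    return events


def search(events, **filters):
    """Log management step: plain collect-and-search, no security logic yet."""
    return [e for e in events if all(e.get(k) == v for k, v in filters.items())]


def detect_bruteforce(events, threshold=3, window_s=120):
    """SIEM content (hypothetical rule): N failures then a success from one
    source IP inside a time window. The correlation is what turns stored
    logs into a detection, which is the 'S' in SIEM."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src_ip"]].append(e)
    detections = []
    for src_ip, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue
            recent_failures = [f for f in evs[:i] if f["outcome"] == "failure"
                               and (e["ts"] - f["ts"]).total_seconds() <= window_s]
            if len(recent_failures) >= threshold:
                detections.append({
                    "source": "siem-rule", "severity": "high", "host": e["host"],
                    "title": (f"Possible brute force: {len(recent_failures)} failures then "
                              f"success for {e['user']} from {src_ip}"),
                    "ts": e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"),
                })
                break  # one detection per source keeps the triage queue readable
    return detections


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def triage_queue(first_party, third_party):
    """Alert centralization: 1st- and 3rd-party alerts in one schema, ordered for triage."""
    merged = list(first_party) + list(third_party)
    return sorted(merged, key=lambda a: (SEVERITY_RANK.get(a["severity"], 9), a["ts"]))


def run_pipeline():
    events = parse_auth_log(AUTH_LOG)
    return triage_queue(detect_bruteforce(events), THIRD_PARTY_ALERTS)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(f"[{alert['severity']:>6}] {alert['ts']} {alert['host']}: {alert['title']}")
```

Run as-is and the queue shows the rule-generated brute force detection first and the forwarded EDR alert second; drop `detect_bruteforce` and what remains is exactly the “collects logs and stores them” tool the parenthetical above says is not a SIEM.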

[4] Can we refuse to solve them?

Frankly, it is very hard for a large, traditional organization to refuse to solve them. Both regulations and attackers will compel you to pay attention to these problems. While one can in theory organize one’s IT in a way that makes the broad problems never appear in the first place (e.g. be 100% “Chromebooks and SaaS”), it is probably not a choice a 200-year-old bank in Belgium can make (but a Bay Area startup perhaps can).

Conclusion! So, why buy a SIEM in 2023? Well, it is the usual: detect, triage, investigate, respond, hunt. A modern SIEM remains a very useful tool for these very tasks, the tasks remain relevant, and true drop-in replacements remain scarce. Also, it does not care if you don’t call it “SIEM” (well, maybe some future AGI-based SIEM can get mad at you for this, but I digress).

P.S. Ultimately, this post came out a bit less insightful and pithy than I hoped (and, no, I cannot blame Bard, this is all me). Still, there you have it. Maybe Part 3 would be better 🙂

Debating SIEM in 2023, Part 2 was originally published in Anton on Security on Medium.

*** This is a Security Bloggers Network syndicated blog from Stories by Anton Chuvakin on Medium authored by Anton Chuvakin. Read the original post at: https://medium.com/anton-on-security/debating-siem-in-2023-part-2-4f46e93faaf0?source=rss-11065c9e943e------2