Is the SIEM dead?


It has been several years since SIEM emerged into the security industry as a “Security Alerting” system. Since then, it has grown into a huge market, with vendors like ArcSight, QRadar, Splunk and Nitro becoming successful because they were the first movers. Today, in 2020, they are becoming more and more obsolete. While people still buy a SIEM for compliance needs, the real question to ask is “Is the SIEM dead?”

What does a SIEM do?

SIEM by definition does the following:

  1. Log Collection from multiple devices/vendors
  2. Log Parsing and normalization into proprietary formats
  3. Log Aggregation
  4. Log Storage across a variety of data stores
  5. Rules Engine
  6. Management workflows
  7. API Driven Integration
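To make the first three steps and the rules engine concrete, here is an added Python illustration (not code from the original post or from any SIEM vendor). It collects two constructed log formats (an sshd-style line and a Windows-style CSV export), parses and normalizes both into one schema, aggregates events by source address, and runs a hypothetical threshold correlation rule for repeated authentication failures. All log lines, addresses (RFC 5737 test ranges) and the allowlist tuning knob are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: two vendors, two formats, the same kind of event.
# Addresses come from the RFC 5737 documentation ranges; none are real hosts.
RAW_LOGS = [
    ("sshd",   "2020-05-01T10:00:01Z sshd[1234]: Failed password for root from 198.51.100.7 port 50012 ssh2"),
    ("sshd",   "2020-05-01T10:00:03Z sshd[1234]: Failed password for root from 198.51.100.7 port 50013 ssh2"),
    ("winlog", "2020-05-01T10:00:05Z,4625,198.51.100.7,Administrator,Failure"),
    ("winlog", "2020-05-01T10:00:07Z,4625,198.51.100.7,Administrator,Failure"),
    ("sshd",   "2020-05-01T10:00:09Z sshd[1234]: Failed password for admin from 198.51.100.7 port 50014 ssh2"),
    ("sshd",   "2020-05-01T10:00:30Z sshd[1234]: Accepted password for alice from 203.0.113.9 port 40000 ssh2"),
    ("winlog", "2020-05-01T10:05:00Z,4625,203.0.113.9,bob,Failure"),
    ("winlog", "2020-05-01T10:05:10Z,4625,203.0.113.9,bob,Failure"),
    ("winlog", "2020-05-01T10:05:20Z,4624,203.0.113.9,bob,Success"),
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def _parse_ts(text):
    # Step 2 (normalization): every vendor timestamp becomes a tz-aware datetime.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def parse_sshd(line):
    """Vendor parser #1: free-text syslog line -> common schema (or None)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": _parse_ts(m["ts"]), "src_ip": m["src"], "user": m["user"],
            "outcome": "failure" if m["result"] == "Failed" else "success",
            "vendor": "sshd"}

def parse_winlog(line):
    """Vendor parser #2: CSV export with event IDs 4624/4625 -> common schema."""
    ts, event_id, src, user, outcome = line.split(",")
    if event_id not in ("4624", "4625"):
        return None  # log filtering: events this rule set never uses are dropped
    return {"ts": _parse_ts(ts), "src_ip": src, "user": user,
            "outcome": "failure" if outcome == "Failure" else "success",
            "vendor": "winlog"}

PARSERS = {"sshd": parse_sshd, "winlog": parse_winlog}

def normalize(raw_logs):
    """Steps 1-2: collect from every source and normalize into one schema."""
    events = [PARSERS[vendor](line) for vendor, line in raw_logs]
    return sorted((e for e in events if e), key=lambda e: e["ts"])

def aggregate_by_source(events):
    """Step 3: aggregate events per source address, regardless of vendor."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev["src_ip"]].append(ev)
    return buckets

def brute_force_rule(events, threshold=5, window=timedelta(seconds=60),
                     allowlist=frozenset()):
    """Step 5 (rules engine): alert when one source produces >= threshold
    authentication failures inside a sliding window, across vendors.
    `allowlist` is the tuning knob for sources that are known to be noisy."""
    alerts = []
    for src, evs in aggregate_by_source(events).items():
        if src in allowlist:
            continue
        failures = [e["ts"] for e in evs if e["outcome"] == "failure"]
        start = 0
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "auth_brute_force", "src_ip": src,
                               "count": end - start + 1,
                               "first_seen": failures[start],
                               "last_seen": failures[end]})
                break  # one alert per source per run keeps alert volume down
    return alerts

def run_pipeline(raw_logs=RAW_LOGS, **rule_opts):
    """Whole toy pipeline: collect -> normalize -> aggregate -> correlate."""
    return brute_force_rule(normalize(raw_logs), **rule_opts)

if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

Running it yields a single alert for 198.51.100.7, whose five failures span two vendors within eight seconds; 203.0.113.9 stays below the threshold. Notice that the rule's value comes entirely from the normalization step: without a common `outcome` and `src_ip` field the two vendors' failures could not be counted together, which is exactly the parsing and tuning work the rest of this post says organizations end up doing by hand.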

Every vendor does all of the above in different ways and with varying degrees of efficiency. However, all the vendors share some common issues as well:

  • Poor Scalability: By definition, SIEM products scale very well in the Log Collection and Aggregation department. However, when it comes to Correlation, the SIEM falls short on scale. Use-case-based correlation rules, log filtering, tuning and so on need to be performed with ruthless focus on minimizing the need to scale the correlation engine. While “on paper” vendors claim their correlation engines can be scaled, in practical use and effectiveness they fail.
  • Poor Intelligence: Contrary to popular belief, the rules engine has no intelligence at all. All out-of-the-box rules are stock compliance-driven or basic security-best-practice-driven. The pattern recognition rules are so archaic that organizations seldom detect a malicious attacker in the network using them.
  • Limited Scope: Outside of Security Operations Centers (SOCs), there is not much scope for a SIEM to be relevant and valuable. This is primarily because, while they are good at alarm-based event management, they are miserable at “Event Searches” and “Reporting”, which makes them less and less attractive outside of the SOC realm.
  • Steep Learning Curve: Every SIEM product suffers from a steep learning curve. The learning curve for “General Use” is comparatively easy; however, the “Power Use” and “Admin” curves are steep. Often, organizations rely on a very small set of people (often one person) who are experts on the product to keep this beast of a system up and running.
  • Maintenance Nightmare: The more you scale the SIEM, the more maintenance is needed to keep it up and running. This is an especially huge problem when you have mission-critical functions depending on alerting and monitoring from the SIEM. The amount of engineering resources burnt on this is significant.
  • Poor Analytics: While the SIEM vendors claim to be “Analytics” providers, what they provide is sub-par. Analytics requires the ability to analyse large volumes of data and run meaningful queries; however, because of the “Poor Scalability” above, most of the SIEM vendors can’t process, store and provide analytical output on large volumes of data. Splunk is for sure an exception on this point, as it is an analytics platform first and a SIEM (poorly) later.
  • Poor ITSM Capabilities: Again, SIEM vendors don’t do case management as well as ITSM tools, so they rely on third-party integrations, which are often a “one-way” integration, meaning cases can be created but updates cannot be tracked in return.
  • Poor Automation: Reliance on third-party automation and response tools makes the SIEM ecosystem even more complex.

There are probably a few more issues depending on the SIEM vendor, but in general the above are the most common ones.

So the question remains: “Is the SIEM dead?”

Let me know in the comments section.

0 thoughts on “Is the SIEM dead?”

  1. Yes it is. It has since been replaced by a complex mix of evolving technologies as a cyber defence center.

  2. Decently sized full stack of Qradar environment here (25k EPS, 450k FPM). Pre-SSD era, I would say performance at scale became somewhat of an issue while searching, filtering, correlating and we were ready to ditch.

    However, with the surge of cheap and fast storage (and AMD providing cheap horsepower), we actually started using Qradar for more departments and heavily invested in built-in REST API usage (basic stuff like creating tickets based on Qradar alarms, they get ack-cleared when tickets are closed and less basic like quarantining ports on a switch or whole subnets with firewall rule creation).

    Behaviour Analytics has caught over 230 non-signature real-threats in the past year in our corporation, wouldn’t exactly call it just archaic rules.

    Learning curve is there like with any decently complicated system (be it an NMS, Surveillance systems or NACs), it is okay to require two trained people for a critical system.
    Maintenance became a breeze as soon as everything was virtualized and maintenance workflows defined; if it is a “nightmare”, that is more likely to do with the processes or lack thereof.

    Overall, in my perspective, SIEMs in requiem was in order about two years ago, but recent developments have proven to be more of a renaissance for SIEMs.

  3. Hi Nimitt,
    In my opinion, saying SIEM is dead may not be the right analogy. At least you need the logs collated somewhere to do analytics. However, from a decision support and automated actions point of view, SIEM has limited capabilities, and the reasons are:
    a) Reactive approach: you need to know what you want to do, configure it, and then it will work for you.
    b) For everything you need people for configuration etc.

    So, AI & ML decision making and automation enabled tools may complement SIEM. A typical example is SOAR built upon SIEM.
