Gartner coined the term SIEM in 2005, so this is not a new technology. However, meeting goals and expectations for SIEM technology remains notoriously difficult. Why is this?
To begin with, it’s a tall order to detect breaches from raw log data because raw log data is very, very … raw. Log data is cryptic, redundant, poorly formatted and varies widely from source to source. Log data is also untrustworthy. You must know a great deal about the idiosyncrasies of each log source in order to interpret it correctly.
Then there’s the problem of scale. Logs are huge in 3-dimensional terms:
- Sheer volume of events to process per second
- Sheer volume of mass storage needed to archive events
- Sheer quantity of endpoint log sources
Of course, this means that the storage, processing and bandwidth requirements of a SIEM are big, but so is the care and feeding. Most SIEMs tend to be pretty high maintenance, requiring arcane knowledge and skillsets just to keep the SIEM processing logs. I know of a very successful consulting firm that can’t keep up with the demand for their SIEM maintenance service.
Finally, there are the actual dollar costs. Most SIEMs charge you based on the amount of data processed, and that’s hard enough to swallow, but most SIEMs also leave you responsible for the care and feeding costs, which tend to grow linearly with log volume, so you pay more than once for every gigabyte of data you ingest.
Having absorbed these costs, you have yet to get any value, other than perhaps checking a box on a compliance checklist for audit log archival. Someone has to actually be using the SIEM, investigating alerts and doing threat hunting. SOC analyst and threat hunter are highly specialized skillsets, distinct from SIEM administration.
So, it’s no surprise that organizations struggle to really get ROI on SIEM.
In this real training for free event, we will look at the challenges to SIEM success and explore opportunities for overcoming them, and possibly even eliminating some of the classic problems with SIEM altogether.
LogRhythm is our sponsor for this training session. LogRhythm is a long-time innovator in the SIEM market, and Kevin Kirkwood will take over after my session to debut their new cloud-native SIEM, Axon.
Please join us for this real training for free session.