Why SIEM is Difficult

Webinar Registration

Gartner coined the term SIEM in 2005 so this is not a new technology. However, meeting goals and expectations for SIEM technology remains notoriously difficult to achieve. Why is this?

To begin with, it’s a tall order to detect breaches from raw log data because raw log data is very, very … raw. Log data is cryptic, redundant, poorly formatted and varies widely from source to source. Log data is also untrustworthy. You must know so much about the idiosyncrasies of each log source in order to interpret it.

Then there’s the problem of scale. Logs are huge in 3-dimensional terms:

Sheer volume of events to process per second
Sheer volume of mass storage needed to archive events
Sheer quantity of endpoint log sources

Of course, this means that storage, processing, bandwidth requirements of SIEM are big but so are the care and feeding. Most SIEMs tend to be pretty high maintenance – requiring arcane knowledge and skillsets just to keep the SIEM processing logs. I know of a very successful consulting firm that can’t keep up with the demand for their SIEM maintenance service.

Finally, there’s the actual dollar costs. Most SIEMs charge you based on amount of data processed and that’s hard enough to swallow but most SIEMs leave you responsible for the care and feeding costs too which tend to be linear with log volume, so you pay more than once for every gigabyte of data you ingest.

Having absorbed these costs, we have yet to get any value – other than perhaps checking a box on a compliance check list for audit log archival. Someone has to be using the SIEM – investigating alerts and doing threat hunting. SOC Analyst and Threat Hunter are another highly specialized skillset distinct from SIEM administration.

So, it’s no surprise that organizations struggle to really get ROI on SIEM.

In this real training for free event, we will look at the challenges to SIEM success and explore opportunities for overcoming them – and possibly even eliminating some of the classic problems with SIEM altogether.

LogRhythm is our sponsor for this training session. LogRhythm is a long time innovator in the SIEM market and Kevin Kirkwood will take over after my session to debut their new cloud-native SIEM – Axon.

Please join us for this real training for free session.

First Name:	Required
Last Name:	Required
Work Email:	Required Invalid email address
Phone:	Required
Organization:	Required
Country:	Required
State:	Required
Zip/Postal Code:	Required
Job Title:	RequiredRequired
	Your information will be shared with the sponsor. By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor. Tweet

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.