Depending on who you ask—and no matter where they live—it’s either an open secret or an obvious truth that legacy SIEM (Security Information and Event Management) hasn’t met expectations as a cybersecurity solution, let alone lived up to the hype that has surrounded it for what seems like forever.
Let’s quickly review why that’s the case and then turn to more important matters: how to achieve the desired security outcomes that once led us to consider SIEM in the first place.
How we got to now: a brief history of SIEM
The term “SIEM” itself first appeared in a 2005 Gartner Research report, capturing the amalgamation of Security Information Management (SIM) and Security Event Management (SEM)—functions which have existed in some form since the late 90s.
At inception, SIEM promised to aggregate security signals (primarily logs) and make them explorable via a single pane of glass. An admirable goal, but one that belies the complexity of the task and, rightly or wrongly, overlooks the key question of what one actually does with any insights that arise.
In pursuit of the one pane to rule them
goal, SIEM platforms include a collection of aggregation, correlation, and alerting functions. For 15 LONG years a pattern has repeated:
- Each SIEM generation strengthens these core functions
- The same problems refuse to disappear
- SIEM vendors promise that the next generation will finally deliver what’s needed
And all the while, digital transformation means that the threat surface expands and highly motivated threat actors relentlessly innovate.
The problems endemic to SIEM platforms are well-documented and include:
- It is very challenging and time-consuming to install, configure and (where applicable) customize a SIEM—even when the jobs are being performed by experts; like many security technologies, only the largest enterprises have the resources (financial and skillset) to succeed
- It is very hard to show quantitative—or even qualitative—results
- It is tremendously difficult to tune the SIEM to catch real security events while simultaneously limiting false positives and avoiding completely overwhelming the analysts who must examine the alerts; in fact, incident analysis of many high-profile breaches reveals that alerts were generated, but these important signals were missed in a sea of noise
- Even if a SIEM is perfectly configured and is generating actionable alerts, it doesn’t tell you how to respond to the threat or equip you with the tools to do so; that is, even in a best-case scenario, a SIEM is merely one tool of many that are needed
To try and overcome these last two issues, SIEM vendors around the globe have claimed to augment their platforms to provide, or are being integrated with, User and Event Behavioral Analytics (UEBA) and Security Orchestration, Automation and Response (SOAR) functionality. Like SIEM, each of these is simply another tool; moreover, bolting SIEM to UEBA and/or SOAR introduces still more complexity.
Despite these shortcomings, SIEM platforms often appear as a default entry on cybersecurity shopping lists—and in 2015, SIEM was the fastest-growing security market segment. In part, this earlier popularity can be attributed to a business need to answer compliance questions: practically every regulatory compliance body has some text about log collection and review capabilities. So, many organizations decided that even though a log manager would suffice, they would go full-SIEM and grow into it over time.
Time, however, has proven this approach to be hopeful at best and Quixotic at worst: we find ourselves in the fourth and fifth generation of SIEM and still waiting for these platforms to deliver what is promised. And remember, even at its best a SIEM platform is only a piece of the detection puzzle.
Achieving a top-level business outcome—preventing and rapidly containing threats—requires considerably more. Perhaps that’s why Managed Detection and Response services are experiencing explosive growth.
Achieving real business outcomes: why MDR provides the answer
In August 2020, Gartner released the fifth edition of its Market Guide for Managed Detection and Response Services.
According to the Guide, Gartner has observed “a 44 percent growth in end users’ inquiries into MDR services during the past 12 months,” and the firm anticipates that “by 2025, 50 percent of organizations will be using MDR services for threat monitoring, detection, and response functions that offer threat containment capabilities.”
The guide highlights that one driving factor behind the growth of MDR is that security leaders recognize that detecting a threat quickly is meaningless without the ability to quickly and effectively respond.
More generally, the wider IT community is accepting the painful reality that all organizations are under attack—whether opportunistic or targeted—and that the threat landscape is constantly changing.
There are a number of factors that continue to evolve that only serve to increase the burden for already overtaxed IT teams:
- The attack surface is increasing and the perimeter is dissolving; the rapid and widespread adoption of cloud services has created severe underhang in security coverage
- Many security technologies/solutions are hard to use, because they were designed for large enterprises; the vast majority of IT teams lack the resources and expertise to effectively use the wide range of cybersecurity tools needed to implement and maintain effective detection and response capabilities
- There is a severe shortage of cybersecurity experts, so it’s extremely challenging—and costly—for organizations to attract (whether net-new or to replace staff who exit) and retain professionals skilled enough to address their cybersecurity needs
- Security is increasingly a big data problem: aggregating and processing logs is only one small piece, and even a medium-sized business can generate billons of events and thousands of alerts per day
- Adversaries skillfully combine capable attackers and advanced technology—to efficient, scalable and devastating effect
In the modern security environment, SIEM is but one tool of many that make up or enable a multi-layered approach. And beyond the technology toolset, organizations need to also invest in people and processes: it takes all three to build and maintain a strong security posture.
Today’s organizations—especially small and medium businesses and the channels who serve them—are turning to MDR because of its proven ability to deliver real business results. MDR is able to do so because it overcomes the problems outlined above:
- MDR allows organizations to cover their entire threat surface
- MDR removes the complexity and expense of deploying and managing cybersecurity solutions
- MDR lets organizations benefit from the skills and knowledge of cybersecurity professionals, without needing to recruit, train and retain those professionals
- MDR offloads the big data problem onto the MDR provider, allowing the organization itself to focus only on security events that require attention
- MDR delivers the combination of people, processes and technology needed to detect and respond to threats effectively and at scale
And the proof is demonstrated in real world experience. In eSentire’s case, the average is 35 seconds to initiate action (respond) and 20 minutes to isolate and contain a threat.
SIEM is a tool; MDR is a solution
The bottom line when it comes to SIEM is that a SIEM platform is just a technology tool (or toolkit). Some organizations will get use out of it eventually, provided they have the resources to install, build, maintain and extend the platform. But the last decade has shown quite clearly that most organizations, and especially small and medium businesses, are unable to attain the results for which they hoped.
While it’s true that the price tag for SIEM platforms has been trending downward, that really only applies to the upfront cost; the backend complexity will remain.
At eSentire, we encourage companies to take a business outcome-oriented approach to their cybersecurity needs. If your desired business outcome is wholly addressed by aggregating security events and information, then a SIEM might well be the tool you need, but experience shows that this well-defined and limited need represents only the minority of cases (and if you’re looking for regulatory compliance, then a log manager might do the trick much more cost-effectively).
In fact, we use a commercial-grade SIEM as an element within our overall enabling architecture … alongside our Atlas platform, proprietary machine learning algorithms, copious automation technologies, massive investment in people and processes, wide array of sensors, embedded agents to enable rapid response and so on.
We needed a next-gen SIEM as a piece within a larger MDR service.
Your business, we can assure you, needs the full capabilities of adaptive Managed Detection and Response to be set for now and the future.
