
SIEM Is Dead? Don’t Ask Us… Ask a CISO!

October 13, 2011

Earlier today, I was very privileged to have the opportunity to speak to a group of CISOs in a major U.S. market.  The subject of discussion?  The fact that “SIEM is Dead”, of course!  Over the course of the past few weeks, we’ve seen a flurry of responses – some fully in support, others more skeptical – of our claim that SIEM is dead.  While it’s easy to say those words, the real proof in the proverbial pudding is how security practitioners and executives respond to that claim.

During this morning’s event, we started out by identifying some points from the Verizon 2011 Data Breach report about the effectiveness – or rather, the lack thereof – of information security technologies, SIEM included, at discovering realized threats and giving security professionals the information they need to mitigate them:

  • Successful data breach activity is up substantially, having more than doubled in the past year
  • 86% of breaches were discovered by a third party
  • 92% of attacks were classified by Verizon as “not highly difficult”
  • The failure to implement simple controls was at the heart of 96% of breaches

Clearly, if SIEM is supposed to detect these data breaches and help make organizations more secure, it’s failing miserably at it.

Fortunately, every one of these security executives agreed that there are problems with SIEM.  But the participants needed more convincing that situational awareness was the right approach: most felt these problems were solely due to implementation difficulty, lack of user knowledge, professional services costs, and other operational issues.  So, let’s look at some of the problems that make SIEM a systemic failure, not just an operational one:

  • SIEM is laser-focused only on event-based data, and looks at everything as if it’s an event.  As one participant asked on today’s call, “What else is needed?”  The answer is, “a lot”.  Information security is fundamentally a discipline of discovering and analyzing the abnormal.  If everything worked as it’s supposed to, there would be little need for security practitioners.  However, that’s not the case: we have a constantly increasing base of threats and risks, coupled with a growing set of regulatory and compliance requirements.  This means you need visibility into all security-related data: certainly you need events, but you also need visibility into asset and configuration state, network traffic, performance metrics, and many other pieces of data that are not events – and should not be treated like events.
  • A bunch of point tools do not make situational awareness.  Gartner made this clear in their recent “Delivering Situational Awareness” research note.  Collecting data from SIEM and other tools is a great first step, but the ability to correlate all that data – both events and non-event information – is absolutely critical.  SIEM simply doesn’t do this.  Without that capability, you really only have a lot of tools that give you visibility into a piece of the puzzle, but not the whole thing.
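To make the two points above concrete, here is an added example (not code from the original post or from eIQnetworks) of correlating event data with the non-event data the post calls for: asset criticality and configuration-compliance state, plus a network traffic metric against its baseline. All hosts, addresses and volumes are constructed sample values; the scoring weights are illustrative assumptions.

```python
from collections import defaultdict

# Constructed sample inputs (hypothetical, not from the original post).
EVENTS = [  # event-based data: what a SIEM normally collects
    {"host": "web01", "type": "auth_failure", "src": "198.51.100.7"},
    {"host": "web01", "type": "auth_failure", "src": "198.51.100.7"},
    {"host": "web01", "type": "auth_success", "src": "198.51.100.7"},
    {"host": "lab03", "type": "auth_failure", "src": "10.0.0.9"},
    {"host": "lab03", "type": "auth_success", "src": "10.0.0.9"},
]
ASSETS = {  # non-event data: asset and configuration state
    "web01": {"criticality": 3, "compliant": False, "internet_facing": True},
    "lab03": {"criticality": 1, "compliant": True, "internet_facing": False},
}
OUTBOUND_MB = {"web01": 850, "lab03": 12}  # non-event data: traffic since the events
BASELINE_MB = {"web01": 40, "lab03": 15}   # non-event data: historical per-host baseline


def correlate(events, assets, outbound_mb, baseline_mb):
    """Fuse events with asset state and traffic metrics into prioritised findings."""
    by_host_src = defaultdict(list)
    for ev in events:
        by_host_src[(ev["host"], ev["src"])].append(ev["type"])
    findings = []
    for (host, src), types in by_host_src.items():
        failures = types.count("auth_failure")
        # Event-only view: a success after failures is a weak signal on its own.
        if failures == 0 or "auth_success" not in types:
            continue
        reasons = [f"{failures} failed logins then success from {src}"]
        score = failures
        asset = assets.get(host, {})
        score *= asset.get("criticality", 1)        # how much the asset matters
        if not asset.get("compliant", True):        # configuration state, not an event
            score += 5
            reasons.append("host out of configuration compliance")
        if asset.get("internet_facing"):            # exposure, not an event
            score += 3
            reasons.append("internet-facing asset")
        if outbound_mb.get(host, 0) > 5 * baseline_mb.get(host, 1):  # traffic metric
            score += 10
            reasons.append(f"outbound {outbound_mb[host]} MB vs baseline {baseline_mb[host]} MB")
        findings.append({"host": host, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in correlate(EVENTS, ASSETS, OUTBOUND_MB, BASELINE_MB):
        print(finding["host"], finding["score"], "; ".join(finding["reasons"]))
```

Both hosts produce the same event pattern; only the non-event context separates the critical, non-compliant, exfiltrating web server from the lab box.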

There are many other reasons why SIEM is dead; I encourage you to read up on the differences between SIEM and a platform that can deliver true situational awareness on the eIQnetworks website.

In the end, the majority of participants on this morning’s call agreed that SIEM simply doesn’t work as advertised, not only because of architecture and implementation problems, but because of a fundamental lack of capability.  The consensus was that something more is needed: something that takes into consideration all aspects of security, and does so in an efficient, user-friendly manner.  Fortunately, we know just such a solution.

So, is SIEM really dead?  We think so.  Want more evidence?  Give us a call (+1.978.266.9933) or drop us an e-mail, and give us 60 minutes of your time to demonstrate the world’s first unified situational awareness platform.  You’ll be glad you did.
