Skip to content

We were right… SIEM is Dead!

March 7, 2012

At the end of last year we announced our belief that SIEM, as an effective tool for protecting large distributed networks against cyber or insider attack, was dead.  We cited the growing complexity of attacks, driven in part by:

–   An increased complexity in network architectures;

–   The inability of signature-based technologies to identify zero-day and advanced persistent threats;

–   The need to collect ALL security data (not just log and event data);

–   The effective end of perimeter security as a way of stopping breaches from happening; and

–   The need for a way to correlate increasing volumes of security data in its native format, to provide security analysts with the intelligence they need to proactively mitigate the damage done by an attacks and protect critical data assets.

Sure, there’s still a place for point SIEM tools in the information security equation – but effectively only as data collectors, and only for event-based data; as we all know, system state data, network traffic, performance metrics, and other security data elements are not events… and SIEM platforms that try to treat them as such are of minimal use.  So again, we say that SIEM – as it was intended and sold to customers as a panacea for security threat detection – is indeed dead!

So what’s the next step?  We’ve put forward our vision of the future: something known as Situational Awareness.  Organizations with a situational awareness capability have the ability to see the inner workings of their network in real-time.  They can see, specifically, where an attack entered their environment, how it is propagating within it and identify the most likely target.  This enables them to proactively take steps to stop an attack from doing damage or accessing critical systems and data.

Some questioned our assessment of the SIEM market; some questioned our credibility – citing billion dollar investments by the likes of McAfee and IBM as evidence that SIEM was far from dead.  But, wandering the halls, hearing the conversations in the coffee shops one of the buzz phrases at this year’s RSA Conference is… wait for it… Situational Awareness.

Have no doubt: whether it is trying to shoehorn features into a SIEM to deliver a situational awareness-like capability (oh, and good luck with that!), or simply rephrasing old marketing collaterals by plastering “situational awareness” all over them, vendors are rapidly assimilating and speaking the situational awareness message.  Of course, the real question is, can they deliver on it?  Well, we certainly know of one company that has been delivering real situational awareness capabilities through a unified platform purpose-built for enterprise-grade security analysis, compliance automation, scalability, and reliability.  But otherwise, the landscape looks to be littered with a lot of dead SIEM vendors.

One Comment leave one →
  1. Axel T. permalink
    March 20, 2012 5:51 am

    The reality is that SIEMs were never bought for securities reasons in the first place 🙂

    They main purpose in life was corporate compliance. Let’s face it, who in corporate America’s IT department believes that they have security threats?

    Of course there are no security problems at retailers, financial institutions ….. that’s why I receive on the average every 3-4 month new credit card(s) because they were compromised. Naturally “compromised” is not a security threat 🙂

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: