Let’s talk about the elephant in the room. Raise your hand if you’ve been let down by your SIEM. Wow. That’s a lot of hands.
You're definitely not alone. Categorically, every organization we deal with says they are not getting value from their SIEM investment and that the cost to increase capacity was much higher than the perceived value.
In almost all cases the SIEM was being used for basic log management and compliance and not for threat analysis. The common issue amongst many of these organizations is twofold. Firstly, many of them aren’t large enough to warrant an investment in a SIEM and secondly, they simply haven’t invested in the skills to tune and operate their SIEM while large organizations and MSSPs deal with significant scalability and performance issues.
With most major MSSP’s you have dedicated SIEM Admin team who maintain the SIEM platform while another team tunes and develops rules for the SIEM while another 24/7 analyst team conducts the security monitoring. These are three separate skill sets requiring dedicated resources not present in most organizations.
One mid-size financial firm said their vendor had sold them a lemon, promising ease of use and magical powers of finding the needle in their haystack, but instead they were left to deal with more hay. Another executive of a major bank said they had invested millions in their SIEM solution and the experts to run it and they were yet to see evidence of any real-world benefits. They were still getting too many alerts even after spending years tuning it. They had an internal joke where they referred to their SIEM as the “Stupidly Irrelevant Electronic Messaging.”
At LMNTRIX, we don’t use a SIEM, however to ensure clients meet their logging and compliance requirements and do it without breaking the bank, we make available for a low monthly fee an all-you-can-eat search and analytics service called LMNTRIX ThinkGrid that allows for unlimited log capacity and the flexibility to deploy on premise or AWS.
Security information and event management is a crucial and widely used security technology, yet many security architects struggle to get value from their often expensive deployments.
– Gartner “SIEM technology. Market and vendor assessment", Anton Chunakin and Augusto Barros, February 10, 2016