Mature doesn't equate to productive with SIEMs
The latest Gartner Hype Cycle for SecOps is a great reflection of the complexity and demands security teams are dealing with. In laying out a maturation timeline of all technologies available to support security operations, it provides a menu of technologies intended to help SOCs stay on top of current threats, and equip themselves to deal with emerging (and future) challenges.
SIEMs are facing an interesting dilemma. For years they were seen as the panacea of security operations, and SIEM is now about to vacate the “Slope of Enlightenment” and enter the “Plateau of Productivity”. The challenge for a vast number of organizations is that their SIEM deployments - across various types of SIEMs - are anything but productive or efficient. In fact, as the IT landscape has evolved, one could argue that SIEMs are now more of a hindrance than a help in threat detection and response efforts.
Originally designed as log collectors, SIEMs have certainly expanded their capabilities to include detection methods (notably UEBA), compliance monitoring and more. Fundamentally, though, and even as the more widely deployed SIEMs have been ported to the cloud, they have created more work, complicated threat detection and response efforts, and consumed ever-larger and unsustainable portions of security budgets. So why have SIEMs become problematic for SecOps modernization?
Core SIEM Challenges
The core issue is that SIEM detections, UEBA detections included, are incredibly noisy in the alerts they generate for security teams to triage and investigate. As security tools generate more and more data, SIEMs simply spew out more alerts, overwhelming security analysts and leaving security operations with several challenges:
- Licensing costs continue to increase, or stay high, with the volume of data - whether the vendor prices on a data consumption model or has switched to a compute model to shift revenue under a different label.
- As the Gartner Hype Cycle notes under Obstacles, “Getting a SIEM to perform well against detecting attacks requires dedication and sufficient staffing. Undermanaged SIEMs continue to plague many organizations.” Tools that have claimed to deliver “advanced” detection have pushed the burden onto the customer to staff and train on a tool, endlessly creating and maintaining detection rules, which is now producing an abundance of noise.
- SIEMs lack the insights or guidance to effectively filter the alert noise and to offload or guide investigations. Another obstacle noted in the Gartner Hype Cycle: “SIEM threat detection performance is dependent on not only SIEM and its configuration, but also the detection stack and all supporting telemetry chosen to be sent to the SIEM.”
The result is obvious, and it is why the SIEM market is under duress: SIEMs are essentially moving from a mature state to an obsolete one. They cannot keep up with the volume and variety of security data, they require massive detection engineering effort, and they lack the ability to match the sophistication of attack activity emerging anywhere across the ever-growing attack surface.
This realization is driving the shift to pure cloud security platforms. As Gartner notes, “The need for more scale of compute and storage is a primary driver for most modern SIEMs to be delivered on a cloud platform, as a service. SaaS SIEM solutions in the cloud transfer the platform and infrastructure maintenance to the vendor, and allow for more predictable linear budgeting for growth.” The distinction is that SIEMs have been predominantly unsuccessful at rebuilding themselves as a “SaaS SIEM”. Security organizations are therefore looking at solutions like the Hunters SOC Platform to address budget predictability, to truly offload detection engineering to a flexible detection-as-a-service, and to go further by providing enriched auto-investigation capability that alleviates pains across data ingest, detection and investigation, delivering the operational efficiency long sought after in security.