Living with Multiple SIEMs

Image for post
Image for post
Source: Fickr Creative Common License

(By Anton Chuvakin, originally posted at

In a perfect world, nobody will run two SIEM tools in the same environment. Because if you dream of a single pane of glass, two is not better than one. Especially if one or both have broken glass. In fact, when researching this post, I found an old joke about it that made in 2006 (!) — see slide 14 in my ancient presentation.

On a more serious note, in the last 15+ years I’ve kept encountering the organizations with 2, 3, 4 or more than 4 (!) SIEMs. So, how do you live in a “multi-SIEM” environment, if you have to do it?

Before we go there, however, please make sure to refresh how SIEM is defined. Otherwise, you can be one of those embarrassing people who think that raw log search is the same as SIEM (it is not!). In light of this, combining a SIEM tool with a standalone User and Entity Behavior Analytics (UEBA, usually downstream or alongside the SIEM) or a central log manager (CLM, usually upstream or alongside the SIEM) is perfectly logical. Well, if you want to nitpick, as SIEM and UEBA merge together into a single solution type, combining a SIEM with a separate UEBA will become less common. Another logical case is to mix/match SIEM components.

OK, so now, how about a case where you have SIEM and SIEM (or: SIEM and SIEM and SIEM), rather than SIEM and CLM? Is there a sensible multi-SIEM strategy? I’d still say not as such (because there are no technical merits for multiple SIEMs, in my learned opinion), but it is very possible that this is a daily life in your SOC.

So, what to do if you are getting into a situation where you’d actively use two similar SIEM tools? Is that perhaps a transition state, from A to A+B to B? Or, are there legitimate reasons to have that as a long-term solution?

Let’s talk about this — and to make this real, I will use an example that is very loosely based on something I may have encountered recently.

Image for post
Image for post

SIEMs to be friendly … but will it SOAR?

The above setup is actually two setup choices (tagged with [1] and [2]) — either SIEM 1 talks to SIEM 2 (choice 1), or SOAR talks to both SIEM 1 and 2 (choice 2). So, what are the strengths and weaknesses of this setup?

The main weakness is:

  • Complexity and hence fragility of the multi-system setup (due to both data flow integration needs and detection content organization). Complexity kills security. In fact, complexity kills.

There are many strengths, however:

  • Cost savings due to license, hardware and maintenance costs of reduced data volumes flowing into a pricier SIEM (SIEM 1 above) — some reported cases I’ve seen involved savings of up to 90% of SIEM 1 cost.

The above list is not here to convince you that “two is better than one”, because philosophically this is not really true. However, it is here to convince you that if you have trouble with scaling and otherwise utilizing your SIEM, the answer may in fact be in getting another that works better for some tasks.

There are also a few prerequisites for this to work somewhat well in real life:

  • Robust APIs in both products. You do want your products working somewhat together here and this means APIs to enable cross query capabilities.

Admittedly, for many practical implementations of this setup — especially those for both detection and investigation — making detection content work on such “dual SIEM” setup is not easy. A trivial thing — for a SIEM in 2003! — a cross-device correlation rule running on normalized data will be either hard or impossible on this setup for some use cases.

Conclusion: if you have challenges with your SIEM, especially related to cost and/or pricing model, it is very possible that your short term answer is augmentation and not replacement. However, I’d stop short of calling this “a multi-SIEM” strategy, because, strategically speaking, you do not need more than one SIEM…

P.S. To quote and quip my former colleague Neil, “security is becoming a big data problem” but you are the one paying for it :-)

  • Anton Chuvakin, Chronicle

Written by

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store