(By Anton Chuvakin and originally posted at Anton on Security)
One thing I did not expect to see in 2021 is a lot of people complaining about how difficult their SIEM is to operate.
Let’s explore this topic for the (n+1)-th time. And let me tell you … that “n” is pretty damn large since my first involvement with SIEM in January 2002 (!) — examples, examples, examples.
Anton’s old SIEM presentation from 2012 (source, date: 2012)
Before we go, we need to separate the SIEM tool operation difficulties from the SIEM mission difficulties. To remind, the mission that the SIEM is aimed at is very difficult in today’s environments. The mission also evolved a lot over the years from alert aggregation to compliance and reporting to threat detection and response support. Note that even intelligently aggregating, cleaning and normalizing lots of logs coming from a broad range of systems, from mainframes to microservices is not that easy…
With that out of the way, SIEM detection challenges definitely do not mean that you need to spend hours patching a SIEM appliance, for example. Or tuning the backend to make sure that the searches are fast (fast being a relative term, longer than a coffee break, but shorter than a vacation for many tools).
Over the years — and recent years — mind you, I’ve heard people say things like (quotes are all fictitious, but all inspired by real examples; if you literally said the below, this is a coincidence):
- “We dread the day when our vendor releases a software update”
- “We have a small team and we have just enough people to keep the SIEM running but we have no time left to use it”
- “We spend 60% of our time keeping the tool running and the rest tuning and using it”
- “We only have enough people to keep the SIEM running, but not to configure the collectors properly”
Now, aren’t we all surprised that this is still an issue today in 2021? I recall the day when appliance “SEM” products have started replacing the old-style installable software SIM. The vendors were touting the fact that anybody with a screwdriver can install their SIEM right into a rack — and then magic happens.
But what happened instead was reality.
Anton’s old SIEM presentation from 2009 (source, date: 2009)
So, yes, even today’s SIEM tools produce the customer reactions I mentioned above. And open source — in this context — is occasionally worse, requiring even more work to keep it up and running, performing, and scaling.
OK, now guess which ONE THING solves most of the SIEM operation challenges?
Now, how to decide if cloud native security analytics is for you? Here are some arguments:
- You are “cloud first” or as Gartner says now “cloud smart” (because “cloud-first is so 2013”)
- You want your SIEM to always perform, even if you never “performance tuned it” (like Chronicle 0.25 seconds per any search)
- You want to have easier threat detection in cloud environments
- You want all the data to be available, possibly for years at low cost
- You are willing to tolerate a less mature and possibly less feature-rich product (fact: it is hard to write as much code in 2 years as somebody else wrote in 20)
- You have intense cloud fears, rational or irrational (here it does not really matter if the fears are rational; what matters if that your organizations acts on those fears)
- You require absolutely every bell and whistle that only a 20 year vendor can deliver.