Enterprise cybersecurity spend is currently higher than ever, but despite multi-million dollar cybersecurity investments, organizations remain vulnerable to attacks. More spend does not equal more security. Traditional security vendors offering solutions like SIEM (Security Information and Event Management) are overpromising on analytics while also requiring massive spend on basic log storage, incremental analytics, maintenance costs, and supporting resources. In a recent report, Ritu Jyoti, VP analyst at IDC, stated: “Billions of dollars are spent on products like SIEM that do not operate efficiently because they are ingesting too much data and delivering an overwhelming number of false positives…garbage in garbage out.” The result of this problem is ultimately a massive increase in costs and resource deployment for the enterprise that adopts the SIEM, as is evident from a Ponemon Institute study, which states that a mere 25 percent of SIEM costs are tied up in the initial purchase, while the remaining 75 percent go toward installation, maintenance, storage, and
Security analysts have been urging organizations to “upgrade” their SIEM deployments to include NDR (Network Detection and Response) or NTA (Network Traffic Analysis) capabilities. NTA/NDR, they promise, will add the kind of real-time protection SIEM alone can’t achieve. This claim is revealing on at least a few fronts:
1. SIEM vendors have been proven ineffective in arguing that their platforms can analyze real-time data to predict behaviors or tag true positives. The architecture and intent of traditional SIEM technology depend on historical aggregate log data, making it outdated as an effective security tool before it even goes live.
2. SIEM analytics are dependent on legacy log data, predefined rules, and alerts. Modernizing legacy SIEM solutions with additive analytics, dashboards, and intel feeds without addressing the limitations of normalized historic log data is fundamentally flawed. (SIEM solutions don’t have a baseline; they are based on a collection of aggregate data that you can run queries against.)
3. SIEM platforms originated as compliance search and investigation platforms and were not built for advanced analytics. SIEMs have no predictive or adaptive capabilities, so they are vulnerable to unknown zero-day or emerging threats. Cybersecurity professionals understand this, so they are looking for answers to these kinds of threats. If we’re to believe that next-generation cybersecurity tools like AI-powered NTA and NDR platforms truly add value for security teams, then SIEM, as it has been marketed, has failed.
The problem lies in the fact that although SIEM provides the necessary data through logs to identify and remediate threats, the time- and resource-intensive processes, and the need for human intervention to parse that data and gain actionable intelligence, diminish its value far too greatly.