Network Security

10 Reasons To Break Up With Your Legacy SIEM

The Value Most Organizations Get Out of Their SIEM Deployment is Far Lower Than it Used to Be

Almost all security organizations of a certain size have a substantial and costly SIEM deployment. Historically, the SIEM has played a central role in security operations and incident response for a number of reasons.  But as time has gone on, the security operations workflow has grown more sophisticated and complex.  So much so that the value that most organizations get out of their SIEM deployment is far lower than it used to be.

I’m not suggesting that organizations suddenly give up on their SIEM deployments or rip them out entirely.  In fact, quite the opposite. What I’m suggesting is that organizations challenge their legacy SIEM providers to meet the operational needs of 2018, rather than those of 1998. And, in the event that those legacy players can’t meet today’s needs, perhaps the time to be open to other options has come.

In this spirit, I present “10 reasons to break up with your legacy SIEM”:

1. Attacks aren’t linear: Most SIEMs present the data they ingest line by line.  In other words, linearly – just as it was ingested. Unfortunately, attackers and attacks aren’t at all linear.  Staring at a list of events isn’t going to help uncover suspicious or malicious activity.

2. Focus on data value, not data volume: You are certainly welcome to collect every data source you can get your hands on. But have you thought about whether or not each data source you have access to actually provides value to security operations? If not, is it worth warehousing? Every piece of data retained both shortens the retention period your existing storage capacity can support and degrades query performance during investigation and analysis. Collect smarter, not harder.

3. Too many tools: The number of security tools that most security organizations have is simply astounding. With so many tools, the time has come to demand that each tool address multiple different operational requirements. As security operations has matured as a field, the requirements for the SIEM have grown well beyond the capabilities found in most of the legacy providers.

4. Internal traffic: Many security solutions, SIEMs included, lean heavily on perimeter traffic for visibility. Unfortunately, there is also a lot of important stuff going on inside the perimeter.  Things like lateral movement, misuse of internal applications, and credential theft generally happen deep inside the organization.  Unfortunately, that is an area where many organizations struggle to gain adequate visibility. Organizations can’t simply turn a blind eye.

5. Slice and dice: Most of the security analysts I know are talented, clever, and creative. They need tools that allow them to build sophisticated queries to slice and dice data in ways that enable them to investigate suspicious activity and identify other activity requiring attention.  Further, speed and performance are key here.  No one should have to wait hours to know whether or not a given type of activity has been seen before.

6. Correlation: Security teams need their tools to help them connect the dots between related events. At a minimum, security tools need to aid, rather than fight the analyst in making these connections.  Beyond that though, modern tools need to connect some of the relevant dots automatically, before the analyst ever sets eyes on them.

7. Context:  Building the narrative around an event or events allows the security team to make timely and accurate decisions.  This involves putting together a delicate puzzle of supporting evidence from a variety of different data sources to bring important context to otherwise context-less events. Tools that don’t support this level of investigative freedom, or better yet, do some of it automatically, just don’t make the grade in 2018.
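To make the argument of items 6 and 7 (and the non-linear point of item 1) concrete, here is an added example; it is not code from the article or from any SIEM product. It takes constructed log lines from two invented sources (a VPN gateway and forwarded Windows logon events), groups them into per-user timelines instead of a flat line-by-line list, looks for a multi-step pattern (several failed VPN logons, then a success, then network logons to several internal hosts within a short window), and enriches the finding with a constructed asset-criticality and user-role lookup so the analyst sees a narrative rather than isolated events. The log format, thresholds, hostnames, users and lookups are all assumptions.

```python
"""Correlate flat log lines into per-user timelines and flag a multi-step
pattern with added context. Added example, not the article's code; every
log line, host, user and threshold below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two sources; the line format is invented.
SAMPLE_LOGS = """\
2018-03-01T08:00:01 vpn auth user=alice src=203.0.113.7 result=fail
2018-03-01T08:00:04 vpn auth user=alice src=203.0.113.7 result=fail
2018-03-01T08:00:07 vpn auth user=alice src=203.0.113.7 result=fail
2018-03-01T08:00:10 vpn auth user=alice src=203.0.113.7 result=success
2018-03-01T08:02:30 win logon user=alice host=FS01 type=network
2018-03-01T08:03:10 win logon user=alice host=DC01 type=network
2018-03-01T08:03:55 win logon user=alice host=HR-DB01 type=network
2018-03-01T08:01:00 vpn auth user=bob src=198.51.100.9 result=success
2018-03-01T08:30:00 win logon user=bob host=WS-BOB type=interactive
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<action>\w+) (?P<kv>.*)$")

# Constructed context lookups (in a real deployment: CMDB, HR directory).
ASSET_CRITICALITY = {"DC01": "high", "HR-DB01": "high", "FS01": "medium", "WS-BOB": "low"}
USER_ROLE = {"alice": "finance analyst", "bob": "sysadmin"}


def parse_line(line):
    """Turn one raw line into a dict; returns None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    return {"ts": datetime.fromisoformat(m.group("ts")),
            "source": m.group("source"), "action": m.group("action"), **fields}


def build_timelines(text):
    """Group events by user and sort each user's events by time (the
    'non-linear' view: ingestion order no longer matters)."""
    timelines = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and "user" in ev:
            timelines[ev["user"]].append(ev)
    for events in timelines.values():
        events.sort(key=lambda e: e["ts"])
    return timelines


def find_suspicious_sequences(timelines, min_failures=3,
                              window=timedelta(minutes=5), min_hosts=3):
    """Connect the dots: failures -> success -> fan-out to many hosts,
    all within `window` of the successful VPN logon. Thresholds are assumptions."""
    findings = []
    for user, events in timelines.items():
        for i, ev in enumerate(events):
            if ev["source"] != "vpn" or ev.get("result") != "success":
                continue
            failures = [e for e in events[:i]
                        if e["source"] == "vpn" and e.get("result") == "fail"
                        and ev["ts"] - e["ts"] <= window]
            later = [e for e in events[i + 1:]
                     if e["source"] == "win" and e["ts"] - ev["ts"] <= window]
            hosts = {e["host"] for e in later}
            if len(failures) >= min_failures and len(hosts) >= min_hosts:
                findings.append({
                    "user": user,
                    "role": USER_ROLE.get(user, "unknown"),
                    "src": ev.get("src"),
                    "failed_attempts": len(failures),
                    "hosts": sorted(hosts),
                    "high_value_hosts": sorted(
                        h for h in hosts if ASSET_CRITICALITY.get(h) == "high"),
                    "start": failures[0]["ts"],
                    "end": later[-1]["ts"],
                })
    return findings


def narrative(f):
    """Render a finding as the kind of story an analyst wants, not a list of lines."""
    span = int((f["end"] - f["start"]).total_seconds())
    return (f"{f['user']} ({f['role']}): {f['failed_attempts']} failed VPN logons from "
            f"{f['src']}, then a success, then network logons to {len(f['hosts'])} hosts "
            f"({', '.join(f['hosts'])}) within {span}s; high-value hosts: "
            f"{', '.join(f['high_value_hosts']) or 'none'}")


if __name__ == "__main__":
    for finding in find_suspicious_sequences(build_timelines(SAMPLE_LOGS)):
        print(narrative(finding))
```

Note that "bob" never surfaces: he has a single successful logon and one host, so nothing is raised even though his lines sit interleaved with alice's in the raw feed. The enrichment step is what turns "three hosts" into "two of them are high-value", which is the context item 7 asks for.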

8. Smarter content development:  No matter how good an organization is at keeping up with the latest and greatest detection techniques, there is always room for improvement.  If you’ve got a smart team with great ideas, they are likely frustrated by the analytical limits and query power of legacy SIEMs.  Perhaps it is time to allow them to unleash their creativity on modern tools that empower them to discover and implement new detection techniques percolating inside their heads.

9. Smoother investigation: If you’ve ever tried investigating an incident using a legacy SIEM, you likely learned very quickly that the whole process was not exactly smooth. Today’s investigations require tools designed with enough flexibility and power to allow for incisive querying across a large volume and variety of data.

10. New approaches: Manually developing alert logic is an extremely important activity, but it can be an extremely bandwidth-limited one as well. Automated analytical approaches have matured to the point where they can (if implemented correctly) add value to the security operations workflow by producing value-added alerts. Of course, there are tools that lack analytical rigor and produce a large volume of false positives and noise. However, there are a select number of tools that can produce a reasonable volume of high-fidelity, reliable alerting that a human might not have identified. Slowly but surely, this capability is becoming a must-have for the modern security team.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
