SIEM is dead – Long live the new SIEM!

Companies have been promised everything that a SIEM (Security Information and Event Management) can do: an alarm system that only had to collect enough logs and, with a little configuration, would raise an alarm as soon as an attacker tried to tamper with the data. The more logs collected, the clearer the picture would be, so the reasoning went. We chased this idea like lemmings, collecting more and more logs, only to fall into a spiral of ever more logs, more human resources, more application monitoring and new so-called use cases, heading ever faster towards chaos.

If you’re happy with your SIEM, you’re not running it right. That’s the truth. Not only are the ever-increasing costs of more and more additional log sources eating into budgets at a sustained rate, but day-to-day operation is no longer satisfactory either. Rick Ferguson, a recognized security specialist, provocatively called for 1,736 SOC analysts to handle a company’s alerts. Even if we don’t follow the provocative thesis, it’s a simple calculation: let’s assume that only 100 alarms occur in a SIEM per day. The majority of these are false positives. That leaves maybe 20 that need to be investigated. Each one then takes between hours and days to be fully analyzed. A SIEM as we know it has thus failed. Even a managed service does not change this. SIEM is dead!

So, what did we do wrong? A lot! For one, we tried to apply a technology from the turn of the millennium to modern dynamic IT processes. That’s kind of like trying to stop a car at 200 kph with a bow and arrow. Second, we’ve given little thought to what a SIEM’s goal should be but have always kept the hamster wheel turning nicely.

So, what to do? We need to rethink. What use cases do we really need? Over 90% of successful attacks use valid usernames and passwords. These attacks can only be countered with anomaly detection that learns automatically and dynamically. So, we have to ask ourselves how fit our SIEM is against insider threats and compromised credentials. Further, it needs well-rehearsed workflows that start where traditional SIEM solutions think they have done their job: What context do I need? How do I quickly get information on the extent of the attack? What countermeasures should be taken? So, we need use cases that are defined from end to end and do not leave the SOC analyst alone after the first 10%.

Now there is the question of whether an existing SIEM is old news, i.e. whether it needs to be replaced. It depends on what tasks the existing SIEM performs. If all the compliance rules are mapped there and IT operations processes are supported by it, then one would leave the installed SIEM in place but supplement it with modern technologies that specialize precisely in the benefits described above. In any case, modernization is necessary to keep up with dynamic IT processes. Whether by replacement or modernization, your SIEM will then be fit again for the present and the future. Long live the new SIEM!

So, what do you want to achieve? You want to automatically detect and analyze attacks on data and infrastructure and also initiate countermeasures right away. According to Gartner’s definition, this is an XDR (Extended Detection and Response) solution. But watch out! Only a few vendors, such as Exabeam, can handle log data in the same way across vendors and analyze it automatically. A so-called ‘vendor lock-in’ is therefore to be avoided at all costs. So SIEM has become Open XDR, just as anti-virus has become EDR. SIEM is dead!

Learn more about how Exabeam helps security teams outsmart the odds by adding intelligence to their existing security tools with analytics and automation here or contact your local Exclusive Networks Account Manager.