Is SIEM Dead – Or Is SIEM Transforming?

Is SIEM dead?

Or is SIEM transforming?

For those not familiar with it, SIEM is a combination of security event management (SEM) and security information management (SIM).

SEM. The SEM part of SIEM is focused on quasi-real-time monitoring and correlation of security-relevant events, and on the alerting and notification needed to warn human operators - typically a trained security analyst - to pay attention and take action.

SIM. The SIM part of SIEM is focused on storage and post-event analysis of SEM-related data, and on reporting - often lumped together with security forensics - about the data aggregated through a SEM system.
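To make the SEM/SIM split concrete, here is an added illustration (not code from the original post or from any SIEM product): a SEM-style sliding-window correlation rule runs over a stream of constructed login events and raises an alert, while a SIM-style store retains every event and alert so an analyst can query the source's history afterwards and report how long discovery took. The log format, host names, user names and IP addresses are all invented for the example.

```python
"""Minimal SIEM-style pipeline: a SEM correlation rule over a stream of
events plus a SIM store kept for post-event analysis and reporting.
Added illustration with constructed sample data; not a real SIEM or log format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical hosts, users and addresses).
SAMPLE_EVENTS = [
    "2024-03-01T10:00:01 host=web01 user=alice action=login result=fail src=203.0.113.5",
    "2024-03-01T10:00:09 host=web01 user=alice action=login result=fail src=203.0.113.5",
    "2024-03-01T10:00:15 host=web01 user=alice action=login result=fail src=203.0.113.5",
    "2024-03-01T10:00:20 host=web01 user=alice action=login result=fail src=203.0.113.5",
    "2024-03-01T10:00:27 host=web01 user=alice action=login result=fail src=203.0.113.5",
    "2024-03-01T10:00:40 host=web01 user=alice action=login result=success src=203.0.113.5",
    "2024-03-01T10:05:00 host=web02 user=bob action=login result=success src=198.51.100.7",
]


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


class SecurityEventManager:
    """SEM: near-real-time correlation. Fires when one source address produces
    `threshold` failed logins inside `window` and then a successful login."""

    def __init__(self, threshold=5, window=timedelta(minutes=2)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # src -> timestamps of recent failures

    def ingest(self, event):
        """Return an alert dict if the rule fires for this event, else None."""
        src = event["src"]
        recent = self.failures[src]
        # Expire failures that have fallen out of the sliding window.
        while recent and event["ts"] - recent[0] > self.window:
            recent.popleft()
        if event["action"] == "login" and event["result"] == "fail":
            recent.append(event["ts"])
            return None
        if (event["action"] == "login" and event["result"] == "success"
                and len(recent) >= self.threshold):
            alert = {
                "rule": "brute-force-then-success",
                "src": src,
                "user": event["user"],
                "first_seen": recent[0],   # earliest failure in the window
                "alert_ts": event["ts"],   # when the SEM raised the alert
            }
            recent.clear()
            return alert
        return None


class SecurityInformationManager:
    """SIM: retains every event and alert for post-event analysis and reporting."""

    def __init__(self):
        self.events = []
        self.alerts = []

    def store(self, event, alert=None):
        self.events.append(event)
        if alert:
            self.alerts.append(alert)

    def events_from(self, src):
        """Post-event query: everything a given source address did, in order."""
        return [e for e in self.events if e["src"] == src]

    def time_to_discovery(self):
        """Report: seconds from first suspicious event to alert, one per alert."""
        return [(a["alert_ts"] - a["first_seen"]).total_seconds() for a in self.alerts]


def run_pipeline(lines):
    """Feed raw lines through the SEM and into the SIM; return the SIM store."""
    sem, sim = SecurityEventManager(), SecurityInformationManager()
    for line in lines:
        event = parse_event(line)
        sim.store(event, sem.ingest(event))
    return sim


if __name__ == "__main__":
    sim = run_pipeline(SAMPLE_EVENTS)
    for a in sim.alerts:
        print(f"ALERT {a['rule']} src={a['src']} user={a['user']} at {a['alert_ts']}")
    print("time to discovery (s):", sim.time_to_discovery())
```

The SEM half only ever holds a short window of state per source, which is what lets it alert within seconds; the SIM half holds everything, which is what lets an analyst reconstruct the full sequence for an address after the fact and measure the time-to-discovery figure the post talks about. Tuning the threshold and window to the organization's own traffic is the "analytics tuned to your business" work that separates a SIEM that is merely installed from one that is used effectively.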

The now commonplace rapid-fire media coverage of cyber-attacks, one after another, raises the question: is SIEM up to the job or not?

Is SIEM dead?

Its defenders - and certainly its makers - say that SIEM is an essential component (some go further and call it a foundation) of cyber-defense.

Its proponents correctly point out that SIEM reduces the time to discovery of cyber-events.

Is SIEM essential, or not?

SIEM has become a bedrock foundation for collecting, aggregating and storing security-relevant events occurring across the enterprise network.

You can think of SIEM as a first generation of big data for security, but using highly structured data.

But aggregating data and analyzing it effectively are two very different things.

Using it effectively means its analytics are tuned to your business processes, risk priorities and the data fed to it.

In the old days - just four to five years ago - the time to discovery averaged many months: on the order of 6 to 9 months.

Now, where SIEM is used successfully, it reduces the time to discovery of security events to 15 minutes or less.

But SIEM is not present everywhere: its use is dominant among large enterprises and declines as organizations get smaller.

Those using SIEM effectively are estimated to be less than 25 percent of those that have it.

SIEM is transforming

The first generation of SIEMs is metamorphosing, due to two natural changes: a) technology and b) delivery.

Technology change transforming SIEM

Technology changes transforming SIEM include the types of data collected and stored; analytics that feed on and learn from the data fed to them; analytics that learn from highly skilled security analysts; analytics that take over low-level tasks; and whether the findings surfaced by SIEM are relevant to the business of the organization.

Delivery change transforming SIEM

Delivery changes see SIEM delivered and consumed as a service, both as a managed SOC (security operations center) service and as a subscription service. Not only are the old days of high-priced capital outlays going away, but the service delivery options now make it relatively easier - and less of a high-wire act - to turn SIEM on, which is already expanding market interest.

Is SIEM dead?

The first generation of SIEM is transforming and will never be the same.

The changes occurring to SIEM are ones of evolution and natural selection.

First generation SIEM is dead.

May its offspring have a long and productive life.
