Security information and event management (SIEM) is still integral to digital security. However, newer entrants to the market claim SIEM as we know it is dead. It seems like every year, another vendor rings the death bells for SIEM.

Yet even groups adopting new tools, like extended detection and response (XDR), see SIEM as an important component of the new stack. SIEM is very much alive. So, why does this popular and effective service get a bad rap?

Let’s debunk some common SIEM myths.

SIEM Can Serve Businesses of Any Size

Myth: SIEM is only for large enterprises. Since most large employers use SIEM tools, SIEM is therefore only useful for large entities with advanced IT teams.

Fact: The best SIEM for you is the one that can adapt to your needs in a modular fashion. While not every business needs all of the bells and whistles, small and medium-sized businesses can perform the essentials to keep their business secure and compliant. Smaller groups without a more robust defense function can find value in out-of-the-box content and analytics to cover standard use cases, such as threat detection, compliance and monitoring.

In addition, businesses don’t stay small forever. You should select a vendor that can fulfill your needs over time as you scale. Larger groups need a platform to expand coverage for more advanced use cases — often augmenting network, user and domain name system analytics. Just because the bells and whistles exist doesn’t mean you need them to get value from your SIEM system. For most, out of the box will be enough.

SIEM Can Be Affordable

Myth: SIEM is too expensive. SIEM requires a large amount of data, and the cost will rise as you scale, becoming too expensive along the way.

Fact: Older SIEM pricing models can often make SIEM more expensive than it needs to be. While not all vendors price SIEM the same way, vendors that use storage-based pricing will become expensive very quickly. Likewise, vendors who use throughput (often measured in events per second) or per-user pricing have been common in the market.

However, in 2020, many vendors have adjusted SIEM pricing models to compensate for the steady increase in data being produced. Some vendors have shifted to non-capacity-based pricing models, often charging by the number of managed hosts, allowing users to more easily predict the cost.

Before you begin to think price, you should ask yourself what data you need for your use cases. The SIEM doesn’t need to crunch all of your data. Instead, you should focus on the data needed for use cases most important to you. For compliance and data retention, it is best to look for a data lake option. Many vendors offer this for low-cost log storage. By offloading commodity logs to a data lake, you can quickly make SIEM projects more feasible and cost-efficient.

Responding to New Threats

Myth: SIEM security tools can only detect known threats. SIEM only uses correlation rules, so it is only good for detecting what you already know.

Fact: While that statement may have been true in 2005, SIEM tools, like the threats they detect, have evolved. Now, SIEM uses multiple types of analytics for cross-layered coverage for different use cases. Correlation is most often used for detecting a known malicious behavior — for example, if a malicious IP or hash file shows up in your environment. These types of analytics often work best with threat intelligence, performing correlation against reputation and threat feeds.

In addition, SIEM can utilize anomaly detection, which is a statistical method used to tell if there are deviations from a baseline. This method is useful in spotting assets sending large volumes of data over the network or using different ports and protocols. Finally, SIEM can use machine learning to model other things, such as user behavior. User behavior analytics within the SIEM system create profiles of users to detect changes that could signal danger, like an insider threat. This mix provides a robust toolkit for detecting both known and unknown threats.

Fact: SIEM is here to stay. SIEM isn’t dead. It’s still a key resource and will continue to be in the future. While the market dynamics have changed, reports, such as the 2020 Gartner Magic Quadrant for SIEM, can help you identify the SIEM solution that best meets your needs.

To learn more about SIEM myths, check out the blog “Six Myths of SIEM.”

More from Intelligence & Analytics

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today