Security information and event management (SIEM) is still integral to digital security. However, newer entrants to the market claim SIEM as we know it is dead. It seems like every year, another vendor rings the death bells for SIEM.

Yet even groups adopting new tools, like extended detection and response (XDR), see SIEM as an important component of the new stack. SIEM is very much alive. So, why does this popular and effective service get a bad rap?

Let’s debunk some common SIEM myths.

SIEM Can Serve Businesses of Any Size

Myth: SIEM is only for large enterprises. Since most large employers use SIEM tools, SIEM is therefore only useful for large entities with advanced IT teams.

Fact: The best SIEM for you is the one that can adapt to your needs in a modular fashion. While not every business needs all of the bells and whistles, small and medium-sized businesses can perform the essentials to keep their business secure and compliant. Smaller groups without a more robust defense function can find value in out-of-the-box content and analytics to cover standard use cases, such as threat detection, compliance and monitoring.

In addition, businesses don’t stay small forever. You should select a vendor that can fulfill your needs over time as you scale. Larger groups need a platform to expand coverage for more advanced use cases — often augmenting network, user and domain name system analytics. Just because the bells and whistles exist doesn’t mean you need them to get value from your SIEM system. For most, out of the box will be enough.

SIEM Can Be Affordable

Myth: SIEM is too expensive. SIEM requires a large amount of data, and the cost will rise as you scale, becoming too expensive along the way.

Fact: Older SIEM pricing models can often make SIEM more expensive than it needs to be. While not all vendors price SIEM the same way, vendors that use storage-based pricing will become expensive very quickly. Likewise, vendors who use throughput (often measured in events per second) or per-user pricing have been common in the market.

However, in 2020, many vendors have adjusted SIEM pricing models to compensate for the steady increase in data being produced. Some vendors have shifted to non-capacity-based pricing models, often charging by the number of managed hosts, allowing users to more easily predict the cost.

Before you begin to think price, you should ask yourself what data you need for your use cases. The SIEM doesn’t need to crunch all of your data. Instead, you should focus on the data needed for use cases most important to you. For compliance and data retention, it is best to look for a data lake option. Many vendors offer this for low-cost log storage. By offloading commodity logs to a data lake, you can quickly make SIEM projects more feasible and cost-efficient.

Responding to New Threats

Myth: SIEM security tools can only detect known threats. SIEM only uses correlation rules, so it is only good for detecting what you already know.

Fact: While that statement may have been true in 2005, SIEM tools, like the threats they detect, have evolved. Now, SIEM uses multiple types of analytics for cross-layered coverage for different use cases. Correlation is most often used for detecting a known malicious behavior — for example, if a malicious IP or hash file shows up in your environment. These types of analytics often work best with threat intelligence, performing correlation against reputation and threat feeds.

In addition, SIEM can utilize anomaly detection, which is a statistical method used to tell if there are deviations from a baseline. This method is useful in spotting assets sending large volumes of data over the network or using different ports and protocols. Finally, SIEM can use machine learning to model other things, such as user behavior. User behavior analytics within the SIEM system create profiles of users to detect changes that could signal danger, like an insider threat. This mix provides a robust toolkit for detecting both known and unknown threats.

Fact: SIEM is here to stay. SIEM isn’t dead. It’s still a key resource and will continue to be in the future. While the market dynamics have changed, reports, such as the 2020 Gartner Magic Quadrant for SIEM, can help you identify the SIEM solution that best meets your needs.

To learn more about SIEM myths, check out the blog “Six Myths of SIEM.”

More from Intelligence & Analytics

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Despite Tech Layoffs, Cybersecurity Positions are Hiring

4 min read - It’s easy to read today’s headlines and think that now isn’t the best time to look for a job in the tech industry. However, that’s not necessarily true. When you read deeper into the stories and numbers, cybersecurity positions are still very much in demand. Cybersecurity professionals are landing jobs every day, and IT professionals from other roles may be able to transfer their skills into cybersecurity relatively easily. As cybersecurity continues to remain a top business priority, organizations will…

4 min read

79% of Cyber Pros Make Decisions Without Threat Intelligence

4 min read - In a recent report, 79% of security pros say they make decisions without adversary insights “at least the majority of the time.” Why aren’t companies effectively leveraging threat intelligence? And does the C-Suite know this is going on? It’s not unusual for attackers to stay concealed within an organization’s computer systems for extended periods of time. And if their methods and behavioral patterns are unfamiliar, they can cause significant harm before the security team even realizes a breach has occurred.…

4 min read

Why People Skills Matter as Much as Industry Experience

4 min read - As the project manager at a large tech company, I always went to Jim when I needed help. While others on my team had more technical expertise, Jim was easy to work with. He explained technical concepts in a way anyone could understand and patiently answered my seemingly endless questions. We spent many hours collaborating and brainstorming ideas about product features as well as new processes for the team. But Jim was especially valuable when I needed help with other…

4 min read