Details of a 451 Research study, as shared by 451 Research Research Director of Information Security Scott Crawford in a guest blog post, show an overwhelming acknowledgment of the importance of security information and event management (SIEM) among organizations. Nearly three quarters say that it is “very important.”
However, there are organizations that express dissatisfaction over the quality of security data or insights they obtain through SIEM. Some organizations also have a hard time running SIEM due to high costs, skills shortage, and lack of integration. The 451 Research study also shows that only 21.6 percent believe that they are getting full value from the SIEM systems they use.
It is for these reasons that some organizations are looking for alternatives or replacements. The question, however, remains, whether there exists a viable SIEM replacement.
In search of an alternative
Given that nearly all organizations believe that SIEM is important, does it make sense for a SIEM replacement to exist? To answer this question, it is essential to separate opinions/beliefs from the facts regarding the benefits provided by SIEM and the challenges in running it.
What makes SIEM crucial to an organization’s security posture? Here’s a summary of the main benefits that make it almost indispensable to organizations:
- Compliance reporting streamlining – Most of the organizations that use SIEM rely on it for their compliance requirements, since it provides a centralized logging solution as well as detailed reports that cover different operating systems, applications, and other cybersecurity components.
- Detection of the typically undetected – SIEM platforms typically come with enhanced security incident detection functions capable of correlating events across hosts to detect what would otherwise be left undetected. They can make complex attacks with different paths on different hosts visible. They can reconstruct a series of events to determine the nature of an attack and examine if it resulted in a breach or not.
- Incident handling efficiency improvement – A SIEM platform makes security incident handling significantly more efficient by providing a unified interface for viewing all security logs from a multitude of hosts. It facilitates the quick identification of an attack’s route and the detection of hosts that have been exposed to an attack. It also provides automated ways to kill attacks.
Enjoying the benefits of SIEM, however, comes with some challenges. For one, running a SIEM is costly, but many organizations say they are not getting their money’s worth. They spend significant amounts on the purchase of the SIEM system, the hiring/training of qualified employees, and configuration and deployment but end up dissatisfied.
A Ponemon Institute study reveals while organizations value SIEM, they are searching for a more productive alternative. Only 48 percent of the study participants expressed satisfaction with the security intelligence they get from their SIEM operation. The more recent study by 451 Research shows an even lower satisfaction rate, at 31.9 percent.
Noise data is also a problem with conventional SIEM because it lacks the ability to prioritize more critical alerts and security incident data. Overwhelming alerts and security data are generated, but organizations only get to act on a small fraction of them. The more crucial alerts and data also tend to be concealed by less important ones.
Moreover, when it comes to standalone SIEM solutions, organizations also complain about workforce limitations, dynamic data constraints, missed threats, and false positives. Poor responsiveness to insider attacks is also a concern.
A potential alternative
So what does a potential SIEM replacement look like? It is arguably one that provides the same benefits while addressing the challenges listed above. It may be called by some other name, but it provides similar functions and resolves inadequacies or weaknesses in conventional SIEM.
One example of a potential SIEM alternative would be an Open XDR (eXtended Detection
and Response) platform that comes with AI-powered automated threat hunting and response, high-fidelity detection, and the ability to adopt best practices and security frameworks such as MITRE ATT&CK.
Just like SIEM, Open XDR provides a unified platform for security incident detection and response. It is designed to automatically collect and correlate security data across various security controls, including proprietary and single-vendor ones.
To clarify, Gartner’s definition of XDR back in 2020 only referred to proprietary security components. Open XDR covers not only proprietary controls but all the existing security components in an organization. It has a much broader scope and reaches as far as what SIEM is meant to reach. Additionally, its technical specifications call for high-fidelity correlated detections across various security solutions, automated detections powered by machine learning, intelligent incident response, the centralization, and normalization of data from all attack surfaces, and flexible deployability driven by a cloud-native microservice architecture.
Moreover, Open XDR’s architecture offers a number of advantages when compared to SIEM’s. These advantages are as follows:
- Data handling – In Open XDR, data is compulsorily centralized and normalized before they are stored in a data lake. This is important because it is not uncommon for data to be modeled differently in different deployments. Conventional SIEM does not undertake data normalization and enrichment by default, which also contributes to the difficulty in dealing with noise data.
- Use of AI – Open XDR takes advantage of artificial intelligence to automatically detect risks and threats and correlate alerts. It does not rely on human-configured rules just like what happens in conventional SIEM. It is possible to use AI in SIEM, but it would be difficult to scale because of its different data handling.
- Unified security operations – Open XDR brings together several tools needed in security operations such as user Big Data lake, entity and behavior analytics (UEBA), security orchestration, automation and response (SOAR), threat intelligence platform (TIP), network detection and response (NDR), and endpoint detection and response (EDR). With conventional SIEM, organizations need to figure out on their own how they can combine various security tools together.
- Correlation and response in the same platform – Another advantage of Open XDR is its correlation and response from the same platform. This results in the ability to quickly correlate multiple related alerts, hence faster and holistic incident response. In contrast, conventional SIEM typically needs to transmit alerts to a SOAR system first for the correlation of different alerts. This approach entails correlations that lack deep context.
High-fidelity detection and incident handling efficiency are not going to be an issue with Open XDR. It can even deliver better detection because of AI and the ability to correlate alerts and respond to incidents on the same platform. Also, Open XDR usually comes with out-of-the-box features that are based on what an organization needs. This is different from SIEM platforms, whose configuration, customization, and the addition of plugins are left to the users. As such, it is more complex and tedious to deploy SIEM compared to the prescriptive security nature of Open XDR.
Moreover, Open XDR may not be heavy on compliance reporting streamlining, but this can be easily addressed with additional features. Compliance is unlikely going to be a deal-breaker when deciding between conventional SIEM and an enhanced Open XDR platform.
A viable alternative
Is there a viable alternative to SIEM? Yes, there is. However, this alternative or replacement cannot be a purely distinct concept. XDR, for instance, cannot replace SIEM or offer advantages that make it superior, however; with an open architecture and broader scope (covering all security components, not just a specific class), XDR can rival SIEM’s benefits and even offer a few improvements.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.