This is going to be a short one: why do you think the SIEM vendors f*cked up application log analysis so badly?
Think about it, SIEM technology started roughly in 1997, so 20 years ago. 20 years is like 2 gazillion years in “IT years.” But even today I see a lot of people who equate SIEM with “IT infrastructure monitoring” (i.e. routers, servers, security appliances) or, worse, think that “SIEM is a network security technology.” I’ve long fought this view, but I essentially lost this battle …
So, now, I am sitting here listening to UEBA / UBA clients gush about how great their UEBA is with application log analysis and application security monitoring. They bring up all sorts of esoteric applications (machine parts management, medical research support, financial transaction processing, etc) and then wax poetic about how great their UEBA tool is for revealing insights from the log data and how it saved them so much dough, despite the fact that they paid $1,000,000 for their UEBA.
Why is that? What do UEBA tools know that SIEMs miss?
If you think, “but wait, UEBA has ML and magic AI stuff”, think again. Well, it does, but some of the use cases are very rule-based and do not extend beyond the “IF <this> AND <that> THEN <whatever>” correlations.
So, what is to blame here? Perhaps, some of these …
- SIEM historical association with IT infrastructure, not business application, monitoring
- Lack of schema support for business application log data
- The very requirement to shove the data into a standard schema
- Obvious lack of out-of-the-box content (rules, alerts, dashboards, etc) for custom application security monitoring
- Heavy role of identity and entitlement data in application monitoring
- Requirements for inclusion of non-IT data in analysis
- Or even … customers never pushing SIEM vendors to “do applications”?
… or even something completely different. All in all, it feels like the SIEM guys blew this one as well… and now need to catch up with the UEBAs.
Related blog posts about security analytics:
- On UEBA / UBA Use Cases
- UEBA Clearly Defined, Again?
- Comparing UEBA Solutions (by Augusto)
- What Should Your UEBA Show: Indications or Conclusions?
- UEBA Shines Where SIEM Whines?
- The Coming UBA / UEBA – SIEM War!
- Next Research: Back to Security Analytics and UBA/UEBA
- Sad Hilarity of Predictive Analytics in Security?
- Security Analytics Webinar Questions – Answered
- On Unknown Operational Effectiveness of Security Analytics Tooling
- My “Demystifying Security Analytics: Sources, Methods and Use Cases” Paper Publishes
- Now That We Have All That Data What Do We Do, Revisited
- Killed by AI Much? A Rise of Non-deterministic Security!
- Those Pesky Users: How To Catch Bad Usage of Good Accounts
- Security Analytics Lessons Learned — and Ignored!
- Security Analytics: Projects vs Boxes (Build vs Buy)?
- Do You Want “Security Analytics” Or Do You Just Hate Your SIEM?
- Security Analytics – Finally Emerging For Real?
- Why No Security Analytics Market? <- important read for VCs and investors!
- More On Big Data Security Analytics Readiness
- 9 Reasons Why Building A Big Data Security Analytics Tool Is Like Building a Flying Car
- “Big Analytics” for Security: A Harbinger or An Outlier?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.