Gartner Blog Network

Is SIEM The Best Threat Detection Technology, Ever?

by Anton Chuvakin  |  August 7, 2017  |  20 Comments

That’d be a “NO” – those of my readers who are “anti-SIEM” can calm down now :-) Well… let me explain, and perhaps you will see that the answer evolves closer to “sort of” or “in some sense, perhaps” :-)

My recent exchanges on Twitter led me to believe that a share of my peers (some intelligent and well-informed, and some perhaps not so well-informed ;-)) still perceive SIEM as “a compliance technology” with “no security value” (or perhaps with some security value, but much lower than its cost and burden). To me, such thinking indicates they are stuck about 7-10 years in the past, or maybe they were scarred for life by a particularly broken SIEM implementation.

Presumably, these people rely on other technologies for detecting and investigating threats – or maybe they rely on their overly developed ESP….

So, let’s analyze this a bit. Which of these describes you?

  1. I do most of my threat detection with SIEM
  2. I do most of my threat detection with log / event analysis, but not using a SIEM
  3. I do most of my threat detection on the network, with some form of traffic analysis (what we here at Gartner now call “NTA”, network traffic analysis)
  4. I do most of my threat detection on the endpoint, with some form of endpoint visibility tools, such as EDR
  5. I do most of my threat detection as a perfect balance of logs, traffic and endpoint
  6. I do most of my threat detection somewhere else (where?)
  7. (for completeness) Screw threat detection, I have a BIG firewall!!

With me so far?

From the depth of my experience, I’d argue that the best answer for most organizations embarking on the journey to improve their threat detection would in fact be #1 or #2 – i.e. using logs.

So, no, I won’t hate you if you do your log analysis outside a SIEM. Frankly, the #5 answer is a good one too, but it is unlikely to be where you’d start – it is probably where you will end up over time.

However, network-heavy and endpoint-heavy approaches (compared to logs) suffer from major weaknesses unless you also do log monitoring. Endpoint visibility needs an agent on every host that matters, and many folks hate agents with a passion (and cannot install them on appliances, embedded devices or systems they do not administer). Network traffic analysis needs to see the payload, and SSL/TLS generally ruins layer 7 traffic analysis: without decryption you are left with flow metadata (who talked to whom, when, and how much), which is useful but far coarser than what the application itself logs.

Based on this logic, log analysis (in a SIEM or not) is indeed the “best” threat detection approach for beginners. On top of this, a SIEM centralizes and organizes the alerts produced by your other tools (EDR, NTA, IDS and so on), so it adds value through alert workflow as well as through log-based threat detection and, gasp, through compliance reporting too.
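As an added illustration of the two roles described above (this is not code from the original post, and not any vendor’s product), here is a toy correlation engine in Python. It parses a few constructed sshd log lines into normalized events, runs one log-based detection rule (a burst of failed logins from one source followed by a success), and then merges the resulting alert with alerts from hypothetical EDR and NTA tools into a single per-host timeline, which is the alert-workflow value a SIEM adds on top of its own detections. Host names, users, IP addresses and the JSON shape of the third-party alerts are all made up for the example.

```python
"""
Added example (not from the original post): a toy correlation engine showing
primary threat detection from raw logs plus aggregation of alerts produced by
other tools into one workflow. All log lines and alerts are constructed samples.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: an sshd auth log (hypothetical hosts, users and IPs).
AUTH_LOG = """\
2017-08-07T10:00:01Z host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51111 ssh2
2017-08-07T10:00:03Z host1 sshd[1202]: Failed password for root from 203.0.113.5 port 51112 ssh2
2017-08-07T10:00:05Z host1 sshd[1203]: Failed password for root from 203.0.113.5 port 51113 ssh2
2017-08-07T10:00:07Z host1 sshd[1204]: Failed password for root from 203.0.113.5 port 51114 ssh2
2017-08-07T10:00:09Z host1 sshd[1205]: Failed password for root from 203.0.113.5 port 51115 ssh2
2017-08-07T10:00:12Z host1 sshd[1206]: Accepted password for root from 203.0.113.5 port 51116 ssh2
2017-08-07T10:30:00Z host1 sshd[1300]: Accepted publickey for deploy from 198.51.100.9 port 40000 ssh2
"""

# Constructed sample: alerts already produced by other tools (EDR, NTA),
# in a hypothetical JSON-like shape such tools might emit.
OTHER_ALERTS = [
    {"tool": "edr", "ts": "2017-08-07T10:00:40Z", "host": "host1", "sev": "high",
     "name": "suspicious process: /tmp/.x started by root"},
    {"tool": "nta", "ts": "2017-08-07T10:01:10Z", "host": "host1", "sev": "medium",
     "name": "outbound connection to rare destination 203.0.113.5:4444"},
]

# Matches the two sshd outcomes used in the sample; anything else is skipped.
SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_auth_log(text):
    """Normalize raw sshd lines into event dicts; skip lines the regex does not match."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_bruteforce_success(events, threshold=5, window=timedelta(minutes=5)):
    """Log-based detection: `threshold` or more failures from one source IP followed
    by a success within `window`. Returns one SIEM alert per rule hit."""
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        # Drop failures that have aged out of the sliding window.
        failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= window]
        if ev["outcome"] == "Failed":
            failures[ip].append(ev["ts"])
        elif len(failures[ip]) >= threshold:
            alerts.append({
                "tool": "siem", "ts": ev["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"),
                "host": ev["host"], "sev": "high",
                "name": f"brute force then success: {ev['user']} from {ip} "
                        f"after {len(failures[ip])} failures",
            })
            failures[ip] = []  # reset so one burst yields one alert
    return alerts


def aggregate(siem_alerts, other_alerts):
    """Alert-workflow side: merge SIEM-native and third-party alerts into one
    per-host timeline so an analyst works one queue instead of three consoles."""
    merged = sorted(siem_alerts + other_alerts, key=lambda a: a["ts"])
    per_host = defaultdict(list)
    for a in merged:
        per_host[a["host"]].append(a)
    return per_host


def run():
    """Parse the sample log, apply the rule, and merge with the other tools' alerts."""
    events = parse_auth_log(AUTH_LOG)
    return aggregate(detect_bruteforce_success(events), OTHER_ALERTS)


if __name__ == "__main__":
    for host, alerts in run().items():
        print(host)
        for a in alerts:
            print(f"  {a['ts']} [{a['tool']}/{a['sev']}] {a['name']}")
```

Run it as a script to print the merged timeline for host1: the SIEM’s own brute-force alert, then the EDR and NTA alerts, in time order. In a real deployment the parsing would be a per-source parser library, the threshold and window would be tuned per environment, and the sliding-window state would be bounded; the split between a detection function over normalized events and an aggregation step over alerts from any source is the point.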

Please argue! In fact, let me help you: try the “real hackers don’t get logged” argument :-)


Category: endpoint  logging  monitoring  security  siem  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…

Thoughts on Is SIEM The Best Threat Detection Technology, Ever?

  1. Stephen Owen says:

    The time to set up and configure a SIEM system and to make updates and changes to it is very time consuming. There is a better, more automated way.

    • Norm says:

      Love to hear more on the automated way to do that detection. I’ve been using SIEM to alert on all detection tech, including whitelisting, so-called next-gen endpoint, firewalls, mobility, etc. It can be time consuming to maintain, but having all my logs in one place is invaluable.

      • (Disclaimer: I’m a vendor.)
        Hi Norm,
        Unomaly is a Swedish tool that automates log analysis in real time across all types of systems/applications without the need for parsing/configuration, and that detects anomalies based on a superb understanding of what normal is (>99.99999%). Anomalies are few and relevant and are presented to engineers based on the “right data to the right person” principle. We believe too little focus has been on logs and that most threats can be detected using log analysis, with the right approach. Thanks.

      • Again, is “time consuming” due to (a) the technology (SIEM) or (b) the mission (security monitoring)?

    • For sure, it takes time, BUT to me the question is: is this an INHERENT challenge with security monitoring or a challenge with SIEM tech?

  2. Dori Fisher says:

    Network, endpoint, security and IT devices should report to a central location, and use cases and scenarios should be built in that location to assist in threat detection.
    That’s a SIEM.
    At the end of the day we want to create rules and workflows from the output of the cool additional devices that we bought. This happens in the SIEM.
    The skills shortage has made a lot of SIEM implementations ineffective, but this does not mean there is a technical solution where we can just sit down and relax while our logs are being analysed; many understood that and are turning to MSSPs / MDR services to transfer the burden.

    • Dori, thanks for the comment. Indeed, SIEM value is both in alert aggregation and in primary threat detection.

      My fave QotD: “Skills shortage has made a lot of the SIEM implementations ineffective but this does not mean there is a technical solution that we can just sit down and relax while our logs are being analysed”

  3. Mustafa Rassiwala says:

    Anton – I have worked at 3 leading SIEM vendors (Gartner MQ Leaders), so while I agree with your perspective on the choice as #1 or #5, the argument is more about the technology. The function that SIEM, NTA and EDR perform is about collecting lots of data (that’s where NTA differs from EDR for obvious reasons), but all 3 solutions are the same when it comes to data analysis, detecting threats and automating threat triage. So instead of these as different choices, the choice is about technologies and fixing capabilities that have led to failed SIEM implementations. Also, maybe it’s time Gartner and the market came up with a new name for this class of detection – SIEM (Security Incidence and Event Management) does not do it justice; for starters, let’s get a category name that has the word detection in it.

  4. Kosh says:

    Define the threat / use case and impact, then decide on the appropriate tool for detection. Is SIEM the best tool for online fraud / account takeover detection? Probably not. The best tool to detect unknown malware? Probably not, as it relies on a log to detect it. But then there are loads of other threats that aren’t as sophisticated that a SIEM can do a pretty good job at detecting, whether it’s through defined alerting rules or reporting on anomalies that an analyst with an inquisitive nature and an idea of what bad looks like can dig into quickly using the data that’s fed into the SIEM.

  5. Rajat says:

    SIEM may not be the primary detection technology, but it can be the primary threat reporting technology. The detection may happen elsewhere, like IPS, anti-malware, WAF, EDR, etc., or logs. Building use cases and rules on this data and triaging them is still best done in SIEM. The complex / time consuming part is mostly in creating these rules, which is more of a security monitoring challenge and less of a technology challenge.

    • Rajat, thanks for the comment. You are exactly right — EVEN IF your SIEM never detected a single threat on its own, some would say that its value in alert management (and reporting) is indeed very real.

      And: “which is more of a security monitoring challenge and less of a technology challenge” — this is a phrase I have repeated a million times :-) I am very happy that it is finally becoming widespread as a line of thinking!!!

  6. Ian McShane says:

    CLICK BAIT :-)

  7. Hello Anton,
    I agree with you that maybe the SIEM can still be the best response to threat detection, but then: what type of 2nd-generation SIEM? It must ingest logs, Flos, packets, machine data, endpoint data (what type of data?), etc. natively and fast, and should not be very, very expensive (…:-(…). How do you see the technological market of these Next Generation SIEMs? For me there is great confusion…

    • Thanks for the comment. Indeed, collect more (flows, etc.), analyze more (ML, etc.), and with better workflow – that may well be the “NGSIEM”. Lower price? Well… you can always hope….

  8. Sorry, Flows not Flos.

  9. […] I am going to do another “is this 2005?” kind of post, now that I riled everybody up with my previous […]
