Initially, I wanted to name this post “My SIEM Is Too Slow | My SIEM Is Too Dumb”, but then I decided to go for a milder version, because – against all odds – I still love SIEM.
So, now that we are wrapping up our cloud and VA/VM research, it is time to plan for our “Summer of SIEM” — a project to update a few of our SIEM documents – and write some new ones (meanwhile the SIEM Magic Quadrant 2017 is being cooked in parallel).
Specifically, we are going to update our SIEM technology analysis (with exciting vendor profiles of the real players!) and our mammoth [not in the extinct sense, but size-wise :-)] SIEM Evaluation Criteria. We are also thinking of a whole new document on SaaS SIEM (yay!!!) and perhaps co-managed SIEM too.
To prepare for this, I have “retired” to my backyard with a huge pot of coffee and did some thinking. As you know, I’ve been involved with SIEM for 15 years and know where all its skeletons are buried. This carries advantages – but also risks of falling into “pre-set” thinking.
As a result, I realized that most legitimate (i.e. not from people who failed to even turn theirs on …) complaints about SIEM operations I encountered over the years fit these two big buckets:
- my SIEM is too slow – reports take hours, searches take minutes, my collectors buffer, unless my retention is short nothing really works, etc
- my SIEM is too dumb – it just gives me rule matches and search results, little value from data, have data – but no knowledge, what should I look at, no long-term insights, etc
Naturally, I touched on both of these in my many blog posts (example, another, also), but it is easy to notice that people building SIEMs today (either from scratch, or based on UEBA) are well aware of these. And so are the “legacy” SIEM vendors. This means…ahem…that we can make SIEM great again 🙂
Finally, I want to pour some manure on the “SIEM is dead” crowd. The fact is, SIEM serves an essential security monitoring need. Therefore, if you create an “NG-SIEM” or another replacement technology, you will need to overcome some of the same challenges that SIEM has been struggling for. Or, as I said to one UEBA vendor, “Want to replace a SIEM? Come back when your Windows log collector actually works. And, BTW, it took a leading SIEM vendor 4 years to debug theirs…”
Select related blog posts:
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
Comments are closed
Well said, Anton. Eagerly awaiting the reports..
Well, first, you’d see our tough questions… and only later reports 🙂
Looking forward to hearing from the ‘roll your own’ crowd when it’s released.