That’d be a “NO” – those of my readers who are “anti-SIEM” can calm down now :–) Well… let me explain, and perhaps you will see that the answer evolves closer to “sort of” or “in some sense, perhaps” 🙂
My recent exchanges on Twitter led me to believe that a percentage of my peers (some intelligent and well-informed, and some perhaps not so well informed ;-)) still perceive SIEM as “a compliance technology” with “no security value” (or, perhaps, with security value, but much lower value compared to its cost/burden). To me, such thinking indicates they are stuck about 7-10 years in the past, or maybe they have been scarred for life by a particularly broken SIEM implementation.
Presumably, these people rely on other technologies for detecting and investigating threats – or maybe they rely on their overly developed ESP….
So, let’s analyze this a bit. Which of the following describes you?
1. I do most of my threat detection with SIEM
2. I do most of my threat detection with log / event analysis, but not using a SIEM
3. I do most of my threat detection on the network, with some form of traffic analysis (what we now call “NTA” here)
4. I do most of my threat detection on the endpoint, with some form of endpoint visibility tools, such as EDR
5. I do most of my threat detection as a perfect balance of logs, traffic and endpoint
6. I do most of my threat detection somewhere else (where?)
7. (for completeness) Screw threat detection, I have a BIG firewall!!
With me so far?
From the depth of my experience, I’d argue that the best answer for most organizations embarking on the journey to improve their threat detection would in fact be #1 or #2 – i.e. using logs.
However, network- and endpoint-heavy approaches (compared to logs) suffer from major weaknesses unless you also do log monitoring. For example, many folks hate agents with a passion, and SSL generally ruins layer 7 traffic analysis.
Based on this logic, log analysis (perhaps using SIEM … or not) is indeed the “best” beginner threat detection. On top of this, SIEM will help you centralize and organize your other alerts (produced by other tools), hence providing value with alert workflow and not just with log-based threat detection and – gasp! – with compliance reporting too.
Please argue….? In fact, let me help you do this … try the “real hackers don’t get logged” argument 🙂
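To make the “logs are the best beginner detection” point concrete, here is a small added example (my own illustration, not code from the original post or from any SIEM product) of a classic starter use case done purely from logs: several failed logons from one source IP within a short window, followed by a successful logon from that same source. The sample log lines are constructed in an sshd-like syslog format, and the year, threshold and window values are assumptions chosen for the example. No agent and no decrypted traffic are needed; the record of the logon attempt is already in the log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real data) in an sshd-like syslog format.
# 203.0.113.7 fails five times and then succeeds; the others are benign noise.
SAMPLE_LOG = """\
Jun 12 10:00:01 web01 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jun 12 10:00:03 web01 sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Jun 12 10:00:04 web01 sshd[2003]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jun 12 10:00:06 web01 sshd[2004]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jun 12 10:00:08 web01 sshd[2005]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jun 12 10:00:09 web01 sshd[2006]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Jun 12 10:05:00 web01 sshd[2010]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Jun 12 10:05:30 web01 sshd[2011]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
Jun 12 11:00:00 web01 sshd[2020]: Accepted publickey for bob from 192.0.2.5 port 30000 ssh2
"""

# Field extraction for the sshd message shapes used above (outcome, user, source IP).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(line, year=2017):
    """Normalize one raw syslog line into a dict; returns None for lines we don't model.
    syslog timestamps carry no year, so one is assumed (example assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce_success(lines, threshold=5, window=timedelta(minutes=2)):
    """Raise an alert when `threshold` or more failed logons from one source IP
    inside `window` are followed by a successful logon from that same source.
    Returns a list of alert dicts (empty list means nothing fired)."""
    failures = defaultdict(deque)  # src IP -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        # Expire failures that fell out of the sliding window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "rule": "bruteforce_then_success",
                "src": ev["src"],
                "user": ev["user"],
                "host": ev["host"],
                "failures_in_window": len(recent),
                "when": ev["ts"],
            })
            recent.clear()  # one alert per burst, not one per later success
    return alerts


def run_sample():
    """Run the rule over the constructed sample; used as the worked result."""
    return detect_bruteforce_success(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Running it on the sample yields exactly one alert, for 203.0.113.7 logging in as root after five failures; alice’s single typo followed by a key-based logon does not fire. The same structure (normalize, keep per-entity state in a window, fire on the sequence) is what a SIEM correlation rule does for you at scale and across sources, which is the “centralize and organize” value the paragraph above describes.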
Recent blog posts about SIEM:
- SIEM or Log Management?
- Action Item: SaaS SIEM Users Sought!
- Flashback 2014: SIEM Deployment Blueprint Visual
- Summer of SIEM 2017 Coming…
- SIEM Future: A UEBA Path or An MDR Way?
Select popular blog posts about SIEM:
- Popular SIEM Starter Use Cases
- Detailed SIEM Use Case Example
- SIEM Use Cases – And Other Security Monitoring Use Cases Too!
- Our 2016 SIEM Papers Are Out!
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.