
Can You Do a SIEM-less SOC?

By Anton Chuvakin | June 26, 2018 | 2 Comments

Tags: SOC, SOAR, SIEM, security, MSSP

Along the lines of this post where we discussed the concept of “SIEM alternatives,” let’s discuss this in the context of a modern SOC.

Will I ever do or recommend a SIEM-less SOC? — As you can guess from the above, my answer is ‘it depends on what you mean by “SIEM.”’

So:

#1 Will I ever do a SOC without any log analysis capability? — Sorry, EDR and NTA vendors, my answer is “HELL NO!” for the reasons covered here and there. To be fair, we do see increased reliance on EDR for SOC functions, and we see more “EDR as the 1st SOC tool” too, but I’d not go as far as to run my SOC without any log collection and analysis.

#2 Will I ever do a SOC without a commercial SIEM product? — Well, perhaps. I’ve seen solid SOCs with Elastic stack, Splunk [reminder: without ES, Splunk is not a SIEM], Hadoop and home-grown security data lakes, etc. It can be done. Later, we can debate whether it should be done and whether it is a good idea under various circumstances. I see workflow functions picked up by a SOAR tool, alert triage enabled by EDR, and occasional log review backed by a simple log management tool. So, yes, it can work. And, yes, I’ve seen it work well for some people under some circumstances.

Naturally, somebody will say “I can run a SOC without a SIEM if I use an MSSP/MDR for everything.” Just as naturally, they’d be wrong. Except for “hybrid SOC” scenarios where you have a SOC and use an MSSP/MDR for some functions (the case that is, to be fair, growing in importance), using an MSSP generally means choosing not to build a SOC. But, yes, I think today this whole SOC+/vs MSSP thing has this answer: it’s complicated 🙂


The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.


2 Comments

  • Bob Pratt says:

    I’m clearly biased, since I’ve spent most of the past 12 years building commercial SIEM products.

    My answer to #2 would be “yes, but you’ll end up replicating what a commercial SIEM product does for yourself”. For certain circumstances that can work out, as you get the benefits of choosing what functionality you really need and customizing everything to perfectly suit your environment and workflow.
    But I believe that for the majority of companies building your own SIEM makes no more sense than building your own servers in the data center. Sure, that way you can spec the precise motherboards best for your app and configure the memory, storage, etc. exactly how you want it. But it’s a lot of effort vs. buying off-the-shelf servers that are a 90% fit for your needs. Building an in-house SIEM is the same thing. It can be done, and you get a very custom fit, but is it worth the overall long-term cost?

    • Well, I am trying to step away from my [same] bias and then you show up and reinforce it 🙂

      In any case, you are right of course. I’ve seen too damn many cases of “we will use Hadoop to build a SIEM … circa 2005”