Gartner Blog Network


Can You Do a SIEM-less SOC?

by Anton Chuvakin  |  June 26, 2018  |  5 Comments

Along the lines of this post where we discussed the concept of “SIEM alternatives,” let’s discuss this in the context of a modern SOC.

Will I ever do or recommend a SIEM-less SOC? — As you can guess from the above, my answer is ‘it depends on what you mean by “SIEM.”’

So:

#1 Will I ever do a SOC without any log analysis capability? — Sorry, EDR and NTA vendors, my answer is “HELL NO!” for the reasons covered here and there. To be fair, we do see increased reliance on EDR for SOC functions, and we see more “EDR as the 1st SOC tool” too, but I’d not go as far as to run my SOC without any log collection and analysis.

#2 Will I ever do a SOC without a commercial SIEM product? Well, perhaps. I’ve seen solid SOCs with Elastic stack, splunk [reminder: without ES, splunk is not a SIEM], Hadoop and home-grown security data lakes, etc. It can be done. Later, we can debate whether it should be done and whether it is a good idea under various circumstances. I see workflow functions picked up by a SOAR tool, alert triage enabled by EDR, and an occasional log review backed up by a simple log management tool. So, yes, it can work. And, yes, I’ve seen it work well for some people under some circumstances.

Naturally, somebody will say “I can run a SOC without a SIEM if I use an MSSP/MDR for everything.” Just as naturally, they’d be wrong. Except for “hybrid SOC” scenarios where you have a SOC and use an MSSP/MDR for some functions (the case that is, to be fair, growing in importance), using an MSSP generally means choosing not to build a SOC. But, yes, I think today this whole SOC+/vs MSSP thing has this answer: it’s complicated :-)


Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Can You Do a SIEM-less SOC?


  1. Bob Pratt says:

    I’m clearly biased, since I’ve spent most of the past 12 years building commercial SIEM products.

    My answer to #2 would be “yes, but you’ll end up replicating what a commercial SIEM product does for yourself”. For certain circumstances that can work out, as you get the benefits of choosing what functionality you really need and customizing everything to perfectly suit your environment and workflow.
    But I believe that for the majority of companies building your own SIEM makes no more sense than building your own servers in the data center. Sure, that way you can spec the precise motherboards best for your app and configure the memory, storage, etc. exactly how you want it. But it’s a lot of effort vs. buying off-the-shelf servers that are a 90% fit for your needs. Building an in-house SIEM is the same thing. It can be done, and you get a very custom fit, but is it worth the overall long-term cost?

    • Well, I am trying to step away from my [same] bias and then you show up and reinforce it :-)

      In any case, you are right of course. I’ve seen too damn many cases of “we will use Hadoop to build a SIEM … circa 2005”



