Will I ever do or recommend a SIEM-less SOC? — As you can guess from the above, my answer is ‘it depends on what you mean by “SIEM.”’
#1 Will I ever do a SOC without any log analysis capability? — Sorry, EDR and NTA vendors, my answer is “HELL NO!” for the reasons covered here and there. To be fair, we do see increased reliance on EDR for SOC functions, and we see more “EDR as the 1st SOC tool” too, but I’d not go as far as to run my SOC without any log collection and analysis.
#2 Will I ever do a SOC without a commercial SIEM product? — Well, perhaps. I’ve seen solid SOCs built on the Elastic Stack, Splunk [reminder: without ES, Splunk is not a SIEM], Hadoop, home-grown security data lakes, etc. It can be done. Later, we can debate whether it should be done and whether it is a good idea under various circumstances. I see workflow functions picked up by a SOAR tool, alert triage enabled by EDR, and occasional log review backed by a simple log management tool. So, yes, it can work. And, yes, I’ve seen it work well for some people under some circumstances.
Naturally, somebody will say “I can run a SOC without a SIEM if I use an MSSP/MDR for everything.” Just as naturally, they’d be wrong. Except for “hybrid SOC” scenarios where you have a SOC and use an MSSP/MDR for some functions (the case that is, to be fair, growing in importance), using an MSSP generally means choosing not to build a SOC. But, yes, I think today this whole SOC+/vs MSSP thing has this answer: it’s complicated 🙂
Related blog posts:
- SIEM Alternatives? What Are They? Do They Exist?
- Is Security Just Too Damn Hard? Is Product+Service The Future?
- Next Research: SOC, SIEM, and Again Overall Detection and Response
- SOC Webinar Questions Answered
- Our “How to Plan, Design, Operate and Evolve a SOC” Paper Is Published (from 2016 – now the update is under development)