Our SIEM Assessment paper update is out!

By Augusto Barros | October 15, 2017 | 2 Comments

The results of our “summer of SIEM” are starting to come out; our assessment document on SIEM (basically, a “what” and “why” paper that sits beside our big “how” doc on the same topic) has been updated. It has some quite cool new stuff aligned to our most recent research on security analytics, UEBA, SOC and other things that often touch or are directly related to SIEM.

Some cool bits from the doc:

“Organizations considering SIEM should realize that using an SIEM tool is not about procuring an appliance or software, but about tying an SIEM product to an organization’s security operations. Such an operation may be a distinct SOC or simply a team (for smaller organizations, a team of one) involved with using the tool. Purchasing the tool will also be affected by the structure and size of an organization security operation: While some SIEM tools excel in a full enterprise SOC, others enable a smaller team to do security monitoring better.”

“While some question SIEM threat detection value, Gartner views SIEM as the best compromise technology for a broad set of threat detection use cases. Definitely, EDR works better for detecting threats on the endpoints, while NTA promises superior detection performance on network traffic metadata. However, network- and endpoint-heavy approaches (compared to logs) suffer from major weaknesses and are inadequate unless you also do log monitoring. For example, many organizations dislike endpoint agents (hence making EDR unpalatable), and growing use of Secure Sockets Layer and other network encryption generally ruins Layer 7 traffic analysis.”
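The excerpt above argues that a network-only view loses much of its value once traffic is encrypted, and that log monitoring fills the gap. The following is an added example, not code from the Gartner paper or from this blog: a toy SIEM-style correlation in Python that joins network-sensor records (which, for TLS, carry only connection metadata such as the SNI hostname and never the user) with endpoint logon events, so that a hit on a watchlisted hostname can still be attributed to a user. The log formats, field names, addresses, the `files.example-drop.test` watchlist entry and the eight-hour logon validity window are all constructed assumptions for the illustration.

```python
"""
Added example (not from the Gartner paper or blog post): a toy SIEM-style
correlation that attributes network-sensor events to users by joining them
with endpoint authentication logs. Log formats, field names, addresses and
the watchlist hostname below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed network-sensor records. For TLS connections the sensor only
# sees connection metadata (addresses, SNI hostname): no user, URL or body.
# The cleartext HTTP record shows the identity a Layer 7 view used to give.
NETWORK_LOG = """\
2017-10-15T09:01:10Z src=10.0.5.23 dst=203.0.113.9 proto=tls sni=files.example-drop.test bytes=48211
2017-10-15T09:05:42Z src=10.0.5.40 dst=198.51.100.7 proto=http host=intranet.example.test user=jdoe bytes=1200
2017-10-15T10:30:00Z src=10.0.5.77 dst=203.0.113.9 proto=tls sni=files.example-drop.test bytes=903311
"""

# Constructed endpoint/OS authentication events: logons that map a user to a
# host address at a point in time (the log source a network-only approach lacks).
AUTH_LOG = """\
2017-10-15T08:55:03Z event=logon user=alice host=ws-023 ip=10.0.5.23
2017-10-15T09:00:00Z event=logon user=bob host=ws-040 ip=10.0.5.40
"""

WATCHLIST = {"files.example-drop.test"}  # constructed hostname of interest
LOGON_TTL = timedelta(hours=8)           # assumption: a logon stays valid for 8h


def parse_kv_line(line):
    """Parse '<timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(text):
    """Parse every non-empty line of a log into a list of field dicts."""
    return [parse_kv_line(line) for line in text.splitlines() if line.strip()]


def attribute_user(event, auth_events):
    """Return the user behind a network event, or None if unknown.

    Cleartext HTTP may carry the identity inline; TLS metadata does not, so
    fall back to the most recent logon for the source IP within LOGON_TTL.
    """
    if event.get("user"):
        return event["user"]
    candidates = [a for a in auth_events
                  if a["ip"] == event["src"]
                  and a["ts"] <= event["ts"] <= a["ts"] + LOGON_TTL]
    if not candidates:
        return None  # no logon seen for this address: attribution fails
    return max(candidates, key=lambda a: a["ts"])["user"]


def detect_watchlist_hits(network_log, auth_log):
    """Flag connections to watchlisted hostnames and attribute each to a user."""
    auth_events = parse_log(auth_log)
    hits = []
    for ev in parse_log(network_log):
        name = ev.get("sni") or ev.get("host")
        if name in WATCHLIST:
            hits.append({"ts": ev["ts"].isoformat(), "src": ev["src"],
                         "name": name, "user": attribute_user(ev, auth_events)})
    return hits


if __name__ == "__main__":
    for hit in detect_watchlist_hits(NETWORK_LOG, AUTH_LOG):
        print(hit)
```

Run as-is, the first watchlist hit is attributed to `alice` only because the endpoint logon log was collected; the second hit, from a host with no logon event, is reported with `user` set to `None`, which is exactly the blind spot the excerpt describes for network-only monitoring of encrypted traffic.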

“UEBA vendors have been frequently mentioned as interesting alternatives due to their different license models. While most SIEM vendors base their price on data volumes (such as by events per second or gigabytes of data indexed), these solutions focus on the number of users being monitored irrespective of the amount of data processed. This model has been seen as a more attractive model for organizations trying to expand their data collection without necessarily changing the number of users currently being monitored. (Note that UEBA vendors offer user-based pricing even for tools addressing traditional SIEM use cases.) UEBA products have also been offered as solutions with lower content development and tuning requirements due to their promised use of analytics instead of expert-written rules. This makes them attractive to organizations looking for an SIEM tool but concerned with the resource requirements associated with its operation. The delivery of that promise will, however, strongly depend on the use cases to be deployed.”

As usual, please don’t forget to provide us feedback about the papers!

Next wave of research: SOAR, MSS and Security Monitoring use cases! Here we go 🙂


  • Andre Gironda says:

    While I don’t agree with any of what you wrote, I can substantially say that I disagree and have a great argument against, “network encryption generally ruins Layer 7 traffic analysis”.

    This is incorrect. TLS is utilized by many detection projects to enhance analysis, especially —

    This is taught in nearly every SOC, SIEM, and detection course — and it is known by a growing majority of engineers. Why would Gartner recommend the opposite to decision makers? What’s your game here?

    Integrate off-the shelf tools to custom business processes?

    Endpoint security requires agents?

    Where are you getting this information?

    • Augusto Barros says:

      Well, many network-based tools do user-oriented monitoring, for example, extracting user identity from L7 data. If that data is not visible, you just cannot do it. Yes, there is some interesting data you can obtain even from TLS-protected networks, but it’s certainly less than you could originally get from unencrypted traffic. That “generally” is not there for no reason; we recognize there are some analyses you can still do. What we are recommending is to avoid network-only or endpoint-only, and that SIEM is one of the best ways to compensate for some of the issues from those approaches. Nowhere in the text do we say you shouldn’t do those. See the famous “SOC nuclear triad” post from Anton. There’s no “game” here.

      Yes, you can have some endpoint visibility without agents…like Outlier Security, for example. But for full visibility there you must have agents, or rely on all the native auditing capabilities of the OSes, which are usually a nightmare to use and come with all sorts of performance issues. If this wasn’t true the EDR market wouldn’t be growing as it is.

      Where is this coming from? Research! We actually talk to a lot of people from different types and sizes of organizations.

      Thanks for the comment, BTW. No fun and value in comments like “yes, this is all great.”