Over the past decade, I have repeatedly seen articles titled, “SIEM is dead. Long live the SIEM.”
Unfortunately, that title still rings true today. Why is that? Curious by nature, I asked a group of MSPs their thoughts by asking two simple questions:
- On a scale of one to five, how useful is your SIEM?
- On a scale of one to five, how likely are you to get rid of your SIEM?
The majority’s answer to both questions without hesitation: One.
These two unsatisfactory answers highlight the disconnect between how deeply SIEMs are embedded into and considered necessary for MSPs — and how utterly unhappy people are with the value the technology provides.
A Case for SIEM?
Why keep investing in SIEM tech even though it’s outdated? According to a Gartner report from last summer, the top five reasons for a SIEM were:
- Incident detection.
- Compliance and reporting.
- Log management.
- Incident investigation/forensics.
- Event correlation.
But, as reflected in that room full of MSPs, it doesn’t work.
SIEM High-cost Shortcomings
Brandon Dobrec
SIEM was neither built for the needs of the MSP nor appropriately priced for MSPs. It is the last generation’s technology, and ultimately, it isn’t great at catching the bad guys.
When it comes to incident detection, it’s no wonder people are dissatisfied. SIEMs traditionally require a large degree of configuration and ongoing management before seeing any value. The nature of SIEM itself gets in the way of incident detection.
First, you need all the log sources configured and stored for analysis, for which costs can skyrocket. Second, once all the data is flowing, you need the right rules in place. Otherwise, vital data may be overlooked, leading to substantial business consequences. Lastly, postprocessing this large volume of data is both expensive and time-consuming.
By the time you catch anything — presuming you can in the deluge of high-noise, low-value alerts — it’s probably too late to stop the bad guys.
Stuck in the Tech Stack
When dealing with this series of issues, it typically is filtered to the MSP through the proliferation of SIEM-based MDR providers. Yet, MSPs keep investing because they’re told SIEMs are key to compliance.
That’s frustrating. It’s the largest expense for a security team, yet it doesn’t really provide much security. Ultimately, it’s overengineered for what is necessary.
However, companies don’t remove it from their stack. They’re terrified that an incident will occur, and they won’t be able to fall back on the data for reporting and investigative purposes. You’ve probably all thought, “If the ‘I have a SIEM’ box isn’t checked, will I get my insurance payout?”
The way companies get around the inadequacies of data volume, low-fidelity alerts, and timeliness is to layer other point solutions in front of the SIEM. These additive solutions can perhaps make up for the SIEM shortcomings, handle the identification of critical alerts, and filter out alert noise.
As you can imagine, this causes costs to balloon even more. Ultimately, these SIEM-based MDR providers often nullify your SIEM-based headaches less than you think.
Choose Innovation
The disconnect between SIEMs’ perceived importance and actual utility highlights the need for innovation in cybersecurity solutions within the MSP industry.
The current cybersecurity landscape has outgrown what SIEM technology was built to do for one’s stack. Beyond that, it was designed for large enterprises, not MSPs. The band-aid that MSPs have applied — SIEM-based MDRs — isn’t working. They’re stuck suffering from all the existing issues, just with additional costs layered on top.
Looking ahead, MSPs must step out of their comfort zones and pursue cutting-edge solutions that deliver tangible security performance.
Are you ready to leave behind the tech and associated costs of yesteryear?
Brandon Dobrec is head of product for Blackpoint Cyber. He began his career as a technical practitioner before leading and driving product initiatives for several security companies.
Image: iStock
