Security Information and Event Management (SIEM) solutions have traditionally sat at the center of security operations. By ingesting firewall, endpoint and other logs from on-premises and remote sources, a SIEM serves as the unifying platform for security telemetry and the place where analysts investigate alerts and incidents. Yet, as valuable as they are, security teams increasingly report that SIEMs have become “expensive, complex, and resource-intensive” (ESG’s survey “The Impact of XDR in Modern SOC”).
The main use cases of a SIEM fall into two broad categories:
- Data aggregation and storage: collection, normalization and retention of event logs from all sources, which also serves auditing and compliance needs;
- Threat detection and response: based on manually configured correlation rules, with alerts raised when a rule matches or when activity deviates from an established baseline.
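To make the two use cases concrete, here is a toy pipeline that normalizes two differently formatted log sources into one schema, then runs a static correlation rule and a baseline-deviation check over the result. This is an added example written for this page, not code from the article's author or from any SIEM product; the firewall key=value format, the endpoint JSON format, the thresholds and the baseline counts are all constructed for illustration.

```python
"""Toy SIEM pipeline: normalize heterogeneous logs into one event schema,
then apply (a) a static threshold rule and (b) a baseline-deviation check.
Added example, not from the original page; all formats and data are constructed.
"""
import json
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: firewall lines in a key=value style and endpoint
# lines as JSON. Both formats are hypothetical stand-ins for real sources.
RAW_LOGS = [
    'ts=2024-05-01T10:00:01Z src=203.0.113.5 dst=10.0.0.7 action=deny proto=tcp dport=22',
    '{"time":"2024-05-01T10:00:05Z","host":"ws-01","user":"alice","event":"logon_failed","src_ip":"203.0.113.5"}',
    '{"time":"2024-05-01T10:00:20Z","host":"ws-01","user":"alice","event":"logon_failed","src_ip":"203.0.113.5"}',
    '{"time":"2024-05-01T10:00:40Z","host":"ws-01","user":"admin","event":"logon_failed","src_ip":"203.0.113.5"}',
    '{"time":"2024-05-01T10:01:00Z","host":"ws-02","user":"bob","event":"logon_success","src_ip":"198.51.100.9"}',
    'ts=2024-05-01T10:01:10Z src=198.51.100.9 dst=10.0.0.9 action=deny proto=tcp dport=445',
    '{"time":"2024-05-01T10:05:00Z","host":"ws-03","user":"carol","event":"logon_failed","src_ip":"198.51.100.20"}',
]

# Constructed baseline: historical per-hour event counts for each endpoint host.
BASELINE = {
    "ws-01": [1, 0, 1, 0, 1, 0],
    "ws-02": [1, 1, 2, 1, 1, 2],
    "ws-03": [0, 1, 0, 1],
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def _ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_firewall(line):
    """Firewall key=value line -> common event schema (format is constructed)."""
    f = dict(KV_RE.findall(line))
    return {"ts": _ts(f["ts"]), "source": "firewall", "src_ip": f.get("src"),
            "host": f.get("dst"), "action": f.get("action")}


def parse_endpoint(line):
    """Endpoint JSON line -> common event schema (format is constructed)."""
    r = json.loads(line)
    return {"ts": _ts(r["time"]), "source": "endpoint", "src_ip": r.get("src_ip"),
            "host": r.get("host"), "action": r.get("event")}


def normalize(lines):
    """Use case 1: aggregate both sources into one time-ordered event list."""
    events = [parse_endpoint(l) if l.startswith("{") else parse_firewall(l) for l in lines]
    return sorted(events, key=lambda e: e["ts"])


def rule_failed_logons(events, threshold=3, window=timedelta(seconds=60)):
    """Use case 2a: static rule, N or more failed logons from one source IP
    inside a sliding window. Returns (src_ip, time_of_alert) tuples."""
    alerts = []
    recent = defaultdict(list)  # src_ip -> timestamps of failures in window
    for e in events:
        if e["action"] != "logon_failed":
            continue
        bucket = recent[e["src_ip"]]
        bucket.append(e["ts"])
        while bucket and e["ts"] - bucket[0] > window:  # expire old failures
            bucket.pop(0)
        if len(bucket) >= threshold:
            alerts.append((e["src_ip"], e["ts"]))
            bucket.clear()  # one alert per burst, not one per extra failure
    return alerts


def deviation_from_baseline(events, baseline, z=3.0):
    """Use case 2b: flag hosts whose event count exceeds mean + z*stdev of their
    own history. Hosts with no (or a one-point) baseline are skipped, since a
    deviation cannot be judged without one."""
    counts = defaultdict(int)
    for e in events:
        counts[e["host"]] += 1
    flagged = []
    for host, n in counts.items():
        history = baseline.get(host)
        if not history or len(history) < 2:
            continue
        if n > statistics.mean(history) + z * statistics.stdev(history):
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    evts = normalize(RAW_LOGS)
    print("rule alerts:", rule_failed_logons(evts))
    print("baseline deviations:", deviation_from_baseline(evts, BASELINE))
```

Run as a script it reports one rule alert (three failed logons from 203.0.113.5 within 35 seconds) and one baseline deviation (ws-01, whose three events exceed its historical mean plus three standard deviations). Note that the rule needs a hand-chosen threshold and window, and the deviation check needs a history for every host it is asked to judge; both are exactly the manual tuning effort the text attributes to SIEM detection.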
But security practitioners are calling for a change: with siloed security and organizational data, an overload of manual and time-consuming security scans, and prohibitive licensing models, security operations are only getting harder.