Why the SIEM Tool isn’t Enough

Published May 19, 2022

A long time ago, in a galaxy far, far away, log management was used to capture and store events for compliance and security use cases. As attacks grew in complexity and sophistication, log management gave way to security information and event management (SIEM), with its ability to apply rule-based correlation and turn raw data into meaningful insights.

Fast forward to today's post-pandemic world: organizations such as banks moving to the cloud to keep up with consumer preferences and remote work have contributed to a data explosion that is rapidly changing what security teams need in order to be successful. In fact, data growth statistics show that data creation will exceed 180 zettabytes by 2025, about 118.8 zettabytes more than in 2020 (source: Statista). Security teams have to cope not only with the volume of incoming data but also with its shape: a report by IDC estimates that 80-90% of all data is unstructured, which adds further complexity to what security teams face today.

Given that context, organizations relying solely on a SIEM are facing increased costs, little return on their investment in that area, and a failure to equip their security teams with the tools to prevent and respond to security threats. Average SIEM costs are now close to $1 million annually (source), and that covers only licenses and hardware; SIEM talent and expertise are additional costs to consider. The inherent economics and functionality of these tools have led to an ROI issue reflected in a recent Panther Labs report, The State of SIEM: of the respondents who felt qualified to comment on the value of their SIEM relative to what they pay for it, over 50% believe they are overpaying. Less than 20% believe the value of their SIEM's capabilities exceeds the cost!

Costs aside, SIEM tools are too narrow in the type and amount of data they can ingest to give analysts a full picture of what is happening at any given time. Unstructured data sources such as certain application and server log files, company emails, and internal messaging transcripts are too complex for traditional SIEMs, and the reality is that most breaches take on the order of 287 days to identify. Not having a historical lens on your data leaves you exposed, and SIEMs are not built to analyze all of those relevant data sources over that span of time in a cost-effective way.

Enter the Cyber Data Lake

Today, security teams are having to make decisions as to which data sources they can analyze without breaking the bank and based on the best information they have at hand. So how do you equip your security teams to adapt to the world they find themselves in? Part of the answer may lie in using data technology that has powered business intelligence and existed for years – data lakes.

A cyber data lake delivers a cost-effective and truly agile approach to proactive threat analysis and detection. With per-second pricing from Snowflake or AWS, scaling up and down to reflect true TCO has never been easier, and the ability to take in data in its native form lets teams apply AI and focus on more strategic activities.

Future-Proof Your Security Teams

Data breaches are more like a water mark that creeps up your basement wall over time than like walking into a flooded bathroom. Keeping up with these attacks means leaders must not only build a foundation rooted in what their data is telling them but also find areas where they can leverage automation and threat intelligence platforms. An IBM report on data breach costs found that organizations leveraging automation and AI/ML reduced costs by as much as 80%. Using your data lake in addition to a SIEM will help your teams stay prepared for attacks and find historical anomalies, the so-called 'needles in the haystack'.
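The "historical lens" argument above is easy to state and easy to underestimate, so here is an added illustration that is not part of the original post: a small Python model of how the retention window available to an investigator changes the answer to "when did this source first touch this account?" The sign-in records, the user name `alice`, the addresses `10.0.0.5` and `203.0.113.9`, and the investigation date are all constructed for the example; the functions `retained`, `first_seen`, `dwell_time_days` and `rare_pairs` are hypothetical helpers, not any vendor's API.

```python
"""Added example (not from the original post): why retention depth matters
when reconstructing an intrusion timeline. All data below is constructed."""
from collections import Counter
from datetime import datetime, timedelta

# Arbitrary reference date for the constructed sample set.
DAY0 = datetime(2022, 1, 1)
# Hypothetical day on which the day-300 sign-in is noticed and investigated.
INVESTIGATION_DAY = DAY0 + timedelta(days=301)


def sample_events():
    """Build a year of constructed sign-in records: (timestamp, user, source_ip)."""
    events = [(DAY0 + timedelta(days=d), "alice", "10.0.0.5") for d in range(365)]
    # Low-and-slow intruder: one sign-in from an unfamiliar address on day 30,
    # then dormant until day 300. Both lines are constructed sample data.
    events.append((DAY0 + timedelta(days=30), "alice", "203.0.113.9"))
    events.append((DAY0 + timedelta(days=300), "alice", "203.0.113.9"))
    return sorted(events)


def retained(events, now, retention_days):
    """Simulate a store that only keeps the last `retention_days` of events."""
    cutoff = now - timedelta(days=retention_days)
    return [e for e in events if cutoff <= e[0] <= now]


def first_seen(events, user, ip):
    """Earliest timestamp at which the (user, ip) pair appears, or None."""
    hits = [ts for ts, u, src in events if u == user and src == ip]
    return min(hits) if hits else None


def dwell_time_days(events, now, retention_days, user, ip):
    """Dwell time (days since first sighting) as seen through a given retention
    window. A short window silently reports the first *retained* sighting as if
    it were the first sighting ever, understating how long the access existed."""
    fs = first_seen(retained(events, now, retention_days), user, ip)
    return None if fs is None else (now - fs).days


def rare_pairs(events, max_count=2):
    """(user, ip) pairs seen at most `max_count` times over the whole history:
    the 'needles' that only stand out against a long baseline of routine events."""
    counts = Counter((u, src) for _, u, src in events)
    return {pair: n for pair, n in counts.items() if n <= max_count}


if __name__ == "__main__":
    evs = sample_events()
    for days in (30, 365):
        dwell = dwell_time_days(evs, INVESTIGATION_DAY, days, "alice", "203.0.113.9")
        print(f"retention {days:>3} days -> estimated dwell time: {dwell} day(s)")
    print("rare (user, ip) pairs over full history:", rare_pairs(evs))
```

With 30 days of retention the investigator concludes the unfamiliar address first appeared yesterday; with a full year available the same query shows it first appeared 271 days earlier, which changes the scope of the incident entirely. That gap, not query speed, is the property the post is pointing at when it contrasts a data lake's long horizon with a SIEM's retention window.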

Not without Challenges

While the cyber data lake has tremendous upside and potential, it is not without its obstacles. Organizations jumping in may find that data lakes can be expensive to implement and maintain, can take a while to ramp up before growing large enough to deliver real value, and, although storage can be cheap, compute can be expensive without proper management.

However, given the rapid changes to cloud and the value of data over the last decade, there is an opportunity for security teams to piggyback on existing enterprise data lake projects. This would mean significantly less overhead and faster time to value for forward-looking executives, but it would require cross-team collaboration in large organizations where consensus can be difficult to achieve.

Where to Get Started

Teams looking to get started need to think about four key areas in establishing their security data lake:

  • What are the required use cases?
  • Do we have the right people today?
  • What data sources are going to be relevant to our security end goals?
  • How do we secure our data lake?

At Infinitive, our experts have supported our Fortune 500 client base with several of these questions. Whether your security teams already use a data lake alongside your SIEM and you are looking to optimize, or you are starting to consider augmenting your current SIEM, Infinitive can help your organization get the value out of your cyber data today and arm your security teams for today and tomorrow. For more information, contact us today!

Are you ready to get more value out of your data?