SIEM overview and limitations
A security information and event management (SIEM) solution enables organisations to capture and analyse a wide variety of security event data to support early detection of attacks and breaches. SIEM systems collect, store, investigate and report on security data for threat mitigation, incident response, forensics and regulatory compliance. This technology aggregates event data produced by security devices, network infrastructure, host and endpoint systems, applications and cloud services. The primary data source is log data, but SIEM technology can also process other forms of data, such as JSON structured data and trace data, as well as network telemetry (i.e., flows) and metadata.
With hundreds of thousands of dollars or more spent every year on purchases, maintenance and upgrades, IT teams view their SIEM tools as both an essential and an expensive component of their security infrastructure. SIEM solutions are priced based on data volume ingested, with add-on reporting functionality options. They can ingest raw packets as an add-on front-end function, but this is prohibitively expensive and virtually never done. Traditionally, they take in large amounts of NetFlow and log data, which can easily drive up licensing costs and overwhelm storage.
Another concern with SIEMs is that they often depend on unreliable sources of data. NetFlow is frequently limited to ‘5-tuple’ details (source and destination IP, source and destination port, protocol) that lack thorough insight, and it is typically sampled, so a flow whose packets are never selected for export does not appear at all. Generated logs suffer from information gaps. Such gaps can be a consequence of how logs are created:
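To make the sampling caveat concrete, here is an added Python simulation; it is not code from the original page or from any SIEM or NetFlow vendor. It builds a constructed packet stream from a handful of flows (one bulk transfer and three short connections, all addresses and ports invented), applies systematic 1-in-N packet sampling of the kind a router's sampled-flow export performs, aggregates what survives into 5-tuple records, and reports which flows a SIEM fed from that export would never see. The flow keys, packet counts and sampling rate are all assumptions chosen for illustration.

```python
from collections import namedtuple, defaultdict

# A NetFlow-style "5-tuple" flow key. This is all an unenriched flow record
# identifies a conversation by; there is no payload, hostname or user context.
FlowKey = namedtuple("FlowKey", "src_ip dst_ip src_port dst_port proto")

# Constructed traffic mix (hypothetical addresses): one large bulk transfer
# and three short flows of two packets each, e.g. a single DNS lookup,
# a short TLS session and a brief SSH connection.
BULK = FlowKey("10.0.0.5", "10.0.0.20", 51000, 445, "tcp")
FLOWS = [
    (BULK, 2000),
    (FlowKey("10.0.0.7", "10.0.0.53", 40001, 53, "udp"), 2),
    (FlowKey("10.0.0.7", "203.0.113.9", 40002, 443, "tcp"), 2),
    (FlowKey("10.0.0.9", "10.0.0.30", 40003, 22, "tcp"), 2),
]


def build_packets(flows):
    """Expand (FlowKey, packet_count) pairs into one interleaved packet stream.

    Packets of all flows are interleaved round-robin, roughly as they would
    arrive on a shared link, so short flows sit among the bulk traffic.
    """
    remaining = {key: count for key, count in flows}
    packets = []
    while any(remaining.values()):
        for key in list(remaining):
            if remaining[key] > 0:
                packets.append(key)
                remaining[key] -= 1
    return packets


def sampled_flow_table(packets, n):
    """Systematic 1-in-N packet sampling followed by per-5-tuple aggregation.

    Only every Nth packet is exported; the exporter then counts exported
    packets per flow key. A flow with no sampled packet is absent from the
    table entirely, rather than appearing with a count of zero.
    """
    table = defaultdict(int)
    for index, key in enumerate(packets):
        if index % n == 0:
            table[key] += 1
    return dict(table)


def missed_flows(flows, table):
    """Flows that existed on the wire but never reached the flow table."""
    return [key for key, _ in flows if key not in table]


def flow_coverage(flows, n):
    """Fraction of distinct flows still visible after 1-in-N sampling."""
    table = sampled_flow_table(build_packets(flows), n)
    return 1 - len(missed_flows(flows, table)) / len(flows)


PACKETS = build_packets(FLOWS)

if __name__ == "__main__":
    for rate in (1, 100):
        table = sampled_flow_table(PACKETS, rate)
        print(f"1-in-{rate} sampling: {len(table)} of {len(FLOWS)} flows visible, "
              f"{len(missed_flows(FLOWS, table))} missed")
```

With no sampling (N=1) all four flows are recorded; at 1-in-100 the exporter sees 21 packets, every one of them from the bulk transfer, and the three short flows are simply not in the data the SIEM receives. Even the bulk flow's record is only a 5-tuple with a packet count, which is the "lacks thorough insights" point made above.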
Please download our white paper to learn more.