When security information and event management (SIEM) tools came to the market over a decade ago, many practitioners considered the combination of information management and event management groundbreaking. Since then, the technology has gone through iterations to improve and enhance its capabilities, including the incorporation of user and entity behavior analytics (UEBA), machine learning and AI capabilities, and “out-of-the-box” configurations for smaller organizations to rely on.
Despite these advances — and the fact that SIEM is a security mainstay for countless large enterprises’ security operations centers (SOC) — a SIEM’s role in security management can prove complicated due to the noise and volume of the information it produces. As a result, many security professionals may find themselves at odds with their SIEM. After investing extensive time, money, and resources to implement and operationalize a SIEM, they expect to see marked improvements and increased efficiency, but that’s not always the case.
As cloud adoption rapidly increases (84% of organizations are utilizing a multi-cloud strategy), legacy SIEMs are falling short when it comes to cloud security. According to a 2023 survey from a SIEM provider on the value organizations see in their SIEM solutions, SIEMs can create patchy coverage and false alarms, while lacking functionality and increasing costs.
Threat actors continue to target the cloud as an attack vector. In the past year and a half, nearly 80% of companies suffered a cloud-based data breach.
Before diving into how these organizations can achieve better cloud security, it’s important to look at SIEMs holistically, and see where they excel and disappoint when it comes to SaaS applications.
The Benefits of a SIEM Security Platform
A SIEM does have many security benefits, the main advantage being its do-it-yourself model, which allows large enterprises full control over their SOC and security settings, strategies, and outcomes.
Other advantages include:
- Control. A SIEM is open by design, allowing internal teams to fine-tune the tool as desired.
- Monitoring and visibility. A SIEM monitors multiple aspects of the environment, giving teams real-time visibility into their applications.
- Threat detection. Rule-creation capabilities within a SIEM allow teams to specify normal behavior, which enables anomaly detection.
- Compliance. A SIEM can produce the reports typically required by common regulations.
All of these advantages make a SIEM an alluring tool for organizations looking to increase their monitoring, meet compliance needs (such as HIPAA for large health organizations) and respond to threats before they turn into data breaches. But like many tools, the same capabilities that make a SIEM useful can also create issues for the security teams managing it.
The Disadvantages of a SIEM Security Platform
In theory, automating data collection, aggregation, and analysis from all the security tools sounds like every analyst’s dream. But because SIEM is open by design, having to take on the burden of configuring and maintaining every aspect of the tool internally can be a resource drain, leading to misconfigurations, alert fatigue, and other issues that can hinder security more than bolster it.
- Long deployment times. It can take security engineers six months to a year to deploy a SIEM, and that doesn’t include time needed to configure the SIEM to look for specific correlations within the environment.
- Constant maintenance needs. Security environments are dynamic, which means a SIEM will need consistent reconfigurations and adjustments based on new threat intelligence, data, or operational changes.
- False positives. Without the correct correlations, a SIEM will generate false positives, which take up valuable time and hinder visibility and incident response.
- Staffing needed. A SIEM is just a tool, which means it’s only as effective as the team operating it. Given the security skills gap and increased cost of hiring security professionals, staffing a SIEM may be a major challenge for many organizations.
- Alert volume. Given the risk of environmental changes and misconfigurations, the alerts a SIEM generates could easily overwhelm a security team, leading to missed incidents and alert fatigue.
These vast disadvantages can make an organization second-guess whether a SIEM is the right solution for them, especially as more streamlined, managed solutions have come onto the market, such as managed detection and response (MDR) and extended detection and response (XDR).
Given the nature of a SIEM, one thing is clear: It’s not the right solution for an organization’s SaaS security.
Why a SIEM Won’t Work for SaaS Security
With the introduction of SaaS and other cloud offerings, integrating and managing a legacy SIEM platform becomes a lot more complicated. Not only does the cloud add many new log sources, but the rules are also different from a hardware-based environment.
SIEM technology was originally created for on-premises security architecture, where the network perimeter is well-defined. On-prem SIEM configurations are not intended for hybrid cloud environments, where the perimeter is blurred as users access SaaS applications from anywhere and on multiple devices.
One of the biggest problems with ingesting cloud logs into a SIEM is the additional, potentially massive, volume of data that is generated. The traditional SIEM wasn’t built to keep pace with that level of data.
The SIEM is also not agile enough for cloud services such as microservices, because in the on-premises, hardware-based environment, rules were typically based on known problems. That’s not the case in the cloud, where the threats are rapidly evolving.
As a result of these cloud-derived complexities, many organizations simply give up on the idea of using a SIEM to get visibility into their cloud infrastructure. That creates additional risk exposure, since cloud providers are not accountable for the security of your cloud assets.
However, SaaS-based SIEMs, designed exclusively for the cloud environment, are becoming more commonplace. But those have disadvantages as well, including possible outages, availability issues, misconfigurations, vendor issues, cost accumulations, and control issues. Whether on-prem or in the cloud, a SIEM still needs staffing and expertise to keep it functioning.
To properly maintain a cloud-based SIEM, an organization will need to:
- Continually update the SIEM to protect against cloud-based vulnerabilities and other security flaws
- Implement robust identity security strategies, as many, if not all, of your users are logging onto your organization’s various SaaS applications
- Employ network segmentation and access controls
- Monitor the SIEM continually for potential issues
That is all in addition to the work of configuring and maintaining the SIEM for your security, logging, and compliance needs, as well as migrating on-prem systems and data to the cloud-based SIEM. It’s a lot of work that can add more risk to your environment.
How Security Operations Addresses SIEM Challenges
SIEM still has a role to play in the SOC, but for small and medium-sized enterprises that need more agility and cost-efficiencies in a hybrid or cloud-first environment, it’s not a viable solution.
When you look at the sum total of the SIEM limitations and disadvantages, including staffing shortages, inaccuracies, manual tuning, and high time-to-value, it’s clear that an alternative may be the best route to take.
A managed detection and response solution built on open-XDR architecture is rooted in the endpoint and uses a combination of technology and humans to detect and respond to threats, often by identifying the root cause and submitting automated workflow recommendations. By utilizing this kind of solution, an organization can free up its security teams to focus on what they want out of their SIEM, knowing their previous blind spots and threat detection gaps are now covered.
Arctic Wolf® Managed Detection and Response is cloud-native and monitors cloud applications in addition to networks, endpoints, and identities. In addition, Arctic Wolf® Cloud Detection and Response is uniquely designed to identify and stop threats across an organization’s IaaS and SaaS resources. The pricing is also based on stable parameters including users and servers, allowing businesses to fully secure environments while controlling costs.
Explore the benefits of utilizing a managed threat detection and response platform with our MDR Buyer’s Guide.
Learn more about the issues a SIEM can create with our guide, How to Define and Optimize Your Relationship with Your SIEM.