Why did you buy a SIEM?

Why did you buy a SIEM?

Of course, you take cyber security seriously and have spent a lot of money on tech to help you detect threats and protect your business from ransomware, IP theft, data theft and loss of PII. You also need to be compliant to regulations that are specific to your industry and boy are you paying for it. Cyber security is one of the biggest spend categories in IT still and shows no signs of slowing.

Of course you have SIEM. Everyone has SIEM. SIEM has always promised much, but has it really delivered? What promises are you paying for and have those promises been kept? Maybe there are a few things that you really need from SIEM but are you still paying extra for the undelivered promises?

Every vendor telling you they have the magic bullet that can solve all your cyber problems just compounds the issue and adds to the fatigue of managing risk with too few resources and not enough money.

So, let’s look at core SIEM capability and see what we really need.

Log collection and correlation – secure and complete collection of logs, normalisation and parsing of log data for analysis
Alerting – customisable thresholds for real time alerts.
Drill down into events – threat hunting through a combination or drill down and query based searching
Log storage, retention and forensics – ability to efficiently store (data compression, filtration and truncation) of log data for compliance and forensics
User monitoring – who’s doing what, with what systems and with what privileges?
Reporting and compliance – out of the box compliance reports for a range of use cases
Dashboards & Analytics – visualisation of areas of concern and policy management

The Cost of Your SIEM + A SIEM Alternative

Ultimately for most it is about finding indicators of compromise and eliminating false positives and avoiding “alert fatigue”.

This is probably what you are getting from your SIEM, but are you also paying for “AI” or “Machine Learning”, “anomaly detection”, “advanced UEBA” or other advanced functionality even its it’s not mature and is still of questionable value, or if you don’t have the team available to take advantage of it?

That’s another thing, many of these SIEM systems are large, complex, technically difficult to deploy and manage, policy is hard to apply and you need someone “driving it” constantly. Probably a team of people.

Many customers are not even sure that they are collecting all the logs they should be, as there is no mechanism to check the log collection capability to ensure collection, or the secure encryption of those logs in transit. Or worse still, they simply can’t afford to collect all the logs because the SIEM vendor charges by the GB.

The other major issue I see in the market is that many companies don’t have a SIEM – they have three! Consolidating these systems, sending the same logs to multiple destinations (including their MSSP partner) is almost impossible. Migration from one platform to another is hard and the vendor has locked you in because you are using their tool to collect the logs. Dammit!

Maybe your company is mid-size, growing, but not yet on the Fortune 2000 list. You still need to comply with regulation but cant afford the bells, whistles and promises of the big SIEM vendors or the expensive and skilled staff to manage these systems. What do you do then? You need a SIEM alternative.

And so this brings us back to the original question. Why do you need (another) SIEM?

Maybe you don’t.

A very good Centralized Log Management platform (CLM) like Snare can give you all the core capability you need from SIEM at a fraction of the price and use a fraction of the resources. A good CLM can also add extra advanced functionality like File and Registry Monitoring (FIM & RIM) and Database Activity Monitoring (DAM) as well. You might even be able to rationalise some vendors with a good CLM like Snare and avoid vendor lock-in if you ever want to change.

So before you read the next “buyers guide” to selecting a SIEM – brought to you by “insert vendor here” have a look at a really good CLM platform like Snare as a SIEM alternative.

February 16, 2021/by Brad Thomas

Cookie and Privacy Settings

How we use cookies

We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.

Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.

Essential Website Cookies

These cookies are strictly necessary to provide you with services available through our website and to use some of its features.

Because these cookies are strictly necessary to deliver the website, refuseing them will have impact how our site functions. You always can block or delete cookies by changing your browser settings and force blocking all cookies on this website. But this will always prompt you to accept/refuse cookies when revisiting our site.

We fully respect if you want to refuse cookies but to avoid asking you again and again kindly allow us to store a cookie for that. You are free to opt out any time or opt in for other cookies to get a better experience. If you refuse cookies we will remove all set cookies in our domain.

We provide you with a list of stored cookies on your computer in our domain so you can check what we stored. Due to security reasons we are not able to show or modify cookies from other domains. You can check these in your browser security settings.

Google Analytics Cookies

These cookies collect information that is used either in aggregate form to help us understand how our website is being used or how effective our marketing campaigns are, or to help us customize our website and application for you in order to enhance your experience.

If you do not want that we track your visist to our site you can disable tracking in your browser here:

Other external services

We also use different external services like Google Webfonts, Google Maps, and external Video providers. Since these providers may collect personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and appearance of our site. Changes will take effect once you reload the page.

Google Webfont Settings:

Google Map Settings:

Google reCaptcha Settings:

Vimeo and Youtube video embeds:

Privacy Policy