Many traditional SIEMs fail because organisations simply don’t have the time, money, resources or processes to support the technology.
However, mid-sized organisations now have an affordable, user-friendly alternative.
Security information and event management (SIEM) is the fastest-growing security market segment, according to Gartner. This growth is driven by a combination of threat management and compliance requirements, and probably also by the fact that most traditional SIEM deployments have a shelf life of roughly 18 to 24 months before the organisation gives up and starts looking for another SIEM solution.
A recent study from 451 Research found that security managers reported significant obstacles to fully realising the benefits of SIEM, chiefly lack of expertise (44 percent) and inadequate staffing (28 percent); only a little over 50 percent of the enterprises surveyed were able to devote more than one professional to their SIEM implementation and monitoring.
The reality is that most organisations, especially the mid-sized ones with small security teams, cannot support traditional SIEM deployments and many of them fail because organisations simply don’t have the time, money, resources or processes to support the technology.
It’s the inability of organisations to implement and tune the technology and not the SIEM solution itself that threatens the long-term value of a traditional SIEM.
The entire SIEM category is flawed in its approach, especially in the mid-market where resources are often hard to come by, so we need to rethink our approach to SIEM.
Here are five specific challenges of SIEM that your customers are trying to overcome or might be concerned about:
1. High cost
SIEM technology is expensive and has, in most cases, been cost-prohibitive for the mid-market customer looking to secure their organisation.
Costs associated with a traditional SIEM deployment include:
• Initial licensing costs
• Implementation and optimisation costs
• Ongoing management costs
• Renewal costs
• Integration of data sources from disparate security technologies
• Training of personnel
The hidden costs are what usually bring about the demise of a traditional SIEM deployment: the very real and painful costs of deploying, integrating, using, managing, training for, tuning, cursing at, and potentially expanding the deployment.
These are the areas that have led to such dissatisfaction with the traditional SIEM approach. These are very real and evident in almost every organisation that has had experience with SIEM.
2. The user-hostile platform, especially with mid-sized businesses
Traditional SIEM solutions have been around for almost a decade. These same solutions were built to serve the largest of enterprises where resources and “dedicated” headcount are more the norm. When you understand “whom” these solutions were designed to serve, you can then understand why the vast majority of SIEM solutions are very difficult to use.
Yet, according to a recent study, more than two thirds of companies have one or fewer full-time staff assigned to SIEM administration, even though they believe they need additional staff to maximise its value.
3. Poor correlation
Organisations rely on the data collection and retention capabilities of the SIEM for the purpose of correlation. However, without a very strong custom correlation engine, detecting and responding to threats is nearly impossible. And if an organisation wants to maintain the fidelity of its correlation logic, it must re-verify its custom correlation rules every time the network changes, which generally requires a professional services engagement and therefore additional ongoing expense.
It is the complexity of managing all of the changes in a typical network, including moves, adds, and edits to the data sources (such as servers, devices, and applications), that often proves to be prohibitively high for small and medium companies that simply don’t have the resources.
4. Low tolerance for mistakes
A “rules-based” approach supports only a go-forward view of security data. If your customers get a correlation rule wrong, they cannot adjust the rule and reanalyse historical data, because events that did not match the old rule were never retained and have already been discarded. This is not the desired outcome, especially considering how much these traditional SIEM solutions cost.
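The two problems above, correlation rules that must be re-verified after every change (3) and a rules engine that keeps only its matches (4), can be shown side by side with a small correlation engine. The following is an added example written for this page; it is not AlienVault code or code from any SIEM product. The SSH log lines, IP addresses, rule thresholds and the class names MatchOnlyStore and RawStore are all constructed for illustration.

```python
"""Added example: a minimal brute-force correlation rule run over constructed
SSH auth log lines, comparing a SIEM that stores only rule matches with one
that retains raw events and can replay a corrected rule.  Not vendor code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): one IP fails four times in 13s and
# then succeeds; a second IP fails once and then succeeds.
RAW_LOG = """\
2024-03-01T10:00:01Z sshd[101]: Failed password for root from 203.0.113.7
2024-03-01T10:00:05Z sshd[102]: Failed password for admin from 203.0.113.7
2024-03-01T10:00:09Z sshd[103]: Failed password for root from 203.0.113.7
2024-03-01T10:00:14Z sshd[104]: Failed password for oracle from 203.0.113.7
2024-03-01T10:00:20Z sshd[105]: Accepted password for oracle from 203.0.113.7
2024-03-01T10:05:00Z sshd[106]: Failed password for bob from 198.51.100.3
2024-03-01T10:06:30Z sshd[107]: Accepted password for bob from 198.51.100.3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(raw: str) -> list:
    """Normalise raw syslog-style lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "outcome": m["outcome"], "user": m["user"], "ip": m["ip"],
            })
    return events


def brute_force_rule(events: list, threshold: int, window_s: int) -> list:
    """Alert when an IP has >= threshold failures inside window_s seconds followed by a success.
    Returns (ip, user, failure_count) tuples."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        fails = []
        for e in sorted(evs, key=lambda e: e["ts"]):
            if e["outcome"] == "Failed":
                fails.append(e["ts"])
                cutoff = e["ts"] - timedelta(seconds=window_s)
                fails = [t for t in fails if t >= cutoff]   # slide the window
            elif len(fails) >= threshold:
                alerts.append((ip, e["user"], len(fails)))
                fails = []
    return alerts


class MatchOnlyStore:
    """Models the go-forward SIEM of point 4: only the rule's verdicts are persisted."""
    def __init__(self, rule):
        self.rule, self.alerts = rule, []

    def ingest(self, events):
        self.alerts.extend(self.rule(events))   # raw events are discarded here

    def rerun(self, new_rule):
        return list(self.alerts)   # nothing to replay; the old verdicts are all that survive


class RawStore:
    """Retains raw events so a corrected rule can be replayed over history."""
    def __init__(self):
        self.events = []

    def ingest(self, events):
        self.events.extend(events)

    def rerun(self, rule):
        return rule(self.events)


def regression_check(rule, cases: list) -> list:
    """Point 3: after any rule or network change, re-run the rule over labelled raw
    samples. Returns the names of cases whose alerts differ from what is expected."""
    return [name for name, raw, expected in cases if rule(parse(raw)) != expected]


def demo() -> dict:
    events = parse(RAW_LOG)
    wrong = lambda ev: brute_force_rule(ev, threshold=5, window_s=60)   # too strict: misses the attack
    fixed = lambda ev: brute_force_rule(ev, threshold=3, window_s=60)
    match_only, raw = MatchOnlyStore(wrong), RawStore()
    match_only.ingest(events)
    raw.ingest(events)
    expected = [("203.0.113.7", "oracle", 4)]
    return {
        "match_only_after_fix": match_only.rerun(fixed),   # [] : the miss can never be recovered
        "raw_after_fix": raw.rerun(fixed),                 # the attack surfaces on replay
        "regression_failures": regression_check(fixed, [("ssh_brute_force", RAW_LOG, expected)]),
    }


if __name__ == "__main__":
    print(demo())
```

The first rule's threshold is deliberately one too high, so the initial pass produces nothing. Lowering it and re-running only helps the store that kept the raw events; the match-only store has no history to reanalyse. The regression_check helper is the cheap alternative to the professional-services re-verification described in point 3: a set of labelled raw samples that the rule set is re-run against after every change.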
5. Complicated and inflexible reporting
In a world where threats are increasingly dynamic, reporting must also be dynamic.
Traditional SIEMs typically ship with a selection of canned reports and are often not flexible enough to allow the creation of new reports that keep up with the rapidly changing conditions in today’s environments.
Canned reports can be useful, and may look great initially, but relying on a canned report to understand the end-to-end implications of a security event from the edge router to the application simply doesn’t work.
The Alternative: Unified Security Management
However, there is an alternative to the traditional SIEM deployment. AlienVault Unified Security Management (USM) builds all of the essential security capabilities your customers need into a single platform that is affordable, easy to use and easy to deploy.
This makes it a perfect fit for mid-market enterprises and organisations with limited budget and few in-house resources.
AlienVault USM Anywhere is a cloud-based security management solution that accelerates and centralises threat detection, incident response, and compliance management for your cloud and on-premises environments.
USM Anywhere includes purpose-built cloud sensors that natively monitor Amazon Web Services (AWS) and Microsoft Azure cloud environments. On premises, lightweight virtual sensors run on Microsoft Hyper-V and VMware ESXi to monitor virtual private cloud and physical IT infrastructure.
Your customer will have access to five essential security capabilities in a single SaaS platform:
- Asset discovery
- Vulnerability assessment
- Intrusion detection
- Behavioural monitoring
Named the only Visionary in Gartner’s 2016 Magic Quadrant for Security Information and Event Management, AlienVault offers a simplified licensing model based on the appliances in use, rather than on event volume or the number of event sources.
Here are more reasons customers opt for the AlienVault USM solution:
Contact Wendy Hassard, our CMS Distribution Product Manager to learn more on the Unified Security Management (USM) and AlienVault’s Partner Program or register for an interactive demo.