SIEM is dead? That is doubtful

Every couple years, a vendor comes along and declares a specific security technology or process dead. There was IDS and pen testing. Now it's Security Information and Event Management(SIEM).

That, according to eIQnetworks.

In this case, the company uses a survey as evidence. From the press release:

Two-thirds [65 percent] of senior security professionals at Global 5000 and federal organizations say traditional Security Information and Event Management (SIEM) products no longer provide enterprises and government agencies with the ability to tackle modern cyber threats and insider attacks.

According to a recent survey conducted by eIQnetworks, while point SIEM products provide useful data, they lack visibility across a broader set of security elements needed to detect the increasing number of data breaches and other successful cyber attacks on corporate and government enterprises.

As a result, these products fail to provide timely and accurate actionable information that would quickly allow them to identify an attack while it is taking place, and enable security professionals to repel or mitigate the attack before significant damage is done.

John Linkous, vice president and chief security and compliance officer at eIQnetworks, explains, “Just as signature-based technologies long ago stopped being the only effective line of defense for enterprise and government networks, the SIEM approach of relying entirely on logs and other event-based information to effectively address modern enterprise threats is now dead, as well. The tremendous number of successful, advanced persistent attacks in the last six months have demonstrated that SIEM products alone simply do not provide the capability for security analysts and system administrators to timely and accurately identify an attack, and take action in real time.

“Our survey suggests that security professionals are looking for a new approach to securing large distributed networks that gives security analysts visibility of all security and compliance data - not just logs and events - in a unified view via a single, integrated console. It also appears that they are not alone in this opinion – Gartner released a research note in July, ‘Delivering Situational Awareness’ (ID# G00214313), highlighting the need for situational awareness in large distributed networks.”

So here's where I have my doubts:

1.) Whenever someone declares a technology or process dead, it's usually some vendor hooey to drum up publicity. When Fortify co-founder and chief scientist Brian Chess predicted that pen testing would be dead in 2009, he was speaking as someone who believed his company's products would render pen testing obsolete. It's 2011 and pen testing is alive and well. The earlier prediction that IDS was dead hasn't come to pass, either.

2.) eIQnetworks is doing more of the same here. It considers its SecureVue platform superior to SIEM technology; the next step in the evolution of security technology, really. Fewer SIEM users means more potential customers for them. I don't fault them for wanting it to be this way. But wishing something dead rarely makes it so.

3.) If you look at the language of the survey results, nobody specifically says SIEM is dead. The exact language is that "traditional SIEM products no longer provide enterprises and government agencies with the ability to tackle modern cyber threats and insider attacks." If every technology that failed to keep up died, antivirus would have been dead a long time ago. It is still with us, as imperfect as it may be.

The more security practitioners I talk to, the more I have to conclude that every type of security technology is imperfect. Even if it were perfect, humans are not and would find a way to screw something up.

It's better to find ways to get the most out of these imperfect machines than to declare them dead. They're not going anywhere so we may as well use them as best we can.

Besides, last time I checked the economy was still fragile, so we can't really afford perfection anyway.

--Bill Brenner

one-stop view of latest business threats. We created it for you! Bookmark it! Use it!

CSO's Daily Dashboard gives you a

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Healthcare records for sale on Dark Web