SIEM: Dead or alive?
Security practitioners defend the value of SIEM after elQnetworks declares the technology dead.
By Taylor Armerding
September 22, 2011 — CSO —
Is SIEM dead?
That depends on who is taking its pulse. The press release this past week from eIQnetworks reads a bit like an obituary for Security Information and Event Management. According to a recent survey the company conducted with senior security professionals at Global 5000 and federal organizations, SIEM has joined signature-based technologies on the ash heap of IT history.
"The SIEM approach of relying entirely on logs and other event-based information to effectively address modern enterprise threats is now dead," said John Linkous, elQnetworks vice-president and chief security and compliance officer.
Instead, Linkous said, an elQnetworks product called SecureVue delivers, "a true unified situational awareness platform that delivers comprehensive security intelligence and provides the real-time information that defenders need to identify, prioritize and respond to modern security threats."
But other infosec experts say they don't expect to be attending a funeral for SIEM anytime soon. The claims of its death, they say, amount to little more than marketing hype for a product.
Dr. Anton Chuvakin, research director at Stamford, Conn.-based Gartner, says no single security measure is adequate on its own, but that SIEM is a tool, and still a good one. "If the question is, 'Does it stop hackers?' then the answer is no. It's not supposed to stop anything," he says. "It is a monitoring technology, and it is still effective -- more so than before."
Linkous acknowledges that SIEM still has value, but says the point elQnetworks is making is that, by itself, it does not offer the protection that enterprises need against the kinds of threats they now face.
"Nobody is advocating that you pull the firewall (or other security tools) out of your environment," he says, "but if you're relying on that, you're screwed. It has to be part of a layered strategy, but it is only a part."
So, perhaps it's all, or mostly, semantics.
Ed Bellis, CEO of HoneyApps Inc., notes that, "every year we go 'round and 'round, saying 'X' technology is dead," but he says the reality is what he declared in a recent speech: "The era of declaring a specific technology dead is dead."
He and others note that the elQnetworks press release has some qualifiers in it, saying that relying "entirely" on SIEM is no longer effective. SIEM advocates have never claimed it is the only necessary tool in the box.
And Linkous stops short of saying SIEM is useless and will disappear. Chuvakin says, and Linkous agrees in part, that SIEM is "a foundation for situational awareness."