A lot of companies are now touting big data analytics that will find badness that your other security tools do not find. Almost every pitch I see has something very much like the SIEM Funnel from 2005. The assertion tends to say these solutions would have bubbled those two or three compromised Target servers up to the top. It will be interesting to see what this segment of the security market looks like in two years. For those of us that bought into the SIEM market, we found out that a SIEM is very needy in terms of man-hours. There are several reasons for this:
- Getting all the data feeds going (no small feat in most companies)
- Building network and asset models
- Creating rules, dashboards, reports, etc
- Tuning out false positives
- Troubleshooting the inherent performance problems of processing hundreds of millions of events per day
In short, you spend a lot of time up front getting the system going and on-going effort to keep it running.
These new products want all your SIEM data plus many other sources like DNS queries, and netflow. Think about that volume of data for a second.
Here are the typical promises for today's big data security platforms:
- No rules to create
- Zero (or very few) false positives
- Scalability - these systems will not be over-run with data
- Little to no analyst time required to find badness
- Full kill chain visibility for compromises
I suspect the majority of these systems will fall short of the promises laid out above. However, I do believe we will have some great tools a couple of years from now that will make us wonder if we really do need that SIEM. Oh, and by the way, this is not a "SIEM is dead" post by any means. There will almost always be a place for SIEM in the SOC environments.