You wrote that SIEM is the likely product to support system of record for security. Any particular reason you selected SIEM? Then why are SIEMs not doing it now?
Note that a System of Record is usually where the data sits, then all the other tools tie into it. That feels like a SIEM to me. Of course there are also VM systems and firewall logs and netflow recordings. Invariably the SIEM vendor attempts to incorporate them all.
Love the post, Richard, really well thought out. The question about why SIEMs haven't managed to become the SoR, however, remains.
One guess is the SIEM is focused on only one class of data (or records), the events. That leaves room for other categories to keep data related to states (vulnerability management, exposure management, etc.), intel, etc. Those eventually become big enough to start challenging the SIEM for relevance.
Another alternative is simply scale. The amount of data on a SIEM seems to be larger than those other SoRs you mentioned in the SaaS space. That makes it too expensive to consolidate data, so organizations end up keeping separate silos of data, always denying the SIEMs the scale to reach the point where data gravity makes them the single, unified SoR.
Finally, there's also the schizophrenic nature of SIEM; the SEM+SIM amalgamation that makes it something trying to be a SoR and a SoD. Technical requirements (and expertise) are so different that it becomes an impossible target to achieve, so they remain mediocre at both.
Could not agree more, Augusto. Is it also a problem that SIEMs are also a log management tool? Because of compliance you have to log everything and therefore end up keeping a lot of useless data.
Investments in cybersecurity should always be based on mitigating risks in your cybersecurity program - not because of a fancy product feature.
Thanks for sharing, Richard
And never on something that makes procurement's job easier. :-)
Absolutely! :-)
A system of record - I'd agree.
But a system of decision; i.e. a BI tool - isn't that what SIEMs are? Just a BI tool for security events?
Agree but a very poor BI tool.
Great points. Love this quote and it is so true: "What is not OK is when the CEO falls for their own marketing and the fantasy becomes the strategy."