Any Alternatives to ‘Traditional’ SIEM Solutions?
Meeting Customers & Getting Feedback on SIEM Solutions
I spent the last 2 weeks visiting customers and partners in the US: Austin, San Francisco, Washington DC and New York. A lot of time was spent in pretty crowded airplanes; some of the internal flights in the US can be tough going. Flying from Newark to Austin, for example, always seems to be in a small jet and takes an age. Transatlantic flights are fine, even in coach; just always try to get seat 21F: great leg room, AND it reclines.
One of the trends I noticed was the number of customers deploying or talking about SIEM solutions (Security Information and Event Management), well-known products from companies like IBM, HP, Splunk, etc. It seems like all of the users I spoke with were unhappy:
- ‘We should not have purchased it in the first place, we’re too small, we do not have the people’
- ‘We were here until midnight last night with the consultant trying to deploy it, she is in here again today so I have to cut our meeting short’
- ‘Yes, it is very expensive but we got a good deal’
- ‘We have got rid of it, it’s too expensive especially with the amounts of data we were throwing at it and their pricing model. We are looking at SIEM alternatives including open source now’
- ‘I don’t like it, it is too complex, was here when I joined. We will look at other SIEM options next year’
- ‘We can’t use it, I have asked for meaningful data and it did not happen, we are now looking for a managed service to look after it’.
Network Traffic Analysis – A viable alternative for SIEM solutions?
It looks like almost everybody these days is talking about or thinking about logs, SIEM, etc. Probably because the demand for security visibility is growing and they think SIEM is the only option. But there are alternatives to SIEM, for example network traffic analysis.
Some really useful metadata (actionable, readable data, not just streams of bytes) can be extracted from network traffic; this is also known as wire data analytics. That data is suitable for many security AND operational use cases because of the rich detail it contains. It can also be retained for long periods with little effort and is ideal for forensics.
There is also a very strong case for combining wire data AND log data in one central location or SIEM. The combination of both can offer a very flexible alternative: total visibility, granular detail and data for a variety of use cases.
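To make the two points above concrete (metadata extracted from traffic rather than raw bytes, and wire data joined with log data in one place), here is an added example that is not LANGuardian code or anything from the original post. It builds a few Ethernet/IPv4/TCP frames in memory as constructed sample input, parses them into per-flow metadata records (endpoints, ports, packet and byte counts, first/last seen) while discarding the payloads, and then correlates those flow records with constructed syslog-style failed-login lines by source IP and time window. The frame layout, the log format and the `build_frame`, `extract_flows` and `correlate` helpers are all assumptions made for this example.

```python
"""Wire-data metadata extraction and correlation with log data (added example)."""
import re
import struct

IPV4_ETHERTYPE = b"\x08\x00"
TCP = 6


def _ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_frame(src_ip, dst_ip, sport, dport, payload_len):
    """Construct a minimal Ethernet/IPv4/TCP frame (constructed sample, not a real capture)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + IPV4_ETHERTYPE           # dst MAC, src MAC, ethertype
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, TCP, 0,
                         _ip_bytes(src_ip), _ip_bytes(dst_ip))  # IHL=5, no options
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr + b"\x00" * payload_len


def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, payload_bytes) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != IPV4_ETHERTYPE or frame[23] != TCP:
        return None
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:14 + ihl + 20]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4                  # TCP header length in bytes
    return src, dst, sport, dport, total_len - ihl - data_offset


def extract_flows(packets):
    """Aggregate (timestamp, frame) pairs into flow records keyed by (src, dst, sport, dport).

    Only metadata is kept; payload bytes are dropped, which is what makes wire-data
    records compact enough to retain for long periods.
    """
    flows = {}
    for ts, frame in packets:
        parsed = parse_frame(frame)
        if parsed is None:
            continue                                   # non-IPv4/TCP frames are ignored here
        src, dst, sport, dport, payload = parsed
        rec = flows.setdefault((src, dst, sport, dport), {
            "src": src, "dst": dst, "sport": sport, "dport": dport,
            "packets": 0, "bytes": 0, "first": ts, "last": ts})
        rec["packets"] += 1
        rec["bytes"] += payload
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return list(flows.values())


# Assumed log format: "<epoch seconds> sshd[pid]: Failed password for <user> from <ip> ..."
LOG_RE = re.compile(r"^(?P<ts>\d+) sshd\[\d+\]: Failed password for \S+ from (?P<ip>[\d.]+)")


def correlate(flows, log_lines, window=5):
    """Pair each failed-login log line with flows from the same source IP seen within `window` s."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, ip = int(m.group("ts")), m.group("ip")
        for f in flows:
            if f["src"] == ip and f["first"] - window <= ts <= f["last"] + window:
                hits.append((line, f))
    return hits


# Constructed sample traffic: 10.0.0.5 talks to the SSH port on 10.0.0.10, plus one HTTPS flow
SAMPLE_PACKETS = [
    (1000, build_frame("10.0.0.5", "10.0.0.10", 51000, 22, 64)),
    (1001, build_frame("10.0.0.5", "10.0.0.10", 51000, 22, 128)),
    (1002, build_frame("10.0.0.5", "10.0.0.10", 51000, 22, 32)),
    (1003, build_frame("10.0.0.7", "10.0.0.20", 43210, 443, 500)),
]
# Constructed sample log lines
SAMPLE_LOGS = [
    "1002 sshd[4242]: Failed password for root from 10.0.0.5 port 51000 ssh2",
    "1003 sshd[4242]: Accepted password for alice from 10.0.0.8 port 52000 ssh2",
]


def demo():
    """Run the pipeline on the constructed samples; returns (flow records, correlated hits)."""
    flows = extract_flows(SAMPLE_PACKETS)
    return flows, correlate(flows, SAMPLE_LOGS)


if __name__ == "__main__":
    flows, hits = demo()
    for f in flows:
        print("flow:", f)
    for line, f in hits:
        print("log:", line, "-> matched flow", f["src"], "->", f["dst"], "bytes", f["bytes"])
```

The flow record for the SSH conversation ends up as three packets and 224 payload bytes between 1000 and 1002, and the single failed-login line is paired with it; the HTTPS flow and the successful login are left alone. In a real deployment the frames would come from a capture source such as a SPAN port and the log lines from a syslog feed, but the join on source IP and time is the same.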
I also just cannot understand why these organizations purchase some of these monsters. They usually cost a fortune, take an age to deploy even with the help of a consultant, and eventually just sit there because nobody can use them. I guess they are OK for large enterprises who have the personnel, but I bet they still struggle. Usability is an absolute priority but not easy to get right. As for deploying ‘traditional SIEM’ across medium or small organizations, I really have my doubts.
Make sure you try products before you buy them
Do the people making the decision ask for references, current users they can talk to, roughly the same size, with similar resources? We are sometimes asked for references when in the final stages of a deal. But as prospects can also download and easily deploy our LANGuardian on their own hardware or VMware, see it in action on their own network and use it in anger, that is usually all the validation they need. A great model for both parties, I think. If you cannot easily TRY a product, see it in action yourself and actually use it with very little training, then it could be time to start asking hard questions.