Legacy SIEMs are Stuck in the Past

Finding a mechanism to collect, store and analyze security data is relatively simple; there is no shortage of options for storing data. Collecting all security-relevant data and turning it into actionable intelligence, however, is a completely different matter.


Many Security Operations Centers (SOCs) that invested in Security Information and Event Management (SIEM) platforms have learned this fundamental truth the hard way. After spending significant time and money recording security events, they found not only that ingesting all that data took a long time, but that the data model underlying a legacy SIEM tends to be static, so it cannot easily accommodate new data sources or new questions.

Worse yet, the data available for analysis consists only of security events, which makes it difficult to correlate those events with what is happening across the rest of the IT environment. When something goes wrong, investigating a security event takes time most organizations cannot afford, and the SIEM cannot keep pace with the rate at which events need to be investigated. The continued adoption of cloud services adds new threat vectors: SOCs now need to monitor user activity, behavior and application access across key cloud and SaaS services as well as on-premises services to determine the full scope of potential threats and attacks.


What SOCs require today is a simple way to correlate all security-relevant data so that they can manage their security posture. Instead of merely watching events after they occur, an IT department should anticipate them and put measures in place to limit its exposure in real time. For that, SOCs need an analytics-driven SIEM platform.

An analytics-driven SIEM lets IT monitor threats in real time and respond quickly to incidents so that damage can be avoided or limited. But not all attacks come from outside: IT also needs a way to monitor user activity so that it can minimize the risk from insider threats or accidental compromise. Threat intelligence is critical to understanding the broader threat environment and putting those threats into context for the organization. An analytics-driven SIEM must excel at security analytics, giving IT teams sophisticated quantitative methods to gain insight and prioritize their efforts. Finally, a SIEM today must include the specialized tools needed to combat advanced threats as part of the core platform.

Read success stories on how other companies have replaced their legacy SIEM with the analytics-driven SIEM Splunk Enterprise Security. A luxury retailer, a financial services provider and an energy company explain how they benefit from an analytics-driven SIEM.


There are six essential capabilities of an analytics-driven SIEM. Want to know which ones? Download the whitepaper today!


April 2018