Is SIEM dead?
That depends on who is taking its pulse. The press release this past week from eIQnetworks reads a bit like an obituary for Security Information and Event Management. According to a recent survey the company conducted with senior security professionals at Global 5000 and government organisations, SIEM has joined signature-based technologies on the ash heap of IT history.
"The SIEM approach of relying entirely on logs and other event-based information to effectively address modern enterprise threats is now dead," said John Linkous, eIQ vice president and chief security and compliance officer.
Instead, Linkous said, an iEQ product called SecureVue delivers, "a true unified situational awareness platform that delivers comprehensive security intelligence and provides the real-time information that defenders need to identify, prioritise and respond to modern security threats."
But other infosec experts say they don't expect to be attending a funeral for SIEM anytime soon. The claims of its death, they say, amount to little more than marketing hype for a product.
Dr. Anton Chuvakin, research director at Gartner, says no single security measure is adequate on its own, but that SIEM is a tool, and still a good one. "If the question is, 'Does it stop hackers?' then the answer is no. It's not supposed to stop anything," he says. "It is a monitoring technology, and it is still effective, more so than before."
Linkous acknowledges that SIEM still has value, but says the point iEQ is making is that, by itself, it does not offer the protection that enterprises need against the kinds of threats they now face. "Nobody is advocating that you pull the firewall (or other security tools) out of your environment," he says, "but if you're relying on that, you're screwed. It has to be part of a layered strategy, but it is only a part."
So, perhaps it's all, or mostly, semantics.
Ed Bellis, CEO of HoneyApps, notes that "every year we go 'round and 'round, saying 'X' technology is dead," but he says the reality is what he declared in a recent speech: "The era of declaring a specific technology dead is dead."
He and others note that the eIQ press release has some qualifiers in it, saying that relying "entirely" on SIEM is no longer effective. SIEM advocates have never claimed it is the only necessary tool in the box.
And Linkous stops short of saying SIEM is useless and will disappear. Chuvakin says, and Linkous agrees in part, that SIEM is "a foundation for situational awareness."
Both sides also agree that situational awareness is not a piece of software that can simply be dropped into a system to provide better security. "Situational awareness does not come in a box," Chuvakin says.
"SIEM is a point product," Linkous says, "which has a fixed function and purpose. Situational awareness is a more holistic function that uses SIEM, but uses dozens of other tools as well."
That is the view of Nicholas Brigman, senior director of security strategy at CompuCom Systems, which has been using SecureVue with a few of its clients for the past couple of years, but now plans to expand it.
"We had been waiting for a tool like this," he says, "not just to do log management, not just SIEM, but how do I look at network patterns? Now we can do that in an integrated way."
All of which points to a continuing evolution of security, but not to the death of SIEM.