Last Updated on April 26, 2022
Security Information and Event Management (SIEM) is widely perceived as slow, expensive and ineffectual. For example, according to Panther Labs’ “State of SIEM” survey, about 20% of companies said their SIEM solution took 12 months or more to deploy. Yet the marketplace is flush with SIEM options. And security decision-makers are still out there trying to choose “a SIEM.”
What is a SIEM these days? What value does traditional SIEM actually add for security? Is it time for the marketplace to re-envision what SIEM can be?
To share his vision of the future of SIEM as “the heart of your security operations team,” Jack Naglieri, Founder and CEO at Panther Labs, joined a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security CISO and Managing Partner, is the host.
Pushing the boundaries of SIEM
The heart of something is its “central or innermost part.” Security operations run on data, so “the heart of your security operations team” must be the place where team members go to get answers from the data. This is Jack’s vision for Panther.
“I think about a Security Operations Center really being focused on detection, investigation and response,” says Jack. “The platform that supports it has to take in and normalize data. So, there’s a level of ETL that isn’t fully separate from SIEM. But at this scale, like SIEM based on a cloud data warehouse, you’re combining a lot of different things together: detection/response, ETL, data lake…”
With all these integrated on-cloud capabilities, Panther is more a security analytics platform or security operations platform than a SIEM in the conventional sense.
“Panther is really meant to be this generalized way to create security intelligence out of all your different data,” clarifies Jack. “That’s what I really think SIEM should be.”
Operate at the needed scale at a reasonable cost
Two of the things Panther is looking to change about SIEM are its high total cost and inadequate scalability.
“We’re making sure that we can at least operate at the scale that’s needed at a cost that’s reasonable,” Jack offers. “That’s the baseline. Then, how do we make the workflows as practical as possible to reflect what we see in reality, which is people want to use things like CI/CD for managing these detections. They want to programmatically interact with this security operations platform.”
Speed is also key
When you’re operating on a grand scale, plugged into a data warehouse, you also need some automation to streamline and accelerate detection processes.
“You have to automate things because we are defending against attackers that are using automation against us,” emphasizes Jack. “So, speed is very important. We need speed and visibility about everything that’s going on, and very sophisticated systems are required to do that.”
“That’s been the constant challenge in security,” Jack points out. “These architectural decisions that we chose allow us to get our arms around that and continue on this journey of being good defenders.”
Moving beyond SIEM
Panther does a lot of what a SIEM does today, only much better. So, why not call it something new and different?
Because, as John observes, “People are still going to the market looking for quote-unquote, ‘a SIEM.’ So, you have an educational selling challenge.”
Another challenge is the widespread negative connotation associated with SIEMs.
“Looking at the vast majority of SIEM projects that we did… long-term, they were failures,” acknowledges John. “Generally speaking, we were not able to keep a client happy. Even if you got the darn thing operational at one point in time, just the drift as the organization and its systems changed, the maintenance necessary was way too high.”
To hear the entire show with Panther CEO Jack Naglieri, click here.
Interested in best practices for configuring your SIEM? You’ll appreciate this post: A “Less is More” Mentality Will Save Your SIEM Deployment & Operation