While security information and event management (SIEM) solutions often serve as the central tool for organizations’ security operations centers (SOCs), this established approach is not sustainable for modern organizations, which are grappling with a massive amount of data and different security tools.
More and more, organizations are looking to decentralize or decouple their SIEM data. But what exactly does this mean and what does it look like in practice? And more importantly, why should an organization consider this approach?
The SIEM’s many data challenges
Among the challenges of SIEMs today are:
Data silos persist in multiple layers. Valuable security data from the various, but disparate tools remain isolated and difficult to unify into a meaningful view. Aside from security data, data from business tools also experience silos that prevent them from enriching security insights. When companies can combine enterprise and security data, they can get greater clarity about where they stand in terms of security, risk and compliance.
With a SIEM, it’s hard to know whether an organization has the correct data. Security leaders may have blind spots due to outdated or incomplete data sources or be missing high-volume log sources that are too large or costly to store in the SIEM, but that still have value for security analytics.
Slow and limited
Threat hunters face data challenges like time-consuming data preparation for hunting and high-latency from compute-intensive queries.
Legacy SIEMs are limited in their data retention and storage capabilities, leading to delays during time-sensitive investigations and coordination challenges in rehydrating data from long-term storage.
The decoupling process
Decoupling the analytics and storage from the SIEM is one way to overcome these challenges but still enjoy the advantages of a SIEM. Because a SIEM gathers data from several sources, the decoupling process entails dividing the SIEM capabilities from the data platform. This can provide you with a comprehensive view of all your security tools so you know whether security leaders are making the most of each one.
Enterprises may have scores of security tools; what they don’t have is clarity about which data should go into the SIEM, which data should come out and which data is being used for reporting, compliance or security analytics.
Security leaders can evaluate their data once they have decoupled it from their SIEM. With the goal of achieving an integrated data layer in which the data from many sources gets consolidated, security leaders can clean, de-duplicate and enrich that data.
The data layer decoupling framework
Decoupling the data layer starts with analyzing the whereabouts of data silos and then dismantling them. After finding these silos for each team and the data they need, security leaders will have clarity about how and why employees are using this data.
Once security leaders have this clarity, they can begin to optimize data, not only for threat hunters and security analysts but also for governance, risk and compliance (GRC) or other business teams. This process will help security leaders prioritize use cases and data projects. And of course, don’t forget data governance.
This framework necessitates a novel method for gathering all the data cost-effectively: creating a security data fabric that benefits from a data lake. With this in place, security leaders can combine, analyze and manage security data to allow for keener security insights because the data is enriched, cleansed and easy to use.
By decoupling data from the SIEM, security leaders can gather the business context needed for their security, risk and compliance teams to defend their people and their network. The SIEM and other security solutions will still play their parts, but it doesn’t make sense to put all other data there.