Good security monitoring is at the core of any security team’s mission, and SIEM platforms are most commonly used as the foundational tool to support that mission.
However, as cloud infrastructure has become the default in more and more organizations, the amount of security-relevant data that security teams need to collect and query has grown exponentially. With this data explosion, many security teams are struggling to get the visibility, speed and scale they need from their SIEM.
We wanted to understand the state of SIEM today, and where security practitioners feel they are, or aren’t getting what they need. So, we surveyed over 400 security professionals who are actively using a SIEM platform and published the top findings in our recent State of SIEM 2021 report.
Among the findings, there were 6 key take-aways that stood out to me, and underscore our mission at Panther – to provide a security monitoring platform with the scalability, visibility, speed, and flexibility that modern security teams need to secure their enterprise environments.
Read on to learn more about what the IT security professionals we surveyed told us about what prevents them from being as effective as they could be, and how we at Panther are striving to change that.
1 – Deployment and implementation can be 12 months or longer.
Over 18 percent of respondents indicated that the time required to receive high-value alerts — from deployment to implementation — was 12 months or longer.
A SIEM platform is one of the primary tools detection and response teams use to secure enterprise environments. It must be deployed and configured as quickly as possible. Without visibility into your security-relevant data, you are, as a pilot in a cloud bank, flying blind. Without the ability to receive high-fidelity alerts over all your data, your risk of becoming the next cyber breach headline increases dramatically.
Panther was designed with speed to full deployment in mind. We provide pre-built detections to identify suspicious activity across cloud, SaaS, and endpoint data sources. The time from the purchase of Panther to receiving high-value alerts from all your relevant data is measured in hours or days, not weeks and months.
2 – Alert fatigue is real.
Nearly a quarter of the respondents said that the biggest challenge with their current SIEM platform is receiving too many alerts.
I have seen firsthand what happens when security teams are faced with too many false alerts. Alert fatigue sets in, and effectiveness falls dramatically. Panther was developed to provide a better alternative to either hiring more personnel to validate signals or accepting unnecessary risk.
Detection-as-code allows analysts to use Python and robust CI/CD workflows to easily create powerful and flexible custom detections tailored to work for your specific environment.
3 – Cost versus capabilities don’t align.
Over 40 percent of the IT security professionals surveyed said their organization was overpaying for their SIEM relative to the system’s capabilities.
No one wants to pay too much, and when nearly half of the users of a given technology feel taken advantage of by their providers, it should be a wake-up call for the industry.
The problem is that traditional SIEM platforms are built on outdated, inefficient data storage architectures, causing costs to skyrocket with the exponential growth of security relevant data from cloud applications. As a result, many teams find themselves in the unenviable position of needing to carefully choose what data they monitor to control costs. It is untenable for security professionals to try and guess what security data will or won’t be needed for a future incident investigation.
4 – Poor network visibility is the top complaint of traditional SIEMs.
When asked to rate their satisfaction with SIEM capabilities, the largest percentage of respondents indicated they were unsatisfied with their current SIEM platform’s network visibility capabilities. Monitoring networks requires collecting a massive amount of data that’s primarily used during investigations. Because traditional SIEMs fail at scale, most security teams don’t even bother, which creates gaps further down the line during incident response.
Security teams are small, understaffed, and generally not experienced in DevOps or software engineering. Yet, high-scale visibility requires these skill sets in addition to a lot of tribal knowledge of system instrumentation. To get the data they need, detection and response teams must build reliable, fault-tolerant, and elastic data processing pipelines to handle all their data. They are ill-equipped for this task, and traditional log analytics and SIEM tools do the bare minimum to help them get the data in and do not provide repeatability, best practices, or structured data.
5 – Big data and scalability are the most desired capabilities.
Nearly 30 percent — the largest group — said that big data infrastructure and scalability would be the two most essential capabilities to evaluate a new SIEM vendor. The rapid rise in data-oriented SaaS services, such as Snowflake and Databricks, has also opened the door for new technology to take advantage of these platforms, to run at a massive scale with a small team.
The C-suite must listen to those on the front lines of cyber protection. For all the same reasons they invest in cloud infrastructure for their operations and web environments, security information and management must follow suit. I believe Panther can serve as the foundation for modern organizations to quickly deploy detection and response programs and secure cloud environments.
6 – Most users are unhappy with their current SIEM vendor.
The fact that over 50 percent of our respondents said they are not happy with their current SIEM vendor confirms what many in the industry have intuited anecdotally. All the incumbent platforms do a poor job at providing a robust enough platform for detection at scale. If you look at the evolution of well-known products, you’ll see that they all started as general-purpose log collection & correlation solutions. Unfortunately, these platforms can’t get anywhere close to the scale/flexibility needed to support real-time threat detection and response.
Panther was born from the struggles recounted above by a team of veteran security practitioners who lived these problems and have now built a solution. Detection is a data problem, and we need to treat it like one. Our platform is built with speed, scale, and flexibility in mind. We are applying lessons from high-performing production environments to enable security teams to send either 1GB, 1TB, or 1PB of data, all with the same configuration.
The results of our inaugural State of SIEM report confirm the premise we have been operating under since our inception. If you haven’t done so yet, I encourage you to take a look at Panther and see how you can make security monitoring fast, flexible and scalable.