Beyond SIEMs

While security information and event management (SIEM) tools have certainly helped many an enterprise IT organization get a better handle on aggregating and analyzing logs across disparate security tools, these organizations are starting to butt up against the limitations of SIEM. And as enterprises seek more insight into the business trends and user activity affecting their security posture, they're finding that they shouldn't mistake the use of a SIEM for the existence of a security analytics practice.

"I think SIEM is a starting point for security analytics, but only a starting point," says Ed Bellis, CEO of Risk I/O.

(...)

Part of the difficulty with SIEM has been the increased security "noise" and the complexity of the systems feeding into it.

(...)

"SIEMs weren't originally designed to consume much more than syslog or netflow information with a few exceptions around configuration or vulnerability assessment," he says. "Security analytics is more than just big data, it's also diverse data. This causes serious technical architectural limitations that aren't easy to overcome with just SIEM."

For example, SIEM can't account for data sources such as financial data that could help with fraud detection, human resources information, metadata about the business, or sentiment data from sources like social media. These kinds of sources, external to the security stack, can prove crucial in pinpointing business risks that require contextual clues to spot.

"Security analytics needs to include big picture thinking -- integration of the meanings and interactions of signals, not just the raw reduction of streams of events," says Mike Lloyd, CTO of RedSeal Networks.