When the bough breaks: The end of the SIEM era and rise of ELK

The story behind the mass exodus of enterprises from SIEM to Elastic

"It is not the strongest or the most intelligent who will survive, but those who can best manage change." -Leon C. Megginson


In my Ashes to Ashes article, I talked about how the event fatigue problem perpetuated by SIEM solutions requires SOAR to address it. SOAR also expands and improves SecOps by mechanizing and organizing the sense and response activities that previously relied on the human analyst. SOAR effectively takes SIEM further by combining data collection, threat and vulnerability management, incident response and case management, workflow, and analytics, giving organizations the ability to implement autonomous workflows, process execution, and response actions through what are referred to as "playbooks."

A FireEye survey that polled C-level security executives at large enterprises worldwide found that 36% of respondents receive more than 10,000 alerts each month from their SIEM; of those alerts, 52% were false positives and 64% were redundant, costing companies an average of $1.27 Mn every year.

It goes without saying that SIEMs have quickly lost their sex appeal as security analysts continue to take fire daily from the false positives their SIEM generates, or from the MSSP they had to retain for its daily care and feeding and 24x7 monitoring. It quickly became evident that a SIEM requires daily, round-the-clock tuning by seasoned staff capable of writing rules for that specific platform in order to reduce the noise, with no end in sight. The dream of effective centralized monitoring of events across the enterprise would need to be reimagined.

But as with everything in life, it isn't that simple. What about the growing cost of big data SIEM solutions that charge by the amount of data ingested per month? According to a recent IDG survey on Data and Analytics, the average enterprise manages 347.56 TB of data, seven times as much as the average SMB with 47.81 TB, and organizations of all sizes expect that amount to increase considerably in a relatively short timeframe.