When Is Enough Enough?

When Is Enough Enough?

Are SIEMs the foundation to build on or are they empty promises?

With more complex cyberattacks on the rise, and with COVID-19 adding additional challenges to protecting the enterprise, is the SIEM the go-forward core of a next-gen security operations center (SOC), or is it time to consider new ideas?

We discuss daily the cybersecurity challenges with global thought leaders, but we wanted to get better insights into this challenge question to better understand the market. To that end, we contracted LeadtoMarket to perform a study with customers who have industry-leading SIEM platforms, to understand what is needed for customers to rethink their SOC practices and to consider a means to radically reduce costs and dramatically improve performance by reducing the complexity of day-to-day cybersecurity operations. The survey assumes the SIEM is foundational to the organization’s SOC today.

Nearly 50 of companies were contacted in the United States and Canada, including organizations from higher education, finance, healthcare, services and state/local government. Security decision makers were interviewed. In terms of installed base, 54% of disclosed responses used QRadar as their SIEM; 46% were Splunk customers.

Change is possible when…

Customers always tell us it can take up to 2 years to remove a vendor, adding in the real and intangible costs of training and best practices transfer. It’s no wonder that 52% of respondents will consider replacing their SIEM  if the new platform reduces costs over 50% AND significantly reduces complexity.

Skills gap?

One of the premises we tried to test was the idea of a cybersecurity skills gap. We all talk to how hard it is to find skilled security analysts to run the SOC, do thoughtful and timely investigations and stop really bad breaches from happening.

With only three outliers, the average score of current SIEM overall satisfaction based on five criteria ranges from 7.6 to 8.5, or translating to a grade scale : C+/B-. These data tell an interesting story of ‘good enough,’ yet when combined with the responses above regarding Change, you might scratch your head and ask, “why?” Our take is that change is costly, and even ‘good enough’ is exactly that, good enough. Change might make things better, and then again, it might not. This is why the answer of getting both better costs and less complexity with cybersecurity tools makes sense. Enterprises want to see a much better improvement than just cost or complexity.

The outlying data mentioned also tells a story. There were some 10s and there were a few 4s and 5s. We mapped the differences to the availability of SIEM talent, large states and metros had no challenge finding skilled cybersecurity analysts, whereas smaller cities and rural states had more challenges.

It’s a Journey to an Intelligent SOC

What we found was that no two SOCs  are alike, and the degree of additional cybersecurity tools or perceived future needs did not correlate to any particular variable such as organization size or vertical. Finance did stand out as having the most tools and it was easy to see they are much further along the path of defining a SOC to be SIEM + NTA + user / entity behavioral analysis (UEBA) + security orchestration automation and response (SOAR) as well as Threat Hunting.

Specially, 24% of respondents are open to exploring additional tools to complement their SIEM, such as network traffic analysis (NTA), UEBA, Threat Hunting and SOAR.

While the data clearly shows installed cybersecurity infrastructure is performing adequately, a majority of respondents will consider new ideas that deliver tangible value. Of particular interest are ideas that reduce complexity and disrupt the incumbent vendors’ cost structure.

One new idea to consider is Stellar Cyber’s Open XDR Security Platform. It can slash complexity and costs while improving cybersecurity defenses. No matter what your current SOC looks like, Stellar Cyber inserts itself to improve your existing tools and data feeds, while bringing in additional applications to accelerate your journey to an intelligent SOC – all with one platform, one AI engine, one data lake and one license.