What makes a good SIEM in 2021?

Mikko Koivunen


Word Cloud

As anyone reading my blog or otherwise following me online knows, I have dedicated a lot of my efforts to a specific SIEM tool in the last two years, namely Azure Sentinel.

Coming from a background of both commercial and open source on-premise SIEM and log management tools, it has been an interesting journey for sure.

Azure Sentinel is not alone in the field, and it needs to be seen as part of a growing number of products transitioning SIEM to a new era. There is a lot of respectable competition from products that show what cloud delivered SIEM can be - Chronicle and Exabeam come to mind as examples.

So what makes a SIEM catch my attention, and what do I consider to be the core value it needs to provide today? Thats what I wanted to investigate with this blog post.

First of all, do we still have SIEMs?

Now that we have SOAR platforms and XDR, isn’t SIEM a legacy product? Or maybe so changed that it needs to be rebranded as “next-generation” or something?

Personally I still use the SIEM term and believe in the product category. I do not believe in compulsory renaming of things just because we have new features, if the provided core value of the product remains the same.

Legacy SIEM that was based on on-premise log collection and static correlation rules is mostly gone. Current SIEM products incorporate SaaS delivery models, UEBA, automation, threat intelligence, machine learning capabilities… These really have changed the face of the products.

But as long as the main job continues to be threat detection based on data from different sources, they can and should be called SIEM.

So what about SOAR and XDR?

SOAR in my personal vocabulary describes a platform used only for orchestration and automation of events in external systems. In my experience the true SOAR value is best realized in MSSP or other multi-tenancy use cases, where you need to integrate across trust boundaries to make a centralized security operations workflow possible.

If we are dealing with a single system that has automation capabilities as a feature, I skip the sometimes seen “SIEM and SOAR” combination naming and just stick with SIEM. After all, can’t Information and Event Management include automation, without the need of extra terminology?

XDR is vague to many, but my description is the following. It’s a centralized threat detection and response console for vendor-specific security tools. Usually in the scope of endpoint, cloud workload, email and collaboration protection, sometimes also including networking products.

The obvious practical example for XDR is Microsoft 365 Defender, which integrates the different Defender products to a unified experience. One of the core features of SIEM is that it should connect to pretty much anything, so there is a fundamental difference here.

What makes a good SIEM today?

Based on what we’ve discussed so far, what are the most important aspects of a SIEM at the moment? Here is my take on these, in a somewhat prioritized list of nine features.

There are also certain things that a good SIEM definitely should not be. The biggest one being a compliance dashboard. SIEM is for the SOC team, not for the auditors. But I prefer to think by positives here, so I will leave that as the only “SIEM anti-pattern” I mention.

Next up: what about Azure Sentinel?

What happens when we compare this list to my current SIEM tool-of-choice, Azure Sentinel? I am preparing another article as continuation piece, where I will discusss practical experiences from my past two years of building stuff with Sentinel.