Cloud Security Image

Why Security Practitioners Are Unhappy With Their Current SIEM

In this Expert Insight, Jack Naglieri, the CEO of Panther, writes about how today’s cloud-centric and data-driven environments make the SIEM technologies of the past inadequate and demand new approaches to security monitoring.

The tools security teams have at their disposal have not kept pace with the demands of today’s data-intensive and threat-ladened business environment. As an example, many SIEM platforms are still based on decades-old technology and outdated data storage models.

At Panther Labs, we wanted to better understand what security practitioners feel they are, or aren’t getting from their current SIEM providers, so we commissioned an independent study to look into this.

Jack Naglieri, Panther Labs
Jack is the CEO of Panther Labs.

To do this, we surveyed over 400 security professionals who actively use a SIEM platform as part of their job. This group included CISOs, CIOs, CTOs, security engineers, security analysts, and security architects.

Over 50 percent of the survey’s respondents said they are not happy with their current SIEM vendor. This large portion is unacceptable by any standard and is indicative of a technology that has fallen behind the changing needs of its users.

The results of our study were recently published in our State of SIEM report. This report provides valuable insight into why security practitioners are unhappy with their current SIEM providers. In this article, we’ll take a look at some of these findings.

Why are you unhappy with your current platform?

The survey asked respondents who indicated they were unhappy with their current platform why they were unsatisfied. “Cost” stood out as the most common source of dissatisfaction with many others ranking not far behind. Among other frustrations noted, two were complaints that we at Panther hear quite frequently from security practitioners – difficulty running at scale, and complications with adding new data feeds and logs.

All three of these frustrations are ultimately due to the fact that the server-based architecture of traditional SIEM platforms was not designed for the scale of today’s cloud workloads.  To address these challenges, Panther was built on a fully serverless architecture that enables higher scale, greater flexibility, and faster time-to-value with zero operational overhead.

By normalizing security data upon ingestion and storing it in a serverless data lake that decouples storage from compute, Panther offers security teams well-structured data and nearly infinite  compute resources to perform fast queries over terabytes of data. This on-demand scalability provides security teams the foundation they need to answer difficult questions quickly during an investigation, even when queries over months of data are required.

If happy, why would you switch to a new vendor?

Those respondents who indicated they were happy with their current vendor also said they would be willing to change vendors for a better price, improved usability, or less complexity.

A key issue facing security teams today is that high licensing costs disincentivize teams from sending all the security-relevant data they need to their SIEM platform. This introduces the risk of blind spots that impede the ability of security teams to detect and respond to threats appropriately. Data is growing exponentially, and security teams need visibility into all relevant data, without being buried by astronomical SIEM licensing costs.

Acknowledging that a cloud-centric solution would likely come with a better pricing model and less operational burden, nearly 35 percent said cost is the factor that would cause them to switch vendors. Over 11 percent said a solution with better usability would prompt them to change vendors. And, almost 9 percent are willing to replace their current vendor for a less complex solution.

What features and capabilities are most important to you?

The vast majority of those that intend to change vendors are most attracted to features and capabilities related to big data and scalability.

It is clear that the growth in data volumes is not stopping, and practitioners clearly understand this. When asked what features and capabilities would be most important to them when choosing a new SIEM platform, over 29 percent of the respondents said that big data infrastructure with unlimited scalability is most important to them. No other feature/capability option ranked even half as high.


(*) Disclosure: This article was sponsored by Panther. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.