10 Reasons SIEM Should Remain Dedicated to Security — Part 1
The Diverging Needs of Security, IT Operations, and Application Performance Management
When I was a Gartner analyst covering security operations, I would often collaborate with my colleagues covering adjacent topics. I came away convinced that it is a bad idea to use security information and event management (SIEM) solutions for IT operations management (ITOM) and application performance management (APM) use cases.
In this series of blogs, I will explain why.
Introduction
As organizations strive to streamline costs and unify their monitoring tools, decision makers might entertain the tempting idea of utilizing SIEM solutions for ITOM and APM use cases. Alternatively, they might consider deploying an ITOM tool for security purposes. This series of blogs serves as a cautionary guide, dismantling such notions by highlighting why they prove impractical and potentially detrimental.
Indeed, contrary to initial impressions, employing a single, multipurpose tool does not result in substantial cost savings in terms of licenses, storage, or computational resources. Furthermore, the risks and operational complications associated with deploying a single tool are considerable, and the organizational pitfalls overshadow any perceived financial benefits.
The myth of the one-size-fits-all tool
Consider a family asked to describe their perfect car. On the surface, it seems simple — after all, a car just needs four wheels, an engine, brakes and a steering wheel, right? But on deeper exploration, it becomes apparent that the “perfect car” differs drastically between the family members, each bringing unique needs and preferences to the table. Collectively, their demands might be something like this:
- Roomy enough for the whole family or equipment, yet compact enough for easy parking in tight spaces
- Robust and powerful for managing speed and hauling large loads, but also energy efficient for great mileage
- Versatile enough for daily errands, shuttling kids to soccer practice, off-roading on weekends, and the occasional race among friends
Does such a universally perfect car exist? The answer is a resounding “No.” That’s why we have options like Toyota Camrys and Honda Accords for everyday commuting, minivans for family outings, Jeeps for off-road adventures, and sports cars for racing. Just imagine the conflicts that would arise if this all-in-one car had to be shared among parents and teenage children.
Now, transpose this scenario to organizations in the context of big data analytics tools. At first glance, it might seem that all big data analytics solutions are fundamentally the same, featuring collection, ingestion, and storage of logs and events, plus some form of analytics and reporting, as well as case management. Therefore, shouldn’t we be able to use the same tool for ITOM, APM/observability, and security? When we consolidate the unique requirements of these distinct functions, we realize that no single tool can efficiently fulfill all of them:
- A tool to collect and manage all types of data, such as logs, traces, and context
- A single instance of data storage
- Efficient operation with a reasonable total cost of ownership (TCO)
- Capability to handle security needs, including threat detection, investigation and response, plus case and incident management
- Suitability for ITOM use cases such as capacity management
- Applicability for APM and observability teams to optimize diverse applications
- Ability for all teams to access the tool simultaneously, while adhering to role-based access control (RBAC) principles, separation of duties and compliance requirements
- Support for each team's different alerting and notification needs, reporting requirements, and levels of business criticality and service level agreements (SLAs)
Is there such a comprehensive tool with a reasonable TCO? No. And that is why your SIEM should not be used for ITOM or APM use cases.
In our next blog, we'll dive right into the first three reasons.