COMMENTARY: A conflict has unfolded within the security operations center (SOC). For decades, security teams have weighed budget against security needs to decide which data to collect and retain in order to defend their organizations. However, as data volumes and storage costs continue to soar, this imperfect approach has produced one of the SOC's biggest challenges: the data paradox.
The data paradox refers to the struggle between the need to collect and analyze vast amounts of data for security purposes, and the growing cost and complexity of managing that data. The increasing speed and sophistication of adversaries have exacerbated the problem: The average breakout time (the time from an adversary's initial compromise of one host to lateral movement to another host in the same environment) observed in 2023 was down to 62 minutes, according to our recent research, and the fastest recorded attack took only 2 minutes and 7 seconds.
Adversaries are only getting faster, and it’s imperative that SOC teams match their speed. However, as organizations migrate to the cloud and adopt SaaS and AI technologies, security teams struggle to detect, investigate and respond to threats because of the massive amounts of data that teams must ingest and analyze. As a result, many are losing the race against adversaries.
Why legacy SIEMs failed
One culprit responsible for the data paradox is the security information and event management (SIEM) tool, originally designed two decades ago to centralize data from disparate tools so teams could use it to secure their businesses. However, these SIEM tools were built for a time when log volumes and adversary speed were a fraction of what they are today. They have failed to evolve and scale alongside the exponential growth of data volumes and the changing sophistication of adversaries.
Imagine a team needs to investigate an incident and wants immediate access to all of the company's data to gain a full picture of the incident and determine next steps. That is now unattainable for many SOC teams, because ingesting all of the data needed for a full investigation is too time-consuming and costly with legacy SIEM tools. SOC teams are forced to make budget-conscious choices about which data to analyze, leading to an incomplete picture, inadequate investigation and response, and insufficient protection against breaches.
To gain the data and visibility they need, security teams have created patchwork architectures consisting of legacy SIEMs, multiple data lakes, and detection and response tools. This approach has become problematic because security analysts are relegated to “data wranglers” who spend their time navigating multiple consoles and manually correlating data. As a result, they are diverted from their core mission of protecting the business.
Break the data paradox with Next-Gen SIEM
A new generation of SIEM (Next-Gen SIEM) has emerged to help security teams scale and ingest every source of data they have without breaking the bank. These cloud-native tools are fundamentally changing how the SOC operates, allowing it to finally break free of the data paradox.
Security teams no longer need to make tradeoffs on which data to use or discard based on budget considerations. With a Next-Gen SIEM’s scalable cloud architecture, there’s no need for additional servers and manpower to handle growing data volumes. Additionally, with innovative compression technology, SOC teams can now keep data for months and even years at costs lower than those of legacy SIEMs.
These Next-Gen SIEM tools promise consolidation to help accelerate investigations and drive faster detection. Analysts no longer need to pivot between consoles and manually piece together data. There’s no need to forward and periodically retrieve EDR, cloud workload or identity protection logs, and no worries about network latency or backlogs because important data is already in the platform and available for correlation, reducing the mean time to detect.
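The cost of the budget-driven tradeoffs described above, and the cross-source correlation this paragraph refers to, can be made concrete with a small detection that only fires when identity, EDR and cloud telemetry are all present in one place. The following is an added example written for this column, not CrowdStrike code or any product's query language; the log records, field names (`source`, `user`, `host`, `geo`, `cmdline`, `action`) and the three-stage rule are constructed assumptions. It chains a logon from a previously unseen location, encoded PowerShell on the same host by the same user, and an IAM action in the cloud by that user, each within a one-hour window of the previous stage, and then shows that dropping any one feed leaves the chain incomplete and the alert silent.

```python
"""Three-source correlation chain, with and without a dropped log source.

Added example. All events below are constructed sample data, not real telemetry,
and the field names are assumptions made for this illustration.
"""
from datetime import datetime, timedelta

IDENTITY_LOGS = [  # constructed: identity-provider logon events
    {"ts": "2024-03-01T08:02:11Z", "source": "identity", "user": "alice", "host": "ws-17",
     "event": "logon", "geo": "US"},
    {"ts": "2024-03-01T09:40:03Z", "source": "identity", "user": "alice", "host": "ws-17",
     "event": "logon", "geo": "BR"},   # first logon from a new country
    {"ts": "2024-03-01T09:45:30Z", "source": "identity", "user": "bob", "host": "ws-22",
     "event": "logon", "geo": "US"},
]
EDR_LOGS = [  # constructed: endpoint process-start events
    {"ts": "2024-03-01T09:52:44Z", "source": "edr", "user": "alice", "host": "ws-17",
     "event": "process", "cmdline": "powershell -nop -w hidden -enc SQBFAFgA..."},
    {"ts": "2024-03-01T09:50:00Z", "source": "edr", "user": "bob", "host": "ws-22",
     "event": "process", "cmdline": "powershell Get-Service"},
]
CLOUD_LOGS = [  # constructed: cloud control-plane API calls
    {"ts": "2024-03-01T10:31:09Z", "source": "cloud", "user": "alice", "host": None,
     "event": "api_call", "action": "iam:CreateAccessKey"},
]
ALL_EVENTS = IDENTITY_LOGS + EDR_LOGS + CLOUD_LOGS


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def without(events: list, source: str) -> list:
    """Simulate a budget decision: drop one feed before correlation."""
    return [e for e in events if e["source"] != source]


def correlate(events: list, window: timedelta = timedelta(hours=1)) -> list:
    """Return one chain per user whose activity matches all three stages in order.

    Stage 1: logon from a geo never seen before for that user (baseline built from
             earlier logons in the same feed).
    Stage 2: encoded PowerShell by the same user on the same host within `window`.
    Stage 3: an IAM action in the cloud by the same user within `window` of stage 2.
    """
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    seen_geo: dict = {}
    chains = []
    for i, ev in enumerate(events):
        if ev["source"] != "identity" or ev["event"] != "logon":
            continue
        prior = seen_geo.setdefault(ev["user"], set())
        novel = bool(prior) and ev["geo"] not in prior
        prior.add(ev["geo"])
        if not novel:
            continue
        t0 = parse_ts(ev["ts"])
        stage2 = next((e for e in events[i + 1:]
                       if e["source"] == "edr" and e["user"] == ev["user"]
                       and e["host"] == ev["host"] and "-enc" in e.get("cmdline", "")
                       and parse_ts(e["ts"]) - t0 <= window), None)
        if stage2 is None:
            continue
        t1 = parse_ts(stage2["ts"])
        stage3 = next((e for e in events
                       if e["source"] == "cloud" and e["user"] == ev["user"]
                       and e.get("action", "").startswith("iam:")
                       and t1 < parse_ts(e["ts"]) <= t1 + window), None)
        if stage3 is None:
            continue
        chains.append({
            "user": ev["user"], "host": ev["host"],
            "start": ev["ts"], "end": stage3["ts"],
            "elapsed_minutes": (parse_ts(stage3["ts"]) - t0).total_seconds() / 60,
        })
    return chains


if __name__ == "__main__":
    print("all sources:", correlate(ALL_EVENTS))
    for dropped in ("identity", "edr", "cloud"):
        print(f"without {dropped}:", correlate(without(ALL_EVENTS, dropped)))
```

With all three feeds ingested, the rule produces a single chain for `alice` spanning about 51 minutes from the anomalous logon to the IAM call; remove the identity, EDR or cloud feed and the same rule returns nothing, which is the blind spot a budget-driven ingestion choice creates. The stages here are deliberately simple string and time-window matches; the point is the dependency on having every source in one correlation scope, not the detection logic itself.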
With rapid data growth and an evolving threat landscape, it’s imperative that the SOC address the conflict between the desire to ingest and store all of its data and the need to control ingestion and storage costs. Placing SOC teams in a constant state of making crucial decisions on data has far-reaching implications, such as security blind spots, slow investigation times and SOC analyst fatigue, which all heighten the risk of a breach. It’s time that we move away from legacy SIEMs and embrace Next-Gen SIEMs to improve SOC performance.
Ajit Sancheti, general manager, Falcon Next-Gen SIEM, CrowdStrike
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.