We increasingly see companies using their observability data to support security use cases. It's not entirely surprising given the challenges that organizations have with legacy SIEMs. We wanted to dig into this evolving intersection of security and observability, so we surveyed 500 security professionals — 40% of whom were either CISOs or CSOs — for our inaugural State of Security Observability report.
It Starts With a Single Central Data Lake
Security observability is about using logs, metrics, and traces to infer risk, monitor threats, and alert on breaches. We see more and more customers using a single, central, data lake for their security and operational log data, which can deliver the benefits of shared infrastructure cost and search language cross-training. But, security data is all about voluminous logs with massive variability — and the volume of security data often leads to unacceptable storage costs. That's painful for customers and so they're forced to roll data off to cold storage after a few days. Re-hydrating from cold storage on demand is even worse than the bad old days of tape backup, because it adds the challenge of drifting search-time schema definitions. To have a real security data lake, all that data needs to be always hot, always searchable.
Security professionals are also hurt by the inability of many incumbent tools to analyze metrics alongside logs, so the operations team pushes back when asked to get onboard with a single tool for operational and security data. This hits the smaller organizations really hard, which is why you see such variability in their budgets — across three recent surveys of US companies, average security budgets range from 10% to 24% of the IT budget. A review of LinkedIn data indicates that the lower third of organizations by size doesn't allocate any security budget at all.
An SIEM That's Not A SIEM?
Almost everyone in the survey has an SIEM, uses an SIEM, and is investing a lot in manipulating data to their SIEM's standards to make the rules work so the analysts can see the massive numbers of alerts. There's a lot of SIEM hate out there, and lots of people looking for alternative solutions. I think there's great hunger for the SIEM that's not a SIEM — customers want to be able to search and correlate log events without the noisy ticket generation machine.
In the report, respondents noted that half of their security data has to be transformed and half of security incidents have to be escalated. It's an exhausting amount of maintenance work that is difficult to justify in today's climate of constrained budgets. For small organizations with just a couple of admins, or large ones where multiple teams need to coordinate, it's hard for them to bite off that SIEM renewal without looking at alternatives.
Security Observability can be that alternative. Why Security Observability? Simple: because an outside-in approach based on large volumes of data you've already collected saves precious employee time and effort. It certainly beats the typical SIEM approach of normalizing data to an unrealistic, vendor-locked abstraction. That's beneficial to large customers, and absolutely critical to smaller companies who simply can't dedicate people to running specialized security tools — it's often a team effort by a group of generalists. And sure, large companies can technically afford a SIEM ... but why should they?
So often we see that there are multiple SIEM-like tools in place, duplicating data for the security operations center and the incident response teams. It's pure waste. It's easy to accidentally and needlessly duplicate data between observability and security tooling, or between multiple security tools, and then go looking for a search engine that can unify it. Since most organizations are expecting data to grow by 75% or more in the next year, this waste becomes more costly each year.
Cloud Changes Everything
The large cloud providers have certainly increased the volume of data needed to be collected, but they also have reduced the variety of data, thereby making it easier to work with the format they provide. There are no longer dozens of security vendors selling appliances, spewing syslog that you have to painstakingly curate into a common information model. Instead you're more likely to have a handful of data sources shepherding massive volumes within each cloud provider. It's much more productive to make sense of this data as it is, then to somehow normalize data from disparate sources and essentially fake an understanding of it.
SIEM simply doesn't make sense for cloud native companies. Aside from the huge implementation and maintenance cost, doing lots of normalization … to run lots of rules … that no one looks at anyway. Don't be wasteful — only run rules for what you're going to use.
The Latest
Hybrid cloud architecture is breaking the backs of network engineering and operations teams. These teams are more successful when their companies go all-in with the cloud or stay out of it entirely. When companies maintain hybrid infrastructure, with applications and data residing across data centers and public cloud services, the network team struggles. This insight emerged in the newly published 2024 edition of Enterprise Management Associates' (EMA) Network Management Megatrends research ...
As IT practitioners, we often find ourselves fighting fires rather than proactively getting ahead ... Many spend countless hours managing several tools that give them different, fractured views of their own work — which isn't an effective use of time. Balancing daily technical tasks with long-term company goals requires a three-step approach. I'll share these steps and tips for others to do the same ...
IT service outages are more than a minor inconvenience. They can cost businesses millions while simultaneously leading to customer dissatisfaction and reputational damage. Moreover, the constant pressure of dealing with fire drills and escalations day and night can take a heavy toll on ITOps teams, leading to increased stress, human error, and burnout ...
Amid economic disruption, fintech competition, and other headwinds in recent years, banks have had to quickly adjust to the demands of the market. This adaptation is often reliant on having the right technology infrastructure in place ...
In MEAN TIME TO INSIGHT Episode 6, Shamus McGillicuddy, VP of Research, Network Infrastructure and Operations, at EMA discusses network automation ...
In the ever-evolving landscape of software development and infrastructure management, observability stands as a crucial pillar. Among its fundamental components lies log collection ... However, traditional methods of log collection have faced challenges, especially in high-volume and dynamic environments. Enter eBPF, a groundbreaking technology ...
Businesses are dazzled by the promise of generative AI, as it touts the capability to increase productivity and efficiency, cut costs, and provide competitive advantages. With more and more generative AI options available today, businesses are now investigating how to convert the AI promise into profit. One way businesses are looking to do this is by using AI to improve personalized customer engagement ...
In the fast-evolving realm of cloud computing, where innovation collides with fiscal responsibility, the Flexera 2024 State of the Cloud Report illuminates the challenges and triumphs shaping the digital landscape ... At the forefront of this year's findings is the resounding chorus of organizations grappling with cloud costs ...
Government agencies are transforming to improve the digital experience for employees and citizens, allowing them to achieve key goals, including unleashing staff productivity, recruiting and retaining talent in the public sector, and delivering on the mission, according to the Global Digital Employee Experience (DEX) Survey from Riverbed ...
