Skip to main content

Why Security Observability Is a Viable Alternative to SIEM Tools

Jeremy Burton
Observe

We increasingly see companies using their observability data to support security use cases. It's not entirely surprising given the challenges that organizations have with legacy SIEMs. We wanted to dig into this evolving intersection of security and observability, so we surveyed 500 security professionals — 40% of whom were either CISOs or CSOs — for our inaugural State of Security Observability report.


It Starts With a Single Central Data Lake

Security observability is about using logs, metrics, and traces to infer risk, monitor threats, and alert on breaches. We see more and more customers using a single, central, data lake for their security and operational log data, which can deliver the benefits of shared infrastructure cost and search language cross-training. But, security data is all about voluminous logs with massive variability — and the volume of security data often leads to unacceptable storage costs. That's painful for customers and so they're forced to roll data off to cold storage after a few days. Re-hydrating from cold storage on demand is even worse than the bad old days of tape backup, because it adds the challenge of drifting search-time schema definitions. To have a real security data lake, all that data needs to be always hot, always searchable.

Security professionals are also hurt by the inability of many incumbent tools to analyze metrics alongside logs, so the operations team pushes back when asked to get onboard with a single tool for operational and security data. This hits the smaller organizations really hard, which is why you see such variability in their budgets — across three recent surveys of US companies, average security budgets range from 10% to 24% of the IT budget. A review of LinkedIn data indicates that the lower third of organizations by size doesn't allocate any security budget at all.

An SIEM That's Not A SIEM?

Almost everyone in the survey has an SIEM, uses an SIEM, and is investing a lot in manipulating data to their SIEM's standards to make the rules work so the analysts can see the massive numbers of alerts. There's a lot of SIEM hate out there, and lots of people looking for alternative solutions. I think there's great hunger for the SIEM that's not a SIEM — customers want to be able to search and correlate log events without the noisy ticket generation machine.

In the report, respondents noted that half of their security data has to be transformed and half of security incidents have to be escalated. It's an exhausting amount of maintenance work that is difficult to justify in today's climate of constrained budgets. For small organizations with just a couple of admins, or large ones where multiple teams need to coordinate, it's hard for them to bite off that SIEM renewal without looking at alternatives.

Security Observability can be that alternative. Why Security Observability? Simple: because an outside-in approach based on large volumes of data you've already collected saves precious employee time and effort. It certainly beats the typical SIEM approach of normalizing data to an unrealistic, vendor-locked abstraction. That's beneficial to large customers, and absolutely critical to smaller companies who simply can't dedicate people to running specialized security tools — it's often a team effort by a group of generalists. And sure, large companies can technically afford a SIEM ... but why should they?

So often we see that there are multiple SIEM-like tools in place, duplicating data for the security operations center and the incident response teams. It's pure waste. It's easy to accidentally and needlessly duplicate data between observability and security tooling, or between multiple security tools, and then go looking for a search engine that can unify it. Since most organizations are expecting data to grow by 75% or more in the next year, this waste becomes more costly each year.

Cloud Changes Everything

The large cloud providers have certainly increased the volume of data needed to be collected, but they also have reduced the variety of data, thereby making it easier to work with the format they provide. There are no longer dozens of security vendors selling appliances, spewing syslog that you have to painstakingly curate into a common information model. Instead you're more likely to have a handful of data sources shepherding massive volumes within each cloud provider. It's much more productive to make sense of this data as it is, then to somehow normalize data from disparate sources and essentially fake an understanding of it.

SIEM simply doesn't make sense for cloud native companies. Aside from the huge implementation and maintenance cost, doing lots of normalization … to run lots of rules … that no one looks at anyway. Don't be wasteful — only run rules for what you're going to use.

Jeremy Burton is CEO of Observe

The Latest

Businesses that face downtime or outages risk financial and reputational damage, as well as reducing partner, shareholder, and customer trust. One of the major challenges that enterprises face is implementing a robust business continuity plan. What's the solution? The answer may lie in disaster recovery tactics such as truly immutable storage and regular disaster recovery testing ...

IT spending is expected to jump nearly 10% in 2025, and organizations are now facing pressure to manage costs without slowing down critical functions like observability. To meet the challenge, leaders are turning to smarter, more cost effective business strategies. Enter stage right: OpenTelemetry, the missing piece of the puzzle that is no longer just an option but rather a strategic advantage ...

Amidst the threat of cyberhacks and data breaches, companies install several security measures to keep their business safely afloat. These measures aim to protect businesses, employees, and crucial data. Yet, employees perceive them as burdensome. Frustrated with complex logins, slow access, and constant security checks, workers decide to completely bypass all security set-ups ...

Image
Cloudbrink's Personal SASE services provide last-mile acceleration and reduction in latency

In MEAN TIME TO INSIGHT Episode 13, Shamus McGillicuddy, VP of Research, Network Infrastructure and Operations, at EMA discusses hybrid multi-cloud networking strategy ... 

In high-traffic environments, the sheer volume and unpredictable nature of network incidents can quickly overwhelm even the most skilled teams, hindering their ability to react swiftly and effectively, potentially impacting service availability and overall business performance. This is where closed-loop remediation comes into the picture: an IT management concept designed to address the escalating complexity of modern networks ...

In 2025, enterprise workflows are undergoing a seismic shift. Propelled by breakthroughs in generative AI (GenAI), large language models (LLMs), and natural language processing (NLP), a new paradigm is emerging — agentic AI. This technology is not just automating tasks; it's reimagining how organizations make decisions, engage customers, and operate at scale ...

In the early days of the cloud revolution, business leaders perceived cloud services as a means of sidelining IT organizations. IT was too slow, too expensive, or incapable of supporting new technologies. With a team of developers, line of business managers could deploy new applications and services in the cloud. IT has been fighting to retake control ever since. Today, IT is back in the driver's seat, according to new research by Enterprise Management Associates (EMA) ...

In today's fast-paced and increasingly complex network environments, Network Operations Centers (NOCs) are the backbone of ensuring continuous uptime, smooth service delivery, and rapid issue resolution. However, the challenges faced by NOC teams are only growing. In a recent study, 78% state network complexity has grown significantly over the last few years while 84% regularly learn about network issues from users. It is imperative we adopt a new approach to managing today's network experiences ...

Image
Broadcom

From growing reliance on FinOps teams to the increasing attention on artificial intelligence (AI), and software licensing, the Flexera 2025 State of the Cloud Report digs into how organizations are improving cloud spend efficiency, while tackling the complexities of emerging technologies ...

Today, organizations are generating and processing more data than ever before. From training AI models to running complex analytics, massive datasets have become the backbone of innovation. However, as businesses embrace the cloud for its scalability and flexibility, a new challenge arises: managing the soaring costs of storing and processing this data ...

Why Security Observability Is a Viable Alternative to SIEM Tools

Jeremy Burton
Observe

We increasingly see companies using their observability data to support security use cases. It's not entirely surprising given the challenges that organizations have with legacy SIEMs. We wanted to dig into this evolving intersection of security and observability, so we surveyed 500 security professionals — 40% of whom were either CISOs or CSOs — for our inaugural State of Security Observability report.


It Starts With a Single Central Data Lake

Security observability is about using logs, metrics, and traces to infer risk, monitor threats, and alert on breaches. We see more and more customers using a single, central, data lake for their security and operational log data, which can deliver the benefits of shared infrastructure cost and search language cross-training. But, security data is all about voluminous logs with massive variability — and the volume of security data often leads to unacceptable storage costs. That's painful for customers and so they're forced to roll data off to cold storage after a few days. Re-hydrating from cold storage on demand is even worse than the bad old days of tape backup, because it adds the challenge of drifting search-time schema definitions. To have a real security data lake, all that data needs to be always hot, always searchable.

Security professionals are also hurt by the inability of many incumbent tools to analyze metrics alongside logs, so the operations team pushes back when asked to get onboard with a single tool for operational and security data. This hits the smaller organizations really hard, which is why you see such variability in their budgets — across three recent surveys of US companies, average security budgets range from 10% to 24% of the IT budget. A review of LinkedIn data indicates that the lower third of organizations by size doesn't allocate any security budget at all.

An SIEM That's Not A SIEM?

Almost everyone in the survey has an SIEM, uses an SIEM, and is investing a lot in manipulating data to their SIEM's standards to make the rules work so the analysts can see the massive numbers of alerts. There's a lot of SIEM hate out there, and lots of people looking for alternative solutions. I think there's great hunger for the SIEM that's not a SIEM — customers want to be able to search and correlate log events without the noisy ticket generation machine.

In the report, respondents noted that half of their security data has to be transformed and half of security incidents have to be escalated. It's an exhausting amount of maintenance work that is difficult to justify in today's climate of constrained budgets. For small organizations with just a couple of admins, or large ones where multiple teams need to coordinate, it's hard for them to bite off that SIEM renewal without looking at alternatives.

Security Observability can be that alternative. Why Security Observability? Simple: because an outside-in approach based on large volumes of data you've already collected saves precious employee time and effort. It certainly beats the typical SIEM approach of normalizing data to an unrealistic, vendor-locked abstraction. That's beneficial to large customers, and absolutely critical to smaller companies who simply can't dedicate people to running specialized security tools — it's often a team effort by a group of generalists. And sure, large companies can technically afford a SIEM ... but why should they?

So often we see that there are multiple SIEM-like tools in place, duplicating data for the security operations center and the incident response teams. It's pure waste. It's easy to accidentally and needlessly duplicate data between observability and security tooling, or between multiple security tools, and then go looking for a search engine that can unify it. Since most organizations are expecting data to grow by 75% or more in the next year, this waste becomes more costly each year.

Cloud Changes Everything

The large cloud providers have certainly increased the volume of data needed to be collected, but they also have reduced the variety of data, thereby making it easier to work with the format they provide. There are no longer dozens of security vendors selling appliances, spewing syslog that you have to painstakingly curate into a common information model. Instead you're more likely to have a handful of data sources shepherding massive volumes within each cloud provider. It's much more productive to make sense of this data as it is, then to somehow normalize data from disparate sources and essentially fake an understanding of it.

SIEM simply doesn't make sense for cloud native companies. Aside from the huge implementation and maintenance cost, doing lots of normalization … to run lots of rules … that no one looks at anyway. Don't be wasteful — only run rules for what you're going to use.

Jeremy Burton is CEO of Observe

The Latest

Businesses that face downtime or outages risk financial and reputational damage, as well as reducing partner, shareholder, and customer trust. One of the major challenges that enterprises face is implementing a robust business continuity plan. What's the solution? The answer may lie in disaster recovery tactics such as truly immutable storage and regular disaster recovery testing ...

IT spending is expected to jump nearly 10% in 2025, and organizations are now facing pressure to manage costs without slowing down critical functions like observability. To meet the challenge, leaders are turning to smarter, more cost effective business strategies. Enter stage right: OpenTelemetry, the missing piece of the puzzle that is no longer just an option but rather a strategic advantage ...

Amidst the threat of cyberhacks and data breaches, companies install several security measures to keep their business safely afloat. These measures aim to protect businesses, employees, and crucial data. Yet, employees perceive them as burdensome. Frustrated with complex logins, slow access, and constant security checks, workers decide to completely bypass all security set-ups ...

Image
Cloudbrink's Personal SASE services provide last-mile acceleration and reduction in latency

In MEAN TIME TO INSIGHT Episode 13, Shamus McGillicuddy, VP of Research, Network Infrastructure and Operations, at EMA discusses hybrid multi-cloud networking strategy ... 

In high-traffic environments, the sheer volume and unpredictable nature of network incidents can quickly overwhelm even the most skilled teams, hindering their ability to react swiftly and effectively, potentially impacting service availability and overall business performance. This is where closed-loop remediation comes into the picture: an IT management concept designed to address the escalating complexity of modern networks ...

In 2025, enterprise workflows are undergoing a seismic shift. Propelled by breakthroughs in generative AI (GenAI), large language models (LLMs), and natural language processing (NLP), a new paradigm is emerging — agentic AI. This technology is not just automating tasks; it's reimagining how organizations make decisions, engage customers, and operate at scale ...

In the early days of the cloud revolution, business leaders perceived cloud services as a means of sidelining IT organizations. IT was too slow, too expensive, or incapable of supporting new technologies. With a team of developers, line of business managers could deploy new applications and services in the cloud. IT has been fighting to retake control ever since. Today, IT is back in the driver's seat, according to new research by Enterprise Management Associates (EMA) ...

In today's fast-paced and increasingly complex network environments, Network Operations Centers (NOCs) are the backbone of ensuring continuous uptime, smooth service delivery, and rapid issue resolution. However, the challenges faced by NOC teams are only growing. In a recent study, 78% state network complexity has grown significantly over the last few years while 84% regularly learn about network issues from users. It is imperative we adopt a new approach to managing today's network experiences ...

Image
Broadcom

From growing reliance on FinOps teams to the increasing attention on artificial intelligence (AI), and software licensing, the Flexera 2025 State of the Cloud Report digs into how organizations are improving cloud spend efficiency, while tackling the complexities of emerging technologies ...

Today, organizations are generating and processing more data than ever before. From training AI models to running complex analytics, massive datasets have become the backbone of innovation. However, as businesses embrace the cloud for its scalability and flexibility, a new challenge arises: managing the soaring costs of storing and processing this data ...