Why Security Observability Is a Viable Alternative to SIEM Tools

Jeremy Burton
Observe
Learn more about Observe

We increasingly see companies using their observability data to support security use cases. It's not entirely surprising given the challenges that organizations have with legacy SIEMs. We wanted to dig into this evolving intersection of security and observability, so we surveyed 500 security professionals — 40% of whom were either CISOs or CSOs — for our inaugural State of Security Observability report.


It Starts With a Single Central Data Lake

Security observability is about using logs, metrics, and traces to infer risk, monitor threats, and alert on breaches. We see more and more customers using a single, central, data lake for their security and operational log data, which can deliver the benefits of shared infrastructure cost and search language cross-training. But, security data is all about voluminous logs with massive variability — and the volume of security data often leads to unacceptable storage costs. That's painful for customers and so they're forced to roll data off to cold storage after a few days. Re-hydrating from cold storage on demand is even worse than the bad old days of tape backup, because it adds the challenge of drifting search-time schema definitions. To have a real security data lake, all that data needs to be always hot, always searchable.

Security professionals are also hurt by the inability of many incumbent tools to analyze metrics alongside logs, so the operations team pushes back when asked to get onboard with a single tool for operational and security data. This hits the smaller organizations really hard, which is why you see such variability in their budgets — across three recent surveys of US companies, average security budgets range from 10% to 24% of the IT budget. A review of LinkedIn data indicates that the lower third of organizations by size doesn't allocate any security budget at all.

An SIEM That's Not A SIEM?

Almost everyone in the survey has an SIEM, uses an SIEM, and is investing a lot in manipulating data to their SIEM's standards to make the rules work so the analysts can see the massive numbers of alerts. There's a lot of SIEM hate out there, and lots of people looking for alternative solutions. I think there's great hunger for the SIEM that's not a SIEM — customers want to be able to search and correlate log events without the noisy ticket generation machine.

In the report, respondents noted that half of their security data has to be transformed and half of security incidents have to be escalated. It's an exhausting amount of maintenance work that is difficult to justify in today's climate of constrained budgets. For small organizations with just a couple of admins, or large ones where multiple teams need to coordinate, it's hard for them to bite off that SIEM renewal without looking at alternatives.

Security Observability can be that alternative. Why Security Observability? Simple: because an outside-in approach based on large volumes of data you've already collected saves precious employee time and effort. It certainly beats the typical SIEM approach of normalizing data to an unrealistic, vendor-locked abstraction. That's beneficial to large customers, and absolutely critical to smaller companies who simply can't dedicate people to running specialized security tools — it's often a team effort by a group of generalists. And sure, large companies can technically afford a SIEM ... but why should they?

So often we see that there are multiple SIEM-like tools in place, duplicating data for the security operations center and the incident response teams. It's pure waste. It's easy to accidentally and needlessly duplicate data between observability and security tooling, or between multiple security tools, and then go looking for a search engine that can unify it. Since most organizations are expecting data to grow by 75% or more in the next year, this waste becomes more costly each year.

Cloud Changes Everything

The large cloud providers have certainly increased the volume of data needed to be collected, but they also have reduced the variety of data, thereby making it easier to work with the format they provide. There are no longer dozens of security vendors selling appliances, spewing syslog that you have to painstakingly curate into a common information model. Instead you're more likely to have a handful of data sources shepherding massive volumes within each cloud provider. It's much more productive to make sense of this data as it is, then to somehow normalize data from disparate sources and essentially fake an understanding of it.

SIEM simply doesn't make sense for cloud native companies. Aside from the huge implementation and maintenance cost, doing lots of normalization … to run lots of rules … that no one looks at anyway. Don't be wasteful — only run rules for what you're going to use.

Jeremy Burton is CEO of Observe

Related Links

Hot Topics

Related Vendors

The Latest

Manufacturing Organizations Doubled AI Investment Yet Only 37% Fully Prepared to Operationalize AI

While 87% of manufacturing leaders and technical specialists report that ROI from their AIOps initiatives has met or exceeded expectations, only 37% say they are fully prepared to operationalize AI at scale, according to The Future of IT Operations in the AI Era, a report from Riverbed ...

Optimizing Decisions with Edge-First Cognitive Intelligence

Many organizations rely on cloud-first architectures to aggregate, analyze, and act on their operational data ... However, not all environments are conducive to cloud-first architectures ... There are limitations to cloud-first architectures that render them ineffective in mission-critical situations where responsiveness, cost control, and data sovereignty are non-negotiable; these limitations include ...

The New Perimeter Is the User: Why Identity Is the Real Network Edge

For years, cybersecurity was built around a simple assumption: protect the physical network and trust everything inside it. That model made sense when employees worked in offices, applications lived in data centers, and devices rarely left the building. Today's reality is fluid: people work from everywhere, applications run across multiple clouds, and AI-driven agents are beginning to act on behalf of users. But while the old perimeter dissolved, a new one quietly emerged ...

When AI Infrastructure Stops Behaving Like Infrastructure

For years, infrastructure teams have treated compute as a relatively stable input. Capacity was provisioned, costs were forecasted, and performance expectations were set based on the assumption that identical resources behaved identically. That mental model is starting to break down. AI infrastructure is no longer behaving like static cloud capacity. It is increasingly behaving like a market ...

Enterprise Resilience: Understanding the Shift from Static to Dynamic

Resilience can no longer be defined by how quickly an organization recovers from an incident or disruption. The effectiveness of any resilience strategy is dependent on its ability to anticipate change, operate under continuous stress, and adapt confidently amid uncertainty ...

Mobile Users Expect Perfection in 2026

Mobile users are less tolerant of app instability than ever before. According to a new report from Luciq, No Margin for Error: What Mobile Users Expect and What Mobile Leaders Must Deliver in 2026, even minor performance issues now result in immediate abandonment, lost purchases, and long-term brand impact ...

AI Confidence Is High. Readiness Is Not. What the Data Tells Us - and Why It Matters

Artificial intelligence (AI) has become the dominant force shaping enterprise data strategies. Boards expect progress. Executives expect returns. And data leaders are under pressure to prove that their organizations are "AI-ready" ...

Agentic AI, Realistic Expectations and the Future of IT Operations in 2026

Agentic AI is a major buzzword for 2026. Many tech companies are making bold promises about this technology, but many aren't grounded in reality, at least not yet. This coming year will likely be shaped by reality checks for IT teams, and progress will only come from a focus on strong foundations and disciplined execution ...

Trust, But Verify: Building Confidence in AI Through Human Oversight

AI systems are still prone to hallucinations and misjudgments ... To build the trust needed for adoption, AI must be paired with human-in-the-loop (HITL) oversight, or checkpoints where humans verify, guide, and decide what actions are taken. The balance between autonomy and accountability is what will allow AI to deliver on its promise without sacrificing human trust ...

Data Centers Plan to Reduce Reliance on Grid

More data center leaders are reducing their reliance on utility grids by investing in onsite power for rapidly scaling data centers, according to the Data Center Power Report from Bloom Energy ...

Why Security Observability Is a Viable Alternative to SIEM Tools

Jeremy Burton
Observe
Learn more about Observe

We increasingly see companies using their observability data to support security use cases. It's not entirely surprising given the challenges that organizations have with legacy SIEMs. We wanted to dig into this evolving intersection of security and observability, so we surveyed 500 security professionals — 40% of whom were either CISOs or CSOs — for our inaugural State of Security Observability report.


It Starts With a Single Central Data Lake

Security observability is about using logs, metrics, and traces to infer risk, monitor threats, and alert on breaches. We see more and more customers using a single, central, data lake for their security and operational log data, which can deliver the benefits of shared infrastructure cost and search language cross-training. But, security data is all about voluminous logs with massive variability — and the volume of security data often leads to unacceptable storage costs. That's painful for customers and so they're forced to roll data off to cold storage after a few days. Re-hydrating from cold storage on demand is even worse than the bad old days of tape backup, because it adds the challenge of drifting search-time schema definitions. To have a real security data lake, all that data needs to be always hot, always searchable.

Security professionals are also hurt by the inability of many incumbent tools to analyze metrics alongside logs, so the operations team pushes back when asked to get onboard with a single tool for operational and security data. This hits the smaller organizations really hard, which is why you see such variability in their budgets — across three recent surveys of US companies, average security budgets range from 10% to 24% of the IT budget. A review of LinkedIn data indicates that the lower third of organizations by size doesn't allocate any security budget at all.

An SIEM That's Not A SIEM?

Almost everyone in the survey has an SIEM, uses an SIEM, and is investing a lot in manipulating data to their SIEM's standards to make the rules work so the analysts can see the massive numbers of alerts. There's a lot of SIEM hate out there, and lots of people looking for alternative solutions. I think there's great hunger for the SIEM that's not a SIEM — customers want to be able to search and correlate log events without the noisy ticket generation machine.

In the report, respondents noted that half of their security data has to be transformed and half of security incidents have to be escalated. It's an exhausting amount of maintenance work that is difficult to justify in today's climate of constrained budgets. For small organizations with just a couple of admins, or large ones where multiple teams need to coordinate, it's hard for them to bite off that SIEM renewal without looking at alternatives.

Security Observability can be that alternative. Why Security Observability? Simple: because an outside-in approach based on large volumes of data you've already collected saves precious employee time and effort. It certainly beats the typical SIEM approach of normalizing data to an unrealistic, vendor-locked abstraction. That's beneficial to large customers, and absolutely critical to smaller companies who simply can't dedicate people to running specialized security tools — it's often a team effort by a group of generalists. And sure, large companies can technically afford a SIEM ... but why should they?

So often we see that there are multiple SIEM-like tools in place, duplicating data for the security operations center and the incident response teams. It's pure waste. It's easy to accidentally and needlessly duplicate data between observability and security tooling, or between multiple security tools, and then go looking for a search engine that can unify it. Since most organizations are expecting data to grow by 75% or more in the next year, this waste becomes more costly each year.

Cloud Changes Everything

The large cloud providers have certainly increased the volume of data needed to be collected, but they also have reduced the variety of data, thereby making it easier to work with the format they provide. There are no longer dozens of security vendors selling appliances, spewing syslog that you have to painstakingly curate into a common information model. Instead you're more likely to have a handful of data sources shepherding massive volumes within each cloud provider. It's much more productive to make sense of this data as it is, then to somehow normalize data from disparate sources and essentially fake an understanding of it.

SIEM simply doesn't make sense for cloud native companies. Aside from the huge implementation and maintenance cost, doing lots of normalization … to run lots of rules … that no one looks at anyway. Don't be wasteful — only run rules for what you're going to use.

Jeremy Burton is CEO of Observe

Related Links

Hot Topics

Related Vendors

The Latest

Manufacturing Organizations Doubled AI Investment Yet Only 37% Fully Prepared to Operationalize AI

While 87% of manufacturing leaders and technical specialists report that ROI from their AIOps initiatives has met or exceeded expectations, only 37% say they are fully prepared to operationalize AI at scale, according to The Future of IT Operations in the AI Era, a report from Riverbed ...

Optimizing Decisions with Edge-First Cognitive Intelligence

Many organizations rely on cloud-first architectures to aggregate, analyze, and act on their operational data ... However, not all environments are conducive to cloud-first architectures ... There are limitations to cloud-first architectures that render them ineffective in mission-critical situations where responsiveness, cost control, and data sovereignty are non-negotiable; these limitations include ...

The New Perimeter Is the User: Why Identity Is the Real Network Edge

For years, cybersecurity was built around a simple assumption: protect the physical network and trust everything inside it. That model made sense when employees worked in offices, applications lived in data centers, and devices rarely left the building. Today's reality is fluid: people work from everywhere, applications run across multiple clouds, and AI-driven agents are beginning to act on behalf of users. But while the old perimeter dissolved, a new one quietly emerged ...

When AI Infrastructure Stops Behaving Like Infrastructure

For years, infrastructure teams have treated compute as a relatively stable input. Capacity was provisioned, costs were forecasted, and performance expectations were set based on the assumption that identical resources behaved identically. That mental model is starting to break down. AI infrastructure is no longer behaving like static cloud capacity. It is increasingly behaving like a market ...

Enterprise Resilience: Understanding the Shift from Static to Dynamic

Resilience can no longer be defined by how quickly an organization recovers from an incident or disruption. The effectiveness of any resilience strategy is dependent on its ability to anticipate change, operate under continuous stress, and adapt confidently amid uncertainty ...

Mobile Users Expect Perfection in 2026

Mobile users are less tolerant of app instability than ever before. According to a new report from Luciq, No Margin for Error: What Mobile Users Expect and What Mobile Leaders Must Deliver in 2026, even minor performance issues now result in immediate abandonment, lost purchases, and long-term brand impact ...

AI Confidence Is High. Readiness Is Not. What the Data Tells Us - and Why It Matters

Artificial intelligence (AI) has become the dominant force shaping enterprise data strategies. Boards expect progress. Executives expect returns. And data leaders are under pressure to prove that their organizations are "AI-ready" ...

Agentic AI, Realistic Expectations and the Future of IT Operations in 2026

Agentic AI is a major buzzword for 2026. Many tech companies are making bold promises about this technology, but many aren't grounded in reality, at least not yet. This coming year will likely be shaped by reality checks for IT teams, and progress will only come from a focus on strong foundations and disciplined execution ...

Trust, But Verify: Building Confidence in AI Through Human Oversight

AI systems are still prone to hallucinations and misjudgments ... To build the trust needed for adoption, AI must be paired with human-in-the-loop (HITL) oversight, or checkpoints where humans verify, guide, and decide what actions are taken. The balance between autonomy and accountability is what will allow AI to deliver on its promise without sacrificing human trust ...

Data Centers Plan to Reduce Reliance on Grid

More data center leaders are reducing their reliance on utility grids by investing in onsite power for rapidly scaling data centers, according to the Data Center Power Report from Bloom Energy ...