Skip to main content

Why Security Observability Is a Viable Alternative to SIEM Tools

Jeremy Burton
Observe

We increasingly see companies using their observability data to support security use cases. It's not entirely surprising given the challenges that organizations have with legacy SIEMs. We wanted to dig into this evolving intersection of security and observability, so we surveyed 500 security professionals — 40% of whom were either CISOs or CSOs — for our inaugural State of Security Observability report.


It Starts With a Single Central Data Lake

Security observability is about using logs, metrics, and traces to infer risk, monitor threats, and alert on breaches. We see more and more customers using a single, central, data lake for their security and operational log data, which can deliver the benefits of shared infrastructure cost and search language cross-training. But, security data is all about voluminous logs with massive variability — and the volume of security data often leads to unacceptable storage costs. That's painful for customers and so they're forced to roll data off to cold storage after a few days. Re-hydrating from cold storage on demand is even worse than the bad old days of tape backup, because it adds the challenge of drifting search-time schema definitions. To have a real security data lake, all that data needs to be always hot, always searchable.

Security professionals are also hurt by the inability of many incumbent tools to analyze metrics alongside logs, so the operations team pushes back when asked to get onboard with a single tool for operational and security data. This hits the smaller organizations really hard, which is why you see such variability in their budgets — across three recent surveys of US companies, average security budgets range from 10% to 24% of the IT budget. A review of LinkedIn data indicates that the lower third of organizations by size doesn't allocate any security budget at all.

An SIEM That's Not A SIEM?

Almost everyone in the survey has an SIEM, uses an SIEM, and is investing a lot in manipulating data to their SIEM's standards to make the rules work so the analysts can see the massive numbers of alerts. There's a lot of SIEM hate out there, and lots of people looking for alternative solutions. I think there's great hunger for the SIEM that's not a SIEM — customers want to be able to search and correlate log events without the noisy ticket generation machine.

In the report, respondents noted that half of their security data has to be transformed and half of security incidents have to be escalated. It's an exhausting amount of maintenance work that is difficult to justify in today's climate of constrained budgets. For small organizations with just a couple of admins, or large ones where multiple teams need to coordinate, it's hard for them to bite off that SIEM renewal without looking at alternatives.

Security Observability can be that alternative. Why Security Observability? Simple: because an outside-in approach based on large volumes of data you've already collected saves precious employee time and effort. It certainly beats the typical SIEM approach of normalizing data to an unrealistic, vendor-locked abstraction. That's beneficial to large customers, and absolutely critical to smaller companies who simply can't dedicate people to running specialized security tools — it's often a team effort by a group of generalists. And sure, large companies can technically afford a SIEM ... but why should they?

So often we see that there are multiple SIEM-like tools in place, duplicating data for the security operations center and the incident response teams. It's pure waste. It's easy to accidentally and needlessly duplicate data between observability and security tooling, or between multiple security tools, and then go looking for a search engine that can unify it. Since most organizations are expecting data to grow by 75% or more in the next year, this waste becomes more costly each year.

Cloud Changes Everything

The large cloud providers have certainly increased the volume of data needed to be collected, but they also have reduced the variety of data, thereby making it easier to work with the format they provide. There are no longer dozens of security vendors selling appliances, spewing syslog that you have to painstakingly curate into a common information model. Instead you're more likely to have a handful of data sources shepherding massive volumes within each cloud provider. It's much more productive to make sense of this data as it is, then to somehow normalize data from disparate sources and essentially fake an understanding of it.

SIEM simply doesn't make sense for cloud native companies. Aside from the huge implementation and maintenance cost, doing lots of normalization … to run lots of rules … that no one looks at anyway. Don't be wasteful — only run rules for what you're going to use.

Jeremy Burton is CEO of Observe

The Latest

AI is the catalyst for significant investment in data teams as enterprises require higher-quality data to power their AI applications, according to the State of Analytics Engineering Report from dbt Labs ...

Misaligned architecture can lead to business consequences, with 93% of respondents reporting negative outcomes such as service disruptions, high operational costs and security challenges ...

A Gartner analyst recently suggested that GenAI tools could create 25% time savings for network operational teams. Where might these time savings come from? How are GenAI tools helping NetOps teams today, and what other tasks might they take on in the future as models continue improving? In general, these savings come from automating or streamlining manual NetOps tasks ...

IT and line-of-business teams are increasingly aligned in their efforts to close the data gap and drive greater collaboration to alleviate IT bottlenecks and offload growing demands on IT teams, according to The 2025 Automation Benchmark Report: Insights from IT Leaders on Enterprise Automation & the Future of AI-Driven Businesses from Jitterbit ...

A large majority (86%) of data management and AI decision makers cite protecting data privacy as a top concern, with 76% of respondents citing ROI on data privacy and AI initiatives across their organization, according to a new Harris Poll from Collibra ...

According to Gartner, Inc. the following six trends will shape the future of cloud over the next four years, ultimately resulting in new ways of working that are digital in nature and transformative in impact ...

2020 was the equivalent of a wedding with a top-shelf open bar. As businesses scrambled to adjust to remote work, digital transformation accelerated at breakneck speed. New software categories emerged overnight. Tech stacks ballooned with all sorts of SaaS apps solving ALL the problems — often with little oversight or long-term integration planning, and yes frequently a lot of duplicated functionality ... But now the music's faded. The lights are on. Everyone from the CIO to the CFO is checking the bill. Welcome to the Great SaaS Hangover ...

Regardless of OpenShift being a scalable and flexible software, it can be a pain to monitor since complete visibility into the underlying operations is not guaranteed ... To effectively monitor an OpenShift environment, IT administrators should focus on these five key elements and their associated metrics ...

An overwhelming majority of IT leaders (95%) believe the upcoming wave of AI-powered digital transformation is set to be the most impactful and intensive seen thus far, according to The Science of Productivity: AI, Adoption, And Employee Experience, a new report from Nexthink ...

Overall outage frequency and the general level of reported severity continue to decline, according to the Outage Analysis 2025 from Uptime Institute. However, cyber security incidents are on the rise and often have severe, lasting impacts ...

Why Security Observability Is a Viable Alternative to SIEM Tools

Jeremy Burton
Observe

We increasingly see companies using their observability data to support security use cases. It's not entirely surprising given the challenges that organizations have with legacy SIEMs. We wanted to dig into this evolving intersection of security and observability, so we surveyed 500 security professionals — 40% of whom were either CISOs or CSOs — for our inaugural State of Security Observability report.


It Starts With a Single Central Data Lake

Security observability is about using logs, metrics, and traces to infer risk, monitor threats, and alert on breaches. We see more and more customers using a single, central, data lake for their security and operational log data, which can deliver the benefits of shared infrastructure cost and search language cross-training. But, security data is all about voluminous logs with massive variability — and the volume of security data often leads to unacceptable storage costs. That's painful for customers and so they're forced to roll data off to cold storage after a few days. Re-hydrating from cold storage on demand is even worse than the bad old days of tape backup, because it adds the challenge of drifting search-time schema definitions. To have a real security data lake, all that data needs to be always hot, always searchable.

Security professionals are also hurt by the inability of many incumbent tools to analyze metrics alongside logs, so the operations team pushes back when asked to get onboard with a single tool for operational and security data. This hits the smaller organizations really hard, which is why you see such variability in their budgets — across three recent surveys of US companies, average security budgets range from 10% to 24% of the IT budget. A review of LinkedIn data indicates that the lower third of organizations by size doesn't allocate any security budget at all.

An SIEM That's Not A SIEM?

Almost everyone in the survey has an SIEM, uses an SIEM, and is investing a lot in manipulating data to their SIEM's standards to make the rules work so the analysts can see the massive numbers of alerts. There's a lot of SIEM hate out there, and lots of people looking for alternative solutions. I think there's great hunger for the SIEM that's not a SIEM — customers want to be able to search and correlate log events without the noisy ticket generation machine.

In the report, respondents noted that half of their security data has to be transformed and half of security incidents have to be escalated. It's an exhausting amount of maintenance work that is difficult to justify in today's climate of constrained budgets. For small organizations with just a couple of admins, or large ones where multiple teams need to coordinate, it's hard for them to bite off that SIEM renewal without looking at alternatives.

Security Observability can be that alternative. Why Security Observability? Simple: because an outside-in approach based on large volumes of data you've already collected saves precious employee time and effort. It certainly beats the typical SIEM approach of normalizing data to an unrealistic, vendor-locked abstraction. That's beneficial to large customers, and absolutely critical to smaller companies who simply can't dedicate people to running specialized security tools — it's often a team effort by a group of generalists. And sure, large companies can technically afford a SIEM ... but why should they?

So often we see that there are multiple SIEM-like tools in place, duplicating data for the security operations center and the incident response teams. It's pure waste. It's easy to accidentally and needlessly duplicate data between observability and security tooling, or between multiple security tools, and then go looking for a search engine that can unify it. Since most organizations are expecting data to grow by 75% or more in the next year, this waste becomes more costly each year.

Cloud Changes Everything

The large cloud providers have certainly increased the volume of data needed to be collected, but they also have reduced the variety of data, thereby making it easier to work with the format they provide. There are no longer dozens of security vendors selling appliances, spewing syslog that you have to painstakingly curate into a common information model. Instead you're more likely to have a handful of data sources shepherding massive volumes within each cloud provider. It's much more productive to make sense of this data as it is, then to somehow normalize data from disparate sources and essentially fake an understanding of it.

SIEM simply doesn't make sense for cloud native companies. Aside from the huge implementation and maintenance cost, doing lots of normalization … to run lots of rules … that no one looks at anyway. Don't be wasteful — only run rules for what you're going to use.

Jeremy Burton is CEO of Observe

The Latest

AI is the catalyst for significant investment in data teams as enterprises require higher-quality data to power their AI applications, according to the State of Analytics Engineering Report from dbt Labs ...

Misaligned architecture can lead to business consequences, with 93% of respondents reporting negative outcomes such as service disruptions, high operational costs and security challenges ...

A Gartner analyst recently suggested that GenAI tools could create 25% time savings for network operational teams. Where might these time savings come from? How are GenAI tools helping NetOps teams today, and what other tasks might they take on in the future as models continue improving? In general, these savings come from automating or streamlining manual NetOps tasks ...

IT and line-of-business teams are increasingly aligned in their efforts to close the data gap and drive greater collaboration to alleviate IT bottlenecks and offload growing demands on IT teams, according to The 2025 Automation Benchmark Report: Insights from IT Leaders on Enterprise Automation & the Future of AI-Driven Businesses from Jitterbit ...

A large majority (86%) of data management and AI decision makers cite protecting data privacy as a top concern, with 76% of respondents citing ROI on data privacy and AI initiatives across their organization, according to a new Harris Poll from Collibra ...

According to Gartner, Inc. the following six trends will shape the future of cloud over the next four years, ultimately resulting in new ways of working that are digital in nature and transformative in impact ...

2020 was the equivalent of a wedding with a top-shelf open bar. As businesses scrambled to adjust to remote work, digital transformation accelerated at breakneck speed. New software categories emerged overnight. Tech stacks ballooned with all sorts of SaaS apps solving ALL the problems — often with little oversight or long-term integration planning, and yes frequently a lot of duplicated functionality ... But now the music's faded. The lights are on. Everyone from the CIO to the CFO is checking the bill. Welcome to the Great SaaS Hangover ...

Regardless of OpenShift being a scalable and flexible software, it can be a pain to monitor since complete visibility into the underlying operations is not guaranteed ... To effectively monitor an OpenShift environment, IT administrators should focus on these five key elements and their associated metrics ...

An overwhelming majority of IT leaders (95%) believe the upcoming wave of AI-powered digital transformation is set to be the most impactful and intensive seen thus far, according to The Science of Productivity: AI, Adoption, And Employee Experience, a new report from Nexthink ...

Overall outage frequency and the general level of reported severity continue to decline, according to the Outage Analysis 2025 from Uptime Institute. However, cyber security incidents are on the rise and often have severe, lasting impacts ...