Decoupled SIEM: Brilliant or Stupid?

Frankly, not sure why I am writing this, I get a sense that this esoteric topic is of interest to a very small number of people. But hey … LinkedIn made me do it 🙂 And many of those few people are my friends or at least close industry peers.

So, the topic is so-called “decoupled SIEM” (I probably made up the term, but …hey… at least this is not an acronym like EDR so YMMV). In my mind, “Decoupled SIEM” is a way to deliver Security Information and Event Management (SIEM) technology where the data management (a) and threat analysis (b) are provided by different vendors.

Actually, you can decouple even more, such as into buckets like log collection/normalization, then storage/retention, and then detection content and hunting/investigations (What about the workflow? Well, that one often gets missed by the “decouplers”… then again you can try to buy a standalone SOAR for that!)

Peculiarly, my first experience with decoupled SIEM was many years ago when a SIEM (SIM, actually) installer CD (yes, it was a thing in the Stone Age, a trained mammoth would bring you a stone tablet that you insert into your cave computer…) told me to “take me out, and insert the Oracle installer CD instead.”

This reminds us that the current fascination with decoupled SIEM is a pendulum swing! Most “original SIEM” (not to be confused with original sin…) tools that appeared in the late 1990s started out essentially decoupled (“here, go install this RDBMS” or “here, we can helpfully install this database for you, just bring a CD”). Later on, the limits of off-the-shelf databases piled up, Splunk invented log search, and most vendors slowly moved to custom-made log storage and abandoned separate databases.

To be fair, what killed this approach the first time was not its decoupled nature, but the fact that a classic relational database is abysmally bad for scalable log retention, and SQL is abysmally bad for log analysis. Then a few more years passed, and our fascination with data lakes led us straight back to the “but can’t we use an existing cloud-scale storage platform” theme. And so here we are discussing it!

The romantic ideal behind this approach is that scalable data management and threat analysis are dramatically differe

[…]

This article has been indexed from Security Boulevard
