
Best-Of-Breed Security Is Always Important—but for SIEM, It’s Imperative

  • Feb 06, 2025
  • Heidi Willbanks
  • 4 minutes to read

    Which approach provides superior cybersecurity: a single-vendor platform portfolio or a multivendor best-of-breed ecosystem?

    Superficially, single-vendor platforms seem to have various advantages:

    • Organizations can rein in the number of contractors they work with
    • Enterprise vendors have well-established credibility in the industry
    • Their suites of tools seem to cover most core cybersecurity needs
    • They can package all their products together with discount pricing

    But take a closer look, and glaring gaps appear. Multiple, headline-grabbing security incidents have involved large platform players, and if you’re a seasoned cybersecurity leader, you should consider the risks associated with putting all your eggs in one basket.

    Security information and event management (SIEM) is one capability where CISOs can’t settle for second best. Also, these types of large platform technology purchases are often overseen by the CIO or CFO; as a CISO, you’re likely leery of placing the success of your security stack, and your career, in the hands of a non-security stakeholder.

    The Single-Vendor Portfolio: A Cure or a Curse?

    What are these glaring gaps in large enterprise vendors, and why are they there to begin with? The short answer is that their vast suites of tools generally consist of products gathered through acquisitions, which were never part of these vendors’ core focus. They don’t invest the time, talent, or resources to grow and develop them in a way that would make them market-leading solutions.

    They don’t have an incentive to, either. These large portfolio players are so dominant in the market that there’s no need for them to be agile and differentiate themselves through groundbreaking innovation. They answer to shareholders and investors who care about minimizing input and maximizing output—which is why for them, “good enough” is typically good enough. Their portfolio of bolted-on products and add-ons is relatively stagnant, so it ultimately ends up as an under-realized portfolio that locks their customers in and promises more than it delivers.

    But security professionals know that “good enough” will never be good enough in today’s dynamic security environment. Even more precarious is that large enterprise vendors offering a single platform approach make attractive targets for threat actors. If a vulnerability in that platform is exploited, a single flaw can result in numerous security compromises across its customer base.

    One way to solve the problem of a single point of failure is to have a multivendor security stack. It’s far less likely to be taken offline if one element is compromised and therefore has a greater degree of redundancy built in. It allows you to take a best-of-breed approach to building a security stack so that the most potent available solutions can fulfill core functions—and all those solutions can work together harmoniously.

    SIEM: A Must-Have or a Nice-To-Have Capability?

    Among these core security functions, SIEM represents the foundation for threat detection, investigation, and response (TDIR) workflows because it aggregates data and logs across the entire on-premises and cloud estates. This represents a significant amount of data for most enterprises to collect, monitor, and store.

    Modern, best-in-class SIEM solutions are able to parse this data and, with the help of user and entity behavior analytics (UEBA), can proactively and retroactively flag anomalous user and device activity. This is why it’s critical to have a sophisticated SIEM that’s vendor-agnostic—but unfortunately, the SIEM tools provided by enterprise vendors specialize in collecting logs and data from products within the vendor’s portfolio. Sources outside of it are either excluded or entail a heap of extra costs.

    So CISOs and their teams must take a good long look at their priorities and ask themselves:

    1. Is having some SIEM functionality sufficient, even if it doesn’t cover everything?
    2. How much will it cost if it requires a lot of add-ons to work correctly?
    3. How good is the user experience, and could inefficiencies result in more costs?

    Every piece of data that enters a SIEM is important. There aren’t many cases where a serious intrusion could be traced to a single event; breaches involve multiple steps and stages, and a SIEM shows and tells that larger story. That’s why the SOC requires a SIEM tool that provides the telemetry necessary to monitor the entire environment. This is also a keystone for building more advanced capabilities, such as monitoring for insider threats—and, generally speaking, such capabilities go well beyond what single-vendor portfolio SIEM tools can provide.
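    To make the two points above concrete (vendor-agnostic ingestion, and stitching multiple stages into one story), here is an added illustration that is not Exabeam code or any product's logic: it normalizes two constructed log formats into one schema, then correlates repeated failed logins, a subsequent success, and a privileged action by the same user, adding a UEBA-style check of whether the host is outside that user's assumed baseline. Log lines, field names and the baseline are all constructed for the example and assume events arrive in time order.

```python
import json
import re
from collections import defaultdict

# Constructed sample logs in two different (fictional) vendor formats.
RAW_LOGS = [
    'Jan 10 09:00:01 fw01 auth: user=alice src=203.0.113.7 result=FAIL',
    'Jan 10 09:00:04 fw01 auth: user=alice src=203.0.113.7 result=FAIL',
    'Jan 10 09:00:09 fw01 auth: user=alice src=203.0.113.7 result=OK',
    '{"ts":"2025-01-10T09:01:30","host":"ws-17","user":"alice","event":"admin_group_add"}',
    '{"ts":"2025-01-10T09:05:00","host":"ws-02","user":"bob","event":"file_open"}',
]
SYSLOG_RE = re.compile(
    r'^\S+ \d+ \S+ (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$'
)

def normalize(line):
    """Map either vendor format onto one common schema; return None for unparseable lines."""
    if line.startswith('{'):
        rec = json.loads(line)
        return {'user': rec['user'], 'host': rec['host'], 'action': rec['event'],
                'outcome': 'OK', 'src': None}
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {'user': m['user'], 'host': m['host'], 'action': 'login',
            'outcome': m['result'], 'src': m['src']}

def correlate(lines, baseline_hosts, fail_threshold=2):
    """Return one 'story' per user who had >= fail_threshold failed logins,
    then a successful login, then a privileged action (multi-stage sequence)."""
    fails = defaultdict(int)   # failed-login count per user
    stage = {}                 # last reached stage per user
    stories = []
    for ev in filter(None, map(normalize, lines)):
        u = ev['user']
        if ev['action'] == 'login' and ev['outcome'] == 'FAIL':
            fails[u] += 1
        elif ev['action'] == 'login' and ev['outcome'] == 'OK' and fails[u] >= fail_threshold:
            stage[u] = 'suspicious_login'
        elif ev['action'] == 'admin_group_add' and stage.get(u) == 'suspicious_login':
            # UEBA-style baseline check: has this user ever been seen on this host?
            novel = ev['host'] not in baseline_hosts.get(u, set())
            stories.append({'user': u, 'failed_logins': fails[u],
                            'host': ev['host'], 'novel_host': novel})
    return stories

if __name__ == '__main__':
    print(correlate(RAW_LOGS, {'alice': {'ws-01'}}))
```

Taken individually, none of the three events is alarming; only the normalized, cross-source sequence produces the story.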

    The Takeaway: Don’t Let TDIR Be an Afterthought

    What kind of security portfolio do you want for your organization? One where average—or even underrealized—products from one vendor promise to provide a perfunctory level of protection? Or one where you can evaluate and understand each unique security need for your organization and choose a tool that effectively solves it and operates compatibly with your other tools?

    The best-of-breed approach is more sound when it comes to SIEM. If your SIEM comes from a large single-vendor platform, and that platform experiences an outage or breach, the last thing you want is for TDIR capabilities to be compromised right when they’re needed most.

    When organizations take a best-of-breed approach to SIEM that operates in a vendor-agnostic technology stack, they have a much better chance of maintaining robust TDIR processes during a critical event. It also enables the SOC to adopt and integrate more best-in-class tools, which enhances the organization’s security posture, maturity, and strategy. This builds the resilience, contingency, and inherent abstraction between systems that organizations need to help keep potentially catastrophic incidents at bay.

    Download our new whitepaper for a more complete assessment of the costs and benefits of a single-vendor security stack versus a best-of-breed approach and how security leaders can make a stronger case for the tools and capabilities the SOC needs.

    Heidi Willbanks | Senior Product Marketing Manager, Content | Exabeam | Heidi Willbanks leads content strategy and go-to-market execution at Exabeam, focusing on product launches, cybersecurity solutions marketing, and technical alliances. She has 20+ years of marketing experience, including over a decade in information security and data privacy, and holds a Level IV certification from Pragmatic Institute. Heidi specializes in creating clear, technically accurate content for security practitioners and decision-makers.
