By Splunk July 13, 2017
Legacy security information and event management (SIEM) tools just can’t keep up with the pace and sophistication of modern day threats and attacks. Whether it’s failing to discover a cleverly disguised attack like Petya, WannaCry ransomware or privileged user monitoring, legacy SIEMs just cannot keep up and should be gracefully shut down.
We do realize that it’s not as easy as shutting off a switch when the legacy system was a good room heater for many years!
But did you know that your legacy SIEM might be weakening your security posture? It may be failing to detect modern threats and putting your entire business at risk. Or it could be burdening your security operations team by forcing them to chase false alarms while critical alerts go unattended.
In this blog post, I am sharing four examples of customers who have replaced their legacy SIEMs with the Splunk platform to solve a range of security use cases. These customer successes were driven by common problems related to scale, data ingest, slow investigations, instability, closed ecosystems and more.
The four scenarios—a financial services firm, a luxury retailer and two government agencies—demonstrate successful legacy SIEM replacements and migrations to the Splunk platform.
Financial Services Company Gains Actionable Security Intelligence
This Wall Street-based financial services company needed a new solution that could ingest growing volumes of data, minimize risk, speed security investigations and integrate with its governance, risk and compliance (GRC) solution. Since deploying Splunk Enterprise and Splunk Enterprise Security (ES) as its data analytics security platform, the company has seen the following benefits:
- Rapid implementation of more than 100 use cases
- Ability to ingest growing volumes of data
- Completes security searches and responds to actionable alerts in seconds
The company’s information security principal says, “Splunk Enterprise Security offers far more versatility than the rigid frameworks of legacy SIEM products. I have a dashboard showing the number of users entering our network from each of our VPN locations. Achieving such visibility with my legacy SIEM would be time-consuming and expensive. Instead, our Splunk platform gives us any views of our PCI controls that we require, enabling a small security team like ours to easily access and evaluate the data.”
Luxury Retailer Replaces Legacy SIEM with Analytics-Driven SIEM
A leading luxury retailer was concerned about security breaches negatively affecting its customers and brand reputation, so it replaced its legacy SIEM with Splunk ES. Since deploying Splunk ES, the retailer has seen the following benefits:
- Fast implementation – replaced underperforming SIEM in only six weeks
- Added capabilities to prevent security breaches, mitigate fraud and ensure Payment Card Industry (PCI) compliance
- Gained ability to protect customer data and company reputation
In only six weeks, the retailer migrated off its legacy SIEM—the solution it had relied on for 10 years—and implemented Splunk ES under a tight deadline.
The company’s security manager says, “There is no other vendor that would have come into our enterprise and helped us to the degree that Splunk did. Most of the others would have just waited around for us to fix our issues, twiddling their thumbs and doing nothing. Splunk was fantastic—a partner, not just a vendor.”
InfoTeK and Splunk Deliver Security Intelligence Platform for Public Sector Customer
A U.S. government agency had its mission hampered when its legacy SIEM software failed to live up to expectations. The agency turned to InfoTeK—a leading cybersecurity, software and systems engineering firm—to replace its SIEM. Since deploying the Splunk platform, the customer has experienced the following benefits:
- Deployed in one weekend and stopped an attack the next day
- Achieved a 75 percent cost reduction with new SIEM from Splunk
- Reduced number of tools required, including log aggregators and endpoint solutions
According to Jonathan Fair, senior incident handler and security engineer at InfoTeK, “Something that used to take hours, days or even weeks with other products or jumping between multiple tools can be done in seconds, minutes or hours with Splunk.” InfoTeK was able to provide ROI before the product was even fully purchased because the customer successfully stopped a threat that would have required a complete rebuild of the network.
US Government Cabinet-Level Department Reduces Costs, Improves Security Posture
One large U.S. cabinet-level department previously had a legacy SIEM, a slow and expensive tool that did not stand up to the needs of the agency. Since replacing it with Splunk software for security and compliance the department has seen benefits including:
- Saving $900,000 annually on software maintenance
- Improving security detection, response and remediation
- Reduced security investigation time from hours to minutes
Jonathan Margulies—originally a consultant with Qmulos, a premier Splunk partner—and his team of Splunk architects and developers manage a large Splunk deployment serving a federal department made up of approximately 40 agencies, upward of 200,000 hosts and 130,000 users. Before Margulies joined the organization, the department’s security operations center (SOC) was using HP ArcSight as its primary SIEM. “ArcSight was slow, difficult to develop on, and it was hard to find good experts who could use it,” says Margulies. “It was also very expensive and running typical investigations was an hours-long nightmare."
Top 7 Reasons Why Customers Are Replacing Their Legacy SIEMs
Organizations are often tied to the dated architectures of traditional SIEMs, which often use legacy products with architecture that does not scale and support modern investigation techniques. These databases can become a single point of failure or suffer from scale and performance limitations.
1. Limited Security Data Types
By limiting the type of data ingested there are significant limitations in detection, investigation and response times.
2. Inability to Effectively Ingest Data
The ingestion of data can be a laborious process and is very expensive.
3. Slow Investigations
Basic actions such as raw log searches can take a significant amount of time—often many hours and days to complete.
4. Instability and Scalability
As SQL-based databases grow, they become less stable. Customers often suffer from either poor performance or a large number of outages as spikes in events take servers down.
5. End-of-Life or Uncertain Roadmap
As legacy SIEM vendors change ownership, R&D slows to a crawl. Without continuous investment and innovation, security solutions fail to keep up with the growing threat landscape.
6. Closed Ecosystem
Legacy SIEM vendors often lack the ability to integrate with other tools in the market. Customers are forced to use what was included in the SIEM or spend more on custom development and professional services.
7. Limited to On-Premises
Legacy SIEMs are often limited to on-premises deployments. Security practitioners must be able to use cloud, on-premises and hybrid workloads.
Analytics-Driven SIEM
The Splunk Analytics-Driven SIEM uses a risk-based approach to provide businesses with detailed context and threat intelligence to make it relevant, actionable, and most importantly, enable users to gain valuable insights from their data.
Don’t risk the future of your organization to legacy solutions. You can immediately begin exploring the power of Splunk’s Analytics-Driven SIEM by signing up for 7 days of free access to the Splunk Enterprise Security online sandbox.
If you are looking to replace your SIEM or if you have any questions, contact a SIEM expert now.
Girish Bhat
Director, Security Product Marketing
Splunk Inc.
@girishb
----------------------------------------------------
Thanks!
Girish Bhat