
When the bough breaks: The end of the SIEM era and rise of ELK

The story behind the mass exodus of enterprises from SIEM to Elastic

"It is not the strongest or the most intelligent who will survive, but those who can best manage change." -Leon C. Megginson


In my Ashes to Ashes article, I talked about how the event fatigue problem perpetuated by SIEM solutions requires SOAR to help address it. SOAR also expands and improves SecOps by mechanizing and organizing the sense-and-response activities that previously relied on the human analyst. SOAR effectively takes SIEM further by combining data collection, threat and vulnerability management, incident response and case management, workflow, and analytics, giving organizations the ability to automate workflows, process execution, and response actions through what are referred to as "playbooks."

A FireEye survey of C-level security executives at large enterprises worldwide found that 36% of respondents receive more than 10,000 alerts each month from their SIEM. Of those alerts, 52% were false positives and 64% were redundant, costing companies an average of $1.27 million every year.

It goes without saying that SIEMs have quickly lost their sex appeal as security analysts continue to take fire daily from the false positives their SIEM generates, or from the MSSP they had to retain for its care and feeding and 24x7 monitoring. It quickly became evident that a SIEM required daily, round-the-clock tuning by seasoned staff capable of writing rules for that specific platform just to lower the noise, with no end in sight. The dream of effective centralized monitoring of events across the enterprise would need to be reimagined.

But as with everything in life, it isn't that simple. What about the growing cost of big data SIEM solutions that charge by the amount of data ingested per month? According to a recent IDG survey on Data and Analytics, the average enterprise manages 347.56 TB of data, seven times as much as the average SMB at 47.81 TB, and organizations of all sizes expect that amount to increase considerably in a relatively short timeframe.

The Elastic Stack

Enter Elastic. The Elastic Stack, often referred to as the ELK stack, is built from three open source projects: Elasticsearch, Logstash, and Kibana. It effectively enables organizations to ingest any data, in any format, from any source, then search it and analyze and visualize the results in near real-time. Does this sound strangely similar to what SIEM solutions do? The features in the Elastic Stack are too numerous to mention here, but feel free to read about them in their entirety on the official Elastic web site.

I've created an illustration below that demonstrates how the ELK stack ingests and allows for the processing and visualization of data at each layer in the stack.

But what exactly does each layer of the ELK stack do? What is Kibana? What is Beats? Aren't those the earphones created by Dr. Dre? Well yes and no, but I'm more of an AirPods girl, but I digress. In short: Beats and Logstash collect and parse the data, Elasticsearch indexes and searches it, and Kibana is the front end for querying and visualizing it. As an aside, Beats was created to fill the gap for systems needing a lightweight data shipper, able to send data from thousands of endpoints to Logstash or Elasticsearch.
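To make the "ingest any data, in any format" layer concrete, here is an added example (not from the original article or from Elastic's own code) that does in plain Python what Filebeat plus a Logstash grok and date filter would do on the way into Elasticsearch: it parses a few constructed sshd auth log lines into Elastic Common Schema (ECS) field names, emits the newline-delimited body that the Elasticsearch `_bulk` API expects, and builds a terms aggregation that counts failed logins per source IP so the SOC gets one alert per attacking host instead of one per event. The index name `logs-auth-default`, the sample log lines, and the threshold of 3 are assumptions for the example; the ECS field names and the `_bulk` and Query DSL formats are Elastic's real ones.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample sshd syslog lines (not real captured data). In a deployed
# stack, Filebeat would read these from /var/log/auth.log and ship them on.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:15:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  3 10:15:05 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:16:10 web01 sshd[2220]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar  3 10:16:12 web01 CRON[2225]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Stand-in for a Logstash grok pattern covering sshd password/publickey events.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2$"
)


def parse_sshd_line(line, year=2024):
    """Parse one sshd syslog line into an ECS-shaped document.

    Returns None for lines that are not sshd auth events (the Logstash
    equivalent would tag them _grokparsefailure and let them through unparsed).
    """
    m = SSHD_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so one is assumed (as Logstash's date filter does).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "@timestamp": ts.isoformat(),
        "host": {"name": m["host"]},
        "process": {"name": "sshd", "pid": int(m["pid"])},
        "event": {
            "category": ["authentication"],
            "action": f"ssh_{m['method']}",
            "outcome": "success" if m["result"] == "Accepted" else "failure",
        },
        "user": {"name": m["user"]},
        "source": {"ip": m["ip"], "port": int(m["port"])},
        "message": line,
    }


def to_bulk_body(lines, index="logs-auth-default"):
    """Build the NDJSON body for POST /_bulk: an action line followed by one document per event."""
    out = []
    for line in lines:
        doc = parse_sshd_line(line)
        if doc is None:
            continue
        out.append(json.dumps({"index": {"_index": index}}))
        out.append(json.dumps(doc))
    return "\n".join(out) + "\n"


def failed_login_query(threshold=10, window="15m"):
    """Query DSL that buckets recent failures by source IP instead of alerting on each one."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"event.outcome": "failure"}},
            {"term": {"event.category": "authentication"}},
            {"range": {"@timestamp": {"gte": f"now-{window}"}}},
        ]}},
        "aggs": {"by_source": {"terms": {"field": "source.ip", "min_doc_count": threshold, "size": 50}}},
    }


def failures_by_source(lines, threshold):
    """Local equivalent of the aggregation above, run over the parsed sample lines."""
    counts = {}
    for line in lines:
        doc = parse_sshd_line(line)
        if doc and doc["event"]["outcome"] == "failure":
            ip = doc["source"]["ip"]
            counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    print(to_bulk_body(lines))
    print(json.dumps(failed_login_query(threshold=3), indent=2))
    print(failures_by_source(lines, threshold=3))
```

The point of the aggregation is the one the article keeps coming back to: three failed passwords from one address in a short window is one incident, not three alerts, and putting that logic in the query rather than in the analyst's head is how you lower the noise without dropping log sources.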

The Pink Elephant

There are also numerous companies building commercial products powered by an ELK backend, including network detection and response (NDR) solutions such as Lastline. Look, let's point out the pink elephant in the room. Big data SIEM is expensive, very expensive. For organizations using SIEM solutions that charge based on the amount of data sent, it's an ongoing challenge to limit how much data they send, with some organizations paying north of $100,000 just for data ingestion.

Much of the impetus behind the migration to ELK for many CISOs I've spoken to is the growing, exorbitant cost of sending data to Splunk. Some, such as Deepak Wadhwani, engineering manager for the Observability Team at Box, have cited a per-terabyte cost reduction of more than 50% after moving to ELK. As a former SOC analyst, I have to ask: how is it that we've entered an era where the cost of data ingestion into a SIEM is actually causing organizations to limit or even turn away log sources, effectively negating the very premise behind having a SIEM in the first place?

The fact of the matter is, enterprises are continuously looking to reduce their CapEx and OpEx spending on security controls to invest more in "warm butts in seats."


The net-net is that managed security service providers (MSSPs) must evolve or die by providing monitoring and management services for ELK stacks, and companies need to take a serious look at divesting from their current big data SIEM. Companies should seriously consider ELK as a cost-effective alternative to the growing cost problem of their big data SIEM, potentially even moving to MDR, lest they continue to deal with a growing event fatigue problem that leads to a higher mean time to respond (MTTR). Ask yourself the hard question of whether you are actually getting the ROI on your big data SIEM infrastructure that you thought you were.

In the next article of this ELK series, I will provide the field manual for the implementation of an ELK stack for your on-prem and cloud assets.

Like and Share

The best way you can support me in my continued content development and influencer efforts in cybersecurity is to like and share my article. Please do it now!

Subscribe and Follow

Subscribe to my YouTube channel to get notifications of my VLOG, live streams, and Vodcast/Podcast episodes uploaded weekly and follow me on Twitter. To view my latest content calendar, visit our firm's web site at Knight Ink.


