Three Reasons why SIEMs are not Enough

Blog

Security Information and Event Management (SIEM) tools are often used to detect threats. Rules are set up to monitor the environment and once a rule is violated, it triggers an alert. Security Operation Centers spend months configuring the rules to ensure that they are triggered only when malicious behavior is present. However, as you will learn from this blog, it is very easy to break rules and the SOC doesn’t even know! So, when there are fewer rules being triggered which means fewer alerts, the SOC doesn’t realize that there are actually threat actors in the environment, and that is not good.

  1. 25% of the time, the rules are broken.
    1. The rules, out-of-the box, are not suitable for the environment, and are broken. The SOC team needs to configure the rules to customize them to the environment. Additionally, patches, updates, and new software when introduced to the environment can all break the rules as well! After the SOC team has spent so much time carefully configuring the rules, a simple patch can cause a change in the cloud architecture that the rule does not recognize, so the rule no longer fires. This can give the SOC a false sense of security as they are not getting alerts, so they assume all is well. It could actually be a dire situation as not only are threat actors likely to be in the environment, they are moving about the cloud completely undetected with rules no longer able to effectively monitor the cloud.
  2. Constant management increases operational costs.
    1. With it being so easy to break the SIEM rules, this means the SOC really needs to examine all the changes in the environment and review how this impacts rules. Security teams must constantly review patches, updates, application changes, and development changes and review which rules are impacted and then update those rules. This operational overhead is just exhausting. It is also expensive – with 75% of the total cost being for installation, management, and staffing!
  3. Without intent or context, the SOC can waste significant amounts of time chasing alerts.
    1. Rules are a black and white response to a security issue. The intent behind the activity is not a factor into whether or not a rule triggers an alert, in some cases, it was found that only 15% of rules was creating 95% of alerts! These noisy rules means that security analysts are wasting their time on benign activities. Adding insult to injury, during this time, a threat actor could be moving about their environment.

SIEMs can help organizations that have many behaviors or activities that are binary in terms of their response. However, for organizations that have more complex clouds, and most do, those teams really need a platform that looks at the context, the intent behind the activity, and tells the attack story. This makes it easy for SOC to understand why a behavior is concerning, so they know how to address and can do so quickly.

To learn more about Skyhawk Synthesis Security Platform which leverages AI and ML to identify malicious behaviors and the intent behind them, check out our whitepaper on the Three Common Use Cases for Cloud Threat Detection.

Blog

As Skyhawk Security wraps up another RSA, we can reflect on the conversations, learnings, and fun. The conversations at the booth are always good, and it is clear that organizations are looking for a preemptive approach to cloud security. Several

Cloud Security
Blog

This blog was written by Asaf Shahar, VP, Products at Skyhawk Security The UK Information Commissioner’s Office (ICO) recently fined Liverpool-based law firm DDP Law £60,000 following a ransomware attack that exposed highly sensitive criminal case data. The investigation revealed

AICloud BreachData BreachLLMsThreat Detection
Blog

Skyhawk Security is at the collision of two trends within cloud security – for more than a decade it is clear that the cloud is perimeter less, attackers are logging in and not breaking in, and in addition, threat actors

AICloud BreachData BreachLLMsThreat Detection
Blog

In an increasingly cloud-dependent business landscape, a disturbing trend has emerged that threatens the very foundation of cloud security: credential theft. Recent incidents and reports indicate a dramatic surge in credential theft attacks and subsequent abuse. This indicates potentially devastating

Blog

For the second year in a row, Skyhawk Security stands out in a competitive market! The organization is proud to announce that it has been named a finalist in the 2025 Cloud Security Awards program in two categories: Best Cybersecurity

Blog

Skyhawk Security started in the 3rd generation of Cloud Threat Detection and Response (CDR) platforms at its inception in May of 2022, supporting AWS, Azure, and Google Cloud to deliver a robust Preemptive Cloud Security Platform. The several layers of

See the Purple Team
See the breach before it happens
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.