Three Reasons why SIEMs are not Enough

Blog

Security Information and Event Management (SIEM) tools are often used to detect threats. Rules are set up to monitor the environment and once a rule is violated, it triggers an alert. Security Operation Centers spend months configuring the rules to ensure that they are triggered only when malicious behavior is present. However, as you will learn from this blog, it is very easy to break rules and the SOC doesn’t even know! So, when there are fewer rules being triggered which means fewer alerts, the SOC doesn’t realize that there are actually threat actors in the environment, and that is not good.

  1. 25% of the time, the rules are broken.
    1. The rules, out-of-the box, are not suitable for the environment, and are broken. The SOC team needs to configure the rules to customize them to the environment. Additionally, patches, updates, and new software when introduced to the environment can all break the rules as well! After the SOC team has spent so much time carefully configuring the rules, a simple patch can cause a change in the cloud architecture that the rule does not recognize, so the rule no longer fires. This can give the SOC a false sense of security as they are not getting alerts, so they assume all is well. It could actually be a dire situation as not only are threat actors likely to be in the environment, they are moving about the cloud completely undetected with rules no longer able to effectively monitor the cloud.
  2. Constant management increases operational costs.
    1. With it being so easy to break the SIEM rules, this means the SOC really needs to examine all the changes in the environment and review how this impacts rules. Security teams must constantly review patches, updates, application changes, and development changes and review which rules are impacted and then update those rules. This operational overhead is just exhausting. It is also expensive – with 75% of the total cost being for installation, management, and staffing!
  3. Without intent or context, the SOC can waste significant amounts of time chasing alerts.
    1. Rules are a black and white response to a security issue. The intent behind the activity is not a factor into whether or not a rule triggers an alert, in some cases, it was found that only 15% of rules was creating 95% of alerts! These noisy rules means that security analysts are wasting their time on benign activities. Adding insult to injury, during this time, a threat actor could be moving about their environment.

SIEMs can help organizations that have many behaviors or activities that are binary in terms of their response. However, for organizations that have more complex clouds, and most do, those teams really need a platform that looks at the context, the intent behind the activity, and tells the attack story. This makes it easy for SOC to understand why a behavior is concerning, so they know how to address and can do so quickly.

To learn more about Skyhawk Synthesis Security Platform which leverages AI and ML to identify malicious behaviors and the intent behind them, check out our whitepaper on the Three Common Use Cases for Cloud Threat Detection.

Blog

Skyhawk Security has obtained Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR) Level 1, meaning that Skyhawk has publicly documented its compliance with CSA’s Cloud Controls Matrix (CCM). CSA STAR Level 1 (self-assessment) documents the security controls provided

Cloud Security
Blog

Skyhawk Security recently announced at RSA 2025 an expansion of our AI-Powered Purple Team to secure cloud applications and how they interact with the cloud infrastructure they are hosted on. This new capability identifies weaponized risks in cloud applications, the

Cloud Security
Blog

There are several reasons why cloud security is so challenging, and the leading issue is roles and responsibilities. In the cloud there are three main groups that interact when securing the cloud: Cloud Security Team, Security Operations Center, and DevOps.

Management
Blog

As Skyhawk Security wraps up another RSA, we can reflect on the conversations, learnings, and fun. The conversations at the booth are always good, and it is clear that organizations are looking for a preemptive approach to cloud security. Several

Cloud Security
Blog

This blog was written by Asaf Shahar, VP, Products at Skyhawk Security The UK Information Commissioner’s Office (ICO) recently fined Liverpool-based law firm DDP Law £60,000 following a ransomware attack that exposed highly sensitive criminal case data. The investigation revealed

AICloud BreachData BreachLLMsThreat Detection
Blog

Skyhawk Security is at the collision of two trends within cloud security – for more than a decade it is clear that the cloud is perimeter less, attackers are logging in and not breaking in, and in addition, threat actors

AICloud BreachData BreachLLMsThreat Detection
See the Purple Team
See the breach before it happens
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.