I think there's a certain level of understanding your organisation's risk profile and CMMI required when making such an assessment. I think a SIEM still has a place if you have a suitable logging maturity level and deep knowledge of your exposures.

The catch is that usually applies to orgs with a small digital footprint with security-aware staff. This does not scale very well 🙂 

The other issue is cost. SIEMs cost a lot of money. but a SIEM with ML, EDR, SOAR etc are going to cost a whole lot more and the vendors have the advantage in knowing that platform changes do not come easily or cheaply. Sunk cost fallacy.

I think with a TA dwell time now within single minutes, even with machine learning and attacks going to be well underway/all over by the time the first incident responder can identify the alert and react.

I would say the SIEM has far more value as a forensics tool these days rather than your EDR of choice.

Just my opinion though 🙂 

So my experience with SIEMs is that they were difficult to implement (increase manpower to monitor and adjust, the continued risk of devices being added/removed, automated responses that can cause more issues) Of course, I am talking from the point of view of a heavy manufacturer where sometime endpoints were added or removed by OT.

We all know that budget is difficult to come by at times, and justifying additional staff for the maintenance of SIEMs (while critical) can be a very hard sell to management (remember in a ICS environment, Security does not make money).

Hopefully, AI could be leveraged the number of false positives that we currently see.  I see other benefits coming from scalability, and  potentially the automation.

AI should be far superior at Threat Detection.

Having said that, I do not see AI being the answer in the near future.

d