Do We Know What’s Really Happening in Our Cloud Environments?
Most organizations collect security logs and have at least some alerting, but consider this simple question: what do we do with those logs? Centrally ingesting them into a Security Information and Event Management (SIEM) platform is a frequent response. A SIEM is designed to index and search large volumes of logs across multiple systems, but how proactive is it? A recent survey found that, when faced with an all-too-common 10,000+ alerts per day, nearly half of respondents either dial down their high-volume alerts or hire more analysts. There is a better way, but first, let’s see what happens when your logs truly meet the cloud.
For well over a decade, the mighty SIEM has reigned as the de facto home for security logs. We’ve sent our firewall, antimalware, authentication, and myriad other data types into the system. Many extend that notion to include application logs, performance metrics, network flows, and the like, since these may also contain clues of nefarious activity. These traditional sources generally have fixed addresses and names that stay static from deployment to retirement, often for years at a time.