Linda Rosencrance
Contributing Writer

Costly and struggling: the challenges of legacy SIEM solutions

Feature | 04 Nov 2024 | 8 mins

Topics: Endpoint Protection, Security Hardware, Security Information and Event Management Software

How long can an older SIEM system hold out in today’s cloud-enabled, threat-intensive environment? It may not be worth the time and expense of keeping them in play, experts say.

[Image: a stressed programmer at a keyboard. Credit: antoniodiaz / Shutterstock]

Security information and event management (SIEM) solutions have been essential in cybersecurity for many years, but as the digital environment grows more complex, older SIEM systems are posing significant challenges for the security professionals who manage them.

If you’re weighing the pros and cons of replacing an older SIEM system, or you’re worried that yours is getting older, it may be worth considering the drawbacks of not moving to a new solution before yours becomes a headache.

Legacy SIEM often struggles to handle the increasing volume of data and keep up with evolving cyberthreats. Maintaining these systems can be expensive, and they may not integrate smoothly with newer security tools, creating inefficiencies.

One major drawback of older SIEMs is that they may not be designed to handle the dynamic scaling requirements of cloud environments, says Andrew Smeaton, CISO-in-residence at startup investment firm Merlin Ventures.

“They can struggle with the elasticity needed to manage sudden spikes in data volume or traffic,” he says.

Older SIEM typically has limited scalability and flexibility

The lack of scalability and flexibility in these older systems is largely due to the costs involved and not technological limitations, according to Aaron Weismann, CISO at Main Line Health, a nonprofit health system serving portions of Philadelphia and its suburbs.

“Without naming names, traditional heavyweights in the closed- and open-source solutions can perform to the level of what their managing analyst teams can drive,” he says. “We’re finding ourselves increasingly challenged by ingest and compute costs that far exceed the base infrastructure costs.”

Because some SIEM tools have been around for a long time, they often have trouble handling large amounts of data, a problem made worse by the move to the cloud, says Allie Mellen, principal analyst at Forrester Research.

“Many of the [SIEM vendors] have struggled in the process to port the capabilities to the cloud,” Mellen says. “But they also struggled from the standpoint of needing to incorporate a bunch of acquisitions together, instead of having built tools that work together naturally and natively, and so that causes issues, especially for practitioners who find that they have to swivel between a bunch of different tools.”

Maintaining/updating legacy SIEM solutions

Experts say maintaining and updating legacy SIEM solutions can be challenging for a number of reasons, including the lack of experienced employees.

“This is going to depend on the SIEM, but generally speaking, finding experienced personnel to run and maintain some older legacy SIEMs is getting harder and harder for organizations,” says Kevin Schmidt, director analyst at Gartner.

Finding the personnel to maintain newer SIEM is easier, but these individuals tend to be expensive, Schmidt says. It’s also challenging for vendors, since they have to maintain and test two sets of capabilities: one for SaaS/cloud versions and another for on-premises versions where they exist.

Maintaining and updating legacy SIEM solutions is a complex, resource-intensive, and costly task, says Bruce Young, program lead and instructor of cybersecurity and information assurance graduate studies at Harrisburg University of Science and Technology.

“These older systems often require frequent manual updates to remain effective, including staying current with new threat signatures and log source formats,” he says.

Unlike modern SIEMs, legacy solutions typically lack automated update features, forcing security teams to invest significant time and effort in patch management, system tuning, and configuration changes, Young adds.

“This manual upkeep not only consumes valuable resources but can also slow down response times and reduce the overall efficiency of security operations,” he says. “Organizations must ensure that archived data remains accessible and compatible with system upgrades, which often requires specialized processes and significant investments.”

Each version upgrade can introduce complexities in data migration, increasing the risk of data loss or corruption, Young says. “The cumulative impact of these maintenance demands makes it difficult for organizations to scale their security operations effectively, adding financial strain and operational overhead.”

Integrating older SIEM with other security tools

A common problem is integrating legacy SIEM systems with other security tools — something that’s not an issue with modern SIEM platforms, says Kevin Urbanowicz, a managing director in cyber defense and resilience at Deloitte & Touche LLP.

“Legacy SIEM requires point-to-point integration across a potentially diverse technology ecosystem and maintaining this integration over time requires constant engineering effort,” he says. “A modern SIEM platform is integrated by design, usually from the same vendor, allowing end users to take advantage of pre-built integrations without having to extensively custom engineer their tools.”

Sue Bergamo, CISO and CIO at BTE Partners, says a major problem with legacy technologies is that they often came as complete, expensive packages. “Vendors prefer not to break apart the suite to integrate with another vendor that may have better features,” she says.

One of the major challenges for Main Line Health is being able to easily bring in data and send it out to other systems, says Weismann. “It’s difficult to ingest and parse logs in a way that downstream platforms can cleanly use,” he says. “We’re leveraging technology like Realm.Security that creates a data fabric to normalize information prior to ingestion by an SIEM or other tool/system. That simplifies how we handle large data sets and route them for use.”

Young is on the same page — integrating legacy SIEMs with other security tools and systems is difficult because they aren’t always compatible and often use outdated methods to share data, he says.

“Many legacy SIEMs lack support for modern APIs and require custom connectors or middleware for integration with newer technologies,” Young says. “Developing and maintaining these custom connectors can be both time-consuming and expensive, adding to the operational burden for security teams.”

Integrating with cloud-based environments is a pain

Making legacy SIEM systems work with cloud environments and new technologies is challenging, says Rocco Grillo, managing director of Alvarez & Marsal’s disputes and investigations and head of the firm’s global cyber risk and incident response services.

“Compatibility and parsing of legacy SIEM solutions with cloud-native environments that are verbose by design and emerging technologies require significant investment in engineering resources and experience to continuously update SIEM integrations,” says Kostas Georgakopoulos, global CTO and CISO at Mondelez International.

Young says legacy SIEMs face significant limitations when it comes to integrating with cloud-based environments and emerging technologies, such as containers, microservices, and serverless architectures.

“Many of these systems were developed before the widespread adoption of cloud services and are not equipped with the necessary APIs, connectors, or native support to seamlessly ingest data from modern cloud platforms,” he says. “This creates challenges in achieving comprehensive visibility across hybrid and multi-cloud environments, leading to blind spots that attackers can exploit.”

Older SIEM struggles to keep up with evolving cyber threats

The main problem organizations face with legacy SIEM systems is the massive amount of unstructured data they produce, making it hard to spot signs of advanced threats such as ransomware and advanced persistent threat groups.

“These systems were built primarily to detect known threats using signature-based approaches, which are insufficient against today’s sophisticated, constantly evolving attack techniques,” Young says. “Modern threats often employ subtle tactics that require advanced analytics, behavior-based detection, and proactive correlation across multiple data sources — capabilities that many legacy SIEMs lack.”

In addition, legacy SIEM systems typically don’t support automated threat intelligence feeds, which are crucial for staying ahead of emerging threats, according to Young. “They also lack the ability to integrate with security orchestration, automation, and response tools, which help automate responses and streamline incident management.”

Without these modern features, legacy SIEMs often miss important warning signs of attacks and have trouble connecting different threat signals, making organizations more exposed to complex, multi-stage attacks.
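Weismann’s point about normalizing logs before ingestion and Young’s point about correlating across data sources come down to the same pipeline step that legacy SIEMs leave to custom engineering. The Python below is an added example, not code from any vendor or expert quoted in this article: it maps two constructed log formats (a syslog-style sshd line and a cloud audit record in JSON) onto one schema, then runs a multi-stage correlation (repeated failures, a success, then a privilege change) that neither source would trigger on its own. The sample events, field names, the assumed year 2024 for the syslog lines and the list of privilege-changing actions are all assumptions made for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone
# Constructed sample input (not real data): three failed and one successful SSH login
# from a syslog-style host log, then a cloud audit record in JSON (year 2024 assumed).
RAW_EVENTS = [
    "Nov  4 10:00:01 bastion sshd[2211]: Failed password for admin from 203.0.113.5 port 50001 ssh2",
    "Nov  4 10:00:03 bastion sshd[2211]: Failed password for admin from 203.0.113.5 port 50002 ssh2",
    "Nov  4 10:00:05 bastion sshd[2211]: Failed password for admin from 203.0.113.5 port 50003 ssh2",
    "Nov  4 10:00:09 bastion sshd[2211]: Accepted password for admin from 203.0.113.5 port 50004 ssh2",
    '{"eventTime": "2024-11-04T10:01:30Z", "eventName": "AttachUserPolicy",'
    ' "userIdentity": {"userName": "admin"}, "sourceIPAddress": "203.0.113.5"}',
]
SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"(Failed|Accepted) password for (\S+) from (\S+)")
PRIV_ACTIONS = {"AttachUserPolicy", "CreateAccessKey"}  # assumed set of privilege changes

def normalize(line):
    """Map either raw format onto one common schema: ts, user, src_ip, action, outcome."""
    if line.lstrip().startswith("{"):
        ev = json.loads(line)
        return {"ts": datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00")),
                "user": ev["userIdentity"]["userName"], "src_ip": ev["sourceIPAddress"],
                "action": ev["eventName"], "outcome": "success"}
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unknown format: in production, route to a dead-letter queue
    mon, day, hms, result, user, ip = m.groups()
    ts = datetime.strptime(f"2024 {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc), "user": user, "src_ip": ip,
            "action": "ssh_login", "outcome": "success" if result == "Accepted" else "failure"}

def detect(events, fail_threshold=3, window_s=600):
    """Multi-stage correlation: repeated failures, then success, then a privilege change."""
    events = sorted((e for e in events if e), key=lambda e: e["ts"])
    failures, suspect, alerts = defaultdict(list), {}, []  # failures keyed by (user, src_ip)
    for e in events:
        key = (e["user"], e["src_ip"])
        if e["action"] == "ssh_login" and e["outcome"] == "failure":
            failures[key].append(e["ts"])
        elif e["action"] == "ssh_login":  # a success: count failures inside the window
            recent = [t for t in failures[key] if (e["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= fail_threshold:
                suspect[e["user"]] = (e["ts"], len(recent))
        elif e["action"] in PRIV_ACTIONS and e["user"] in suspect:
            login_ts, n_failed = suspect[e["user"]]
            if (e["ts"] - login_ts).total_seconds() <= window_s:
                alerts.append({"user": e["user"], "src_ip": e["src_ip"], "failed": n_failed, "stage": e["action"]})
    return alerts
```

Feeding only the host log or only the cloud record into `detect` produces no alert; the chain fires only once both sources share the schema.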

Mellen says SIEMs are only as good as the work that companies put into them, which is the predominant feedback she’s received over the years from many practitioners.

“It takes a lot of work to get value out of the SIEM because you need to be constantly building new detections in order to make sure that you’re properly addressing modern attacks,” she says. “Some have out-of-the-box analytics that will help support detecting threats better, but either way, you still need a lot of manual work to constantly be building new detections.”