<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Suggested Blog Reading &#8211; Wednesday May 9th, 2007</title>
	<atom:link href="http://www.andrewhay.ca/archives/115/feed" rel="self" type="application/rss+xml" />
	<link>http://www.andrewhay.ca/archives/115</link>
	<description></description>
	<lastBuildDate>Tue, 08 Nov 2011 12:47:43 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
	<item>
		<title>By: An Information Security Place &#187; Blog Archive &#187; A response to Andrew Hay&#8217;s response to my SIEM post</title>
		<link>http://www.andrewhay.ca/archives/115#comment-56</link>
		<dc:creator>An Information Security Place &#187; Blog Archive &#187; A response to Andrew Hay&#8217;s response to my SIEM post</dc:creator>
		<pubDate>Wed, 09 May 2007 18:09:22 +0000</pubDate>
		<guid isPermaLink="false">http://www.andrewhay.ca/archives/115#comment-56</guid>
		<description>[...] Hay took me to task a bit on my recent post about another SIEM eval install at an educational institution (it is a [...] </description>
		<content:encoded><![CDATA[<p>[...] Hay took me to task a bit on my recent post about another SIEM eval install at an educational institution (it is a [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Michael R. Farnum</title>
		<link>http://www.andrewhay.ca/archives/115#comment-55</link>
		<dc:creator>Michael R. Farnum</dc:creator>
		<pubDate>Wed, 09 May 2007 13:58:14 +0000</pubDate>
		<guid isPermaLink="false">http://www.andrewhay.ca/archives/115#comment-55</guid>
		<description>Andrew, 
 
I never complained about the cost of SIEM, and I fully understand the load it can possibly take from having a dedicated resource watching logs.  I am speaking from the standpoint of a reseller, and I am referring to what I hear from clients.  Heck, I used to be a client, and I complained about it then as well.   
 
A fact is that many companies do not have a dedicated resource to check logs now, so when they buy a SIEM, they are looking at pure dollars of the project, not a comparison to what it would cost to hire someone to do it.  Most companies I work with never even consider that cost savings because they know it is not possible for a human to watch all of that and have a meaningful result. 
 
And honestly, if they do have a resource looking at logs, do you think most companies go into a SIEM deal thinking about laying off a bunch of people when they implement it?  Not the companies I deal with.  Maybe the gargantuan enterprises do, but most reassign those people to other security and network tasks.  So there is no tangible savings other than they have resources to put in other projects. 
 
And when it comes to correlation, yes the brains are there if you set up the rules correctly.  What I didn&#039;t quantify (and I should have - sorry) is that people want the intelligence more built in, with a way of discovering and mapping out the network and having more intelligence on knowing what devices &quot;should&quot; be considered important.  Kind of a suggested model and then let you cut it back and change it how you see fit, rather than a complete blank slate.  That&#039;s what I meant when I said we will always have that gap. 
 
BTW, I work for Accuvant, and we are a Q1 partner (and you probably already knew that).  I saw your stuff at that same client.  I didn&#039;t get a close enough look at it, but the dashboard is very nice, and it seemed to do a good job at auto-recognizing logs coming from different devices being fed from a Syslog NG server. 
 
Michael </description>
		<content:encoded><![CDATA[<p>Andrew, </p>
<p>I never complained about the cost of SIEM, and I fully understand the load it can possibly take from having a dedicated resource watching logs.  I am speaking from the standpoint of a reseller, and I am referring to what I hear from clients.  Heck, I used to be a client, and I complained about it then as well.   </p>
<p>A fact is that many companies do not have a dedicated resource to check logs now, so when they buy a SIEM, they are looking at pure dollars of the project, not a comparison to what it would cost to hire someone to do it.  Most companies I work with never even consider that cost savings because they know it is not possible for a human to watch all of that and have a meaningful result. </p>
<p>And honestly, if they do have a resource looking at logs, do you think most companies go into a SIEM deal thinking about laying off a bunch of people when they implement it?  Not the companies I deal with.  Maybe the gargantuan enterprises do, but most reassign those people to other security and network tasks.  So there is no tangible savings other than they have resources to put in other projects. </p>
<p>And when it comes to correlation, yes the brains are there if you set up the rules correctly.  What I didn&#039;t quantify (and I should have &#8211; sorry) is that people want the intelligence more built in, with a way of discovering and mapping out the network and having more intelligence on knowing what devices &quot;should&quot; be considered important.  Kind of a suggested model and then let you cut it back and change it how you see fit, rather than a complete blank slate.  That&#039;s what I meant when I said we will always have that gap. </p>
<p>BTW, I work for Accuvant, and we are a Q1 partner (and you probably already knew that).  I saw your stuff at that same client.  I didn&#039;t get a close enough look at it, but the dashboard is very nice, and it seemed to do a good job at auto-recognizing logs coming from different devices being fed from a Syslog NG server. </p>
<p>Michael</p>
]]></content:encoded>
	</item>
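The two mechanisms the comment above touches on, auto-recognizing which device type produced a log line once everything arrives through one syslog-ng relay, and a correlation rule that only fires when the rules are set up to join events across device types, shown as an added example. This is not code from the original post, from Q1 Labs, or from any SIEM product; the device signatures, hostnames, RFC 5737 test addresses and sample relay output are all constructed for the example, and a real SIEM would carry far more signatures and parse the message fields rather than regex-matching them.

```python
"""Added example: device-type recognition for syslog-ng relayed lines plus one
cross-device correlation rule.  Signatures, hosts and log lines are constructed."""
import re
from collections import defaultdict

# Constructed device signatures, matched against the program/message part of the
# line.  Recognition is keyed on the message, not on the sending address, because
# a syslog-ng relay forwards every device's logs from the same source IP.
SIGNATURES = [
    ("cisco_asa", re.compile(r"%ASA-\d-\d+")),
    ("linux_sshd", re.compile(r"\bsshd\[\d+\]")),
    ("windows_snare", re.compile(r"\bMSWinEventLog\b")),
]

# RFC 3164 style line as syslog-ng relays it with its default template:
# "MMM DD HH:MM:SS host program: message" (the priority field already stripped).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)

# Field extractors for the two event kinds the correlation rule joins on.
FAILED_SSH = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)
ASA_DENY = re.compile(r"Deny \w+ src \S+:(?P<src>\d+\.\d+\.\d+\.\d+)/")

# Constructed sample relay output (hypothetical hosts, RFC 5737 test addresses).
SAMPLE_LOG = """\
May  9 13:58:01 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51234 dst inside:10.0.0.5/22 by access-group "outside_in"
May  9 13:58:02 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51240 ssh2
May  9 13:58:03 db01 sshd[910]: Failed password for invalid user oracle from 203.0.113.7 port 51241 ssh2
May  9 13:58:05 app01 sshd[4412]: Failed password for root from 203.0.113.7 port 51250 ssh2
May  9 13:58:06 web01 sshd[2205]: Accepted publickey for deploy from 10.0.0.20 port 40000 ssh2
May  9 13:58:07 dc01 MSWinEventLog 1 Security 529 Logon failure: unknown user name or bad password
May  9 13:58:08 printer01 lpd: job 12 queued
this is not a syslog line
May  9 13:58:09 web01 sshd[2210]: Failed password for admin from 198.51.100.4 port 3333 ssh2
"""


def recognize(msg):
    """Return the device type whose signature matches the message, else 'unknown'."""
    for name, pattern in SIGNATURES:
        if pattern.search(msg):
            return name
    return "unknown"


def parse_line(line):
    """Split one relayed line into timestamp, reporting host and message, tagging
    the device type.  Lines that do not look like syslog at all return None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["device"] = recognize(rec["msg"])
    return rec


def parse_log(text):
    """Parse a block of relayed lines, dropping anything unparseable."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def device_counts(records):
    """How many lines were attributed to each recognized device type."""
    counts = defaultdict(int)
    for r in records:
        counts[r["device"]] += 1
    return dict(counts)


def correlate(records, min_hosts=2):
    """Cross-device rule: a source failing SSH logins on min_hosts or more distinct
    internal hosts is flagged, and the alert notes whether the firewall (a different
    device type) also denied that source.  Sources failing on a single host stay
    below the threshold, which is the rule tuning the comment refers to."""
    hosts_by_src = defaultdict(set)
    denied = set()
    for r in records:
        if r["device"] == "linux_sshd":
            m = FAILED_SSH.search(r["msg"])
            if m:
                hosts_by_src[m.group("src")].add(r["host"])
        elif r["device"] == "cisco_asa":
            m = ASA_DENY.search(r["msg"])
            if m:
                denied.add(m.group("src"))
    return {
        src: {"hosts": sorted(hosts), "denied_at_firewall": src in denied}
        for src, hosts in hosts_by_src.items()
        if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("lines per device type:", device_counts(recs))
    for src, info in correlate(recs).items():
        print("ALERT distributed SSH brute force from", src, info)
```

Run as a script it reports one alert for 203.0.113.7 (three hosts, also denied at the firewall) and none for 198.51.100.4, which only failed on one host; the "unknown" bucket in the device counts is exactly the gap the comment describes, where the product has no signature for a source and the operator has to supply one.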
</channel>
</rss>

