Skip to content
    November 5, 2024

    WARNING: Some “SIEM” Vendors Are Not Actually Selling A SIEM

    Incomplete logs

    Why 100% Data Log Collection Matters: The Hidden Risks of Limited Security Logging

    As MSPs look to strengthen their security and compliance offerings, many EDR and MDR vendors are jumping on the SIEM bandwagon–launching products that claim to be SIEMs and promise comprehensive protection–while quietly limiting what data they collect and store. 

    These SIEM-ish solutions often tout simplified security logging but quietly drop up to 80% of your data logs after 30 days, making their own, often uninformed decisions about what is necessary to keep. This approach might seem efficient at first glance, but it creates dangerous blind spots that can leave you and your clients exposed when you need that data most.

    Maybe worst of all is the fact that it falls short of true SIEM functionality, but is being labeled a SIEM. These vendors are selling SIEM solutions that aren't really SIEMs at all–they're more like selective logging tools with an identity crisis. When your clients need historical data for an investigation or audit, 'we only kept 20% of the logs' isn't an explanation anyone wants to give.

    The Hidden Risks of Partial Security Logging

    A vendor making assumptions about your needs can severely impact your ability to conduct security investigations, meet compliance requirements, process insurance claims, or perform thorough forensic analysis. This of course could impact not only your own security posture, but your clients' environments as well.

    Critical Questions Every MSP Should Ask

    Before trusting a security solution with your clients' data, consider the following scenarios.

    What happens when:

    • Your client needs transaction logs from 9 months ago for a financial audit?
    • You need to investigate suspicious user behavior from three quarters back?
    • A cyber insurance provider asks for evidence of security controls from 6 months ago?
    • You uncover a breach that began 8 months ago and must trace its origin across multiple clients?
    • Your compliance audit requires historical data that wasn't deemed "necessary" by your vendor?

    The answers to these questions reveal whether your security solution is truly a SIEM or just a selective logging tool. Make sure you understand any limitations on data collection, retention periods, and access before it's too late.

    The Power of Full Log Retention

    A true SIEM solution provides benefits that SIEM-like products can't match. 

    Total system visibility and retention gives you:

    1. Better Incident Investigation
    • Track the full scope of security events
    • Understand how attackers moved through your environment
    • Document the impact for insurance claims
    2. Retroactive Threat Detection
    • Apply new threat detection rules to historical data
    • Identify previously unknown compromises
    • Understand patterns of suspicious behavior
    3. Compliance Requirements
    • Meet regulatory data retention requirements
    • Provide detailed audit trails when needed
    • Demonstrate security controls effectiveness
    4. Operational Insights
    • Track IT system changes over time
    • Support capacity planning decisions
    • Validate security policy enforcement

    Real MSP Success: The Difference Complete Data Makes

    Connect Cause, an MSP serving non-profit organizations, experienced these limitations firsthand.

    "Blackpoint Cyber had no SIEM or aggregation of log data that was immutable that I could go and see what had happened over the last year. It's an MDR product, but it's not collecting log data and keeping it," explains Aaron Cervasio, CISO at Connect Cause.

    After switching to Blumira’s SIEM solution, the difference was immediate.

    "We got alerts on a customer with plaintext password documents in their environment that [our previous solution] never alerted us to. This led to us upselling a customer on a password management service," Cervasio notes.

    Capturing all logs not only improved security but also created new business opportunities.

    What's more, Connect Cause found that having access to all system logs helped them prove their cybersecurity expertise.

    "Since I can integrate directly with firewalls, I was getting alerted to a hacker from Moldova who was conducting password-spraying attacks on a customer's firewall. I was able to find the IP address and block the attacks completely." 

    This level of visibility and response simply wasn't possible with their previous limited-logging solution.

    What True SIEM Capabilities Look Like

    A true comprehensive security platform should provide:

    • Collection of all log types, not just security events
    • Minimum one-year data retention
    • Easy access to historical data
    • Unlimited data ingestion
    • Predictable, user-based pricing
    • Quick access for investigations and reports

    The Insurance Industry Recognizes the Difference

    Leading cyber insurance providers are now adjusting their premiums based on an organization's logging and retention capabilities. Why? Because they know that comprehensive data collection and retention significantly reduces risk. Complete logging capabilities and longer retention periods often qualify both you and your clients for better rates and coverage.

    Taking Control of Your Data

    Don't let vendors decide what data is worth keeping–it's your MSP's reputation and your clients' security on the line. While solutions that limit log retention might seem cost-effective initially, they can prove extremely expensive when you need historical data that wasn't collected or was already deleted. As one MSP discovered during a security investigation, "You can't analyze what you don't have."

    Ready to experience true SIEM capabilities? Sign up for Not-For-Resale (NFR) licensing and see firsthand how complete visibility can transform your managed security operations: https://info.blumira.com/nfr

    Tag(s): SIEM XDR , MSP

    More from the blog

    View All Posts