惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

雷峰网
雷峰网
Security Archives - TechRepublic
Security Archives - TechRepublic
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Last Week in AI
Last Week in AI
博客园 - 司徒正美
阮一峰的网络日志
阮一峰的网络日志
WordPress大学
WordPress大学
爱范儿
爱范儿
J
Java Code Geeks
T
Tailwind CSS Blog
Apple Machine Learning Research
Apple Machine Learning Research
人人都是产品经理
人人都是产品经理
宝玉的分享
宝玉的分享
博客园 - 【当耐特】
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Help Net Security
Help Net Security
Hacker News: Ask HN
Hacker News: Ask HN
月光博客
月光博客
S
Secure Thoughts
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
博客园 - 聂微东
Hugging Face - Blog
Hugging Face - Blog
V
Visual Studio Blog
博客园 - 三生石上(FineUI控件)
O
OpenAI News
酷 壳 – CoolShell
酷 壳 – CoolShell
N
News and Events Feed by Topic
腾讯CDC
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Webroot Blog
Webroot Blog
博客园 - Franky
有赞技术团队
有赞技术团队
美团技术团队
Jina AI
Jina AI
S
Security @ Cisco Blogs
博客园 - 叶小钗
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园_首页
C
CERT Recently Published Vulnerability Notes
T
Threat Research - Cisco Blogs
Project Zero
Project Zero
A
Arctic Wolf
大猫的无限游戏
大猫的无限游戏
Latest news
Latest news
小众软件
小众软件
IT之家
IT之家
S
Security Affairs

Search Security Resources and Information from TechTarget

How to operationalize threat modeling with AI | TechTarget CISO First fully agentic ransomware attack sparks readiness concerns | TechTarget Evaluating secure enterprise browsers vs. security plugins | TechTarget The AI vulnerability storm is here: Is your security program ready? | TechTarget Perimeter to posture: A roadmap to zero trust maturity | TechTarget TLS certificate lifetime changes: What CISOs must do now | TechTarget The agentic AI 8 key aspects of a mobile device security audit program | TechTarget Why mobile security audits are important in the enterprise | TechTarget Beyond the perimeter: The shift to data-centric protection | TechTarget How agentic AI threat intelligence aids NGO cyber defense: Case study | TechTarget How to conduct a mobile app security audit | TechTarget NO FAKES Act advances: What CISOs need to know | TechTarget What CISOs should know about AI runtime security | TechTarget As Q-Day looms, 90% of systems are unprepared for PQC | TechTarget A CISO Most security pros say their culture is Zscaler lays out its vision to secure the AI era at Zenith Live | TechTarget The OpenClaw security risks every CISO needs to know | TechTarget Cloud security metrics and KPIs: A CISO Florida public sector training on SimSpace cyber range: Case study | TechTarget Reporters' Notebook — Focus on Cyber Insurance: How Quantifying Risk Is Reshaping Security It's time to update incident response for the AI era How to build AI security guardrails without blocking innovation The prosecution gap: Why cybercrimes go unpunished AI in cyberdefense: Learning from threat actors' playbooks Top identity and access management risks CISO role changes as cyber-risk appetites in the C-suite grow CISO's guide to data minimization Researchers build autonomous AI worm that can reason and adapt How to secure data at rest, in use and in motion How to find cyber-risk data sources for a FAIR analysis Lost in translation: Cybersecurity board reporting for CISOs How to prepare security controls for future AI regulations EO 14390 raises stakes for enterprise cybersecurity First month of Mythos Preview testing exposes 10K flaws OT attacks shift from recon to physical control, raising stakes For CISOs, dawn of OpenAI Daybreak brings good and bad news Gartner Security & Risk Management Summit 2026: Adapting for AI | TechTarget Inside business email compromise attacks: Real-world examples Verizon 2026 DBIR: 6 key takeaways for CISOs Identity security for AI agents: The proliferation challenge How to build a business impact analysis checklist Taking care of business: The CISO's role in a cyber crisis What CISOs need to know about AI audit logs SOC vs. MDR: What CISOs need to consider Instructure cyberattack reignites ransom payment debate Transform SIEM rules with behavior-based threat detection CISO's guide: How to test an incident response plan How to implement zero trust for AI Data after the breach: Economics of the dark web News brief: Security worries and warnings as AI use expands How to construct an effective security controls evaluation 5 leading enterprise password managers to consider Claude Mythos changes the AI security threat matrix Buyer 6 things to check in your cyber insurance policy fine print How cyber insurance helped with breach recovery -- or not News brief: Critical infrastructure, OT cybersecurity attacks Tape's strategic role in modern data protection Top zero-trust use cases in the enterprise What every CISO should consider before a SIEM migration CISO's guide to centralized vs. federated security models Shadow code: The hidden threat for enterprise IT How to fix cybersecurity's agentic AI identity crisis 5 top SIEM use cases in the enterprise Top 8 e-signature software providers for 2026 How do digital signatures work? News brief: AI woes continue for security leaders Deepfake era demands proof-based security, not just awareness Is SOAR dead or alive? Sort of The push for digital sovereignty: What CISOs need to know Beyond awareness: Human risk management metrics for CISOs Cybersecurity in the age of AI means bigger, faster threats At RSAC 2026, AI optimism and anxiety -- and an MIA U.S. government Inside the SOC that secured RSAC 2026 Conference How to roll out an enterprise passkey deployment How to improve the SOC analyst experience -- and why it matters How contact centers detect and prevent fraud News brief: Iranian cyberattacks target U.S. water, energy CISO checklist: Cybersecurity platform or marketing ploy? RSAC 2026 Conference: Key news and industry analysis | TechTarget Next-generation firewall buyer's guide for CISOs Contact center monitoring best practices for CX leaders RSAC 2026: Cyber insurance and the rise of ransomware Agentic AI's role in amplifying and creating insider risks RSAC 2026 recap: AI security and network security trends Identity security at RSAC 2026: The new enterprise dynamics Meaningful metrics demonstrate the value of cyber-resiliency What to know about red team testing and the law News brief: Iran cyberattacks escalate, U.S. targets named 5 top SOC-as-a-service providers and how to evaluate them Cloud security architecture: Enterprise cloud blueprint for CISOs Contact center compliance checklist for modern workforces How AI caught a malicious North Korean insider at Exabeam Watch your words: Tim Brown's advice for CISOs News brief: U.S. absence at RSAC sparks leadership concerns Network security management challenges and best practices 10 enterprise secure remote access best practices
The breakup: Why CISOs are decoupling data from their SIEMs | TechTarget
John Burke · 2026-05-10 · via Search Security Resources and Information from TechTarget

Breaking up is hard to do -- but some CISOs find that decoupling SIEMs from security log data feeds is worth it. Learn about the benefits and challenges.

The traditional enterprise SIEM pulls security log data from sources across the IT environment, then normalizes it, analyzes it and retains it. But because SIEM providers typically charge more to hold more data, organizations generally must retain less data than they would prefer and accept the limitations of subsequent analyses.

Additionally, SIEMs retain data in their own, often proprietary formats. In fact, how SIEM vendors parse and normalize data is one way they differentiate themselves from competitors. Each seeks to use unique schemas, compression techniques and specialized databases to improve both result quality and speed. Consequently, enterprises have limited input into how their data is ingested and digested, and proprietary parsing and formats can make it harder to change vendors.

Some CISOs -- finding the limitations and trade-offs of data ingestion and retention in SIEM too constricting -- are choosing to decouple their security log data feeds from their SIEMs. By doing so, they typically gain freer access to the data, increase control over retention timelines, improve analytical capabilities, rein in SIEM costs and break free of vendor lock-in. But decoupling data from the SIEM also has its challenges and requires significant commitment, investment and planning.

How decoupling data from the SIEM works

To decouple security data sources from the SIEM, security teams insert systems that they control in the middle of these data flows. In practice, this means establishing a separate, dedicated data store to hold the security log data, typically a data lake living in a comparatively inexpensive cloud storage service. It also means establishing a new data pipeline that takes in log data, preprocesses and normalizes it and then dumps it in the data lake. The enterprise then feeds its SIEM with data from the lake.

Benefits of decoupling SIEMs from data pipelines and storage

Establishing an independent, enterprise-controlled data layer between the sources of security log data and the applications that consume it -- e.g., SIEMs and other tools such as user and entity behavior and analytics -- enables the enterprise to do the following:

  • Dictate the data schema for log records.
  • Completely control filtering of records and easily vary it by destination.
  • Completely control the retention horizons for every kind of data from each platform.
  • Accurately and easily track all security data sources and all security data consumers.
  • Easily enforce consistent adherence to institutional polices on data collection and retention.
  • Easily add new security tools that need access to existing data feeds.
  • Easily change -- and even drop -- SaaS and SIEM vendors without losing data.

Trading costlier SIEM-based storage for cheaper cloud bulk storage will also probably reduce the cost of storing security data, per se. But -- and this is important to understand -- that cost reduction might not result in net savings, as new tools or services and staff time costs could overbalance those savings.

Challenges of decoupling SIEM from the data layer

Of course, along with its benefits, decoupling data from SaaS or SIEM platforms also comes with challenges. These include the following:

  • Designing a powerful, secure, scalable and cost-efficient data lake and data pipeline, including selecting appropriate data exchange protocols and data storage schemata.
  • Engineering a powerful, secure, scalable and cost-efficient data lake and data pipeline, including selecting tools and services with which to build it and testing it adequately before putting it into production.
  • Migrating to the new architecture without data loss or interruptions in security scanning.
  • Operating and supporting the data lake and pipeline efficiently, including ensuring backups and continuity of service in the face of disruptions.
  • Coping with latency created by interposing the new layer -- requiring attention in the design, engineering and operations phases, as well as continuous monitoring to ensure latency is within acceptable limits.
  • Coping with compliance, as the new data layer must respect and enforce any applicable requirements -- depending on company type, sector and geography -- for data at rest and in motion.

A decoupling toolbox

CISOs creating a new enterprise security data lake will need to determine their strategies in the following areas.

SaaS data extraction

SaaS data extraction tools can be built in house using SaaS APIs. Alternatively, third-party approaches include such proprietary SaaS security posture management platforms as Obsidian Security, NetSkope SSPM and AppOmni, as well as open source tools such as Mondoo and OpenASPM.

Data pipeline

The data pipeline is the ingestion and pre-processing tool that receives raw logs and spits out records for the data lake in standardized format(s). Commercial products here include Cribl, DataDog and Splunk. Open source options include Vector, Logstash and Fluentd.

Data storage

Most larger organizations already have experience with data lakes, as well as preferred vendors, such as Snowflake and Google BigQuery, or open source options, such as Apache HDFS or MinIO.

Enterprises also have to consider data formats. Open standards should be everyone's first choice: Open Cybersecurity Schema Format for the log records heading out to SIEMs or elsewhere, for example, and storage formats such as Apache Parquet or Delta Lake for the data lake proper.

By decoupling cybersecurity data ingestion and retention from their SIEM platforms, CISOs can gain control, flexibility and depth while potentially reducing costs. But they will have to invest significant resources to capture these benefits.

John Burke is CTO and a research analyst at Nemertes Research. Burke joined Nemertes in 2005 with nearly two decades of technology experience. He has worked at all levels of IT, including as an end-user support specialist, programmer, system administrator, database specialist, network administrator, network architect and systems architect.

Dig Deeper on Security operations and management