Skip to main content

Having Your Cake (Real-Time Visibility of all Network Flows) Without the Cost (SIEM Expenses)

By William Toll, Sr. Director, Product Marketing

Security tech stacks are evolving fast and driving up costs for legacy approaches


Enterprises face an ever-larger technology stack, and solutions to cover security use cases are among the fastest being added to the stack. Years of cloud and digital transformation projects have resulted in atomized networks that are DEED: Dispersed, Ephemeral, Encrypted, and Diverse. The result is security operations center (SOC), cloud operations (CloudOps), and IT teams that cannot see all users, apps, data, and devices, what they are doing, and what’s happening to them. This is primarily due to gaps between tools and the mountain of legacy solutions that were designed for yesterday  –before the Atomized Network.

Many solutions promise to close the visibility gaps; the most popular of which has been the security information and event management (SIEM) platforms. Their promise of capturing all telemetry and enabling threat hunters with the ability to find indicators of compromise (IoCs and other network-based tactics, techniques, and procedures (TTPs)) that adversaries use has long since proven to be a disappointment. Oceans of false positives, slow threat-hunting queries, and giant compute and storage bills have really driven a sea change in how teams view the value of their SIEM. These solutions are increasingly seen as too costly and too slow to be relevant in the age of modern threats and zero-day attacks.

Gaining visibility of all flow records takes the cake

The answer many teams are discovering lies in the value that network flow records provide. NetFlow, sFlow, and Cloud Flow are the keys that unleash superpowers for threat hunters. Simply gaining access to all flow records from dispersed, ephemeral, encrypted, and diverse  networks enables teams to see the entire attack path or threat continuum. They can more easily hunt for IoCs before an attack happens, during an attack, and after a compromise providing threat hunters with the ultimate ability to search millions of flow records in seconds. 

Atomized Visibility and Control Platforms (AVCP) that provide real-time visibility of all flow records, plus retrospective searches, provide more “at bats” to identify the presence of a threat actor post-compromise. This enables teams to scope, contain, and remediate attacks. But several of the core technologies scoped and responsible for network security— next-generation firewall (NGFW), intrusion prevention systems (IPS), network detection and response (NDR) and SIEM—are losing potency and becoming at risk of disappearing due to complex appliance-based deployments, encryption, and cost.

Modern teams, faced with today’s threats, need a modern technology stack.

The costs of an appliance-based architecture for ingestion are considerable. Physical devices must be shipped to locations when and where capabilities are required. Supporting infrastructure, including packet brokers and decryptors, must be in place. The ongoing lifecycle management of hardware and software, plus configuration and manual updates, limits agility and creates ongoing operational costs.

Having your cake and embracing flow will drive teams to look for a solution that is device-type and flow-type agnostic. It should ingest, enrich and normalize all flow data in real time and continuously. Teams need to be able to see all network traffic and get insights into North-South, East-West, On-Premises to Cloud, and Cloud to Cloud traffic. A solution that captures flow records in real-time and can cost-effectively scale across all of their Atomized Networks.