As the distributor of an Audit product, Lepide, in Turkey, we receive many questions on this subject: "We already have a SIEM, so is an Audit product necessary?" Or: "Are you offering us Lepide as though it would meet our SIEM need?" The two kinds of product seem to do basically the same thing, but in practice they give different results. Because they overlap in so many areas, companies with limited budgets or personnel shortages have to make a choice at some point. In terms of scope, SIEM should be thought of as a universal set that includes Audit products. After all, what we call a SIEM is a system that centrally collects event logs, that is, logs from almost every system you can think of and integrate: your door access system, VPN, firewall, file server, mail server, website access logs. So for components used in many companies, such as Active Directory, Exchange Server, SharePoint, Office 365, Azure, File Server and SQL, you can monitor changes by purchasing an Audit product, and you can also do this through SIEM integration.

So why do banks, telecom, GSM and similar companies that have both the budget and sufficient staff buy both? The main reason is that Audit products are more user-friendly, offering reports, screens and features specific to the product being monitored. In other words, Audit products are specialized per component ("for Exchange Server", "for File Server", "for Office 365"), whereas a SIEM, which is expected to receive logs from the door access system while also receiving Azure Active Directory logs, cannot be that flexible. So the first reason is that Audit products, being more focused, are easier to use than SIEM products.

The second major difference is speed. SIEM products require serious system resources, because they collect all logs and try to draw meaningful conclusions from them, i.e. correlation. Often these resources are unlikely to be available, or even if they are available when the SIEM project first goes live, after a few months or years the product suffers significant performance degradation. In that situation, when you ask who made a simple GPO change, it is possible to get an answer like "go today and come back tomorrow"; I have personally received this answer in bank organizations. A bank is a big structure with a lot of money and a lot of staff, but also a lot of data. Of course, the project is well designed, but it is very difficult to keep the systems as they were on the first day through a possible cyber attack, transition or maintenance.

Another issue is specialized personnel. Expert staff are required for the SIEM to work well, to maintain its first-day performance, to be kept constantly updated and to provide every log you want in the format you want. For personnel who do every job in SMEs and similar companies, it is already extremely difficult to look after a system with millions of logs. The Audit system again offers an advantage here: it is small and modular. For example, many of my customers buy only the modules that they need or can afford at the moment, such as SQL, File Server, Exchange Server or AD. The last difference is, of course, the price. SIEM products are more expensive than Audit products because they offer a broader scope. To summarize, if you have both money and personnel, SIEM + Audit products give excellent results, and this scenario is actively working in many large organizations in Turkey.
