So why do banks, telecom, GSM and similar companies that have both budget and sufficient staff buy both? The main reason is that Audit products are more user-friendly, offering reports, screens and features specific to the product being monitored. In other words, components or products labelled “for Exchange Server”, “for file server” or “for Office 365” are highly specialized, whereas a SIEM, which is expected to receive logs from the door access system while also receiving Azure Active Directory logs, cannot be so flexible. So the first reason is that Audit products are easier to use than SIEM products because they are more focused.
The second major difference is speed. SIEM products require serious system resources because they collect all logs and try to draw meaningful conclusions from them, i.e. correlation. Often these resources are unlikely to be available, or even if they are available when the first SIEM project goes live, the product suffers significant performance degradation after a few months or years. In that case, when you ask who made a simple GPO change, you may get an answer like “go today and come back tomorrow”; I have personally received this answer in bank organizations. A bank is a big structure with a lot of money and a lot of staff, but also a lot of data. Of course, the project is well designed, but it is very difficult to keep the systems as they were on the first day through possible cyber attacks, transitions and maintenance.
Another issue is specialized personnel. Expert staff are required for the SIEM to work well, to maintain its first-day performance, to be constantly updated and to provide every log you want in the format you want. For personnel who do every job in SMEs and similar companies, it is already extremely difficult to look at a system with millions of logs. The Audit system offers an advantage here again: it is small and already modular. For example, many of my customers only buy the modules that they need or can afford at the moment, such as SQL, File Server, Exchange Server or AD. The last difference is the price, of course. SIEM products are more expensive than Audit products because they offer a broader scope. To summarize, if you have both money and personnel, SIEM + Audit products give excellent results, and this scenario is actively working in many large organizations in Turkey.