This is the 1st entry in our 3-post series, "Identity is the New Perimeter—So Why Are We Still Burying It in Logs?"
-----
For decades, cybersecurity has leaned on the trusty Security Information and Event Management (SIEM) platform as a key part of the central nervous system of the enterprise Security Operations Center (SOC). It collects logs, correlates events, and tries to surface actionable insights. It’s been a workhorse—and a bottleneck.
The problem is that today’s adversaries aren’t tripping traditional alerts. They’re logging in, not breaking in. They’re using valid credentials, minted by internally trusted IAM systems and Identity Providers, and moving through systems like legitimate users. And every time they do, those breadcrumbs—the identity signals—get dumped into SIEMs as “just another log line.”
By the time those signals are correlated, analyzed, and prioritized—if they’re seen at all—it’s often too late.
SIEMs weren’t built for behavioral nuance. They treat identity the same way they treat firewall logs and DNS requests: timestamped, siloed, and disconnected. That’s a huge issue in a world where lateral movement and persistence are accomplished using “clean” identities. You can’t detect impersonation, MFA bypass, or privilege escalation through static logs alone.
And while SIEM vendors will be quick to talk up their “user and entity behavior analytics” (UEBA) capabilities, let’s be real: bolting on ML after the fact doesn’t give them real-time context, especially when identity telemetry is often delayed or poorly structured.
To compound matters further, the vendors minting identities—IAM and IDP platforms like Okta, Ping Identity, ForgeRock, and even Microsoft Entra—have been, to be candid, a bit asleep at the wheel. They’ve focused primarily on authentication success, not behavioral integrity. As long as a user can pass those gates (username, password, token), these platforms issue tokens and move on.
No anomaly detection. No chaining of events. No graphing of behavior over time. Just trust, verify, and forget.
IAM vendors need to be careful not to become the dinosaurs of the security stack: big, slow, and increasingly irrelevant in the face of modern, dynamic threats. Their failure to evolve has been noticed by cybercriminals, and the resulting year-over-year 3X+ increase in attacks is one damning piece of evidence.
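To make the "chaining of events" point concrete, here is an added example (not code from the original post or from any vendor named above): a per-identity chain detector run over constructed IdP-style events. Read one line at a time, every record is routine; only when the events are grouped by identity, ordered, and checked against a time window does the pattern surface. The event field names, the known-IP baseline, and the three chain steps are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IdP-style events (sample data, not real telemetry). Each record on its
# own looks routine; only the ordered sequence for one identity is suspicious.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "type": "auth_success", "ip": "203.0.113.9"},
    {"ts": "2024-05-01T09:04:00", "user": "alice", "type": "mfa_factor_reset", "ip": "203.0.113.9"},
    {"ts": "2024-05-01T09:12:00", "user": "alice", "type": "role_grant", "ip": "203.0.113.9"},
    {"ts": "2024-05-01T08:55:00", "user": "bob", "type": "auth_success", "ip": "10.0.0.7"},
    {"ts": "2024-05-01T09:01:00", "user": "bob", "type": "mfa_factor_reset", "ip": "10.0.0.7"},
    {"ts": "2024-05-01T15:30:00", "user": "bob", "type": "role_grant", "ip": "10.0.0.7"},
    {"ts": "2024-05-01T10:00:00", "user": "carol", "type": "auth_success", "ip": "198.51.100.4"},
]
# Constructed per-user baseline: source IPs observed during a prior learning period.
KNOWN_IPS = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.7"}, "carol": {"10.0.0.9"}}

# Ordered chain steps: (event type, predicate over the event and its user).
CHAIN = [
    ("auth_success", lambda e, u: e["ip"] not in KNOWN_IPS.get(u, set())),  # unfamiliar source
    ("mfa_factor_reset", lambda e, u: True),                                # factor re-enrolled
    ("role_grant", lambda e, u: True),                                      # privilege gained
]
WINDOW = timedelta(minutes=30)

def detect_chains(events, chain=CHAIN, window=WINDOW):
    """Return {user: [event timestamps]} for every identity whose own timeline
    contains the chain steps in order, all within `window` of the first step."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = {}
    for user, timeline in by_user.items():
        timeline.sort(key=lambda e: e["ts"])          # ISO-8601 strings sort chronologically
        for i, first in enumerate(timeline):
            if first["type"] != chain[0][0] or not chain[0][1](first, user):
                continue
            deadline = datetime.fromisoformat(first["ts"]) + window
            matched, step = [first["ts"]], 1
            for e in timeline[i + 1:]:
                if datetime.fromisoformat(e["ts"]) > deadline:
                    break                              # chain did not complete in time
                etype, pred = chain[step]
                if e["type"] == etype and pred(e, user):
                    matched.append(e["ts"])
                    step += 1
                    if step == len(chain):
                        hits.setdefault(user, matched)  # no single line triggered this
                        break
    return hits
```

Only alice is flagged: bob's login came from a baselined IP and his role grant falls outside the window, and carol's unfamiliar login never progresses to the later steps, so a new-IP-only rule would have paged on her for nothing.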
-----
In PART 2, we explore why behavioral analysis—rooted in identity—is the only way forward to address these challenges, and how a new approach is needed rather than continued legacy thinking from IAM vendors and SIEM providers.
In PART 3, we look at what the future of identity security really looks like—and why organizations need to treat identity signals as first-class threat intel, rather than being lulled into treating them as more log fodder.