
The Myth of the SIEM – Why Identity Signals Are Getting Lost

SIEMs fail to detect modern identity threats because they treat login data like ordinary logs instead of analyzing behavior in real time.
Written by Mark Batchelor
Published on July 22, 2025

This is the 1st entry in our 3-post series, "Identity is the New Perimeter—So Why Are We Still Burying It in Logs?"

-----

For decades, cybersecurity has leaned on the trusty Security Information and Event Management (SIEM) platform as a key part of the central nervous system of the enterprise Security Operations Center (SOC). It collects logs, correlates events, and tries to surface actionable insights. It’s been a workhorse—and a bottleneck.

The problem is that today’s adversaries aren’t tripping traditional alerts. They’re logging in, not breaking in. They’re using valid credentials, minted by internally trusted IAM systems and Identity Providers, and moving through systems like legitimate users. And every time they do, those breadcrumbs—the identity signals—get dumped into SIEMs as “just another log line.”

By the time those signals are correlated, analyzed, and prioritized—if they’re seen at all—it’s often too late.

Why SIEMs Fail Identity

SIEMs weren’t built for behavioral nuance. They treat identity the same way they treat firewall logs and DNS requests: timestamped, siloed, and disconnected. That’s a huge issue in a world where lateral movement and persistence are accomplished using “clean” identities. You can’t detect impersonation, MFA bypass, or privilege escalation through static logs alone.

And while SIEM vendors will be quick to talk up their “user and entity behavior analytics” (UEBA) capabilities, let’s be real: bolting on ML after the fact doesn’t give them real-time context, especially when identity telemetry is often delayed or poorly structured.

The IAM Industry’s Complicity

To compound matters, the vendors minting identities—IAM and IDP platforms like Okta, Ping Identity, ForgeRock, and even Microsoft Entra—have been, to be candid, a bit asleep at the wheel. They’ve focused primarily on authentication success, not behavioral integrity. As long as a user can pass those gates (username, password, token), these platforms issue tokens and move on.

No anomaly detection. No chaining of events. No graphing of behavior over time. Just trust, verify, and forget.
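To make concrete what “chaining of events” and “behavior over time” mean in practice, here is an added illustration that is not part of the original post and not the logic of any vendor’s product. It contrasts a per-line rule (the way a log-centric SIEM matches a single event) with a per-identity chain that orders a user’s events in time and looks at what preceded each one. The event records, field names (`mfa`, `device`, `country`, `role`), and the 30-minute window are constructed assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity events (not real telemetry). Each record is the
# kind of line an IdP might emit; taken on its own, none of them looks alarming.
SAMPLE_EVENTS = [
    {"ts": "2025-07-22T09:00:00Z", "user": "alice", "type": "login_success",
     "ip": "203.0.113.10", "country": "US", "device": "known-laptop", "mfa": True},
    {"ts": "2025-07-22T09:05:00Z", "user": "alice", "type": "token_issued",
     "ip": "203.0.113.10", "country": "US", "device": "known-laptop"},
    {"ts": "2025-07-22T09:12:00Z", "user": "alice", "type": "login_success",
     "ip": "198.51.100.7", "country": "RO", "device": "unknown-browser", "mfa": False},
    {"ts": "2025-07-22T09:15:00Z", "user": "alice", "type": "role_assigned",
     "ip": "198.51.100.7", "country": "RO", "role": "GlobalAdmin"},
    {"ts": "2025-07-22T10:00:00Z", "user": "bob", "type": "login_success",
     "ip": "192.0.2.5", "country": "US", "device": "known-desktop", "mfa": True},
    {"ts": "2025-07-22T10:03:00Z", "user": "bob", "type": "role_assigned",
     "ip": "192.0.2.5", "country": "US", "role": "Reader"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def static_rule(events):
    """Per-line matching: flag only records that are suspicious by themselves.

    This is the 'timestamped, siloed, disconnected' view. A rule keyed on
    'GlobalAdmin' alone would fire on every legitimate admin grant too, because
    a single line carries no information about what came before it.
    """
    return [e for e in events if e["type"] in ("login_failure", "account_locked")]


def chain_identity_events(events, window=timedelta(minutes=30)):
    """Chain each identity's events in time order and evaluate sequences.

    Returns (user, finding, earlier_ts, later_ts) tuples. Two chains are shown:
      * a successful login from a different country than a previous login
        inside the window (the classic 'impossible travel' shape);
      * a privileged role granted shortly after a login that skipped MFA from
        an unrecognised device (an escalation following a weakly verified session).
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, event in enumerate(evs):
            now = parse_ts(event["ts"])

            if event["type"] == "login_success":
                # Look back for an earlier login from a different country within the window.
                for prev in evs[:i]:
                    if (prev["type"] == "login_success"
                            and prev["country"] != event["country"]
                            and now - parse_ts(prev["ts"]) <= window):
                        findings.append((user, "country_change_within_window",
                                         prev["ts"], event["ts"]))
                        break

            if event["type"] == "role_assigned":
                # Find the most recent login that this grant rides on and inspect how it was verified.
                for prev in reversed(evs[:i]):
                    if prev["type"] == "login_success" and now - parse_ts(prev["ts"]) <= window:
                        if not prev.get("mfa", True) and prev.get("device", "").startswith("unknown"):
                            findings.append((user, "privileged_role_after_unverified_login",
                                             prev["ts"], event["ts"]))
                        break
    return findings


if __name__ == "__main__":
    print("static rule:", static_rule(SAMPLE_EVENTS))
    for finding in chain_identity_events(SAMPLE_EVENTS):
        print("chained:", finding)
```

On the constructed data the per-line rule returns nothing, while the chained evaluation surfaces both of alice’s sequences and stays quiet for bob, whose role grant followed an MFA-verified login from a known device. The point is not the two specific chains, which are deliberately simple, but that the signal lives in the ordering and context of an identity’s events, which is exactly what gets lost when each record is evaluated in isolation.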

IAM vendors need to be careful not to become the dinosaurs of the security stack: big, slow, and increasingly irrelevant in the face of modern, dynamic threats. Their failure to evolve has been noticed by cybercriminals, and the resulting year-over-year 3X+ increase in attacks is one damning piece of evidence.

-----

In PART 2, we explore why behavioral analysis—rooted in identity—is the only way forward to address these challenges, and how a new approach is needed rather than continued legacy thinking from IAM vendors and SIEM providers.

In PART 3, we look at what the future of identity security really looks like—and why organizations need to treat identity signals as first-class threat intel, rather than being lulled into treating them as more log fodder.

Mark Batchelor

As the CTO and co-founder of Verosint, Mark leads with a contagious passion for cybersecurity and team building. Before coming to Verosint, Mark served as the VP of Business Development at Chainalysis enabling partners and building strategic alliances for the company. Prior to Chainalysis, he served on the executive team at Ping Identity as the Chief Solution Architect for the global sales engineering team and leading the Innovation Lab initiatives.