As I continue to work more and more with LEM and SIEM technology I found myself thinking that SIEM is generally treated (by users and vendors) more like a monitoring system and less like an anti-virus system; however, in reality it's much more like a hybrid between the two and I feel like it could be much more successful if treated as such.
SIEM is like monitoring in that you can configure it to look for the things you care about and then alert you when those things are detected. This model works great when you know what it is you are looking for and if you also know how to configure the correlation rules just right to catch those things. Unfortunately this is not always the case. While some SIEMs do support anomaly detection (which I think is great), this only tells you that something "out of the ordinary" is happening and not what specifically is happening.
SIEM is like Anti-Virus in that it's often used to detect threats to your environment and acts as one of the many layers of security looking at both end-points as well as the environment as a whole.
Threats are constantly emerging and changing, and SIEM systems need to be able to adapt to those changes. Anti-virus systems will check for new virus definitions as frequently as every hour (or maybe even more); however, SIEM systems don't have their correlation rules and definitions updated nearly that frequently. Also, with anti-virus the vendor provides us with a stream of definition updates created by their security experts to combat threats; however, with SIEM, customers who often are not security experts are left to create their own correlations and rules.
I think SIEM would be more successful for customers and vendors if the industry would embrace the anti-virus-like characteristics. SIEM vendors should have a set of security researchers on staff dedicated to understanding the new and changing threats and then creating correlations and rules to detect/combat those threats. The SIEM product should have some form of threat feed where it can get updated with this information on a regular basis, in the same way an anti-virus system does with virus definitions.
I would love to hear other suggestions or thoughts on this topic!