I really like this article for a variety of reasons, but first and foremost, it sheds light on the constant definitional battle of what the term “SIEM” does and does not mean. SIEM really does mean different things to different people and no one is completely right or wrong in their definition. The concept of a “Real-time SIEM” is particularly intriguing. At the end of the day, the value of log collection and correlation is in the potentially actionable data it provides. Every SIEM user must determine how they review and alert on that data and how frequently they can absorb it. This is where the automated concept of real-time comes into play.
Automated functionality can certainly send up the necessary flares to alert IT in the event of an incident or attack. The key is having the right people watching for the flares and prepared to take action. Continuous monitoring should be every security practitioner’s goal, but with that must come appropriate incident response and procedural management.