Thirty-seven percent of SOCs faced more than 10,000 alerts per day, and more than half of those were false positives, which can easily cost organizations thousands of wasted hours and millions of wasted dollars every year. Realistically, many “true positives” are for events of very low value, such as reconnaissance scans. Most scans never turn into an issue, and the ones that do often don’t correlate with any information that can be used to defend against the attack.
The model of gathering as many logs as possible and sending them off to be centrally analyzed is like trying to find needles in haystacks by gathering all the hay you can find in a ten-mile radius. You could make a case for it around completeness and the ability to apply analytics, but in reality it turns out to be a horrible approach. And when the approach does identify an attack, it tends to be hours or even days after the attack has taken hold. So what’s the alternative?