
What SIEM is, and when an SMB needs one

Most Norwegian SMBs do not need a standalone SIEM. Here is when you do, when your EDR already covers it, and what to do next.



A SIEM (security information and event management) is a system that collects logs from across your stack, correlates them, and raises alerts when patterns look like an incident. It is a real category with real uses. It is also one of the most over-bought products in SMB security, because the sales motion is built for enterprises that have a 24/7 analyst team to read what the SIEM produces.

If you run IT at a 30 to 100 person Norwegian firm and you are asking whether to buy one, this guide is for you.


1. What a SIEM actually does

A SIEM does three things, in order.

It ingests logs from many sources (endpoints, firewalls, identity provider, cloud apps, servers). It normalises and stores them, often for a year or more. Then it runs detection rules and threat intelligence against the stream and alerts a human when a rule fires.

The third step is the one that decides whether the SIEM was worth buying. Without an analyst reading the alerts, the first two steps are an expensive log archive.

2. What an EDR already covers

An EDR (endpoint detection and response) platform like CrowdStrike Falcon already does a lot of what an SMB wants from a SIEM, but on the endpoint and identity layer.

Falcon Insight XDR correlates endpoint behaviour with identity and cloud sign-ins, runs detection rules continuously, and surfaces real incidents through the CrowdStrike Falcon Complete Next-Gen MDR team. For a sub-100-person Norwegian firm, the laptops, servers, and identity provider are where 80 percent of the attacker activity worth detecting actually lands. Buying a separate SIEM to watch the same telemetry is paying twice for the same signal.

We wrote about why we picked the platform in “Why we picked CrowdStrike Falcon for modern MDR”, and about what the layers underneath look like in “What the Falcon platform is”. The short version: if Falcon is on the endpoints, the questions a SIEM exists to answer are mostly already answered.

3. The criteria that flip you into “yes, you need one”

There are three honest reasons an SMB buys a SIEM. None of them is “we feel exposed.”

Regulatory log retention. Some sector rules and customer contracts (DORA, NIS2 for essential services, larger ISO 27001 audits, US customers asking for SOC 2 Type 2) require a year or more of searchable log retention across systems your EDR does not touch: firewalls, network gear, SaaS apps, line-of-business systems. ISO 27001:2022 controls 8.15 (logging) and 8.16 (monitoring) do not name SIEM, but they expect logs that are produced, protected, reviewed, and acted on. At small scale, a documented manual review can pass. At larger scale, you need a tool.

Multi-source correlation at scale. If your stack has many non-endpoint sources (cloud workloads in three regions, a custom payment platform, network appliances, OT, dozens of SaaS apps with security-relevant logs) and an attacker chain would cross those sources before touching a laptop, EDR-centric coverage has a real gap. A SIEM closes it.

A mature SOC. If you have or are buying a real security operations function that reads alerts continuously, the SIEM is what they read. Without that team, the SIEM is unread.

If none of these three apply to you, stop here. You do not need a SIEM. Get the EDR tuned and move on.
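A compact illustration of the three steps from section 1 (ingest, normalise, detect) and of the second criterion above, an attacker chain that crosses firewall and identity-provider logs before it reaches a laptop. This is an added example, not FM CyberSecurity's or CrowdStrike's code; the log lines, field names and the 30-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry) from three source kinds
# the article names: a firewall, an identity provider and the EDR agent on a laptop.
RAW_LOGS = [
    ("firewall", "2024-03-01T08:00:10Z action=allow src=203.0.113.7 dst=10.0.0.5 dport=443"),
    ("idp", "2024-03-01T08:01:02Z user=anna result=failure ip=203.0.113.7"),
    ("idp", "2024-03-01T08:01:20Z user=anna result=failure ip=203.0.113.7"),
    ("idp", "2024-03-01T08:02:05Z user=anna result=success ip=203.0.113.7"),
    ("edr", "2024-03-01T08:20:44Z host=LAPTOP-07 user=anna event=process_start"),
]

def ingest(raw_logs):
    """Steps 1 and 2: collect lines from each source and normalise them into
    one schema (source, UTC timestamp, key=value fields), oldest first."""
    events = []
    for source, line in raw_logs:
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["source"] = source
        fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])

def cross_source_rule(events, window=timedelta(minutes=30), min_failures=2):
    """Step 3: one correlation rule whose chain spans three sources: an external
    IP allowed through the firewall, a burst of failed sign-ins then a success
    for one user from that IP, then an endpoint event for that user.
    Returns one alert dict per matching chain."""
    alerts = []
    for ok in (e for e in events if e["source"] == "idp" and e["result"] == "success"):
        ip, user, t = ok["ip"], ok["user"], ok["ts"]
        failures = [e for e in events if e["source"] == "idp" and e["result"] == "failure"
                    and e["user"] == user and e["ip"] == ip and t - window <= e["ts"] < t]
        fw = [e for e in events if e["source"] == "firewall" and e["src"] == ip
              and t - window <= e["ts"] <= t]
        edr = [e for e in events if e["source"] == "edr" and e["user"] == user
               and t <= e["ts"] <= t + window]
        if len(failures) >= min_failures and fw and edr:
            alerts.append({"user": user, "ip": ip, "host": edr[0]["host"],
                           "failures": len(failures)})
    return alerts

def endpoint_only(events):
    """What an endpoint-only feed contains: the same rule cannot fire on it,
    which is the coverage gap the second criterion describes."""
    return [e for e in events if e["source"] == "edr"]
```

Running the rule over the full feed yields one alert; running it over the endpoint-only slice yields none, which is the gap a SIEM closes when non-endpoint sources actually matter.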

4. How Falcon’s stack handles the SIEM job

If one of the three criteria does apply, the next question is what to buy.

CrowdStrike Falcon Next-Gen SIEM (the current product name, built on the log engine that started as Humio and was renamed Falcon LogScale) is FM CyberSecurity’s recommended path for clients already running Falcon. The reason is operational, not commercial. Endpoint and identity telemetry is already in the Falcon back end. Adding firewall, network, cloud, and SaaS logs into the same place removes the integration tax of stitching a third-party SIEM to a separate EDR. Detections that span endpoint and non-endpoint sources run in one engine.

It is not the only SIEM that works, and that is not the argument. The argument is that the cheapest SIEM project, when you genuinely need one, is the one that ingests data you are already routing.

5. What to do this week

Run the four checks below before you talk to any SIEM vendor.

  • List your security-relevant log sources outside the endpoint and identity stack. Write them down on one page.
  • Open the contracts and rule books that drive your retention requirement. Note the exact retention period demanded, and by whom.
  • Open the Falcon console (or whichever EDR you run) and write down what it already correlates. Compare to the gap on your one-page list.
  • Decide whether the gap is real, or whether a tuned EDR and a documented manual log review pass your audit.

If the gap is real and recurring, you are in SIEM territory. If it is not, you have just saved yourself a six-figure project. We see both outcomes about evenly across SMB scoping conversations.

Next action

Talk to Kenny in our detection and response practice for a one-hour scoping call. We will look at your log sources, your retention rule book, and your existing EDR coverage, and tell you whether you actually need a SIEM, what it would cost, and whether Falcon Next-Gen SIEM or a tuned EDR is the right answer. We sell the recommendation, not the SKU.

FAQ

Do we need a SIEM for ISO 27001?

ISO 27001:2022 does not name SIEM. Annex A controls 8.15 (logging) and 8.16 (monitoring) require that you produce, protect, review, and act on logs across the systems in scope. At small scale, a documented manual review of well-defined log sources can pass certification. At larger scale, or when your scope includes many non-endpoint sources, a SIEM is the practical way to evidence those controls. Decide on log sources and retention first, then decide on the tool.

Is Microsoft Sentinel a SIEM?

Yes. Microsoft Sentinel is a cloud-native SIEM in Microsoft’s stack. It is one of several real options. We are not arguing against any specific vendor in this piece. We are arguing that for a sub-100-person Norwegian SMB whose attack surface lives on laptops and identity, a separate SIEM (any vendor) is often expense and complexity that the EDR already covers. If you do need a SIEM, pick the one closest to where your data already lives.

What about compliance log retention?

This is the cleanest reason an SMB ends up needing a SIEM. If a customer contract, a sector rule (DORA, NIS2 essential services, sector-specific Finanstilsynet expectations), or a SOC 2 Type 2 commitment requires searchable retention across non-endpoint systems for a year or more, that is a SIEM job. The EDR’s retention window is shorter and scoped to endpoint and identity. Get the retention requirement on paper, in months, before you size any tool.

What is Falcon Next-Gen SIEM?

CrowdStrike’s SIEM offering, built on the log engine originally called Humio and renamed Falcon LogScale. CrowdStrike’s marketing brands the full SIEM product as Falcon Next-Gen SIEM. It ingests logs from third-party sources alongside Falcon’s own endpoint, identity, and cloud telemetry, and runs detections in the same back end as the EDR. For clients already on Falcon, it is the SIEM path with the lowest integration tax.

How is SIEM different from EDR?

EDR watches endpoints and identity in depth. SIEM watches everything you point at it, with less endpoint depth than a dedicated EDR. We wrote a fuller comparison on the EDR side in “EDR and antivirus: what the difference is”. The two tools complement each other when both are needed. They duplicate each other on endpoint data when you only need one.
