As organizations evolve in terms of detection & response capabilities, more than a decade old SIEM remains an enterprise security must, acting as one of the main platforms within a cyber defense program.
Despite being overshadowed by easy to justify initiatives like vulnerability management, investments in SIEM will be among the fastest-growing, with Security Analytics playing an important part.
As F-Secure's Mikko Hypponen says:
Every company is a software company.
In addition to in-house built, custom applications, for pretty much every new technology an enterprise brings in, it is likely producing new telemetry which is the 'raw material' for widening the detection surface.
Given the amount of non-standard data types and distinct threat models or different priorities seen in enterprise environment, it comes as no surprise that organizations should not rely on vendors to come up with ways to leverage that data for detection.
In other words, it's rather naive to assume or expect that a set of out of the box rules shipped with a product (aka canned content) will be able to fulfill even the basic needs when it comes to detection coverage.
SIEM as a development platform
If you follow closely what's going on within #blueteams and #threathunting related forums (Twitter, Slack, etc), it's easy to notice a clear practice being built on top of regular security engineering (device tuning, etc).
With Splunk and Microsoft Sentinel being the most prominent platforms, users are building new detection rules as new threats are just uncovered — drastically reducing the time it would otherwise take when waiting on a vendor update.
And that's not only because those platforms can easily ingest different data types, but because the output of closed research or intel (honeypots, threat modeling, etc) in combination with basic stats/coding skills extracts a value that was never seen before.