From Logging to Learning – Making SIEM Intelligent and Incident-Ready
Presented by Vivin Sathyan, Official Spokesperson at ManageEngine, at BE-CEC on September 11, 2025 in Dolce, La Hulpe
At the Belgian Cybersecurity Executive Conference (BE-CEC), Vivin Sathyan delivered a clear call to action for Belgium’s cybersecurity leaders: logs alone won’t save you. In his session, “From Logging to Learning – Making SIEM Intelligent and Incident-Ready”, he explained why traditional Security Information and Event Management (SIEM) systems are no longer sufficient on their own, and how enterprises can make them smarter, faster, and more resilient.
Sathyan opened by introducing Zoho Corporation, the parent company of ManageEngine. Founded in 1996, Zoho is a privately held global software company with over 100 million users in more than 150 countries. Unlike most of its peers, Zoho has stayed independent, debt-free, and firmly committed to not monetizing user data.
The company operates in two divisions:
Zoho: a suite of 60+ cloud applications for CRM, HR, finance, collaboration, and more.
ManageEngine: the IT management and security division, providing solutions to enterprises worldwide.
What sets Zoho apart, Sathyan emphasized, is that it builds everything in-house, from applications to the underlying technology stack, and puts privacy at the heart of its philosophy.
Zooming in on the Belgian landscape, Sathyan outlined a sobering picture:
Hybrid threats are escalating: Espionage and sabotage campaigns increasingly target government, finance, and healthcare. Attacks against Belgian organizations rose 53% in the past year.
Critical infrastructure is at risk: Energy, telecom, and transport face constant pressure from advanced persistent threats (APTs).
Belgium’s geopolitical weight: As headquarters of the EU, the country is a prime target for nation-state actors.
AI-driven attack evolution: Threat actors now use machine learning to evade detection. Two-thirds of Belgian security leaders (67%) fear AI-powered phishing campaigns against their workforce.
“The threat landscape has outpaced static defenses,” Sathyan warned. “Organizations that only collect logs without context are leaving the door wide open.”
The NIS2 Directive is adding urgency. Sathyan stressed three aspects Belgian CISOs must not underestimate:
Broader scope: Coverage now includes IT service providers, cloud platforms, and data centers.
Heavy penalties: Up to €10 million or 2% of global turnover for essential entities; €7 million or 1.4% for important entities.
Executive accountability: Management bodies can be held liable for infringements of the directive’s risk-management obligations, and significant incidents trigger an early warning to the authorities within 24 hours (followed by a fuller incident notification within 72 hours).
In other words, compliance is no longer just an IT issue — it is a board-level responsibility.
Traditional SIEM, Sathyan argued, was built around centralized logging and static rules. This creates a massive “data lake” but doesn’t generate true intelligence. In Belgium, where enterprises often process 8–10TB of logs daily, this model leads to alert fatigue: 75% of SOCs report ignoring alerts due to sheer volume.
Sathyan laid out the evolution path to intelligent SIEM:
Centralized Logging → Consolidates logs, but risks drowning in data.
Correlation & Rule-Based Alerts → Good for known threats, but blind to novel attacks.
Behavioral Analytics (UEBA) → Machine learning baselines detect anomalies early, like credential abuse spotted 17 days faster than rules.
Threat Intelligence Integration → Combining global feeds with Belgium-specific advisories from the Centre for Cybersecurity Belgium (CCB).
Automated Response (SOAR) → Playbook-driven remediation cuts mean time to respond (MTTR) from 4.2 hours to 27 minutes.
“Logging is history. Learning is the future,” he said.
Sathyan highlighted several capabilities that make SIEM more incident-ready:
Contextual alerts: Prioritization by asset criticality and threat intelligence → 65% faster investigations.
Automated enrichment: Adding user, geo, and behavioral context → 40% faster triage.
Behavioral baselining: Detects insider threats and credential misuse earlier.
Playbooks & automation: Automates common responses, freeing analysts to focus on high-value work.
Cloud & hybrid monitoring: Ensures 100% visibility across on-prem and multi-cloud environments.
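To make the evolution path and the incident-readiness capabilities above concrete, here is an added example (written for this summary; it is not code from the talk, from ManageEngine or from Log360) that runs a static correlation rule and a behavioural baseline over a handful of constructed authentication events, then enriches each alert with asset criticality and a threat-intelligence indicator set before ranking it. The event format, the criticality map, the IOC list, the baseline cut-off date and the scoring weights are all assumptions chosen for illustration.

```python
"""Rule-based correlation, behavioural baselining and alert enrichment over constructed auth events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: events before this date train the per-user baseline; later ones are scored.
BASELINE_END = datetime(2025, 9, 9)

# Constructed sample events in a normalised auth-log shape (not real logs).
EVENTS = [
    # Baseline period: alice works from wks-12, from Belgium, during office hours.
    {"ts": "2025-09-01T08:05:00", "user": "alice", "src_ip": "10.1.2.3", "country": "BE", "host": "wks-12", "result": "success"},
    {"ts": "2025-09-02T08:10:00", "user": "alice", "src_ip": "10.1.2.3", "country": "BE", "host": "wks-12", "result": "success"},
    {"ts": "2025-09-03T08:02:00", "user": "alice", "src_ip": "10.1.2.3", "country": "BE", "host": "wks-12", "result": "success"},
    # Detection period, case 1: password spraying against bob from a listed IP, then a success.
    {"ts": "2025-09-10T02:00:00", "user": "bob", "src_ip": "203.0.113.7", "country": "XX", "host": "dc-01", "result": "failure"},
    {"ts": "2025-09-10T02:01:00", "user": "bob", "src_ip": "203.0.113.7", "country": "XX", "host": "dc-01", "result": "failure"},
    {"ts": "2025-09-10T02:02:00", "user": "bob", "src_ip": "203.0.113.7", "country": "XX", "host": "dc-01", "result": "failure"},
    {"ts": "2025-09-10T02:03:00", "user": "bob", "src_ip": "203.0.113.7", "country": "XX", "host": "dc-01", "result": "failure"},
    {"ts": "2025-09-10T02:04:00", "user": "bob", "src_ip": "203.0.113.7", "country": "XX", "host": "dc-01", "result": "failure"},
    {"ts": "2025-09-10T02:05:00", "user": "bob", "src_ip": "203.0.113.7", "country": "XX", "host": "dc-01", "result": "success"},
    # Detection period, case 2: alice's valid credential used at 03:15 from a new country on a critical host.
    # No failures at all, so a threshold rule stays silent; only the baseline deviation catches it.
    {"ts": "2025-09-10T03:15:00", "user": "alice", "src_ip": "198.51.100.9", "country": "XX", "host": "erp-db-01", "result": "success"},
    # Benign: alice's normal morning login must not produce noise.
    {"ts": "2025-09-10T08:03:00", "user": "alice", "src_ip": "10.1.2.3", "country": "BE", "host": "wks-12", "result": "success"},
]

ASSET_CRITICALITY = {"erp-db-01": 5, "dc-01": 5, "wks-12": 1}  # constructed asset inventory (1 low .. 5 critical)
IOC_IPS = {"203.0.113.7"}                                       # constructed threat-intelligence feed


def parse(events):
    """Convert ISO timestamps to datetime and sort chronologically (correlation assumes ordered input)."""
    return sorted((dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events), key=lambda e: e["ts"])


def rule_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Static rule: at least `threshold` failures then a success from the same (user, src_ip) inside `window`."""
    failures, alerts = defaultdict(list), []
    for e in events:
        key = (e["user"], e["src_ip"])
        if e["result"] == "failure":
            failures[key].append(e["ts"])
        elif e["result"] == "success":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"kind": "rule:bruteforce_then_success", "event": e,
                               "reasons": [f"{len(recent)} failures within {window}"]})
            failures[key].clear()  # a success resets the counter for that pair
    return alerts


def build_baseline(events, until=BASELINE_END):
    """Per-user profile of hosts, source countries and login hours seen in successful logins before `until`."""
    base = defaultdict(lambda: {"hosts": set(), "countries": set(), "hours": set()})
    for e in events:
        if e["ts"] < until and e["result"] == "success":
            base[e["user"]]["hosts"].add(e["host"])
            base[e["user"]]["countries"].add(e["country"])
            base[e["user"]]["hours"].add(e["ts"].hour)
    return base


def behavioral_anomalies(events, baseline, since=BASELINE_END):
    """UEBA-style check: flag successful logins after `since` that deviate from the user's baseline."""
    alerts = []
    for e in events:
        if e["ts"] < since or e["result"] != "success":
            continue
        profile = baseline.get(e["user"])
        if profile is None:
            continue  # cold start: no baseline for this user yet, so leave detection to the static rules
        reasons = [name for name, hit in (("new_host", e["host"] not in profile["hosts"]),
                                          ("new_country", e["country"] not in profile["countries"]),
                                          ("unusual_hour", e["ts"].hour not in profile["hours"])) if hit]
        if reasons:
            alerts.append({"kind": "ueba:deviation", "event": e, "reasons": reasons})
    return alerts


def enrich_and_score(alert):
    """Add asset criticality and IOC context, then compute a priority score (weights are assumptions)."""
    e = alert["event"]
    score = 40 if alert["kind"].startswith("rule:") else 10 * len(alert["reasons"])
    crit = ASSET_CRITICALITY.get(e["host"], 1)
    ioc = e["src_ip"] in IOC_IPS
    score += 10 * crit + (30 if ioc else 0)
    alert.update({"asset_criticality": crit, "ioc_match": ioc, "score": score})
    return alert


def run_pipeline(raw=EVENTS):
    """Rules + baseline deviations, enriched and ranked so the analyst sees the highest-risk alert first."""
    events = parse(raw)
    alerts = rule_bruteforce(events) + behavioral_anomalies(events, build_baseline(events))
    return sorted((enrich_and_score(a) for a in alerts), key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in run_pipeline():
        print(a["score"], a["kind"], a["event"]["user"], a["event"]["host"], a["reasons"], "ioc" if a["ioc_match"] else "")
```

On this input the threshold rule fires only for bob, while alice's login with a valid password from a new country, at an unusual hour, to a critical host is invisible to it and is caught only by the baseline deviation; the benign morning login produces nothing. Two caveats a practitioner should carry into a real deployment: a user with no baseline (bob here) is skipped by the behavioural check rather than flagged for everything, so the static rules must still cover the cold-start period, and the scoring weights, baseline length and failure threshold are tuning knobs that need to be set from your own false-positive and MTTR benchmarks rather than copied.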
Sathyan pointed out that Belgian organizations have a unique advantage: the Centre for Cybersecurity Belgium (CCB). As the country’s national authority, the CCB provides:
Free security assessments and incident response support.
Threat intelligence feeds tailored to Belgian sectors.
A CCB Early Warning System that SOCs can integrate directly into SIEM platforms.
“CCB is not just a regulator,” Sathyan noted. “It’s a partner. But you need to integrate their intelligence into your systems to benefit.”
Sathyan showcased ManageEngine’s Log360, a complete SIEM + SOAR solution designed for this new era:
AI/ML-driven UEBA: Learns behavior patterns, assigns risk scores.
Integrated threat intelligence: Combines global feeds with Belgian-specific IOCs.
SOAR automation: Over 200 prebuilt playbooks, plus custom workflows for Belgian requirements.
Compliance reporting: NIS2 and GDPR templates built-in, with evidence collection.
Belgian organizations already see results:
A major bank cut false positives by 72% while improving detection rates.
A regional healthcare provider achieved NIS2 compliance three months early.
A government agency automated 85% of Tier-1 alerts.
Sathyan offered CISOs a practical three-step, 90-day roadmap:
Days 1–30: Assessment & Baseline → Audit logs, map critical assets, benchmark false positives and MTTR.
Days 31–60: Advanced Analytics → Deploy UEBA, integrate Belgian threat feeds, enable contextual alerts.
Days 61–90: Automate Response → Roll out top playbooks, connect SIEM to endpoints, and implement NIS2-compliant reporting.
Sathyan urged leaders to focus on four priorities:
Integrate, don’t add tools → Avoid silos, maximize value from existing investments.
Reduce analyst fatigue → Choose platforms that enrich alerts, not multiply them.
Adopt compliance-driven analytics → Map SIEM output directly to NIS2/GDPR requirements.
Prepare for AI-powered threats → Deploy AI defenses before attackers fully weaponize them.
Sathyan ended with a memorable metaphor:
Logs are raw material — valuable, but not useful on their own.
Intelligence is the product — the insights that prevent breaches and prove compliance.
Incident-readiness is the profit — with the average Belgian breach costing €4.7 million, automation can cut losses by 65%.
To help organizations take the first step, ManageEngine offers a 30-day, no-cost proof of concept including visibility assessment, NIS2 gap analysis, and a custom ROI calculator.
Vivin Sathyan’s message to Belgium’s security executives was clear: logs must evolve into learning. With hybrid threats rising, AI-powered attacks looming, and NIS2 deadlines approaching, organizations cannot afford to drown in data lakes. By combining behavior analytics, identity context, automation, and national intelligence, SIEM can shift from reactive logging to proactive learning — keeping Belgium’s enterprises, critical infrastructure, and institutions a step ahead of attackers.