What is clear now is that we believed (wrongly) that by centralizing data we could (maybe by magic) analyze it faster and thus make correlations more accurately. In a world where processing power is unlimited and context is included in the log line, this could be true. But this is not the world we live in.
The current state is that SIEMs are simply giant dumps for log files, barely conscious of basic context, that have arguably worse false-positive and alert rates than the end devices themselves. I will argue that the idea was good, but the execution was poor -- competent products are inherently very complicated and expensive to operate, and you can't sell that. So we sell a magic "it'll do it all for you, no worries" that effectively makes the customer's situation worse. The *only* viable answer on SIEM is an MSSP/SaaS model where you don't try to DIY. I submit 20+ years of DIY attempts as evidence of this.