It can be challenging to operate and maintain security information and event management (SIEM) platforms, but it can also be difficult just to choose which SIEM is right for your Security Operations team.
The 2021 GigaOm Radar for SIEM, written by Chris Grundemann, Karen Martin, and Logan Andrew Green, goes into detail about the SIEM market, offers some key criteria for comparing products, and looks at the offerings of 10 leading SIEM platforms.
The report is a valuable review of the tools market. Here are the key takeaways—and broader insights about the state of SecOps tooling from top experts.
1. The SIEM tools market is mature and competitive
Most SIEM vendors have had well over a decade to refine their products, and the differentiation among basic SIEM functions is fairly small. While there are important differences among the vendors’ capabilities, the report noted, no vendor’s solution considerably outperforms others for SIEM-specific capabilities, such as alarm fidelity and data enrichment.
“Core SIEM functionality at this point is pretty mature, and because of that, almost everybody does most of the things they need to do well, which creates a lack of differentiation. Where they continue to differentiate is in SOAR functionality and combining with other tools.”
A.N. Ananth, president of Netsurion, a cybersecurity-as-a-service provider, said the SIEM market was starting to resemble the market for certain cars.
“What a SIEM is is pretty common, just like what a four-door sedan is.”
One area where there are significant differences between vendors, though, is in the cloud, maintained Michael Mumcuoglu, CEO and co-founder of CardinalOps, a threat coverage optimization platform maker.
“As organizations are rapidly migrating to and adopting cloud technologies, vendors that fail to provide a true cloud-native solution will become obsolete and lose the race.”
2. Software stacks begin to stack up
As SIEMs compete in the security space with other solutions, vendors also offer tightly integrated solution stacks, allowing customers to choose the solutions they need most, whether just a SIEM; a SIEM with security orchestration, automation, and response (SOAR); a SIEM with endpoint detection and response (EDR); or some other combination. Other vendors are incorporating limited EDR- or SOAR-like capabilities into their SIEM solutions for customers that want the extra features but are not ready to invest in multiple solutions.
Michelle Abraham, research director for security and trust at IDC, explained that there is integration between SIEM and SOAR platforms, with a number of SIEM vendors also offering SOAR, but separately. This is changing, albeit slowly.
“While right now this is often a separate product, one vendor, Micro Focus, includes SOAR with its SIEM. Others may follow suit in the future.”
CardinalOps’ Mumcuoglu said, however, that SIEM vendors haven’t been very nimble in dealing with competing technologies. “Most SIEM vendors have been slow to react to the EDR/XDR [extended detection and response] market and failed to make significant investments in these areas,” he said.
One notable exception, per Mumcuoglu: Elastic, which provides an endpoint agent through the acquisition of Endgame Security.
“I expect SIEM vendors that will not adapt to these emerging challengers to eventually be disrupted and left behind.”
3. Information centralization is key
Due to the nature of its design—SIEM as the central repository of information for security analysts—the technology is in prime position to swallow the capabilities of other security solutions such as SOAR, user and entity behavior analytics (UEBA), and EDR. Whether the result will simply be called a next-generation SIEM or be given an entirely different name remains to be seen, the report noted. But you can expect SOCs to need only one main platform for collection, filtering, investigation, response, and reporting.
Scott Crawford, research director for information security at 451 Research, said the exact future of SIEM technology is not clear. Right now, it’s difficult to say whether SIEM will swallow up its competitors. Challengers like CrowdStrike and the new Mandiant offer a different approach to security operations, he said.
“It is a pivotal moment for the SIEM market. It’s facing some challenges it hasn’t faced before.”
Technology has historically been developed through mergers and acquisitions, and SIEM is no exception, said Sean Nikkel, a senior cyber-threat analyst with Digital Shadows, a provider of digital risk protection solutions.
“We’ve already seen companies integrate additional capabilities through acquisition in just the last few years, and the trend will continue as vendors try to solve the next big security problem.”
Netsurion’s Ananth said that SIEMs act as the glue in a security scheme. “They’re not going to replace EDR or a dedicated SOAR, but SIEM can act as the single pane of glass for those things, as a clearinghouse for information coming from all locations,” he explained.
“SIEM won’t swallow competing technologies, but it will swallow their presentations and data.”
CardinalOps’ Mumcuoglu said he was also uncertain about the ultimate winner between SIEMs and their competitors.
“Since EDR/XDR vendors and SIEM vendors both have large players, it is yet to be determined who will swallow and who will get swallowed. But five years from now, I believe they will merge into a single security analytics category.”
But John Bambenek, a principal threat hunter with Netenrich, an IT and digital security operations company, is skeptical about SIEM vendors absorbing competing technologies.
“The only thing SIEMs have the potential to swallow is a disproportionate share of your cybersecurity op-ex budget.”
4. Tackling complexity is critical
The SIEM vendors that succeed in the future will be those able to successfully deal with a bugaboo that’s haunted the technology since its inception: complexity. After all, the SOAR market came into being to handle the unrelenting volume of SIEM alarms security analysts had to deal with, noted GigaOm’s Grundemann.
“There’s still a lot of complexity there, but it’s gotten better,” Grundemann said.
A lot of vendors have gotten good at role-based management, he added, so different roles can get different views of the system. “That can reduce complexity because you only see what’s relevant to you.”
IDC’s Abraham added that vendors are improving dashboards and mapping to the MITRE ATT&CK framework to help security analysts gain more insight. “They are also providing historical information over how an alert was triaged in the past and suggestions for remediation,” she said.
Toolmakers are also providing built-in integration and SIEM as a service to make their products easier to use, said Netsurion’s Ananth.
“Built-in integration simplifies the work of setting up a SIEM. It’s like a meal kit. You have all the ingredients for the meal, but you still have to put it together yourself. That’s usually good for large corporations.”
SIEM as a service is appealing to small and medium businesses, he continued. “It’s like Uber Eats. You want your meal delivered to your door.”
With information overload, SecOps teams struggle
Bambenek contends that complexity remains a problem for SecOps teams. Organizations that want to solve complexity issues need intelligent data collection, automated enforcement, and the ability to enrich and contextualize events quickly, he said.
“All of these functions have not been well-performed by SIEMs.”