By Augusto Barros, Vice President of Solutions
TL;DR: People keep questioning SIEM value, but cloud SIEM makes SIEM so much better. SIEM is now capable of delivering a lot of security value. The Securonix Jupiter release is confirmation of that trend.
The SIEM market is a US$5B market with a two-digit annual growth rate. Still, we keep seeing multiple questions and discussions around SIEM’s role, future, and value. Why?
There are many reasons, including:
The high importance of SIEM’s role for security operations: The SIEM is often the foundation of Security Operation Centers and has a critical role in their work. It is natural to see it being constantly evaluated and discussed as it has a role in almost all SOC processes.
Cost and budget share: SIEM is not cheap. It usually takes a big chunk of the security budget. Organizations will keep trying to reduce it as part of their cost optimization efforts, while vendors of other technologies will keep trying to sell their products as alternatives to tap into existing SIEM budgets.
Operational effort required: SIEM is definitely not a “set and forget” tool. This is not a deficiency per se, as other technologies, such as EDR, also require people to deliver value. But the concerns about how much effort must be put into SIEM operations is a constant driver of discussions about improvements or even replacements of this technology.
Multitude of experiences: SIEM has been around for more than 20 years. Many professionals have gone through multiple implementations, sometimes with good experiences, sometimes not so much. I’ve seen many people with very strong opinions on SIEM based on their personal experiences with this type of tool, experiences that many times are not representative of how SIEMs can support security initiatives.
Evolution of other technologies and of the entire technology landscape: As other technologies evolve it is inevitable to look at how they impact the role of SIEM. It happened with UEBA, it happened with SOAR, it is happening with XDR. The technology environments where these tools operate are also constantly evolving. Big SAN storage systems came up, virtualization became ubiquitous, big data spread out like wildfire. These changes affect the security tools we use to protect IT environments in multiple ways. Some increased the amount of data to be collected and processed, while others were used to evolve SIEM and make it more scalable and capable.
Nothing is more important to those discussions as Cloud SIEM. Not just “hosted” in the cloud, but as a native cloud offering. Why? Because now SIEM vendors can have some control over deployment success. What are you saying, Augusto? Didn’t they have control over the success of their own product before? Yes, that’s true!
As a traditional SIEM vendor, it is very hard for you to ensure the customer will be able to get all the benefits your product can provide. First, they may underestimate the required capacity for their environment. They will end with a sluggish product, overflowing with data, having to deal with adding servers, memory, storage, or even stopping the deployment to rearchitect the whole solution before getting any value from it. I’ve seen countless SIEM deployments dying this way before generating any return of investment.
But it doesn’t stop there. They may get the sizing right but underestimate the effort to keep it running. They estimate the number of people to use the SIEM, but they forget that a traditional SIEM requires people to use it but also to keep it running. That means people will spend their time keeping servers running, applying patches (to operating systems, middleware and to the SIEM software too), troubleshooting log collection, ensuring storage doesn’t blow up, and not paying attention to what the SIEM should actually be doing for them. The tool is up and running, but again, not providing any value.
We can see how much the vendor depends on the customer to provide value. And even if the customers do things properly, there are other challenges too. Traditional software allows for high variation of deployments: Customers running on different versions, with different hardware and architecture. How can a vendor distribute SIEM content (parsers, rules, machine learning models, etc.) that works in a consistent manner to its customers in this scenario? It just can’t.
Considering these factors, I risk saying that offering a traditional SIEM solution is similar to the Sisyphus Myth. As much as the vendor tries to deliver value, the solution will eventually fail to achieve the customer objectives. As traditional software, SIEM was really destined to die.
How does the cloud SIEM change this?
First, many challenges on SIEM deployments are related to problems that are completely solved or minimized by the SaaS model. Cloud services are highly scalable and elastic, and SaaS practically eliminates the need to maintain the application and underlying components. Now you have a SIEM that finally scales and does not require an army to keep it running. You can focus on using it appropriately.
Second, a SaaS SIEM puts customers on highly standardized deployments. With most customers running on the same version, without capacity challenges, it’s far easier to deliver content that works for all of them. That makes a huge difference in perceived value. And it doesn’t stop there. With this scenario it becomes easier to the vendor to finally realize the benefits of the “wisdom of the crowds”. Developing more complex ML models for threat detection, for example, becomes easier and more effective. The vendor now has access to more data to train and tune the models. Even simple IOC match detection content can be quickly developed and delivered to all customers, allowing the SIEM vendor to provide detection of new, in the wild threats.
Finally, delivering any software solution via SaaS gives the developer the opportunity to embrace more agile development practices. Upgrading a traditional SIEM deployment is so complex that vendors would naturally rely on traditional waterfall development practices, generating big releases with long times between them. SaaS SIEM can leverage agile development and CI/CD practices, so new features can be quickly added, and defects quickly fixed.
Securonix Next-Gen SIEM’s latest release and features are great examples of how cloud SIEM makes it easier to provide value. It may seem odd to mention agile releases while delivering such a big release as Jupiter. I realize there is a contradiction there. But a big part of Jupiter is preparing the architecture to allow for faster, smaller releases, and reducing the SIEM time to value.
The new content management system, for example, allows us to have a channel for quick delivery of new content and content updates, detached from software releases. Together with the improvements to the analytics sandbox, these features are also enabling customers to adopt an agile posture to content development and maintenance, well aligned to DDLC concepts.
Some of the new features, such as the new ingestion framework and activity monitor are also focused on making the “running the SIEM” pieces still in the hands of the customer easier to handle. Those features would normally see a slow adoption with traditional SIEM and require complex upgrade processes, sometimes never being adopted due to fear of a painful migration. But the SaaS nature of Securonix can make them quickly available to customers, improving reliability and scalability.
Last but not least: These recent improvements also include another gem, our “Bring Your Own Cloud” model.
As I spent this entire blog post highlighting benefits from a cloud-based deployment, some may point that there may be some disadvantages in this model too. Sometimes a SaaS alternative may be more expensive than running the solution on your own infrastructure; or, that you are putting your data in the hands of the vendor, what may not be desirable or even allowed by certain regulatory requirements.
We designed BYOC to address those two issues. Even with all those great cloud advantages, none of them would be of any importance if the customer just cannot give us their data. For those cases, BYOC comes to the rescue and allows organizations to keep their data in their own AWS resources. They own and control the access to their data. This simple design can address many regulatory concerns and make SaaS SIEM viable to organizations that couldn’t even consider it as an option before.
Another big challenge in providing cost-effective SaaS SIEM is the cloud storage cost. We need to pass those costs to our customers as part of our solution’s price, and it’s not cheap. But many organizations out there are using the same AWS services we use, and they may have access to heavily discounted prices. Our BYOC model allows them to use our SaaS SIEM while leveraging their AWS account for the solution storage needs, resulting in huge cost savings for them.
As “huge” I mean up to 40% savings in an 8-digit deal!
Cloud SIEM is in its infancy when you consider SIEM is just past its teenage years. But there are so many opportunities to explore with this model that I can finally say “Next-Gen SIEM” without feeling silly about it. Just wait to see what’s out there just past Jupiter. I’ll borrow a line from Buzz Lightyear: To infinity and beyond!