Micro Focus is now part of OpenText. Learn more >

You are here

You are here

SecOps tooling in 2021: SIEM remains in the driver's seat

John P. Mello Jr. Freelance writer

It can be challenging to operate and maintain security information and event management (SIEM) platforms, but choosing which SIEM is right for your Security Operations (SecOps) team can be challenging too.  

The 2021 GigaOm Radar for SIEM, written by Chris Grundemann, Karen Martin, and Logan Andrew Green, goes into detail about the SIEM market, offers some key criteria for comparing products, and looks at the offerings of 10 leading SIEM platforms.

Here are key takeaways from the report—and broader insights about SecOps tooling from top experts. 

1. The SIEM tools market is mature and competitive

Most SIEM vendors have had well over a decade to refine their products, and the differentiation among basic SIEM functions is fairly small. While there are important differences among the vendors’ capabilities, the report noted, no vendor's solution considerably outperforms others for SIEM-specific capabilities, such as alarm fidelity and data enrichment.

"Core SIEM functionality at this point is pretty mature, and because of that, almost everybody does most of the things they need to do well, which creates a lack of differentiation. Where they continue to differentiate is in SOAR functionality and combining with other tools."
Chris Grundemann

A.N. Ananth, president of Netsurion, a cybersecurity-as-a-service provider, said the market was getting to look like the market for some cars.

"What a SIEM is is pretty common, just like what a four-door sedan is."
A.N. Ananth

One area where there are significant differences between vendors, though, is in the cloud, said Michael Mumcuoglu, CEO and co-founder of CardinalOps, a threat coverage optimization platform maker. 

"As organizations are rapidly migrating to and adopting cloud technologies, vendors that fail to provide a true cloud-native solution will become obsolete and lose the race."
Michael Mumcuoglu

2. Software stacks begin to stack up

As SIEMs compete in the security space with other solutions, vendors also offer tightly integrated solution stacks, allowing customers to choose the solutions they need most, whether just a SIEM; a SIEM with security orchestration, automation, and response (SOAR); a SIEM with endpoint detection and response (EDR); or some other combination. Other vendors are incorporating limited EDR- or SOAR-like capabilities into their SIEM solutions for customers that want the extra features but are not ready to invest in multiple solutions.

Michelle Abraham, research director for security and trust at IDC, explained that there is integration between SIEM and SOAR platforms, with a number of SIEM vendors also offering SOAR, but separately. SOAR is offered as part of its SIEM by one company, Micro Focus. "Others may follow suit in the future," she said.

CardinalOps' Mumcuoglu said, however, that SIEM vendors haven't been very nimble in dealing with competing technologies. "Most SIEM vendors have been slow to react to the EDR/XDR [extended detection and response] market and failed to make significant investments in these areas," he said.

One notable exception, per Mumcuoglu: Elastic, which provides an endpoint agent through the acquisition of Endgame Security. "I expect SIEM vendors that will not adapt to these emerging challengers to eventually be disrupted and left behind," he said.

3. Information centralization is key

Due to the nature of its design—SIEM as the central repository of information for security analysts—the technology is in prime position to swallow the capabilities of other security solutions such as SOAR, user and entity behavior analytics (UEBA), and EDR. Whether the result will be called simply a next-generation SIEM or an entirely different name remains to be seen, the report noted. But you can expect SOCs to need only one main platform for collection, filtering, investigation, response, and reporting.

Scott Crawford, research director for information security at 451 Research, said the exact future of SIEM technology is not clear. Right now, it's difficult to say if SIEM will swallow up its competitors. Challengers like Cloudstrike and the new Mandiant offer a different approach to security operations, he said.

"It is a pivotal moment for the SIEM market. It's facing some challenges it hasn't faced before."
Scott Crawford

Technology has historically been developed through mergers and acquisitions, and SIEM is no exception, said Sean Nikkel, a senior cyber-threat analyst with Digital Shadows, a provider of digital risk protection solutions.

"We've already seen companies integrate additional capabilities through acquisition in just the last few years, and the trend will continue as vendors try to solve the next big security problem."
Sean Nikkel

Netsurion's Ananth said that SIEMs act as the glue in a security scheme. "They're not going to replace EDR or a dedicated SOAR, but SIEM can act as the single pane of glass for those things, as a clearinghouse for information coming from all locations," he explained.

"SIEM won't swallow competing technologies, but it will swallow their presentations and data."
—A.N. Ananth

CardinalOps' Mumcuoglu said he was also uncertain about the ultimate winner between SIEMs and their competitors.

"Since EDR/XDR vendors and SIEM vendors both have large players, it is yet to be determined who will swallow and who will get swallowed. But five years from now, I believe they will merge into a single security analytics category."
—Michael Mumcuoglu

But John Bambenek, a principal threat hunter with Netenrich, an IT and digital security operations company, is skeptical about SIEM vendors absorbing competing technologies. 

"The only thing SIEMs have the potential to swallow is a disproportionate share of your cybersecurity op-ex budget."
John Bambenek

4. Tackling complexity is critical

The SIEM vendors that succeed in the future will be those able to successfully deal with a bugaboo that's haunted the technology since its inception: complexity. After all, the SOAR market came into being to pick up the unrelenting number of SIEM alarms security analysts had to deal with, noted GigaOM's Grundemann.

"There's still a lot of complexity there, but it's gotten better,"
—Chris Grundemann

He said that a lot of vendors have gotten good at role-based management. Different roles can get different views of the system, Grundemann explained. "That can reduce complexity because you only see what's relevant to you."

IDC's Abraham added that vendors are improving dashboards and mapping to the MITRE ATT&CK framework to help security analysts gain more insight. "They are also providing historical information over how an alert was triaged in the past and suggestions for remediation," she said.

Toolmakers are also providing built-in integration and SIEM as a service to make their products easier to use, said Netsurion's Ananth.

"Built-in integration simplifies the work of setting up a SIEM. It's like a meal kit. You have all the ingredients for the meal, but you still have to put it together yourself. That's usually good for large corporations."
—A.N. Ananth

SIEM as a service is appealing to small and medium businesses, he continued. "It's like Uber Eats. You want your meal delivered to your door."

With information overload, SecOps teams struggle

Bambenek contends that complexity remains a problem for SecOps teams. For organizations that want to solve complexity issues, you need intelligent data collection, automated enforcement, and the ability to enrich and contextualize events quickly, he said.

"All of these functions have not been well-performed by SIEMs."
—John Bambenek

Keep learning

Read more articles about: SecurityInformation Security