The market for traditional security information and event management (SIEM) solutions is dying, and not a moment too soon.
When examining the success of enterprise cybersecurity product segments during the past decade, few solutions have overpromised and underdelivered like SIEM.
Intended to facilitate threat detection, investigation, and response (TDIR) by helping enterprises collect and analyze cybersecurity-related log and telemetry data, SIEMs often produce too many alerts, many of which are false positives, and ultimately fail to contribute to successful TDIR outcomes.
Fortunately, in place of SIEM, a new segment is emerging: next-generation SIEM (NG-SIEM). These cloud-native solutions can accept a wider variety of telemetry, including software- and infrastructure-as-a-service logs, as well as threat intelligence; offer built-in analytics for precise, accurate detections; and have integrated response capabilities for faster, smoother resolutions.
In its newly published Omdia Universe research on NG-SIEM, Omdia conducted a detailed analysis of seven NG-SIEM solutions. Omdia's research revealed multiple leading vendors, each with unique strengths and weaknesses, and many solutions worthy of consideration by potential enterprise buyers.
In addition to its product-specific findings, below Omdia highlights five overall takeaways to guide CISOs and other cybersecurity decision makers when considering NG-SIEM solution purchases.
- Cloud-native NG-SIEMs offer significant advantages: Only two of the solutions in the 2021-22 NG-SIEM Omdia Universe met Omdia's definition of fully cloud native. (As a prerequisite to participate, all had to offer either cloud-native or cloud-hosted versions of their solutions.) At present, Omdia believes fully cloud-native NG-SIEMs offer distinct advantages. They consistently deliver faster, simpler deployment and superior systems management; software upgrades are faster and often transparent; new features arrive more frequently; new detection and parser content is typically handled entirely by the vendor, akin to a managed service; and they can scale dynamically to accommodate an increase in data sources or burst ingestion events automatically. By the end of 2022, Omdia expects these capabilities to be common across NG-SIEM vendors, but until then, solutions that already include these cloud-native capabilities offer operational advantages for customers and pose competitive challenges for the rest of the market.
- Security data science is an emerging differentiator: One of the primary reasons traditional SIEMs never delivered on their potential is that data processing and normalization — a fundamental capability within threat detection that underpins the entire TDIR life cycle — is exceedingly challenging. A discipline emerging within NG-SIEMs to address this is what Omdia defines as security data fusion. This is the process whereby multisource data, typically disparate, is brought together and analyzed using new or alternative methods, not only to approximate the current security posture of an organization within a given scope but also to predict the likelihood that certain events will occur in the future. It may seem like science fiction today, but the most successful NG-SIEM vendors in the long term are likely to be those that invest in developing improvements in security data science, including security data fusion.
- Data ingestion-based pricing is finally fading away: Traditionally, SIEM pricing has been based on the amount or volume of data taken in by the SIEM. While this paradigm was advantageous for the vendors, it unintentionally inhibited customers from using a SIEM to its fullest extent. In practice, this has meant that enterprises have often had to exclude important telemetry sources, such as DNS logs or endpoint detection and response (EDR) logs, from the data sources sent to the SIEM because the volume of data was too great, significantly increasing cost. Fortunately, many NG-SIEM providers are evolving their pricing models. Employee-based pricing, typically tiered based on the number of full-time employees in the customer's organization, is increasingly common and allows for more predictable annual or contract-duration costs. Other pricing models, such as term-based flat fee, will soon become standard. Vendors are also increasingly introducing multitiered storage, adding options such as "cold" or infrequently accessed storage, which will come with reduced pricing.
- NG-SIEM is distinct from XDR: NG-SIEM finds itself squarely in the crosshairs of another emerging and rapidly advancing enterprise cybersecurity product segment: extended detection and response (XDR). The definition of XDR remains in flux: Ask 10 vendors how they define XDR, and you will get 10 different answers. But it is clear that many XDR vendors are positioning their solutions as alternatives to NG-SIEMs, promising integrated TDIR capabilities that are better, faster, and cheaper than NG-SIEMs. Both product segments are early in their life cycles, so much is yet to be determined, but ultimately both will thrive. Omdia anticipates that XDR will come to be defined as a TDIR solution that focuses on specific threat types and outcomes with efficient, selective use of data. Perhaps most importantly, unlike highly customizable NG-SIEMs, XDR will provide a guided experience, delivering enterprise-grade TDIR capabilities to organizations with less security maturity. Largely for that reason, XDR will often be delivered as a managed service. NG-SIEM will serve as the preferred choice for large enterprises with expansive hybrid cloud environments, dedicated security operations center (SOC) teams, and specific, detailed compliance and reporting demands.
- The best NG-SIEMs are laser-focused on outcomes: The overall top-ranked solution in the 2021-22 NG-SIEM Omdia Universe excelled in two key areas where other vendors largely struggled. One is querying and threat hunting: buyers need natural-language searching that lets SOC analysts and threat hunters alike easily identify, for example, users and entities whose sessions contain specific activities and/or values, or any combination of activities and attributes ranked by risk score. The other area is event analysis, which Omdia defines as capabilities that help analysts develop unique insights, draw conclusions, and identify follow-on response actions. The most effective solutions offer a chronological incident timeline built from both manually added and system-gathered data, providing a uniquely fast, easy-to-understand mechanism for SOC analysts to examine an incident, pinpoint causes, and gain insight into the best courses of action for successful remediation. Buyers should look for differentiation in outcome-driven features that enable SOC analysts to do their jobs with greater efficiency and effectiveness.
To be sure, the NG-SIEM segment is still early in its development, and solutions have yet to mature. Many of the NG-SIEM capabilities that Omdia believes will ultimately have the greatest impact, such as adaptive log normalization and predictive threat detection, are likely still years away. Plus, scores were broadly underwhelming in seemingly fundamental areas, such as performance management, integrated response orchestration and automation, system management, and reporting and compliance.
Despite these challenges, NG-SIEM solutions aptly deliver a much-needed new generation of core platforms to give enterprises the capabilities they need to mature and advance the TDIR life cycle. Omdia believes NG-SIEMs not only have great potential today to help enterprises improve TDIR outcomes but also in the years to come will finally help organizations gain ground on attackers, an objective that has been far too elusive for far too long.