Blog post

Once More on Cloud SIEM or SaaS SIEM

By Anton Chuvakin | June 16, 2015 | 8 Comments


A reminder: cloud SIEM (“SaaS SIEM”) does not really exist yet [so, those who compute market share numbers for it are simply deluded]. However, today there are some “almost SaaS SIEM” products on the market and I wanted to quickly mention them here, as a part of my current cloud security monitoring research.

To me [and that is an important point – this is not yet our published research position], these products below fit under “almost cloud SIEM”, listed in no particular order:

  • FireEye Threat Analytics Platform (TAP)
  • Splunk Cloud with Enterprise Security App installed
  • AlertLogic

Since I am already deviating from my personal rule of “not mentioning vendors by name on the blog”, I will not go into details as to why I think these are indeed close enough to be SaaS SIEM. Frankly, both their “cloudiness” (such as rapid provisioning, scaling, on-demand, multi-tenancy, etc) and their “SIEMness” (such as near-real time correlation, search, reports, security content, etc) are both present.

Naturally, a cloud SIEM is well-suited for doing cloud security monitoring (hence my interest now!) and the above tools have indeed been used for things like AWS / IaaS security monitoring – some for years.

On the other hand, these are NOT really cloud SIEM (even though some people mistakenly think that it is):

  • A traditional SIEM that somebody runs for you at their site (this is hosted SIEM, nothing “cloudy” about it)
  • A traditional SIEM that you run on some IaaS like AWS (this is a regular SIEM, just located over there)
  • Broad scope (i.e. not security focused) SaaS-delivered log management (this is not SIEM, by definition)
  • MSSP where the security analysts are asleep at the wheel or left for a long vacation 🙂

There you have it – just clarifying here.

Will there be more cloud SIEM in the future? I am almost certain of it….

P.S. Vendors, if you think you have a real cloud SIEM, please argue!

Related blog posts:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Matthew Gardiner says:

    You could have an addendum on #1 in the list above (traditional SIEM) where cloud based services are monitored from the “non-cloudy” SIEM.

  • Greg says:

    I think IBM is working on a multi domain siem on q1lab.
    Meaning one siem machine could deliver siem functionality for more then one company or more then one site of the same company.
    This kind of functionality could be a saas siem.

  • Steven Cohen says:

    Anton – I believe that we have the first truly Cloud/Saas SIEM. We are a MSSP that utilizes SumoLogic – a truly SAAS-based data analytics platform and have enhanced their security capabilities to provide SIEM correlation rules. Happy to discuss further if you want to connect with me directly on LinkedIn.

  • Anton –

    Thanks for the article. We built our SIEM to be cloud-based from the ground-up. We hope our customers and yourself agree.

    We would be happy to be give you a more in-depth look through a briefing.