A reminder: cloud SIEM (“SaaS SIEM”) does not really exist yet [so, those who compute market share numbers for it are simply deluded]. However, today there are some “almost SaaS SIEM” products on the market and I wanted to quickly mention them here, as a part of my current cloud security monitoring research.
To me [and that is an important point – this is not yet our published research position], these products below fit under “almost cloud SIEM”, listed in no particular order:
- FireEye Threat Analytics Platform (TAP)
- Splunk Cloud with Enterprise Security App installed
Since I am already deviating from my personal rule of “not mentioning vendors by name on the blog”, I will not go into details as to why I think these are indeed close enough to be SaaS SIEM. Frankly, both their “cloudiness” (such as rapid provisioning, scaling, on-demand, multi-tenancy, etc.) and their “SIEMness” (such as near-real-time correlation, search, reports, security content, etc.) are present.
Naturally, a cloud SIEM is well-suited for doing cloud security monitoring (hence my interest now!) and the above tools have indeed been used for things like AWS / IaaS security monitoring – some for years.
On the other hand, these are NOT really cloud SIEM (even though some people mistakenly think that they are):
- A traditional SIEM that somebody runs for you at their site (this is hosted SIEM, nothing “cloudy” about it)
- A traditional SIEM that you run on some IaaS like AWS (this is a regular SIEM, just located over there)
- Broad scope (i.e. not security focused) SaaS-delivered log management (this is not SIEM, by definition)
- MSSP where the security analysts are asleep at the wheel or left for a long vacation 🙂
There you have it – just clarifying here.
Will there be more cloud SIEM in the future? I am almost certain of it…
P.S. Vendors, if you think you have a real cloud SIEM, please argue!