Gartner Blog Network


Once More on Cloud SIEM or SaaS SIEM

by Anton Chuvakin  |  June 16, 2015  |  8 Comments

A reminder: cloud SIEM (“SaaS SIEM”) does not really exist yet [so, those who compute market share numbers for it are simply deluded]. However, today there are some “almost SaaS SIEM” products on the market and I wanted to quickly mention them here, as a part of my current cloud security monitoring research.

To me [and that is an important point – this is not yet our published research position], the products below fit under “almost cloud SIEM”, listed in no particular order:

  • FireEye Threat Analytics Platform (TAP)
  • Splunk Cloud with Enterprise Security App installed
  • AlertLogic

Since I am already deviating from my personal rule of “not mentioning vendors by name on the blog”, I will not go into details as to why I think these are indeed close enough to be SaaS SIEM. Frankly, both their “cloudiness” (such as rapid provisioning, scaling, on-demand use, multi-tenancy, etc.) and their “SIEMness” (such as near-real-time correlation, search, reports, security content, etc.) are present.

Naturally, a cloud SIEM is well-suited for doing cloud security monitoring (hence my interest now!) and the above tools have indeed been used for things like AWS / IaaS security monitoring – some for years.

On the other hand, these are NOT really cloud SIEM (even though some people mistakenly think they are):

  • A traditional SIEM that somebody runs for you at their site (this is hosted SIEM, nothing “cloudy” about it)
  • A traditional SIEM that you run on some IaaS like AWS (this is a regular SIEM, just located over there)
  • Broad scope (i.e. not security focused) SaaS-delivered log management (this is not SIEM, by definition)
  • MSSP where the security analysts are asleep at the wheel or left for a long vacation 🙂

There you have it – just clarifying here.

Will there be more cloud SIEM in the future? I am almost certain of it.

P.S. Vendors, if you think you have a real cloud SIEM, please argue!

Category: cloud  monitoring  security  siem  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Once More on Cloud SIEM or SaaS SIEM


  1. Matthew Gardiner says:

    You could have an addendum on #1 in the list above (traditional SIEM) where cloud based services are monitored from the “non-cloudy” SIEM.

  2. Greg says:

    I think IBM is working on a multi-domain SIEM on Q1Labs.
    Meaning one SIEM machine could deliver SIEM functionality for more than one company or more than one site of the same company.
    This kind of functionality could be a SaaS SIEM.

  3. Steven Cohen says:

    Anton – I believe that we have the first truly Cloud/SaaS SIEM. We are an MSSP that utilizes SumoLogic – a truly SaaS-based data analytics platform – and have enhanced their security capabilities to provide SIEM correlation rules. Happy to discuss further if you want to connect with me directly on LinkedIn.

  4. edgardo says:

    Anton –

    Thanks for the article. We built our SIEM to be cloud-based from the ground up. We hope our customers and yourself agree.

    We would be happy to give you a more in-depth look through a briefing.

    Thanks,

    edgardo
