by Anton Chuvakin | April 7, 2017 | SIEM Future: A UEBA Path or An MDR Way?
Want to hear a bad joke about #SIEM?
- Knock knock
- Who’s there?
- No way… you are dead!!!
Ok, in all seriousness, we all know SIEM is NOT dead – but a nearly $2b business with decent growth. To put this in context, a 2nd tier SIEM vendor likely makes more money than the entire UEBA / UBA market worldwide …
However, what would SIEM look like in, say, 3-5 years? While this is not a research note but a short blog post (albeit from somebody involved with SIEM for 15 years), I want to say that I see only two routes:
- A UEBA path – this is where SIEM merges with or borrows from UEBA and becomes smarter on its own (I will call this “a machine brain path”).
- An MDR way – this is where SIEM merges with MDR and/or becomes mostly delivered via a co-managed model (this is something like “a rent-a-brain path”).
Why do I think so? Security talent shortage!!! There are not enough people to write all those correlation rules – and the world of IT is growing MUCH faster than the security talent pool. As IT / IoT grows, the pool of security people cannot and will not grow with it – so expect the future to be MUCH worse in this regard than now, cloud or no cloud.
Therefore, you either invent a machine brain (hard) or rent a brain (and the question of where the providers will find those great brains to rent out is left as an exercise to the reader), with all the problems and limitations of each. So, yes, I am well aware of the fact that fully-automated analytics is not yet trustworthy and “rented brains” can be occasionally kinda stupid 🙂
There you have it – an incomplete thought from a newly minted Research VP & Distinguished Analyst [I promise I will stop now – just to avoid my promotion going all to my ego 🙂]