Blog post

SIEM Future: A UEBA Path or An MDR Way?

By Anton Chuvakin | April 07, 2017


Want to hear a bad joke about #SIEM?

  • Knock knock
  • Who’s there?
  • SIEM!
  • No way… you are dead!!!

Ok, in all seriousness, we all know SIEM is NOT dead – but a nearly $2b business with decent growth. To put this in context, a 2nd tier SIEM vendor likely makes more money than the entire UEBA / UBA market worldwide …

However, what would SIEM look like in, say, 3-5 years? While this is not a research note but a short blog (albeit from somebody involved with SIEM for 15 years), I wanted to say that I see only two routes:

  1. A UEBA path – this is where SIEM merges with or borrows from UEBA and becomes smarter on its own (I will call this “a machine brain path”).
  2. An MDR way – this is where SIEM merges with MDR and/or becomes mostly delivered via a co-managed model (this is something like “a rent-a-brain path”).

Why do I think so? Security talent shortage!!! There are not enough people to write all those correlation rules – and the world of IT is growing MUCH faster than the security talent pool. As IT / IoT grows, the pool of security people cannot and will not grow with it – so expect the future to be MUCH worse in this regard than now, cloud or no cloud.

Therefore, you either invent a machine brain (hard) or rent a brain (and the question of where the providers will find those great brains to rent out is left as an exercise to the reader), with all the problems and limitations of each. So, yes, I am well aware of the fact that fully-automated analytics is not yet trustworthy and “rented brains” can be occasionally kinda stupid 🙂

There you have it – an incomplete thought from a newly minted Research VP & Distinguished Analyst [I promise I will stop now – just to avoid my promotion going all to my ego 🙂]

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
