Gartner Blog Network


Summer of SIEM 2017 Coming…

by Anton Chuvakin  |  July 11, 2017  |  7 Comments

Initially, I wanted to name this post My SIEM Is Too Slow | My SIEM Is Too Dumb”, but then I decided to go for a milder version, because – against all odds – I still love SIEM.

So, now that we are wrapping up our cloud and VA/VM research, it is time to plan for our “Summer of SIEM” — a project to update a few of our SIEM documents – and write some new ones (meanwhile the SIEM Magic Quadrant 2017 is being cooked in parallel).

Specifically, we are going to update our SIEM technology analysis (with exciting vendor profiles of the real players!) and our mammoth [not in the extinct sense, but size-wise :-)] SIEM Evaluation Criteria. We are also thinking of a whole new document on SaaS SIEM (yay!!!) and perhaps co-managed SIEM too.

To prepare for this, I have “retired” to my backyard with a huge pot of coffee and did some thinking. As you know, I’ve been involved with SIEM for 15 years and know where all its skeletons are buried. This carries advantages – but also risks of falling into “pre-set” thinking.

As a result, I realized that most legitimate (i.e. not from people who failed to even turn theirs on …) complaints about SIEM operations I encountered over the years fit these two big buckets:

  1. my SIEM is too slow – reports take hours, searches take minutes, my collectors buffer, unless my retention is short nothing really works, etc
  2. my SIEM is too dumb – it just gives me rule matches and search results, little value from data, have data – but no knowledge, what should I look at, no long-term insights, etc

Naturally, I touched on both of these in my many blog posts (example, another, also), but it is easy to notice that people building SIEMs today (either from scratch, or based on UEBA) are well aware of these. And so are the “legacy” SIEM vendors. This means…ahem…that we can make SIEM great again :-)

Finally, I want to pour some manure on the “SIEM is dead” crowd. The fact is, SIEM serves an essential security monitoring need. Therefore, if you create an “NG-SIEM” or another replacement technology, you will need to overcome some of the same challenges that SIEM has been struggling for. Or, as I said to one UEBA vendor, “Want to replace a SIEM? Come back when your Windows log collector actually works. And, BTW, it took a leading SIEM vendor 4 years to debug theirs…”

Select related blog posts:

Category: logging  monitoring  security  siem  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on Summer of SIEM 2017 Coming…


  1. John Burnham says:

    Well said, Anton. Eagerly awaiting the reports..

  2. […] we already mentioned, one of the papers we are writing this quarter would be about (in part) SIEM delivered via a […]

  3. […] Anton already blogged (many times) and twitted about, we are working to refresh some of our SIEM research and also on a […]

  4. Pete Hennis says:

    Looking forward to hearing from the ‘roll your own’ crowd when it’s released.

  5. […] Summer of SIEM 2017 Coming… (SIEM research) […]



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.