Gartner Blog Network


What Is “SIEM+” Or “Can We Have A Cyber Defense Platform?”

by Anton Chuvakin  |  July 6, 2018  |  8 Comments

Contrary to what some “analytics” or “AI” vendors will have us believe, SIEM in 2018 is not the SIEM of our grandfathers. In 2002, when I was first initiated into the dark arts of SIEM, it was very different (it was called either SIM or SEM back in the B.C. era – that is, Before Compliance).

Indeed, SIEM has evolved! Well, to be honest, good SIEM vendors have evolved, and the shitty ones died, became zombies or remain stuck in the past (“we have 13,471 different compliance reports! we are the best!!”).

Now, here at Gartner we may or may not be working on a note defining “NG SIEM.” And, if we do, I don’t want to steal the authors’ thunder here, and … you know … reveal the score.

However, we do see SIEM technology nicely absorbing features of some related product categories, and hence evolving into an integrated “cyber” defense platform of sorts. SIEM has largely eaten UEBA, and has been biting chunks out of SOAR as we speak by building more workflow and orchestration features. SIEM has also been expanding into NTA (by collecting layer-7 traffic metadata) and perhaps a bit into EDR (just as EDR itself has been collapsing into the maelstrom of EPP).

So, what may possibly be included in such a platform? Personally, I think some mix of these:

  • A good SIEM (for sure!)
  • A good UEBA/analytics with workable ML
  • A decent SOAR feature set for workflow and orchestration
  • Scalable backend for real-time and historical analysis (because data volumes in 2018 are way, way, way larger than in 2002)
  • Network traffic data collection and analytics (some NTA feature set)
  • Endpoint sensing and analysis (some EDR feature set)
  • Solid threat intel integration and TI-enablement throughout the platform
  • Perhaps, cloud delivery?
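To make the list above (and the “SIEM eats UEBA/SOAR/NTA/EDR” paragraph before it) concrete, here is an added example, not code from this post or from any vendor’s product: a toy “SIEM+” pipeline that normalizes events from three sensors into one schema, enriches them against a threat-intel set, scores them with a UEBA-style baseline check and an EDR-style process check, correlates per host, and hands the result to a SOAR-style playbook. The log lines, field names, baseline hours, indicators, point values and thresholds are all constructed for the illustration.

```python
"""Toy "SIEM+" pipeline: normalize -> enrich (TI) -> score (UEBA/EDR) -> correlate -> act (SOAR).
Constructed example; every sensor name, field, threshold and indicator is an assumption."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed threat-intel feed: indicator -> tag and confidence (0-100).
THREAT_INTEL = {"203.0.113.45": {"tag": "c2", "confidence": 90}}

# Constructed UEBA baseline: UTC hours in which each user normally authenticates.
LOGIN_BASELINE = {"alice": set(range(8, 19)), "bob": set(range(7, 17))}

# Constructed telemetry from three sensors (auth log, flow metadata, endpoint agent),
# already in a single key=value schema: "<iso-timestamp> <source> k=v k=v ...".
SAMPLE_LOGS = [
    "2018-07-06T02:13:00Z auth user=alice host=ws-17 result=success src=198.51.100.7",
    "2018-07-06T02:14:10Z endpoint user=alice host=ws-17 parent=winword.exe process=powershell.exe",
    "2018-07-06T02:14:30Z flow host=ws-17 dst=203.0.113.45 dport=443 bytes=48211",
    "2018-07-06T10:02:00Z auth user=bob host=ws-03 result=success src=198.51.100.9",
    "2018-07-06T10:05:00Z flow host=ws-03 dst=192.0.2.10 dport=443 bytes=1200",
]

@dataclass
class Event:
    ts: datetime
    source: str  # "auth", "flow" (NTA-style metadata) or "endpoint" (EDR-style)
    user: str
    host: str
    fields: dict

@dataclass
class Alert:
    host: str
    user: str = "-"
    score: int = 0
    reasons: list = field(default_factory=list)
    action: str = "none"

def parse_line(line: str) -> Event:
    """SIEM normalization: one record shape regardless of which sensor produced it."""
    ts, source, rest = line.split(" ", 2)
    kv = dict(p.split("=", 1) for p in rest.split())
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return Event(when, source, kv.get("user", "-"), kv["host"], kv)

def ueba_check(ev: Event):
    """UEBA: successful login outside the user's learned hours (30 points, assumed weight)."""
    if ev.source != "auth" or ev.fields.get("result") != "success":
        return 0, None
    usual = LOGIN_BASELINE.get(ev.user)
    if usual is not None and ev.ts.hour not in usual:
        return 30, f"{ev.user} logged in at {ev.ts.hour:02d}:00 UTC, outside baseline hours"
    return 0, None

def ti_check(ev: Event):
    """TI enrichment: destination on the indicator list, scored at half the feed confidence."""
    ioc = ev.fields.get("dst") or ev.fields.get("domain")
    hit = THREAT_INTEL.get(ioc)
    if hit:
        return hit["confidence"] // 2, f"{ev.source} to {ioc} matches TI ({hit['tag']})"
    return 0, None

def edr_check(ev: Event):
    """EDR: an Office application spawning a script interpreter (40 points, assumed weight)."""
    office = {"winword.exe", "excel.exe", "outlook.exe"}
    interpreters = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
    if ev.source == "endpoint" and ev.fields.get("parent") in office \
            and ev.fields.get("process") in interpreters:
        return 40, f"{ev.fields['parent']} spawned {ev.fields['process']}"
    return 0, None

def playbook(alert: Alert) -> str:
    """SOAR: choose the automated response for a correlated alert (assumed policy)."""
    if alert.score >= 90 and any("matches TI" in r for r in alert.reasons):
        return "isolate-host+disable-user"
    return "open-ticket"

def correlate(lines, threshold: int = 60):
    """Correlate per host across all sensors; return alerts whose combined score reaches threshold."""
    per_host = {}
    for line in lines:
        ev = parse_line(line)
        alert = per_host.setdefault(ev.host, Alert(host=ev.host))
        if ev.user != "-":
            alert.user = ev.user
        for check in (ueba_check, ti_check, edr_check):
            points, reason = check(ev)
            if points:
                alert.score += points
                alert.reasons.append(reason)
    alerts = [a for a in per_host.values() if a.score >= threshold]
    for a in alerts:
        a.action = playbook(a)
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f"{a.host} ({a.user}) score={a.score} action={a.action}")
        for r in a.reasons:
            print("  -", r)
```

Run on the constructed sample, ws-17 collects evidence from all three sensors (off-hours login, Office-spawned PowerShell, flow to a TI-listed address) and crosses the threshold with a TI hit, so the playbook escalates to host isolation; ws-03 produces nothing. The design point is the one the post makes: no single sensor here is conclusive on its own, and the value comes from one platform holding the baseline, the indicators and the response logic next to the correlated telemetry.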

Anything else you’d want?

P.S. This raises a question: if SIEM really does get all of the above, what do we call it? Just SIEM? A better SIEM? An NG SIEM? Or something fancy with lots of cybers in the name?

Category: analytics  future  security  siem  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on What Is “SIEM+” Or “Can We Have A Cyber Defense Platform?”


  1. Cris says:

    In my opinion, SIEMs are just used (in my region: LATAM) for compliance purposes, and SOCs, which are supposed to operate the SIEMs, are not adding real value to the business beyond compliance.

    So why not just automate all the boring SOC compliance stuff into a SIEM and move beyond it to start supporting response capabilities more actively?

    • IMHO, in some regions SIEM is more popular for compliance use cases, and this is OK. Their choice. I’d say in this case a SOC is just unnecessary. SIEM for compliance is legit, SOC for compliance sounds like a huge money drain – just get an MSSP and pay them 1/10 of that for the same [=low :-)] quality of monitoring….

  2. Cris says:

    In my opinion, SIEMs are just used (in my region: LATAM) for compliance purposes, and SOCs, which are supposed to operate the SIEMs, are not adding real value to the business (beyond compliance).

    So why not just automate all the boring SOC compliance stuff into a SIEM and move beyond it to start supporting response capabilities more actively?

  3. Siddhant says:

    The word “Platform” seems apt :-)

  4. Chris Meenan says:

    Of course I might say this, but if we are talking next gen, and therefore something that’ll be around for many years to come, I think an open app/SDK framework is becoming a must. It’s the only way a SIEM (or any platform) can keep up with, and successfully deliver, ever-changing use cases and workflows.
    I agree on cloud delivery too, for similar reasons but with different challenges.




Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.