Contrary to what some “analytics” or “AI” vendors will have us believe, SIEM in 2018 is not the SIEM of our grandfathers. In 2002, when I was first initiated into the dark arts of SIEM, it was very different (it was called either SIM or SEM back in the B.C. era – that is, Before Compliance).
Indeed, SIEM has evolved! Well, to be honest, good SIEM vendors have evolved, and the shitty ones died, became zombies or remain stuck in the past (“we have 13,471 different compliance reports! we are the best!!”).
Now, here at Gartner we may or may not be working on a note defining “NG SIEM.” And, if we do, I don’t want to steal the authors’ thunder here, and … you know … reveal the score.
However, we do see SIEM technology nicely absorbing features of some related product categories, and hence evolving into an integrated “cyber” defense platform of sorts. SIEM has largely eaten the UEBA, and has been biting chunks out of SOAR as we speak by building more workflow and orchestration features. Also, SIEM has been expanding into NTA (by collecting L7 traffic metadata) and perhaps a bit into EDR (just as EDR itself has been collapsing into the maelstrom of EPP).
So, what may possibly be included in such a platform? Personally, I think some mix of these:
- A good SIEM (for sure!)
- A good UEBA/analytics with workable ML
- A decent SOAR feature set for workflow and orchestration
- Scalable backend for real-time and historical analysis (because data volumes in 2018 are way, way, way larger than in 2002)
- Network traffic data collection and analytics (some NTA feature set)
- Endpoint sensing and analysis (some EDR feature set)
- Solid threat intel integration and TI-enablement throughout the platform
- Perhaps, cloud delivery?
Anything else you’d want?
P.S. This raises a question: if SIEM really does get all of the above, what do we call it? Just SIEM? A better SIEM? An NG SIEM? Or something fancy with lots of cybers in the name?
Some of the related posts about SIEM:
- Can You Do a SIEM-less SOC?
- SIEM Alternatives? What Are They? Do They Exist?
- Next Research: SOC, SIEM, and Again Overall Detection and Response
- Let’s Define “SIEM”!
- Is SIEM The Best Threat Detection Technology, Ever?
- The Coming UBA / UEBA – SIEM War!
- UEBA Shines Where SIEM Whines?
- SIEM or Log Management?
- SIEM Future: A UEBA Path or An MDR Way?
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
8 Comments
Some call SOAPA?
https://www.csoonline.com/article/3145408/data-protection/goodbye-siem-hello-soapa.html
Well, I am, frankly, not a fan of this. I think pretending that this is a grand new thing and not an improved SIEM is counter-productive.
In my opinion SIEMs are just used (in my region: LATAM) for compliance purposes, and SOCs, which are supposed to operate the SIEMs, are not adding real value to the business beyond compliance.
So why not just automate all the boring SOC compliance stuff into a SIEM and move beyond it to start supporting response capabilities more actively?
IMHO, in some regions SIEM is more popular for compliance use cases, and this is OK. Their choice. I’d say in this case a SOC is just unnecessary. SIEM for compliance is legit, SOC for compliance sounds like a huge money drain – just get an MSSP and pay them 1/10 of that for the same [=low :-)] quality of monitoring….
The word “Platform” seems apt 🙂
Of course I might say this, but if we are talking next gen, and therefore something that’ll be around for many years to come, I think an open app/SDK framework is becoming a must. It’s the only way a SIEM (or any platform) can keep up with, and successfully deliver, ever-changing use cases and workflow.
I agree, cloud delivery also for similar reasons, but different challenges.
Thanks for the comment Chris. IMHO, API/open platform is NOT the future. It is the present for good SIEMs. Your arguments are 100% correct, IMHO, but not your timing 🙂