Contrary to what some “analytics” or “AI” vendors will have us believe, SIEM in 2018 is not the SIEM of our grandfathers. In 2002, when I was first initiated into the dark arts of SIEM, it was very different (it was called either SIM or SEM back in the B.C. era – that is, Before Compliance).
Indeed, SIEM has evolved! Well, to be honest, good SIEM vendors have evolved, and the shitty ones died, became zombies or remain stuck in the past (“we have 13,471 different compliance reports! we are the best!!”).
Now, here at Gartner we may or may not be working on a note defining “NG SIEM.” And, if we do, I don’t want to steal the authors’ thunder here, and … you know … reveal the score.
However, we do see SIEM technology nicely absorbing features of some related product categories, and hence evolving into an integrated “cyber” defense platform of sorts. SIEM has largely eaten the UEBA, and has been biting chunks out of SOAR as we speak by building more workflow and orchestration features. Also, SIEM has been expanding into NTA (by collecting L7 traffic metadata) and perhaps a bit into EDR (just as EDR itself has been collapsing into the maelstrom of EPP).
So, what may possibly be included in such a platform? Personally, I think some mix of these:
- A good SIEM (for sure!)
- A good UEBA/analytics with workable ML
- A decent SOAR feature set for workflow and orchestration
- Scalable backend for real-time and historical analysis (because data volumes in 2018 are way, way, way larger than in 2002)
- Network traffic data collection and analytics (some NTA feature set)
- Endpoint sensing and analysis (some EDR feature set)
- Solid threat intel integration and TI-enablement throughout the platform
- Perhaps, cloud delivery?
Anything else you’d want?
P.S. This raises a question: if SIEM really does get all of the above, what do we call it? Just SIEM? A better SIEM? An NG SIEM? Or something fancy with lots of cybers in the name?
Some of the related posts about SIEM:
- Can You Do a SIEM-less SOC?
- SIEM Alternatives? What Are They? Do They Exist?
- Next Research: SOC, SIEM, and Again Overall Detection and Response
- Let’s Define “SIEM”!
- Is SIEM The Best Threat Detection Technology, Ever?
- The Coming UBA / UEBA – SIEM War!
- UEBA Shines Where SIEM Whines?
- SIEM or Log Management?
- SIEM Future: A UEBA Path or An MDR Way?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.