Gartner has been a thought leader in the SIEM space for the last few years. Gartner’s Magic Quadrant is considered one of the top market research reports on SIEM’s capabilities and vendors. Very recently, I attended the 2019 Gartner Security & Risk Management Conference, and based on thousands of conversations Gartner has had with their clients, they have a good vantage point on the SIEM space this year.
My interpretation of all the sessions that I attended on the Security Analytics/ SIEM track can be summarized into three main groups.
1. SaaS and Cloud SIEM is making SIEM relevant again
The top challenges of SIEM were around its architecture, deployment, complexity, and manageability. It took up to 18 months in some instances to install SIEM fully and almost 50% of the deployments failed. Many of these challenges were associated with the management of SIEM software/appliance. These were the same reasons why customers are moving to the public cloud such as AWS/Azure/GCP. The SIEM being moved to the cloud, especially as a multi-tenant, cloud service, eliminates the burden of installation, management, upgrades, patches, hardware refreshes, configurations, and many more management tasks.
2. Leverage ‘as-a-service’ SIEM model
One of the recommendations was to consume SIEM via ‘as-a-service’ models. The various options presented were SaaS, Managed Detection and Response (MDR)/Managed Security Service Provider (MSSP)/Managed Endpoint Detection and Response (MEDR), co-managed SIEM, or Security Operations Center (SOC) as a service.
Each has its pros and cons, and SaaS can be a great option to replace every other SIEM model except if you are not planning to outsource it (MDR/MSSP). In some of the MDRs, even the core tech is usually built on SaaS SIEM to make things easier for both providers and the customers.
The reasons mostly depend on your use cases, type of network, your security stack, what you want to get out of your SIEM or security solutions, and your risk appetite. Looking for a SaaS SIEM that supports various CISO/CIO strategies would be a good choice. Typically these strategies include but are not limited to cloud-first, cloud-native, defense-in-depth, and multi-cloud initiatives.
3. SIEM stack consists of UEBA, SOAR, and Application stack monitoring capabilities
It was noted that 75% of the customers today already have a cloud-first strategy. It is also recommended to move the security analytics/SIEM to the cloud first. Gartner research said that almost 80% of SIEM by 2020 will have a stack of solutions. This includes user and entity monitoring capabilities, modern application stack monitoring, and automated incident response through webhooks, playbooks, or integrations with SOAR.
How does Sumo Logic fit into this trend?
Sumo Logic is a Cloud SIEM. It is born in the cloud and is delivered as a cloud-based multi-tenant service that needs no hardware, software, OS, updates, patches, or operations. There is no installation. You simply sign up and point your log sources to Sumo, and dashboards will start lighting up in minutes.
We have 200+ apps with built in dashboards and queries to get you started. We have over 5500 queries that you can modify and create use cases for any source, any vendor in minutes. Sumo is a massive secure data lake where you can pump in logs at hundreds of TB/day and perform analytics without delay. Our customers don’t need any capacity planning and we scale up and down in minutes.
Sumo Logic Cloud SIEM consolidates security findings from all three public cloud company security centers such as AWS Security Hub, GCP SCC, and Azure Security. We have connectors to collect from any source, device, or log types. Sumo Logic provides full stack hybrid and multi-cloud security all using a single tool.
