
May 10, 2016 By Mark Bloom

SIEM: Crash and burn or evolution? You decide.

SIEM history: Is SIEM dead?

Often, when I present at conferences around the country, people ask me, “Is SIEM dead?” Such a great question! Has the technology reached its end of life? Has SIEM crashed and burned? I think the answer to that question is no. SIEM is not dead; it has just evolved.


History of SIEM

SIEMs, unfortunately, have struggled to keep pace with the security needs of modern enterprises, especially as the volume, variety, and velocity of data have grown. SIEMs have also struggled to keep pace with the sophistication of modern-day threats. Malware 15 years ago was static and predictable. But today’s threats are stealthy and polymorphic. Furthermore, the reality is that few enterprises have the resources to dedicate to the upkeep of SIEM, and the use of SIEM technology to address threat management has become less effective and waned. Gartner Analyst Oliver Rochford famously wrote, “Implementing SIEMs continues to be fraught with difficulties, with failed and stalled deployments common.”(1)

In Greek mythology, a phoenix (Greek: φοῖνιξ phoinix; Latin: phoenix, phœnix, fenix) is a long-lived bird that is cyclically regenerated or reborn. Associated with the sun, a phoenix obtains new life by arising from the ashes of its predecessor.


Phoenix rising from the SIEM ashes

The SIEM ashes are omnipresent, and security analytics is emerging as the primary system for detection and response.

Deconstructing SIEM

Although we use the term SIEM to describe this market, SIEM is made up of two distinct areas:

  1. Security Information Management (SIM) deals with the storage, analysis and reporting of log data. SIM ingests data from host systems, applications, networks, and security devices.
  2. Security Event Management (SEM), on the other hand, processes event data from security devices, network devices, systems, and applications in real time. It deals with the monitoring, correlation and notification of security events generated across the IT infrastructure and application stack.

Folks no longer distinguish between these two areas and use “SIEM” to describe the market category. However, it’s important to note what you are trying to accomplish and which problems you are trying to solve with these solutions.
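To make the SIM/SEM distinction concrete, here is a small added example (not code from the original post or from Sumo Logic): the same constructed log lines are fed to a SIM-style function that stores events and produces a summary report, and to a SEM-style function that evaluates events in arrival order against a correlation rule and raises alerts. The log format, field names, the brute-force rule and its threshold are assumptions made for this illustration.

```python
"""Toy SIM vs SEM illustration over constructed log lines.

sim_report()  - SIM side: normalise and store events, then report counts.
sem_stream()  - SEM side: correlate events as they arrive and emit alerts.
Format, field names and rule thresholds are assumptions for this example.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like key=value). Not real data.
SAMPLE_LOGS = [
    "2016-05-10T09:00:01 host=web01 src=203.0.113.7 event=auth_fail user=admin",
    "2016-05-10T09:00:05 host=web01 src=203.0.113.7 event=auth_fail user=admin",
    "2016-05-10T09:00:09 host=web01 src=203.0.113.7 event=auth_fail user=admin",
    "2016-05-10T09:00:12 host=web01 src=203.0.113.7 event=auth_fail user=admin",
    "2016-05-10T09:00:15 host=web01 src=203.0.113.7 event=auth_fail user=admin",
    "2016-05-10T09:00:20 host=web01 src=203.0.113.7 event=auth_ok user=admin",
    "2016-05-10T09:01:00 host=db01 src=198.51.100.4 event=auth_fail user=dba",
    "2016-05-10T09:05:00 host=db01 src=198.51.100.4 event=auth_ok user=dba",
    "2016-05-10T09:06:00 host=fw01 src=192.0.2.9 event=port_scan ports=22,80,443",
]


def parse_line(line):
    """Normalise one 'key=value' log line into a dict; the timestamp is parsed."""
    ts, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def sim_report(lines):
    """SIM: store every normalised event and report counts per host and event type."""
    store = [parse_line(line) for line in lines]
    counts = Counter((e["host"], e["event"]) for e in store)
    return {f"{host}:{ev}": n for (host, ev), n in sorted(counts.items())}


def sem_stream(lines, threshold=5, window=timedelta(seconds=60)):
    """SEM: correlate events in arrival order and return alerts.

    Assumed rule: `threshold` or more auth_fail events from one source
    inside `window`, followed by an auth_ok from the same source, raises a
    'brute_force_success' alert. A port_scan event becomes a one-event alert.
    """
    recent_fails = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in lines:
        e = parse_line(line)
        src = e.get("src")
        q = recent_fails[src]
        # Expire failures that fell outside the correlation window.
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["event"] == "auth_fail":
            q.append(e["ts"])
        elif e["event"] == "auth_ok":
            if len(q) >= threshold:
                alerts.append({"rule": "brute_force_success", "src": src,
                               "host": e["host"], "user": e.get("user"),
                               "failures": len(q), "ts": e["ts"].isoformat()})
            q.clear()  # a successful login closes the failure sequence
        elif e["event"] == "port_scan":
            alerts.append({"rule": "port_scan", "src": src,
                           "host": e["host"], "ts": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    print("SIM report:")
    for key, n in sim_report(SAMPLE_LOGS).items():
        print(f"  {key:20} {n}")
    print("SEM alerts:")
    for alert in sem_stream(SAMPLE_LOGS):
        print("  ", alert)
```

The SIM function answers "what happened, how often, on which host" after the fact; the SEM function answers "is something happening now" by holding only the state the rule needs (recent failures per source) and deciding on each event as it arrives. The five failures from one address followed by a success trigger the brute-force alert, while the single failure and later success on db01 do not, because the window has expired.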

Why do we care about SIEM?

One could easily dismiss these solutions outright, but the security market is huge – $21.4B in 2014, according to our friends at Gartner. And the SIEM piece alone reached $1.6B last year.

According to 451 Research, the security market has around 1,500-1,800 vendors broken down into several main categories across IAM, EPP, SIEM, SMG, SWG, DLP, Encryption, Cloud Security, etc. Within each of these main categories, there are numerous subcategories.

[Figure: Security Taxonomy Sector Mapping (security landscape)]

And despite the billions of dollars invested, current security and SIEM solutions are struggling to keep the bad guys out. Whether cyber criminals, corporate spies, or others, these bad actors are getting through.

The Executive Chairman and former CEO of Cisco Systems famously said, “There are two types of companies, those who have been hacked and those who have no clue.” Consider that the median number of days before a breach is detected exceeds 6 ½ months and that the percentage of victims notified by external third parties is almost 70% (3). People, indeed, have no clue! Something different is needed.

Additional SIEM resources

Find out how Sumo Logic helps deliver advanced security analytics without the pain of SIEM

Sign up for a free trial of Sumo Logic. It’s quick and easy. Within just a few clicks, you can configure streaming data and start gaining security insights into your data in seconds.

Mark Bloom runs Product Marketing for Compliance & Security at Sumo Logic. You can reach him on LinkedIn or on Twitter @bloom_mark

Sources

(1) Gartner: Overcoming Common Causes for SIEM Deployment Failures, by Oliver Rochford, 21 Aug 2014

(2) Forrester: Evolution of SIEM graph, taken from Security Analytics is the Cornerstone of Modern Detection and Response, December 2015

(3) Mandiant M-Trends reports
