When I started focusing on the security market 14 years ago, the SIEM market was a burgeoning market populated by vendors such as CA, e-Security, Intellitactics, and NetForensics.
In the intervening timeframe, the SIEM market has grown, thrived, and changed every few years. SIEM started as a central repository for event correlation for perimeter security devices. It then morphed into a reporting engine for governance and compliance. In a subsequent phase, SIEM became more of a query and log management tool for security analysts.
Fast forward to 2016 and SIEM has taken on a much bigger scope – an enterprise software platform that anchors security operations centers (SOCs). In this role, SIEM platforms can also include:
- Security analytics. Beyond basic security data management and correlation rules, SIEM platforms are being outfitted with the latest machine learning technologies. For example, RSA Security is building algorithms on top of its old enVision and NetWitness offerings while Splunk purchased and integrated Caspida for user behavior analytics (UBA). Other SIEMs integrate with third-party analytics from vendors like Prelert or Sqrrl.
- Network and host security monitoring. Many SIEM platforms can amalgamate NetFlow or PCAP data with standard log file analysis. IBM and LogRhythm now offer this functionality while others can accept feeds from third-party products like Lancope (Cisco) or Solera (Blue Coat/Symantec). Oh, and some vendors also extend their monitoring capabilities to host systems as well, either with homegrown capabilities or integration with third-party tools like Carbon Black, CounterTack, Guidance Software, or Crowdstrike.
- Threat intelligence integration. All SIEMs do this to some extent as it is becoming a requirement. For example, McAfee offers its threat intelligence exchange (TIE) middleware to integrate all types of threat intelligence with its SIEM.
- An application platform architecture. Some SIEM vendors see themselves as a nexus for all types of security applications by providing data and offering APIs for interoperability. Splunk is the king here but IBM’s App Exchange seeks to level the playing field.
- An incident response control center. As a security data hub, it’s only natural that SIEM would have a big role in investigations and remediation. Some SIEM vendors are moving beyond analysis alone and are building in tools for IR workflow as well. IBM acquired Resilient for this purpose but LogRhythm (SmartResponse) and Splunk (Adaptive Response) are also onboard.
In aggregate, these new capabilities really mean that SIEM platforms must be built for enterprise requirements like scalability, central command-and-control, role-based access control, distributed data management, etc. These requirements tend to eliminate startups and fringe vendors from consideration, though there is an opportunity for managed security service providers (MSSPs) like BT, SecureWorks, Symantec, or Unisys to provide some or all of these capabilities as a managed service.
One final point: With SIEM being true enterprise software, large organizations are extremely careful about technical capabilities AND their vendors’ financial situations. This point is noteworthy given the current state of the market: HP sold off ArcSight, Intel spun out McAfee, and Dell acquired RSA through EMC.
In essence, three major SIEM providers are in a “show me” state and must now demonstrate that they remain committed to technical innovation and customer support while their companies proceed through financial gymnastics. Any missteps will send nervous customers elsewhere.