Security Operations, Content, Security Program Controls/Technologies

Why SIEM Remains An Enterprise Security Architect Requirement

Author: Jon Oltsik

I recently posted a blog about changes in cybersecurity technology procurement at enterprise organizations. According to ESG research, enterprises are consolidating the number of cybersecurity vendors they do business with and purchasing security products designed for integration.

Eventually, CISOs will buy more products from fewer vendors, leading to the rise of a few enterprise-class cybersecurity technology vendors that dominate the space. These vendors will offer tightly integrated cybersecurity technology architectures that span across applications, host systems, networks, and cloud-based assets, offering capabilities for threat analysis/investigations as well as prevention, detection, and response.

Of course, security analytics and operations have long been the domain of security information and event management (SIEM) software. Does this mean that SIEM must be part of an enterprise-class cybersecurity technology architecture?

Where SIEM Fits In to Enterprise Cybersecurity

To find out, ESG asked a panel of 176 cybersecurity and IT professionals working at enterprise organizations (i.e., 1,000 employees or more) the following question: How important is a SIEM as part of an enterprise-class security architecture or platform? As it turns out, 48% say SIEM is a very important part of an enterprise-class security architecture while 45% believe it is important. Furthermore, 90% of respondents believe that offering a SIEM is really a requirement for any technology provider classified as a true enterprise-class cybersecurity vendor.

Here’s my take on this data:

  1. The ESG research suggests to me that enterprise cybersecurity tactics and strategy are increasingly driven by data analytics. In other words, enterprises are collecting, processing, analyzing, and responding to more and more security data from a growing diversity of sources. Given this, SIEM and/or other security analytics tools assume a starring role in a hub-and-spoke architecture that extends from security analytics to policy management and enforcement controls deployed across the network.
  2. The world of cybersecurity analytics and operations is in a state of innovative flux, and ESG believes that individual capabilities will come together to form an integrated security operations and analytics platform architecture (SOAPA) over the next few years. Given this trend, I believe that enterprise-class cybersecurity vendors don’t necessarily need a SIEM software offering. Instead, they need leading security analytics and operations tools, SOAPA reference architectures, and strong SIEM partners.
  3. SIEM functionality extends to other areas like threat intelligence analytics, network security analytics, EDR, UEBA, incident response automation and orchestration, etc. Enterprise-class cybersecurity vendors will really have to play in all these areas with products of their own or with tight integration with products from ecosystem partners. There is also tremendous innovation happening in all areas of cybersecurity analytics and operations, so look for lots of M&A activity over the next 12 to 18 months. Additionally, look for continuing integration of open source technologies—HDFS, Spark, Elasticsearch, etc.
  4. AlienVault and LogRhythm represent very attractive acquisition targets for vendors lacking a SIEM.
  5. Every technology provider vying to become an enterprise-class cybersecurity technology vendor will partner with Splunk because of its existing enterprise installed base—even those that offer a SIEM of their own.
  6. IBM and McAfee have a SIEM platform, making them well positioned to assume a role as enterprise-class cybersecurity technology vendors.
  7. While SOAPA will take some time to become established in large enterprises, there is a tremendous opportunity for offering an end-to-end SOAPA portfolio (of products and services) to mid-market and small enterprise customers. Vendors like Symantec and Trend Micro have a great opportunity here.

No one will coronate anyone as an enterprise-class cybersecurity technology vendor just because they offer a SIEM or work with leading SIEM providers. Rather, each and every vendor will have to earn this position with best-of-breed products, tight SOAPA integration, strong services, and a commitment to holding customer hands during this transition. This effort will separate those truly committed to enterprise-class cybersecurity technology from those still slinging products and marketing rhetoric.

Jon Oltsik is an ESG senior principal analyst and the founder of the firm’s cybersecurity service. Read more ESG blogs here.