Security information and event management (SIEM) systems first appeared around 2000 from vendors like Intellitactics, NetForensics, and eSecurity. The original functionality centered around event correlation from perimeter security devices like IDS/IPS and firewalls.
The SIEM market evolved over the past 19 years, with different vendors, functionality, and use cases. SIEM has also grown into a $2.5 billion-dollar market, dominated by vendors like Splunk, IBM, LogRhythm, and AT&T (AlienVault).
Despite the SIEM evolution, today’s products can be seen as super-sized versions of those of yesteryear. In fact, the original design of SIEM seemed like a knockoff of network and systems management tools CA Unicenter, HP OpenView, and IBM Tivoli. SIEM products were based upon a tiered architecture of distributed data collectors/indexers/processors, and a central database used for data analytics, visualization, and reporting.
As SIEM scaled, organizations needed more and more hardware tiers to maintain performance and scale. This has led to a situation where SOC personnel focused on activities like threat detection, incident response, forensic investigations, etc., are dependent upon SIEM infrastructure teams responsible for upgrading hardware, load balancing servers, adding storage capacity, etc.
In 2019 (happy new year, dear readers), the security analytics/operations technology model is in the midst of a massive architectural shift. Over the next few years, the SIEM back-end will migrate from on-premises servers to public cloud infrastructure. I firmly believe that by the end of 2020, even organizations with dogmatic on-premises biases in industries like financial services, government, and military equipment manufacturing will eschew on-premises SIEM in favor of cloud-based alternatives.
This transition has already started and will progress rapidly due to changes on the demand and supply side. CISOs will seek out cloud-based SIEM solutions because of:
- Massive growth in security data. According to ESG research, 28% of organizations collect, process, and analyze substantially more security data than they did 2 years ago, while another 49% collect, process, and analyze somewhat more security data. What types of data are behind this growth pattern? Cyber threat intelligence (CTI), network packet capture, cloud logs, business application logs, you name it. Continuous security data growth equates to more infrastructure, more personnel, and more operational tasks.
- Higher software costs. Aside from infrastructure and staffing costs, some SIEM vendors base their pricing on the amount of data under management. I’ve heard CISOs complain that it’s not unusual for them to blow through a 3-year SIEM budget in a year.
- Unacceptable tradeoffs. Given the capacity-based pricing of SIEM software, many organizations are forced to ignore or purge valuable security data that they would otherwise collect and analyze. No security analyst wants to do this. Another common cost avoidance strategy is to supplement SIEM with some type of open source-based data lake for retrospective and longer-term investigations. While this can reduce SIEM software costs, it creates interoperability and basic operations challenges as the security staff pivots back-and-forth from SIEM to data lake while managing two sets of security technology infrastructures.
- The cybersecurity and IT skills shortages. With an acute shortage of skilled personnel available, CIOs and CISOs must ask themselves whether they really want to hire and retain personnel dedicated to the care and feeding of networks, servers, and storage devices.
For CISOs, cloud-based SIEM can help overcome all these issues.
As for the supply side, vendors see burgeoning market opportunities and will push cloud-based SIEM into the market in several ways:
- Traditional SIEM vendors see cloud upside. While they don’t talk much about it, SIEM leaders IBM and Splunk are already seeing much faster growth rates for cloud-based deployments of their products. This will continue.
- Startups are all about the cloud. The latest round of security analytics/operations vendors like DEVO, Empow Cybersecurity, and JASK have embraced a cloud-based back-end designed for data pipelining, processor-intensive machine learning algorithms, and massive scale. We’ll likely see several more newbies in 2019.
- The CSPs are jumping in. Amazon, Google, and Microsoft own globally distributed cloud-based infrastructure and are investing heavily in artificial intelligence/machine learning, so the cybersecurity analytics use case represents a perfect opportunity that aligns with their technology investments. These firms are already making the move: Google/Alphabet has announced its security analytics intentions with Chronicle. Amazon acquired Sqrll and hinted at a bigger security analytics/operations play at Re:Invent. Microsoft remains tight lipped about its security analytics/operations plans but some of its recent announcements suggest that Redmond will join the fray in 2019.
In my humble opinion, the writing is on the wall – security analytics/operations is a big data application, and big data applications are moving to the cloud. CISOs who still distrust the public cloud must face this fact. They will either figure out how to peacefully coexist with cloud-based cybersecurity analytics/operations or be left in the dust.