Analyst Chat

Analyst Chat #111: From SIEM to Intelligent SIEM and Beyond

A comprehensive cybersecurity strategy typically includes the use of modern, intelligent Security Information and Event Management (SIEM) platforms. These go far beyond simply aggregating and analyzing log files. Alexei Balaganski outlines the latest market developments based on his recently published Leadership Compass on "Intelligent SIEM Platforms" and, together with Matthias, explains the differences from other market segments.

Welcome to this KuppingerCole Analyst Chat, I'm your host. My name is Matthias Reinwarth, I'm Senior Analyst and Lead Advisor with KuppingerCole Analysts. My guest today is again Alexei Balaganski. He's a Lead Analyst in the areas of cybersecurity and beyond. And it's great to have you back. Hi, Alexei.
Hello Matthias. Great to be back on the podcast again.
Great to have you, and this time it's for the reason that you have just published a new research document, a Leadership Compass around the topic of intelligent SIEM platforms. So this is really interesting, because this is a new topic; I have not yet seen such a document from our side. What does intelligent SIEM mean? What is that market segment?
Yeah. You are kind of at the same time right and wrong about this topic being new. Well, it is the first for me, definitely, and for KuppingerCole, but SIEM products themselves have existed for almost 20 years now. And in fact, I've heard so many times people just saying: SIEM is dead. Which, of course, we absolutely do not agree with. And this is why we have a really interesting and sometimes even kind of slightly controversial and a little bit exciting, I would even say, coverage of this area, and this is why we are discussing this result today. But yes, you're right, the question was: what is SIEM anyway? So, SIEM stands for Security Information and Event Management, and back then, 20 years ago, the first generation SIEM tools basically were glorified log management solutions. The idea was you set up a large database where you put all your log files from your applications, servers, network devices and so on, and you run some kind of rule system to detect if something bad is going on. For example, if you set up a rule to catch all IP addresses from China, you could alert someone that there's someone from China who is accessing your system. In that regard, those old school SIEMs, of course, are long dead. Absolutely no doubt about that. But SIEM as a rather reinvented, many times upgraded and modernized idea, those tools still exist, and this is what we are covering in our essay.
Right, and what does "intelligent" then mean in that context? What is the added intelligence to that SIEM? As you've described it: just log management, just rules, just very traditional technology. Intelligence sounds promising, better?
Well, the biggest problem with those old school SIEMs was the amount of alerts they generated. If basically you just have a simple rule which will alert you on every access from China, you would drown in those alerts. And nowadays it's even more relevant, because a typical company, not even a large one, has to run a SOC or security operations center. They would have those alerts coming in somewhere, probably in a war room with large screens and stuff like that. And if you let an old school SIEM operate in that room, it would just ring all the time, because there would be thousands of alerts generated every minute. And the biggest challenge, of course, is that you simply won't have enough analysts to react to every one of those alerts. One of the biggest changes modern tools had to implement was some kind of automation, some kind of intelligence to suppress like 99% of those false alerts and only let analysts concentrate on the ones that really matter.
Right, so just a quick side question. When we're talking about the intelligence of the system being provided and also supporting the analyst in finding the right information in there, is this something that, and we see that trend everywhere, is also increasingly delivered from the cloud? Is this something where the power is then available so you don't have to run it yourself? So are different deployment models now available, and is this a trend as well?
Well, I actually hear two different questions in your question, Matthias. The first one we can just quickly address. So yes, absolutely, running any security tool in the cloud is a huge trend nowadays, simply because everyone needs security and not everyone has the skills and the budgets and capabilities to actually run the whole thing themselves. So yes, every modern SIEM tool, or like 95%, probably all of the solutions we have covered, do offer a "SIEM as a service" solution available from the cloud. And the other part I would actually like to address separately is: where does this automation come from? And of course, it comes from AI, machine learning, if you will. It's an extremely popular buzzword nowadays. You know, everything is now done by artificial intelligence, including SIEMs. And of course, you have to understand that not every AI is created equal, and whenever you are actually trying to understand whether this particular tool is really as automated as promised, don't just look for the "AI" label. You actually have to understand exactly which tools, which methods, which solutions they have to offer you. For example, the simplest method of using AI is basically filtering out those noisy false positives. For example, you would just run some kind of anomaly detection engine, which would throw away all the things which are irrelevant, the outliers, or instead would only look for the proper anomalies. Again, what if, for example, users typically work from nine to five, but suddenly one of the users is accessing your system during the night time? Maybe it's a hacker operating from a different time zone. This is the kind of anomaly that we'd look for. But of course, that's not intelligent enough for us. I would say the next level of intelligence would be that the system can actually support your decision making.
So instead of just giving you an alert that something bad has happened, it would at least tell you that it actually looks like ten different alerts you had last month. So maybe you just quickly go back and look at what you decided back then, and you can just reuse the same decision this time. And some companies go even further: they would just give you a single button to click. Kind of an advisor, like Alexa for cybersecurity, if you will. But even higher than that, I would say, the ultimate level of cybersecurity information is autonomous threat mitigation. Basically, then you don't have to involve any humans at all. The system would detect a threat automatically. It would analyze it and understand what is actually happening by using some frameworks like MITRE ATT&CK, for example. It won't just detect that someone is actually hacking you from China; it would actually understand that yes, they're using a specific kind of malware, and the right way to mitigate it is to block a specific port on your firewall, for example. Then it would reach out to the firewall and block it automatically. It's kind of the ultimate level of security information that we're looking at in this report, and I have to say, we do have some really interesting developments in that area.
Right, this really sounds interesting, so automated mitigation sounds like the silver bullet when it comes to providing cybersecurity solutions. But when you looked at these products as part of this Leadership Compass, you need to have a list of capabilities that these products implement, do not implement, or only implement at a basic level. What are typical functionalities apart from gathering information and applying this matching and AI/machine learning for identifying the obvious outliers? What other functionalities do you look at and require these vendors and these products to provide? What are the key functionalities?
Well, the key functional areas that we're looking for are obviously that the solution has to be able to collect and store all those security events from as many sources as possible. Not just from log files, but from any endpoint, server, application, networking device or just network flows. Where you cannot deploy an agent, you can at least see the traffic and extract some events from it directly. And of course, from the cloud, APIs or some kind of third party integration. And this solution has to be able to actually make sense of this, so to run some kind of cross-correlation between those data in real time. And this is where machine learning comes into play. Because, as opposed to quote-unquote old school SIEMs which basically operated as a historical tool, so basically it would let you know that something bad has happened, maybe last week. Modern tools should be able to do it in real time, to analyze an attack as it's happening now. And then, of course, they have to provide rich alerting and reporting capabilities, to not just tell you that something bad has happened but actually give you an overview. What exactly has happened? Who is involved or which systems are affected, and who do you have to alert, or are there any legal consequences? For example, if it's a data breach, maybe it should even automatically involve automated reporting of the breach to a specific agency. What about compliance? Can you, for example, give me a brief overview of how well our company is protected today as opposed to last month, in terms of compliance, for example? Well, lots of other, less technical and more business-focused, more like KPI-oriented reporting capabilities. Of course, a huge part of... it's not just detecting an attack, but also doing a forensic investigation and managing the incident from start to finish.
Well, yes, you have to be able to understand exactly, like, what has happened, what kind of event triggered a specific sensor, how it was unfolding, are there any other artifacts to be analyzed, and so on and so forth. So basically, it's some kind of sophisticated ticketing system for tracking and analyzing security incidents.
And finally, a modern SIEM tool just cannot work in a vacuum; it has to be integrated into many different systems you have around, including both security tools and, of course, every other tool which can send you a log file or any kind of security telemetry. And this is where it actually becomes interesting, because as SIEM tools continue to evolve and to incorporate more and more integrations, we see kind of the boundaries blurring between SIEM as an old school way to implement security intelligence and the newer, the modern one, XDR. And basically, one of the interesting situations we observe currently in the market is that some SIEM vendors basically rebrand their solution into an XDR tool. And although we are planning a separate report on that topic, I'm not even sure whether the overlap would be big enough next year, for example.
Right, so we already had this episode about what XDR is and why, and we already looked at that aspect, and you see that in the market even more accelerating when it comes to rebranding, redesigning the solutions and getting more complicated, more complex and more comprehensive. When we look at such a Leadership Compass, of course, it's interesting to look at these leadership charts and to look at the upper right corner and which products are there. But in general, from the market that you've looked at, how good are the products in general? And maybe you can also mention some of the leaders and how they performed and what the companies behind them look like?
Yeah. So, as I just mentioned, there is this kind of convergent evolution, basically. The requirements for a... let's call it a general purpose security intelligence platform are evolving. A modern security intelligence platform has to be able to analyze cloud, network traffic, applications and stuff like that. And of course, endpoint telemetry as well. So those old school, the traditional, the long-standing veteran vendors in this area are incorporating more and more of those capabilities from their existing tools. But on the other hand, we have totally new startups, which appear without all those decades of technical debt, and they design their systems completely from scratch, running on different architectures. But they do the same in the end: they collect and analyze security telemetry from whatever they can reach, they run some cross-correlation, they filter out false alerts, and then they give recommendations on how to deal with those detected threats, right? Well, some companies still call their solutions SIEMs. Others call them XDRs. And there are even vendors which offer you both at the same time. You just have to decide. And exactly this situation is reflected in our "Overall Leaders". For example, in the first position, the overall leader in our Leadership Compass is IBM with their QRadar solution, which is probably one of the longest available, true veteran SIEM solutions on the market. The history goes back like 20 years. But as we just learned recently, IBM is actually now rebranding their whole security intelligence platform as an XDR tool, while their SIEM will become just a subset of that new fancy XDR offering. Which, of course, absolutely does not invalidate our findings, because it's still a really robust and battle-tested SIEM solution. And again, you don't have to look at the label, you have to look at the capabilities.

For example, the second leader is Securonix, which also is a pretty solid and veteran vendor in this area, but they started much later, so they have a much more modern and flexible and open architecture of a security intelligence solution, which makes them able to offer you a whole set of different specialized or general purpose solutions. Whether you want to just have a SIEM or an XDR or a data lake to run some third party analysis on the findings, they have it all covered. In the third place, we have Microsoft, which is actually a really amazing newcomer in this market, because although Microsoft Sentinel, their SIEM solution, was probably built no more than like a couple of years ago, it already has more customers than any other company in our rating, and they are an undisputed market leader, and they also have the third position in our overall rating. And finally, there is one more company I wanted to mention, which is Gurucul, which is a really small company that very few people know even exists, which I personally find totally unfair, because they were the true pioneers in this area; they're probably one of the first companies on the market which even had the idea to make a SIEM intelligent, to make a security analytics platform actually automated. So, even all those overall leaders indicate how fragmented and evolving and changing the SIEM market is, so it's a really fascinating observation.
Right. So it's really a diverse market, as you said. So this is also a market where new starters can position themselves with the right functionality in comparison with the big ones. And you've mentioned IBM and Microsoft, and these are, of course, the big ones. Microsoft and its strategy in the cloud, of course, gaining traction through many of their existing customers. If you look at this Leadership Compass and if you look back, any surprises that you've met before we close down, something that struck you when you did this assessment of these vendors?
Well, as I mentioned earlier, I guess probably one of the biggest surprises I had is like how many companies actually no longer differentiate between SIEM and XDR. I've even heard one vendor say that, telling me, basically like, yeah, but what is a SIEM if not XDR with an extra data lake? Which on one hand totally makes sense. But on the other hand, it actually, I mean, the whole history shows that it has evolved the other way around. I would say XDR is then a SIEM without a data lake. But this distinction itself won't make much sense any longer, because as I mentioned, more and more vendors basically offer you both technologies in a single flexible package where you can decide: do you want to pay extra money for a data lake, or do you not care about it? And if you don't, you're probably making a mistake, because it's a huge factor for doing compliance properly. It's up to you to decide, you have the choice, and all those different technologies basically emerge to become just different labels on the same technology stack.
Right, and we've just mentioned four of the vendors; you've covered 13, plus the vendors to watch. So identifying the right solution for an individual company goes far beyond just looking at the upper right corner of such a graph. And for those who are interested in learning more about the individual offerings and how they position themselves, where they are really good and where they are not that much focused on, all of those who are interested in that, I would really recommend going to our website and having a look at this Leadership Compass by getting a test subscription or using an existing subscription, and fetching Alexei's document to have a look at that interesting market and, as we have learned, absolutely evolving market, and let's see how that will be continued in further editions and versions of Leadership Compasses in our research. Any final words that you want to add before we close down, Alexei?
So, first of all, yes, absolutely. I encourage everyone to go to our website and read the report, or at least the first chapter with the overall findings, which is available to everyone. And yes, I would like to say that there are no bad vendors in our rating. Even for those who have not reached the leaders segment in our rating, that doesn't mean that they somehow have... perhaps like, fewer functions or anything like that. Most of those companies are just kind of primarily struggling with gaining market traction because they are smaller or startups. And of course, companies like IBM and Microsoft are winning just because of their sheer size. But there are definitely many use cases where a smaller, leaner and more specialized or even just a cheaper SIEM solution would be a better fit for you than those large vendors. And another dimension is, yes, the market is evolving, and although we will still be covering XDR solutions in a separate Leadership Compass, I am pretty sure that in a few years all those technologies will just merge into a single, yet unnamed product class, which I would tentatively call security intelligence.
Right. Great final words, and that shows that we are covering evolving markets, emerging markets and also consolidating markets over time. Thank you very much, Alexei, for being my guest today, for sharing your insights, for sharing your view on the market. And I'm looking forward to having you on the podcast again soon.
Thank you, Matthias.
Thank you and bye bye.