Security Information and Event Management (better known as SIEM): these five words are defined hundreds of ways by thousands of people. And since 2005, industry analysts have now effectively debated it through two pivots of what exactly answers the primary problems of SIEM. There’s a lot to be learned by watching a market like SIEM adapt as technology evolves, both for the attackers and the analysis.

SIEM (or SEIM): The Monitoring Wild West of the early aughts

When a centralized, single pane of glass was first desired to answer security questions, such as “What is happening on our network?” and “Is that activity bad?” there were very quickly a few dozen software (and hardware—this was almost fifteen years ago) vendors racing to be the solution these forward-thinking security professionals implemented. You would have to be crazy not to make your play to be the central backbone of an organization’s security operations. At this point, it didn’t matter that most security budgets were only opened to avoid regulatory fines. If compliance was the way to justify the security team’s spend, the smart vendors found ways to both influence regulation to include log analysis and event review, and subsequently make compliance reporting table stakes for buyers.

No one had done this before, so there was room for a dozen different approaches to find early success:

“Log collection and analysis is key!” said some vendors.
“No way! It’s the SOC console that matters above all else!”
“You’re all fools! Integration with vulnerability management. That’s the most important capability.”

There wasn’t even agreement on whether the ‘I’ was before ‘E’, even though it didn’t follow a ‘C’ [nor pronounced ‘a’ nor...]! Evaluating these solutions was extremely difficult, but by 2010 or so, three vendors (one of which had already been acquired, twice) were starting to become the shortlist for any Fortune 100 organization: ArcSight, Network Intelligence, and Q1 Labs. This certainly didn’t mean all other solutions had failed, but there was a clear cool kids’ club, and they paid little attention to the outsiders.

Pivot 1: SIEM 2.0—New leaders emerge by focusing on search and analysis

But it was when these three winners of the original SIEM Hunger Games were swallowed up by major worldwide conglomerates that three very different vendors fought their way into the fray. One of which, NitroSecurity, was absorbed less than a year after it became a serious competitor. This was the first significant pivot of the SIEM market.

Some security teams dug in and invested more in what they’d already implemented (head nod, sunk cost fallacy), but others knew that any alternative had to be better. Getting best-of-breed in search from a tool IT operations already had in place was definitely better than a box which, theoretically, contained all the data you needed, but was useless during actual alert triage and incident analysis.

This pivot silently whittled six leaders down to five, and people made one of three decisions about SIEM tools:

  1. This is home base. Forever. Treat the SIEM like a regularly-updated database and build what is needed on top.
  2. We can change, but only so much. The only options are to switch from the Legacy 3 to the Hipster 2.
  3. ‘SIEM’ is a four-letter word (not acronym). SIEM just won’t work for my organization. It is too complicated and expensive.

Compliance reporting was very clearly still a base requirement for the SIEM space, yet there were a three festering pains felt across all SIEM 1.0 and 2.0 users: the ridiculous effort to determine whether an event is normal, an untenable number of vague rule-based alerts, and the cost of ownership under Moore’s Law.

UBA (or UEBA) is dead. Long live UBA!

Despite these highly-successful factions having survived the 2012 pivot, an increasing number of security professionals were voicing their dissatisfaction with their monitoring options. A group of start-ups and, well, Rapid7, homed in on the the first two pains in legacy SIEM above, just as the primary tool in the attackers’ arsenal became the theft, and use, of legitimate credentials for widespread compromise without triggering any alarms. The leading five SIEM vendors simply couldn’t provide effective user monitoring or advanced analytics to detect and investigate these attacks. Alerts were far too binary to help you know how to look at this authentication instead of those other fifty authentications.

The new Monitoring Wild West, almost exactly a decade later, involved more than a dozen user behavior analytics (UBA) vendors who all used very different statistical anomaly detection and peer group profiling on the datasets they best understood. Whether the solutions had their own data collection or not, it was clear that they were a complement to the behemoth SIEM solutions which had saturated the market. Such a business model of always complementing the hub was doomed to a short life, so through a combination of UBA vendor acquisitions that looked good on paper, check-the-box UBA add-ons, and SIEM enhancements to UBA solutions, two markets converged in early 2017, faster than any industry analyst or CEO dared predict. But there was still one remaining pain among SIEM buyers.

Pivot 2: SaaS SIEM—No longer an oxymoron

Software-as-a-service: to some of us children of the eighties, this term is neither scary nor a caution. However, many organizations resisted the idea of their data on someone else’s servers, even if they reside in a bomb-proof fortress with armed guards and fewer labels than Hangar 51. Until they stopped resisting…en masse. And it reached a point (in 2017) when even SIEM was redefined to include SaaS (and its cooler twin, cloud) as a delivery model.

changing-of-guard-uk

As a recovering hardware engineer, I realize that Moore’s Law has been purposely misconstrued to serve many a storyteller’s plot device. The pace of complexity growth for integrated circuits has slowed in recent years, but the need to upgrade hardware appliances, continually reconfigure multi-site indexers, and expand storage clusters is a real burden. If you want to deploy exponentially faster and lessen your maintenance headache, cloud-native solutions finally make value attainable for the vast majority of teams.

After a five-year journey, Rapid7’s mission to create a security monitoring world in which today’s attacks can be detected and handled is getting its due validation. The entire definition of SIEM is shifting (a second time) with us, and we want you to see why. Sign up for a free trial of InsightIDR—we believe it’s the SIEM solution you’ve been waiting for.