Demand- and supply-side changes will move SIEM from on premises to the public cloud.
Security information and event management (SIEM) systems first appeared around 2000 from vendors such as Intellitactics, NetForensics, and eSecurity. The original functionality centered around event correlation from perimeter security devices such as IDS/IPS and firewalls.
The SIEM market evolved over the past 19 years, with different vendors, functionality, and use cases. SIEM has also grown into a $2.5 billion market, dominated by vendors such as Splunk, IBM, LogRhythm, and AT&T (AlienVault).
Despite the SIEM evolution, today’s products can be seen as super-sized versions of those of yesteryear. In fact, the original design of SIEM seemed like a knockoff of network and systems management tools CA Unicenter, HP OpenView, and IBM Tivoli. SIEM products were based upon a tiered architecture of distributed data collectors/indexers/processors and a central database used for data analytics, visualization, and reporting.
As SIEM scaled, organizations needed more and more hardware tiers to maintain performance and scale. This has led to a situation where SOC personnel focused on activities such as threat detection, incident response, and forensic investigations are dependent upon SIEM infrastructure teams responsible for upgrading hardware, load balancing servers, adding storage capacity, etc.
SIEM will move from on-premises servers to the public cloud
In 2019 (happy new year, dear readers), the security analytics/operations technology model is in the midst of a massive architectural shift. Over the next few years, the SIEM backend will migrate from on-premises servers to public cloud infrastructure. I firmly believe that by the end of 2020, even organizations with dogmatic on-premises biases in industries like financial services, government, and military equipment manufacturing will eschew on-premises SIEM in favor of cloud-based alternatives.
This transition has already started and will progress rapidly due to changes on the demand and supply side. CISOs will seek out cloud-based SIEM solutions because of:
- Massive growth in security data. According to ESG research, 28 percent of organizations collect, process, and analyze substantially more security data than they did two years ago, while another 49 percent collect, process, and analyze somewhat more security data. (Note: I am an employee of ESG.) What types of data are behind this growth pattern? Cyber threat intelligence (CTI), network packet capture, cloud logs, business application logs, you name it. Continuous security data growth equates to more infrastructure, more personnel, and more operational tasks.
- Higher software costs. Aside from infrastructure and staffing costs, some SIEM vendors base their pricing on the amount of data under management. I’ve heard CISOs complain that it’s not unusual for them to blow through a three-year SIEM budget in a year.