TechTrendFeed

SIEM isn't dead, its place in the SOC is just evolving

March 11, 2026


Predictions about the death of SIEM platforms have swirled for years, fueled by reports of alert fatigue, sky-high data costs and the shiny promises of extended detection and response (XDR), security data lakes and, now, agentic AI. Yet, two decades after they first emerged, SIEM technologies remain essential components of security operations at many organizations.

CMI Consulting predicted that the SIEM market will grow from just over $7 billion in 2024 to nearly $18 billion in revenue by 2033, driven by rising demand for threat detection and hunting capabilities and expanding regulatory requirements. Instead of going the way of the dinosaur, SIEM is undergoing a pivotal evolution, experts say. The question isn't whether the concept is obsolete, but whether the implementation is mired in another era.

“SIEMs have been the security tool that people love to hate,” said Andrew Braunberg, an analyst with Omdia, a division of Informa TechTarget. “And while it's true that they can be complex and costly to operate, Omdia continues to forecast steady growth for the market.”

The evolution of SIEM

A technology that once offered little more than centralized log collection and rule correlation has transformed dramatically in response to both its critics and the evolving threat landscape. Early SIEM deployments earned a reputation for producing overwhelming volumes of false positives, requiring armies of analysts to sift through alerts and imposing crushing costs on enterprises.

These issues with SIEM, real and perceived, have driven substantial maturation. “Today's [next-generation] SIEMs include advanced analytics such as user and entity behavior analytics, better integration with threat intelligence, and SOAR [security orchestration, automation and response] capabilities delivered on cloud-native architectures,” Braunberg said.

Jason Soroko, a senior fellow at Sectigo, shared Braunberg's outlook on SIEM. The technology has had its share of problems, many of which have colored people's take on its future, he said. Originally, SIEMs were built as log-centric compliance tools that relied on static correlation rules and monolithic architectures, leaving them ill-equipped to analyze massive cloud data volumes, detect sophisticated attacks in real time or automate threat response.

In addition, many platforms charged based on data volume and used rigid data formats that struggled to handle the detailed information needed to detect modern attacks, such as user behavior patterns, cloud application activity and workload data. Organizations often faced an impossible choice: either feed their SIEM platforms the rich security data they needed and watch costs skyrocket, or restrict the data flow and miss critical threats.
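The volume-versus-coverage dilemma is usually resolved at ingest time rather than by simply sending less: every source is normalized into one schema (so a cross-domain query can be written once), and only the events a detection will actually key on are routed to the hot, per-GB SIEM tier, while everything lands in cheaper storage and stays queryable. The Python below is an added illustration of that onboarding step, not code from the article or from any product it mentions; the sample log lines, field names, tier names and routing rules are constructed assumptions.

```python
"""Ingest-time normalization and tiered routing for heterogeneous security logs.

Constructed example: the sample log lines, field names, tier names and routing
rules below are illustrative assumptions, not any vendor's schema or pricing.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: a cloud audit record, two firewall syslog lines, an EDR
# alert and one line that no parser recognizes.
SAMPLE_LINES = [
    '{"eventTime":"2026-03-11T09:14:02Z","eventName":"ConsoleLogin",'
    '"userIdentity":{"userName":"alice"},"sourceIPAddress":"203.0.113.7",'
    '"responseElements":{"ConsoleLogin":"Success"}}',
    "Mar 11 09:14:05 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=443",
    "Mar 11 09:14:06 fw01 kernel: DROP IN=eth0 SRC=198.51.100.4 DST=10.0.0.9 PROTO=TCP DPT=22",
    '{"ts":"2026-03-11T09:15:30Z","source":"edr","host":"ws-042","user":"alice",'
    '"process":"powershell.exe","severity":"high","tactic":"execution"}',
    "this line is not a log record at all",
]


@dataclass
class Event:
    """Common schema every source is mapped into, so one query spans all of them."""
    ts: str
    source: str
    action: str
    severity: str
    user: Optional[str] = None
    host: Optional[str] = None
    src_ip: Optional[str] = None
    raw_bytes: int = 0


FW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def normalize(line: str) -> Optional[Event]:
    """Map one raw line into the Event schema; None means no parser claimed it."""
    size = len(line.encode())
    if line.startswith("{"):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            return None
        if "eventName" in rec:  # cloud audit style record
            outcome = rec.get("responseElements", {}).get(rec["eventName"], "Unknown")
            return Event(ts=rec["eventTime"], source="cloud_audit",
                         action=f'{rec["eventName"]}:{outcome}', severity="info",
                         user=rec.get("userIdentity", {}).get("userName"),
                         src_ip=rec.get("sourceIPAddress"), raw_bytes=size)
        if rec.get("source") == "edr":
            return Event(ts=rec["ts"], source="edr",
                         action=f'{rec["tactic"]}:{rec["process"]}',
                         severity=rec["severity"], user=rec.get("user"),
                         host=rec.get("host"), raw_bytes=size)
        return None
    m = FW_RE.match(line)
    if m:
        return Event(ts=m["ts"], source="firewall", action=f'{m["action"]}:tcp/{m["dpt"]}',
                     severity="info", host=m["host"], src_ip=m["src"], raw_bytes=size)
    return None


# Routing policy (assumed): only events a detection will key on go to the hot,
# per-GB SIEM tier; everything else lands in the cheaper lake, where it stays
# queryable for forensics without inflating the SIEM bill.
HOT_SOURCES = {"edr"}
HOT_ACTIONS = {"ConsoleLogin:Success", "ConsoleLogin:Failure"}


def route(ev: Event) -> str:
    if ev.severity in ("high", "critical") or ev.source in HOT_SOURCES:
        return "siem"
    if ev.source == "cloud_audit" and ev.action in HOT_ACTIONS:
        return "siem"
    return "lake"  # e.g. firewall ACCEPT/DROP noise


def ingest(lines: List[str]) -> Tuple[Dict[str, int], Dict[str, List[Event]]]:
    """Normalize and route every line; return volume stats and the routed events."""
    stats = {"siem": 0, "lake": 0, "unparsed": 0, "siem_bytes": 0, "total_bytes": 0}
    routed: Dict[str, List[Event]] = {"siem": [], "lake": []}
    for line in lines:
        stats["total_bytes"] += len(line.encode())
        ev = normalize(line)
        if ev is None:
            stats["unparsed"] += 1  # surfaced, not silently dropped
            continue
        tier = route(ev)
        stats[tier] += 1
        routed[tier].append(ev)
        if tier == "siem":
            stats["siem_bytes"] += ev.raw_bytes
    return stats, routed


if __name__ == "__main__":
    stats, routed = ingest(SAMPLE_LINES)
    print(stats)
    for ev in routed["siem"]:
        print("SIEM <-", ev)
```

Unparsed lines are counted rather than dropped silently: a parser that fails quietly on a new log format is exactly how a SIEM ends up missing the data it was paid to hold, which is why onboarding has to be treated as engineering work with its own monitoring.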

“Some of this is inherent to the original design, which optimized for centralized log storage, compliance and basic reporting rather than real-time cross-domain analytics,” Soroko said. “Some [of it] is an implementation problem where organizations underinvest in content engineering, use-case design and automation.”

Why organizations won't abandon SIEM

Newer platforms, such as XDR and AI-driven detection, focus on high-quality telemetry, built-in detections mapped to frameworks like MITRE ATT&CK, behavioral and anomaly analytics, and native automated response. These platforms are better than SIEM in many ways, particularly when it comes to endpoint and identity-centric attacks, lateral movement and rapid containment.

Yet SIEM remains the system of record for security telemetry in many enterprises and provides core capabilities that are difficult to replace, Soroko said. For example, traditional SIEM systems excel at long-term retention for compliance and forensics, cross-domain querying across heterogeneous data sources, configurable correlation for niche organizational risks, and mandated security reporting to regulators and auditors.

“The [SIEM] deployments that succeed are usually those that narrow scope to clearly defined use cases,” Soroko explained. “[These deployments] treat data onboarding as an engineering discipline, continuously tune detections and integrate the SIEM deeply with SOAR, ticketing, case management and threat intelligence so alerts become structured investigations and playbooks rather than raw events.”

Where SIEM falls short is high-fidelity real-time detection for cloud-native and SaaS-heavy environments and automated, closed-loop response, situations where XDR suites, security data lakes and AI-optimized platforms deliver richer telemetry, more scalable analytics and cheaper storage, he said.

Experts, including Soroko, said organizations shouldn't scrap their SIEMs but rework them. In a modern setup, the SIEM becomes a cloud-native control and correlation layer that sits on top of a security data lake, pulling in high-quality alerts from tools such as XDR, network detection and response (NDR) and identity analytics. A SOAR system then handles the response side, while tight two-way integration with threat intelligence keeps detections, hunting queries and automated playbooks current with the latest indicators and attacker behaviors.
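As an added example of the layered setup just described (not code from the article or from any product it names), the Python below treats the SIEM as the correlation layer: it chains alerts from identity analytics, XDR and NDR that share a user or host within a time window, enriches the chain with a threat-intelligence feed, carries the ATT&CK technique IDs along, and emits a structured case naming the SOAR playbook to run. Alert shapes, the indicator list, scoring thresholds and playbook names are constructed assumptions. Re-running the same pass after the feed changes is the two-way threat-intelligence integration in practice: a newly published indicator re-scores a case that was already open.

```python
"""SIEM as the correlation layer over a data lake: join alerts from XDR,
identity analytics and NDR on shared entities inside a time window, enrich with
threat intelligence, and hand a structured case to a SOAR playbook.

Constructed example: alert shapes, indicator list, scoring thresholds and
playbook names are illustrative assumptions, not any product's behaviour.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Constructed alerts, already normalized, with ATT&CK technique IDs attached.
ALERTS = [
    {"ts": "2026-03-11T09:14:02Z", "source": "identity", "user": "alice",
     "src_ip": "203.0.113.7", "detail": "login from new country", "technique": "T1078"},
    {"ts": "2026-03-11T09:15:30Z", "source": "xdr", "user": "alice", "host": "ws-042",
     "detail": "encoded PowerShell command line", "technique": "T1059.001"},
    {"ts": "2026-03-11T09:16:10Z", "source": "ndr", "host": "ws-042",
     "dst_ip": "198.51.100.44", "detail": "periodic beaconing", "technique": "T1071"},
    {"ts": "2026-03-11T13:02:00Z", "source": "identity", "user": "bob",
     "src_ip": "192.0.2.9", "detail": "password spray target", "technique": "T1110.003"},
]

# Constructed threat-intel feed: indicator -> context.
THREAT_INTEL = {"198.51.100.44": "known C2 server"}
WINDOW = timedelta(minutes=30)

Entity = Tuple[str, str]  # ("user", "alice") or ("host", "ws-042")


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _entities(alert: dict) -> Set[Entity]:
    return {(k, alert[k]) for k in ("user", "host") if alert.get(k)}


def _indicators(alert: dict) -> Set[str]:
    return {alert[k] for k in ("src_ip", "dst_ip") if alert.get(k)}


def correlate(alerts: List[dict], window: timedelta = WINDOW) -> List[dict]:
    """Chain alerts that share a user or host within `window` of the chain's last alert."""
    cases: List[dict] = []
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        ts, ents = _parse(alert["ts"]), _entities(alert)
        for case in cases:
            if ents & case["entities"] and ts - case["last_seen"] <= window:
                case["alerts"].append(alert)
                case["entities"] |= ents  # the chain grows as new entities join it
                case["last_seen"] = ts
                break
        else:
            cases.append({"alerts": [alert], "entities": set(ents), "last_seen": ts})
    return cases


def enrich_and_score(case: dict, threat_intel: Dict[str, str]) -> dict:
    """Attach TI hits, a severity and the SOAR playbook the case should trigger."""
    sources = sorted({a["source"] for a in case["alerts"]})
    techniques = sorted({a["technique"] for a in case["alerts"]})
    iocs = set().union(*(_indicators(a) for a in case["alerts"]))
    ti_hits = {i: threat_intel[i] for i in sorted(iocs) if i in threat_intel}
    if ti_hits or len(sources) >= 3:      # cross-domain chain or confirmed IOC
        severity = "critical"
    elif len(sources) == 2:
        severity = "high"
    else:
        severity = "medium"
    users = sorted(v for k, v in case["entities"] if k == "user")
    hosts = sorted(v for k, v in case["entities"] if k == "host")
    if severity == "critical" and users and hosts:
        playbook = "isolate_host_and_disable_user"
    elif severity in ("critical", "high") and hosts:
        playbook = "isolate_host"
    elif severity in ("critical", "high") and users:
        playbook = "disable_user_and_revoke_sessions"
    else:
        playbook = "analyst_review"
    return {"severity": severity, "playbook": playbook, "sources": sources,
            "techniques": techniques, "ti_hits": ti_hits, "users": users,
            "hosts": hosts, "alert_count": len(case["alerts"])}


def build_cases(alerts: List[dict], threat_intel: Dict[str, str],
                window: timedelta = WINDOW) -> List[dict]:
    """Full pass: correlate, then enrich. Re-run whenever the TI feed changes."""
    return [enrich_and_score(c, threat_intel) for c in correlate(alerts, window)]


if __name__ == "__main__":
    for case in build_cases(ALERTS, THREAT_INTEL):
        print(case)
    # A new indicator arriving from the TI feed re-scores an existing case.
    updated = {**THREAT_INTEL, "192.0.2.9": "password spray source"}
    print(build_cases(ALERTS, updated)[1])
```

The window is the tuning knob Soroko's remark about continuously tuned detections points at: too short and the login, the PowerShell execution and the beaconing become three unrelated medium alerts; too long and unrelated activity on a busy host gets glued into one case. The case record, not the raw events, is what the SOAR side consumes.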

Persistent worth proposition

According to Daniel Kennedy, analyst at S&P Global Market Intelligence, SIEM remains the single most frequently cited “important” tool in a security operations center (SOC). The fundamental problem it was invented to solve, too many alerts and not enough people, hasn't gone away, he said. A recent study by S&P Global showed that 45% of alerts received still go unreviewed, largely because of headcount shortages.

He said he separates the philosophical concept of SIEM from vendor implementations. “When people shout ‘SIEM is dead,’ they usually mean bad, outdated implementations or specific vendors that fell behind, not the core idea of a central place to collect, correlate and act on security data,” Kennedy explained. “The fact that the SIEM vendor leaderboard has changed completely over the past 10 to 15 years is a sign of how the market has evolved more than a sign of its imminent demise. New approaches, better search, more intuitive interfaces, cheaper options and even better marketing have long made SIEM a dynamic market in terms of which vendors achieve market leader positions.”


The agentic AI wild card

Braunberg said he sees emerging agentic AI tools as the greatest potential threat to SIEM. Agentic startups promise a way for organizations to break out of the scalability trap that has plagued SOCs, and particularly SIEMs, for a decade or more, he said.

“While SIEM vendors might well ride the agentic wave through aggressive adoption of the technology, we already see examples of agentic SOC startups building multi-agent solutions that bypass the SIEM and go directly to the telemetry source when performing alert analysis, such as alert triage.”

At the end of the day, the debate over SIEM's future often misses a fundamental point about why organizations adopted the technology in the first place and what they are actually using it for today. SIEM has always had two distinct value propositions, and understanding that split is key to understanding why the technology persists despite repeated predictions of its demise, explained John Pescatore, director of emerging security trends at the SANS Institute.

For organizations obligated to comply with log monitoring regulations, SIEM has long offered a relatively cost-effective way of checking that box. The second proposition, and the one organizations have had a much harder time with, is reducing the time to detect, respond to and recover from threats.

Some 40% of organizations using SIEM, Pescatore estimated, do so for required compliance reporting, and another 40% for basic event correlation, using vendor signatures or patterns to detect and prioritize known events. The remaining 20% use it to detect complex, new attacks.

“I think SIEM at lower prices still makes sense for most organizations,” Pescatore said, adding that “SOAR and XDR type tools added on make sense for the high-end, lean-forward security teams.”

Jaikumar Vijayan is a freelance technology journalist with more than 20 years of award-winning experience in IT trade journalism, focusing on information security, data privacy and cybersecurity topics.


© 2025 https://techtrendfeed.com/ - All Rights Reserved
