Predictions concerning the loss of life of SIEM platforms have swirled for years, fueled by studies of alert fatigue, sky-high information prices and the shiny guarantees of prolonged detection and response (XDR), safety information lakes and, now, agentic AI. But, twenty years after they first emerged, SIEM applied sciences stay important components of safety operations at many organizations.
CMI Consulting predicted that the SIEM market will develop from simply over $7 billion in 2024 to almost $18 billion in income by 2033, pushed by growing demand for menace detection and looking capabilities and increasing regulatory necessities. As a substitute of going the best way of the dinosaur, SIEM is present process a pivotal evolution, consultants say. The query is not whether or not the idea is out of date, however whether or not the implementation is mired in one other period.
“SIEMs have been the safety software that individuals like to hate,” mentioned Andrew Braunberg, an analyst with Omdia, a division of Informa TechTarget. “And whereas it’s true that they are often advanced and dear to function, Omdia continues to forecast regular development for the market.”
The evolution of SIEM
A know-how that when supplied little greater than centralized log assortment and rule correlation has dramatically remodeled in response to each critics and the evolving menace panorama. Early SIEM deployments earned a status for producing overwhelming volumes of false positives, requiring armies of analysts to sift by way of alerts and imposing crushing prices on enterprises.
These points with SIEM — actual and perceived — have pushed substantial maturation. “As we speak’s [next-generation] SIEMs embody superior analytics equivalent to consumer and entity conduct analytics, higher integration with menace intelligence, and SOAR [security orchestration, automation and response] capabilities delivered on cloud-native architectures,” Braunberg mentioned.
Jason Soroko, a senior fellow at Sectigo, shared Braunberg’s outlook on SIEM. The know-how has had its share of issues, plenty of which have coloured individuals’s tackle its future, he mentioned. Initially, SIEMs have been constructed as log-centric compliance instruments that relied on static correlation guidelines and monolithic architectures, leaving them ill-equipped to research large cloud information volumes, detect refined real-time assaults or automate menace response.
As well as, many platforms charged primarily based on information quantity and used inflexible information codecs that struggled to deal with the detailed info wanted to detect fashionable assaults, equivalent to consumer conduct patterns, cloud software exercise and workload information. Organizations usually confronted the not possible selection of both feeding their SIEM platforms the wealthy safety information they wanted, then watching prices skyrocket, or proscribing the information stream and lacking vital threats.
“A few of that is inherent to the unique design, which optimized for centralized log storage, compliance and primary reporting relatively than real-time cross-domain analytics,” Soroko mentioned. “Some [of it] is an implementation drawback the place organizations underinvest in content material engineering, use-case design and automation.”
Why organizations will not abandon SIEM
Newer platforms, equivalent to XDR and AI-driven detection, concentrate on high-quality telemetry, built-in detections mapped to frameworks like Mitre ATT&CK, behavioral and anomaly analytics, and native automated response. These platforms are higher than SIEM in some ways, particularly in relation to endpoint and identity-centric assaults, lateral motion and speedy containment.
But, SIEM stays the system of report for safety telemetry in lots of enterprises and supplies core capabilities which might be troublesome to switch, Soroko mentioned. For instance, conventional SIEM techniques excel at long-term retention for compliance and forensics, cross-domain querying throughout heterogeneous information sources, configurable correlation for area of interest organizational dangers, and mandated safety reporting to regulators and auditors.
“The [SIEM] deployments that succeed are normally people who slim scope to obviously outlined use circumstances,” Soroko defined. “[These deployments] deal with information onboarding as an engineering self-discipline, constantly tune detections and combine the SIEM deeply with SOAR, ticketing, case administration and menace intelligence so alerts turn out to be structured investigations and playbooks relatively than uncooked occasions.”
The place SIEM falls brief is high-fidelity real-time detection for cloud-native and SaaS-heavy environments and in automated, closed-loop response — conditions the place XDR suites, safety information lakes and AI-optimized platforms ship richer telemetry, extra scalable analytics and cheaper storage, he mentioned.
Consultants, together with Soroko, mentioned organizations should not scrap their SIEMs, however as an alternative remodel them. In a contemporary setup, the SIEM ought to turn out to be a cloud-native management and correlation layer that sits on prime of a safety information lake, pulling in high-quality alerts from instruments equivalent to XDR, community detection and response and identification analytics. A SOAR system then handles the response facet, whereas tight two-way integration with menace intelligence updates detections, looking queries and automatic playbooks with the newest indicators and attacker behaviors.
Persistent worth proposition
In response to Daniel Kennedy, analyst at S&P International Market Intelligence, SIEM stays the only most ceaselessly cited “necessary” software in a safety operation middle (SOC). The elemental drawback it was invented to unravel — too many alerts, not sufficient individuals — hasn’t gone away, he mentioned. A latest examine by S&P International confirmed 45% of alerts acquired nonetheless go unreviewed largely as a consequence of headcount shortages.
He mentioned he separates the philosophical idea of SIEM from vendor implementations. “When individuals shout ‘SIEM is lifeless,’ they normally imply dangerous, outdated implementations or particular distributors that fell behind, not the core concept of a central place to gather, correlate and act on safety information,” Kennedy defined. “The truth that the SIEM vendor leaderboard has modified fully over the previous 10 to fifteen years is an indication of how the market has advanced greater than a sign of its imminent demise. New approaches, higher looking out, extra intuitive interfaces, less expensive choices and even higher advertising and marketing have lengthy made SIEM a dynamic market by way of which distributors are attaining market chief positions.”
When individuals shout ‘SIEM is lifeless,’ they normally imply dangerous, outdated implementations or particular distributors that fell behind, not the core concept of a central place to gather, correlate and act on safety information. Daniel Kennedy, analyst, S&P International Market Intelligence
The agentic AI wild card
Braunberg mentioned he perceives rising agentic AI instruments as the best potential menace to SIEM. Agentic startups promise a manner for organizations to interrupt out of the scalability lure that has plagued SOCs, and significantly SIEMS, for a decade or extra, he mentioned.
“Whereas SIEM distributors may effectively experience the agentic wave by way of aggressive adoption of the know-how, we already see examples of agentic SOC startups constructing multi-agent options that bypass the SIEM and go on to the telemetry supply when performing alert evaluation, equivalent to alert triage.”
On the finish of the day, the talk over SIEM’s future usually misses a basic level about why organizations adopted the know-how within the first place and what they’re truly utilizing it for at the moment. SIEM has at all times had two distinct worth propositions, and understanding that break up is essential to understanding why the know-how persists regardless of repeated predictions of its demise, defined John Pescatore, director of rising safety developments on the SANS Institute.
For organizations obligated to adjust to log monitoring rules, SIEM has lengthy supplied a comparatively cost-effective manner of checking that field. The second proposition — and the one which organizations have had a a lot tougher time with — is lowering time to detect, reply to and get better from threats.
Some 40% of organizations utilizing SIEM, Pescatore estimated, achieve this for required reporting compliance, and one other 40% for primary occasion correlation utilizing vendor signatures or patterns to detect and prioritize acknowledged occasions. The remaining 20% use it to detect advanced, new assaults.
“I believe SIEM at decrease costs nonetheless is smart for many organizations,” Pescatore mentioned, including that “SOAR and XDR sort instruments added on make sense for the high-end, lean-forward safety groups.”
Jaikumar Vijayan is a contract know-how journalist with greater than 20 years of award-winning expertise in IT commerce journalism, specializing in info safety, information privateness and cybersecurity matters.
