Making Sense of the Seismic Shifts in the SIEM World

· 3 MIN READ · LAUREN HORAIST · MAY 24, 2024 · TAGS: Managed security / MDR / SIEM / SOC

This month has been newsworthy in the world of security information and event management (SIEM), to say the least. On May 15, Exabeam and LogRhythm announced a merger, and by market close that same day, Palo Alto Networks announced its intention to acquire QRadar SaaS assets from IBM and move QRadar customers to Palo’s Cortex XSIAM platform. All this comes on the heels of Cisco’s acquisition of Splunk last year, which is still causing ripple effects across cybersecurity.

The burning questions in many security leaders’ minds are:

  1. What does this mean for customers like me?
  2. What does this mean for the SIEM market as a whole?

More specifically, customers of Exabeam, QRadar, and LogRhythm are wondering how these changes impact them, how they’ll be supported through the changes, what will happen to the SIEM tools they’ve invested so much in, and, if they have to make a change, how long it will take for their teams to implement and learn new tech. In conversations we’ve had with our customers’ SecOps teams in the last few days, we’ve heard those sentiments and concerns expressed more than once.

I expect that each of the vendors involved in last week’s changes will make their best efforts to support you during these transitions to help ensure that you have continuity—regardless of ownership. But, if you use one of these SIEMs today, there is undoubtedly uncertainty. Like many customers of these SIEMs, you’re likely thinking about the long-term effects—and what the future of those SIEMs should be within your business.

Having the unique perspective of a managed detection and response (MDR) provider that supports customers on all these technologies, we’ve been uniquely positioned to see and hear the situation from many different angles. Even prior to last week, we’ve had customers asking, “How do I reduce my reliance on SIEM, and if I keep my SIEM, how do I optimize my investment?” For a few years now, customers have seen less and less security value from their SIEM, while at the same time paying more and more for it due to the ever-increasing amount of data produced throughout the enterprise and sent to the SIEM for monitoring and long-term retention.

This trend leads to the second question: “What does this mean for the SIEM market as a whole?” For years, SIEM customers have been underserved, leveraging, in some cases, decades-old technology that served as a good way to collect a lot of data, but, for many, failed to provide the critical security insights, SOC automation, and response help that customers so critically need in high-stress, high-stakes moments.

These challenges were some of the catalysts that led to new security categories, including extended detection and response (XDR) and MDR (and I suppose MXDR, if you like the alphabet soup of security acronyms). These new categories aimed first and foremost to deliver positive security outcomes that help SOC teams not only detect, but also triage, investigate, and respond to threats faster. And in the case of MDR, we’ve gone a step further to act as a 24×7 extension of our customers’ SOC teams, providing around-the-clock detection, investigation, and response capabilities on their behalf.

So what’s next?

If you find yourself questioning the future of your SIEM, now is a good time to review your long-term security analytics strategy. Take a look at the security use cases that matter most to you, and assess the value you’re getting from your SIEM today. If you’re happy with your current solution, be sure to ask your vendor hard questions about how you’ll be supported while they sort out their business changes.

If you’re not happy with your current security outcomes and you feel like you’re not getting the expected value, it might be time to rethink if your current SIEM is right for you. Fortunately, there are resources available to help. Among others, we at Expel have provided guidance to multiple customers as they’ve navigated their own unique technology considerations, including (but not limited to) SIEM.

If you’re starting to think about reducing your reliance on SIEM in exchange for more impactful security outcomes, you might want to consider XDR and MDR options instead. One of our customers, Rona, found that MDR helped them to simultaneously reduce their SIEM log ingestion by 75% while also extracting even greater value from their existing security investments.

However, this may not be the right choice for your organization, and that’s okay. SIEM preferences are highly use case driven for each individual organization. As you consider your own unique needs, security outcomes, and potential transition options, keep in mind that there are ways to scale down your current SIEM—without introducing risk—while you work to build up your new solution of choice.

If you find yourself considering what last week means for the future of your security stack—be it reducing reliance on your current SIEM, or switching to a different SIEM, XDR, or data lake altogether—know that you have options. And if you decide that you need help in the process, we’re always here to help, providing 24/7 threat detection, investigation and response across 120+ security tools—including the leading SIEMs that you have today, or the technology that you may choose for tomorrow.