Friday, September 20, 2024

Why isn’t “Simply SIEM” Sufficient?


There’s a legacy connotation attached to SIEM that has led to vendors marketing themselves as some iteration of a next-generation solution. But is it necessary? I’ve been struggling to find solutions that can be categorized as “legacy SIEM”—that is, SIEM without some sort of automation, response, or anomaly detection capabilities or modules.

It makes sense for SIEM to include all these capabilities. What doesn’t make sense is this unsynchronized attempt at differentiating today’s solutions from those of 2015.

Let’s have a quick look at what SIEM solutions get called today:

  • Fusion SIEM
  • Next-gen SIEM
  • Evolved SIEM
  • Unified protection SIEM
  • Cloud-native SaaS SIEM
  • “Not a SIEM” SIEM (aka, unified security operations platform)

So, is this a problem? Different takes on product names are nothing new, but in this case, it creates a lot of confusion in the market. First, these names don’t inherently mean anything. Sure, some offer indications, like “cloud-native SaaS SIEM platform,” but generally speaking, there is no objective difference between a next-gen SIEM and an evolved SIEM.

Second, there are multiple permutations of modules that are different from vendor to vendor. One might offer SIEM + SOAR + UEBA, while another may offer SIEM + ASM + XDR. While it’s great to have more comprehensive security products, you may not need or want the additional modules.

“Not a SIEM” SIEM solutions add another layer of confusion, as these products do everything a SIEM solution does, but they won’t show up when you Google “best SIEM solution 2024.” Another challenge is proving to regulators for compliance purposes that even though what you use for SIEM is called a SOC platform, it is a SIEM solution.

So yes, I do think that adding adjectives before the word “SIEM” is a futile exercise that creates more confusion instead of differentiating a product. But there’s more.

SIEM and Security Operations

When evaluating solutions, it’s important to decide whether you need a “simply SIEM” or a unified tool for automating your security operations center. I believe that we should keep SIEM as a standalone term that predominantly focuses on doing what it says on the tin—information and event management.

SIEM itself can be part of a wider security operations platform alongside technologies such as XDR, SOAR, UEBA, and ASM. However, for the same reasons presented above, we shouldn’t keep calling these converged solutions “SIEM.”

For this reason, I’ve adjusted the security operations reports I’ve been working on, specifically the SIEM Radar and autonomous SOC Radar. SIEM focuses on evaluating tools’ capabilities with respect to information management. We’re still including additional functions such as automation and analysis, but they remain focused on the main scope rather than branching out to full UEBA or SOAR capabilities.

Autonomous SOC, on the other hand, is now a more standalone approach compared to its previous SIEM + SOAR scope. It evaluates the capabilities required by a security operations center to manage and automate its daily activities. There’s less focus on compliance and more on response, orchestration, and user monitoring.

Next Steps

To learn more, take a look at GigaOm’s SIEM Key Criteria and Radar reports. These reports provide a comprehensive overview of the market, outline the criteria you’ll want to consider in a purchase decision, and evaluate how a number of vendors perform against those decision criteria.

If you’re not yet a GigaOm subscriber, you can access the research using a free trial.

The post Why isn’t “Simply SIEM” Sufficient? appeared first on Gigaom.
