A simple prediction for the future of SIEM

Congratulations! Your organization just finished building out a new SIEM (security information and event management, for the unindoctrinated) and I suspect you all went with or wish you had gone with Splunk. What’s your reward for all this hard work? You get to think about what’s next. That’s where I am, thinking about what’s next. I get this question a lot… what will replace Splunk? And honestly, I think there will be a next thing… remember ArcSight? I know that predicting the future is a risky business, though it’s objectively fun in the moment. So let’s do some predicting!

Splunk is the analytic tool I most often see within cybersecurity, and anyone who knows me knows I really like Splunk. It’s easy to use, fast, and often provides users the type of creative outlet that leads to strong emotional attachment. I often use the unscientific but usually accurate measure of facial expression to determine how successful a tool will be. Most enterprise tools, especially in cybersecurity, seem to get something close to a frowny face from their users. This is due to a myriad of reasons, not always in the vendor’s control, but it usually comes down to a few factors: load times, interface ergonomics, flexibility and documentation. Splunk builds typically get a big smile from me. However, there’s a problem: most organizations don’t have “building and maintaining a complex data analytic tool and the vast infrastructure it runs on” in their mission statement.

So here is the prediction: the future is CLOUD! (mic drop…) but maybe not in the way you think. Sure, you can use your IaaS partner of choice to lift and shift your data center, but you’ve already done that and I’m aiming to be better than a fortune cookie. So, your next SIEM will be a cloud native analytics service, SIEM as a Service if you will. But not just any SIEM as a Service: your next SIEM will be brought to you by the likes of AWS, Google Cloud and Azure. Why? I don’t really expect you to believe that any of these companies will be able to build a better mouse trap, because they probably won’t; they’ll check enough of the right boxes to make a viable alternative. They don’t have to be better, because they are playing a different game. Your Cloud provider is after your data and your compute cycles, and is more than willing to give away software of many types to convince you to buy into their ecosystem. Once your organization buys in, that SIEM capability will just be there, ready to turn on with little effort. A security vendor can’t compete with that level of convenience.

There is a lot to be said about convenience. Recently someone told me that they don’t like SharePoint, but it’s there so they use it. The revolution of Cloud is that it democratized network and system administration, so now Terry from accounting can have their own little data center with nothing more than a credit card number. One day someone from audit is going to tell Terry they need security monitoring, so Terry is going to do what any reasonable person would do: turn on the Cloud’s native security tools. Boom! Now you have a Cloud SIEM in your environment. By the way, if your organization uses Azure, this might have already happened.

On the positive side, there are good reasons I believe this type of SIEM as a Service could be the right next step for your organization. It has the potential to provide a lower TCO, your data lake can be more flexible (your AI team wants that data too!), regulators are pushing for increased data regionalization, it will require less maintenance, and frankly your data is already sitting in the Cloud! Although a review of current Cloud SIEM offerings uncovers tangible drawbacks, there is enough maturity, particularly in Azure, to start a slow transition: begin by offloading small workloads such as analysis of Cloud audit, transaction and application data, then expand usage over time.
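To make the "start with Cloud audit data" step concrete, here is an added example of the kind of small detection workload that can move to a cloud-native service first. This is example code written for this page, not code from Splunk, AWS, Azure or the author of the post. The records are constructed, CloudTrail-style events (the field names follow CloudTrail's record format, the values are invented), and the two rules, a successful console login without MFA and any API call made directly by the root identity, are assumptions about what a first cloud-audit detection set might contain.

```python
import json
from typing import Iterable

# Constructed CloudTrail-style records (invented values, CloudTrail field names),
# delivered as JSON lines, which is how audit data commonly reaches a SIEM.
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2020-01-01T10:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "terry"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2020-01-01T10:05:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "pat"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2020-01-01T10:07:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "pat"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2020-01-01T11:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2020-01-01T11:01:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ops/ci"},
     "sourceIPAddress": "203.0.113.10"},
])


def parse_events(raw: str) -> list:
    """Parse newline-delimited JSON audit records, skipping blank or garbled lines."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line must not abort the whole batch
    return events


def _identity(event: dict) -> str:
    """Best available principal name: IAM user name, else ARN, else identity type."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def console_logins_without_mfa(events: Iterable[dict]) -> list:
    """Successful console logins where CloudTrail's MFAUsed flag is not 'Yes'."""
    alerts = []
    for e in events:
        if e.get("eventName") != "ConsoleLogin":
            continue
        if e.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue  # failed attempts belong to a brute-force rule, not this one
        if e.get("additionalEventData", {}).get("MFAUsed") == "Yes":
            continue
        alerts.append({"rule": "console_login_without_mfa", "user": _identity(e),
                       "time": e.get("eventTime"), "source_ip": e.get("sourceIPAddress")})
    return alerts


def root_account_activity(events: Iterable[dict]) -> list:
    """Any API call made directly by the account root identity (should be rare)."""
    return [{"rule": "root_account_activity", "user": _identity(e),
             "time": e.get("eventTime"), "source_ip": e.get("sourceIPAddress"),
             "event": e.get("eventName")}
            for e in events if e.get("userIdentity", {}).get("type") == "Root"]


def run_detections(events: list) -> list:
    """Run every rule over the batch and return the combined alert list."""
    return console_logins_without_mfa(events) + root_account_activity(events)


if __name__ == "__main__":
    for alert in run_detections(parse_events(SAMPLE_NDJSON)):
        print(json.dumps(alert))
```

On the sample batch this yields two alerts: pat's successful login without MFA and the root-issued CreateUser call; the failed no-MFA login and the assumed-role DescribeInstances call are left alone. Rules like these are the low-risk first workload the text describes, because the data is already in the provider's audit pipeline and the logic is simple enough to port between query languages.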

So that’s it, that’s the prediction. Forthcoming Cloud native security analytics services will soon become a small part of your security tech stack, then slowly increase in scope of data analyzed until you reach a tipping point and make the decision to consolidate all security analytic workloads away from your now 2- to 5-year-old SIEM and into an all ‘as a service’ solution. Will it be the best capability on the market? Probably not. But it’ll be there, and you’ll use it.