There’s a legacy connotation attached to SIEM that has led to vendors marketing themselves as some iteration of a next-generation solution. But is it necessary? I’ve been struggling to find solutions that could be classified as “legacy SIEM”—that is, SIEM without some form of automation, response, or anomaly detection capabilities or modules.
It makes sense for SIEM to handle all these capabilities. What doesn’t make sense is the unsynchronized attempt at differentiating today’s solutions from those of 2015.
Let’s have a quick look at what SIEM solutions get called today:
- Fusion SIEM
- Next-gen SIEM
- Evolved SIEM
- Unified defense SIEM
- Cloud-native SaaS SIEM
- “Not a SIEM” SIEM (aka, unified security operations platform)
So, is this a problem? Different takes on product names are nothing new, but in this case, it creates a lot of confusion in the market. First, these names don’t inherently mean anything. Sure, some offer indications, like “cloud-native SaaS SIEM platform,” but generally speaking, there isn’t an objective distinction between a next-gen SIEM and an evolved SIEM.
Second, there are multiple permutations of modules that differ from vendor to vendor. One might offer SIEM + SOAR + UEBA, while another may offer SIEM + ASM + XDR. While it’s great to have more comprehensive security products, you may not need or want the additional modules.
“Not a SIEM” SIEM solutions add another layer of confusion, as these products do everything a SIEM solution does, but they won’t show up when you Google “best SIEM solution 2024.” Another challenge is proving to regulators for compliance purposes that although what you use for SIEM is called a SOC platform, it is a SIEM solution.
So yes, I do think that adding adjectives before the word “SIEM” is a futile exercise that creates more confusion instead of differentiating a product. But there’s more.
SIEM and Security Operations
When evaluating solutions, it’s important to decide whether you need a “just SIEM” or a unified tool for automating your security operations center. I believe that we should keep SIEM as a standalone term that predominantly focuses on doing what it says on the tin—information and event management.
SIEM itself can be part of a wider security operations platform alongside technologies such as XDR, SOAR, UEBA, and ASM. However, for the same reasons presented above, we shouldn’t keep calling these converged solutions “SIEM.”
As a result, I’ve adjusted the security operations reports I’ve been working on, namely the SIEM Radar and the autonomous SOC Radar. SIEM focuses on evaluating tools’ capabilities with respect to information management. We’re still including additional functions such as automation and analysis, but they remain focused on the main scope rather than branching out to full UEBA or SOAR capabilities.
Autonomous SOC, on the other hand, is now a more standalone approach compared to its previous SIEM + SOAR scope. It evaluates the capabilities required by a security operations center to manage and automate its daily activities. There is less focus on compliance and more on response, orchestration, and user monitoring.
Next Steps
To learn more, take a look at GigaOm’s SIEM Key Criteria and Radar reports. These reports provide a comprehensive overview of the market, outline the criteria you’ll want to consider in a purchase decision, and evaluate how numerous vendors perform against those decision criteria.
- GigaOm Key Criteria for Evaluating SIEM Solutions
- GigaOm Radar for SIEM
If you’re not yet a GigaOm subscriber, you can access the research using a free trial.
The post Why Isn’t “Just SIEM” Enough? appeared first on Gigaom.