As SIEM is displaced, where are cyber security teams looking?


What is a SIEM?

SIEM (Security Information and Event Management) has been one of the main platforms for cyber security analysts, the way Bloomberg Terminals are for bond traders.

A SIEM provides real-time and historical visibility into everything from credential exposure to DNS query activity, as well as anomaly alerting. A SIEM turns network traffic into actionable intelligence within an enterprise or provider network. Products such as QRadar, Cisco MARS and Splunk are still widely deployed.

Palo Alto enters the market with Cortex XSIAM

On a call earlier this year, Palo Alto CEO Nikesh Arora had this to say about SIEM:

"We've already displaced 19 different SIEM vendors to-date and with the confidence under our belt, we're now looking systematically on how we can accelerate this legacy SIEM displacement."

When a leader like Palo Alto decides they want to move into a market, there is very little to nothing legacy vendors can do to stop them.

Palo Alto's Cortex XSIAM, an "AI-driven security operations platform for the modern SOC", is one of the products promising to use machine learning and AI to improve visibility and bring the most important threats to the analyst's alert queue.

CISOs are looking to XDRs to modernize

One CISO stated: "We send all of these logs into your XDR and get more useful functionality from there."

Are CISOs questioning whether their companies still need a SIEM?

SOC analysts now do 85% of their day-to-day work in the XDR; previously they would be switching between Splunk, email, EDR and various other tools all day.

His firm, in the middle of its legacy SIEM-to-XDR transition, still uses Splunk and sends everything there, but now more for creating dashboards than for actually hunting threats.

XDR platforms automatically block malicious traffic

Email, network activity, endpoint activity, server activity, cloud activity are all in the firm's XDR.

You search and correlate data as you would in a SIEM, but if you find, say, a malicious IP, you can add that object to your suspicious list and the XDR works with all your devices to block it.

So clearly, firms are looking for a southbound API approach in their XDR to push policies to the forwarding planes of switches, routers and firewalls. If a SIEM can't do this, it is obsolete.

The one thing our XDR is missing is the ability to visualize the data as nicely as you can in Splunk or Elastic, but everything else they need is already there.

XDR is about combining all these capabilities under a single pane of glass and being able to immediately action alerts and threats in the same place.

Being able to search and correlate as you would in a SIEM, with the bonus of then blocking or quarantining any domains, IPs or emails all in one place, is a huge time saver.
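As an added illustration (not code from the original post or from any vendor's product), here is a small Python model of the workflow described above: events from email, EDR and firewall telemetry are correlated on a shared external IP, and a hit fans out to per-device block policies the way a southbound API push would. The event shapes, field names and policy strings are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events from three telemetry sources an XDR would ingest.
# The firewall lines are "permit" events: on their own they raise no alert,
# which is exactly the kind of traffic cross-source correlation is meant to catch.
EVENTS = [
    {"source": "firewall", "action": "permit", "src": "10.0.0.15", "dst": "203.0.113.7", "dport": 443},
    {"source": "firewall", "action": "permit", "src": "10.0.0.22", "dst": "198.51.100.9", "dport": 443},
    {"source": "edr", "host": "ws-015", "alert": "suspicious_powershell", "remote": "203.0.113.7"},
    {"source": "email", "recipient": "user15@corp.example", "link_host": "203.0.113.7", "verdict": "phish"},
]


@dataclass(frozen=True)
class BlockAction:
    device: str   # enforcement point the policy is pushed to (assumed names)
    policy: str   # human-readable rule the device would receive


def indicator_of(event):
    """Return the external IP each source reports, if any (field names are assumed)."""
    return event.get("dst") or event.get("remote") or event.get("link_host")


def correlate(events, min_sources=2):
    """Group events by external IP; keep IPs reported by at least min_sources distinct sources."""
    seen = defaultdict(set)
    for ev in events:
        ip = indicator_of(ev)
        if ip:
            seen[ip].add(ev["source"])
    return {ip: sorted(srcs) for ip, srcs in seen.items() if len(srcs) >= min_sources}


def build_block_actions(ip):
    """Southbound fan-out: one policy object per enforcement point, issued from one place."""
    return [
        BlockAction("firewall", f"deny ip any host {ip}"),
        BlockAction("edr", f"block outbound connections to {ip}"),
        BlockAction("email_gateway", f"quarantine messages linking to {ip}"),
    ]


def triage(events):
    """Correlate, then produce the block actions an analyst would push for each hit."""
    return {ip: build_block_actions(ip) for ip in correlate(events)}


if __name__ == "__main__":
    for ip, actions in triage(EVENTS).items():
        print(ip, [a.policy for a in actions])
```

The second firewall destination (198.51.100.9) is permitted traffic seen by only one source, so it is left alone; only the IP that also appears in the EDR alert and the phishing verdict gets policy pushed.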

The firm still keeps Splunk as a way to check data long term. It isn't used in day-to-day incident response now, but they may receive a request like "Can we get all of the logins over the prior 12 months for employee ____", and that is where a SIEM is still used. They also use it as their main way of visualizing their data and producing reports; Splunk is still going to win against any XDR solution when it comes to that.

Relying on AI to better spot threats and take action

From Palo Alto:

"XSIAM unifies best-in-class functions, including EDR, XDR, SOAR, ASM, UEBA, TIP, and SIEM"

"XSIAM uses an ML-led design to integrate massive amounts of security data. It then aggregates alerts into incidents for automated analysis and triage, and to respond to most incidents automatically, enabling analysts to focus on the few threats that require human intervention"

It's clear companies are now using AI to string together threats that would normally pass a "permit" rule in a firewall, by looking deeper at the surrounding activity.

A legacy SIEM's days are indeed numbered as this technology becomes more widely adopted.
