As we already mentioned, one of the papers we are writing this quarter would be about (in part) SIEM delivered via a Software-as-a-service (SaaS) model. Let’s call it “SaaS SIEM.” If you recall, my long-time position was that such a thing didn’t really exist. As late as 2015, I mentioned this very fact. Well, it didn’t exist then, but it does exist now. Or, at least something as close to it as makes no difference…
In this post, I want to do two things:
- Discuss ONE critical strength and ONE critical weakness of SaaS SIEM
- Solicit comments from the production users of SaaS SIEM-like tools.
When I think of SIEM delivered in the form of SaaS, I see one HUGE advantage. And by HUGE, I mean HUGE. Specifically, it is the vendor’s ability to create and refine analytics on the entire body of data collected from all customers. This applies to both mundane things (tweaking parsing rules) and exciting things (machine learning algorithms need data, deep learning needs even more data, etc.). This is not achievable even in principle by a traditional on-premise “boxed” SIEM, and it is hugely valuable to the users for threat detection effectiveness. There are other advantages (ease of deployment, performance, etc.), but to me this is at the very center of the unique value of SaaS SIEM!
On the other hand, there is also one BIG negative: if you lose your network link, you lose your SIEM capability. Perhaps you are an optimist and believe that attackers will never take out your connectivity. Or maybe you are a realist and have 5 redundant connections. No matter! If you lose Internet, you lose your SaaS SIEM (note that you lose both access to the platform and the log flow, which means that when the link is restored it will take some time for the backlog of log data to flow up and become available for analysis).
Now onto my second point. Are you perhaps a current SaaS SIEM user? Apart from inviting you to rate the product you use at Gartner Peer Insights, please get in touch. We’d like to ask you questions like:
- Why did you pick SaaS SIEM vs another product/service?
- Any operational practices you follow that are different from those for a regular SIEM?
- Any other differences you observed in using SaaS SIEM vs a regular SIEM?
BTW, this is not, NOT, N-O-T about MSSP, MDR or other managed services. While many people royally confuse the issue and mix them up, we don’t! MSSP or MDR means “you rent people’s time”, SaaS means “you rent tools.” Also, this is not about hosted “single-client” SIEM, which isn’t really SaaS.
Related blog posts: