What Is “SIEM+” Or “Can We Have A Cyber Defense Platform?”

Contrary to what some “analytics” or “AI” vendors will have us believe, SIEM in 2018 is not the SIEM of our grandfathers. In 2002, when I was first initiated into the dark arts of SIEM, it was very different (it was called either SIM or SEM back in the B.C. era – that is, Before Compliance).

Indeed, SIEM has evolved! Well, to be honest, good SIEM vendors have evolved, and the shitty ones died, became zombies or remain stuck in the past (“we have 13,471 different compliance reports! we are the best!!”).

Now, here at Gartner we may or may not be working on a note defining “NG SIEM.” And, if we do, I don’t want to steal the authors’ thunder here, and … you know … reveal the score.

However, we do see SIEM technology nicely absorbing features of some related product categories, and hence evolving into an integrated “cyber” defense platform of sorts. SIEM has largely eaten the UEBA, and has been biting chunks out of SOAR as we speak by building more workflow and orchestration features. Also, SIEM has been expanding into NTA (by collecting L7 traffic metadata) and perhaps a bit into EDR (just as EDR itself has been collapsing into the maelstrom of EPP).

So, what may possibly be included in such a platform? Personally, I think some mix of these:

  • A good SIEM (for sure!)
  • A good UEBA/analytics with workable ML
  • A decent SOAR feature set for workflow and orchestration
  • Scalable backend for real-time and historical analysis (because data volumes in 2018 are way, way, way larger than in 2002)
  • Network traffic data collection and analytics (some NTA feature set)
  • Endpoint sensing and analysis (some EDR feature set)
  • Solid threat intel integration and TI-enablement throughout the platform
  • Perhaps, cloud delivery?

Anything else you’d want?

P.S. This raises a question: if SIEM really does get all of the above, what do we call it? Just SIEM? A better SIEM? An NG SIEM? Or something fancy with lots of cybers in the name?

Some of the related posts about SIEM:

*** This is a Security Bloggers Network syndicated blog from Anton Chuvakin authored by Anton Chuvakin. Read the original post at: https://blogs.gartner.com/anton-chuvakin/2018/07/06/what-is-siem-or-can-we-have-a-cyber-defense-platform/