Sid Trivedi’s Post

Partner at Foundation Capital

Is this the end of the pure-play #SIEM? On May 15th, Palo Alto Networks announced it was acquiring IBM's QRadar assets, and LogRhythm and Exabeam announced a merger. This adds to Cisco's completed acquisition of Splunk in March. Every single major SIEM outlined in this IDC chart, except Sumo Logic (which was taken private by Francisco Partners last year), is now part of a broader platform of security tooling. Clearly, the vision that the SIEM would be the central logging layer for all security telemetry and that this would result in long-term stickiness with customers no longer holds. The SIEM was a major part of the #CISO budget, and as the ability for these vendors to command high prices has reduced, customers are out looking for cheaper options for logging. But this doesn't mean that the role of the SOC analyst or the process of detecting and remediating alerts is any less important. In fact, I believe that the SIEM budget will go elsewhere - whether that's in cloud threat hunting, detection engineering, MDR automation, or something else. We have been early investors in the evolution of this category from Phantom Cyber (acquired by Splunk) to Respond Software to Anvilogic to Permiso Security to AirMDR, Inc. There is more innovation still to come and if you're a #founder working on something new, I'd love to learn where you think the SIEM budget can be reallocated.

Sid Trivedi

Partner at Foundation Capital

5mo

Wow, almost 40 comments in just over 12 hours. I really appreciate all the perspectives here, thank you!

Patrick Coughlin

Digital Resilience @ Splunk

5mo

Haven’t we seen the SIEM is dead story every year for 20 years? Possible that this time it’s different but also possible the other products around the SOC analyst consolidate into the “M” in SIEM…

Richard Stiennon

Research Analyst, Author of Security Yearbook 2024 stiennon.substack.com

5mo

There are 206 SIEM products in the IT-Harvest database. So, no. Not the end. Possibly the end of Splunk?

John Chirhart

Chief Executive Officer, GTG.Online: Next-Generation Anti-Phishing and Email Security

5mo

Do you have a chart showing the "Cost per Win" on each platform? What is the true cost and how do we measure success with these platforms? Currently, we are witnessing scenarios where $500 drones are being used to neutralize $5 million tanks. This raises an important question: Are our multi-million-dollar digital defenses actually vulnerable to simpler, cheaper threats? We see many metrics on platform consolidation, but not enough concrete success stories or "war trophies." I'm curious because anyone who thinks AI and ML alone can solve these problems has likely never paid a cloud hosting bill. These are not cheap technologies to deploy, especially for solving problems we have historically struggled with manually. Much of what is perceived as cybersecurity effectiveness is often due to the "magic curtain" of SIEMs. How do we balance the cost of advanced platforms against their actual success in defending against threats? Are these high-cost defenses genuinely secure, or are they susceptible to cheaper, innovative threats? Understanding the true financial implications of leveraging AI and ML in cybersecurity is crucial, as well as finding accurate ways to measure and demonstrate the success of these investments. How?

Alon Bender

AI Entrepreneur | Sales Engineering Professional | Collaborating to Drive Healthcare Innovation | Forbes Council Member | Advisor

5mo

Looking at CrowdStrike’s Next Gen “SIEM” and PAN’s Precision AI, there are a number of big players looking to replace the legacy SIEM approach of promising to aggregate as much data as possible but charging you for it, and to now leverage LLMs (in addition to ML and deep learning) to digest all log data at a fraction of the cost and footprint to achieve better results. The legacy approach dealt SOC teams a dilemma around which security data sets they are going to keep for their analytics in order to be able to control the cost. While making this choice, they consciously leave some log data out, which leads to missed threats. Still an evolving space, but the future is clearly Gen AI.

Augusto Barros

Building security products that fit into the real world and solve real issues | Cybersecurity evangelist, former Gartner analyst

5mo

There is a constant confusion around the value of legacy SIEM implementations vs the SIEM concept. The SIEM remains the core component of a TDIR architecture. Most alternative stories are either SIEMs in disguise or options that fit well for smaller orgs only. There is more than $3B up for grabs in the space and I don't think we can assume it will go to the platform players. Many, if not most, enterprises have concerns about vendor lock-in and want to be able to adopt a best-of-breed posture for the main pieces of technology used by their sec ops teams. The next SIEM MQ will include many of the "not a SIEM" vendors, as they want to have access to the $6B market represented by that pie chart. We'll see some creative rhetoric exercises to justify being listed as a SIEM while presenting itself as a SIEM alternative.

Joshua Neil

Low noise threat detection

5mo

At the level of technical need, access to comprehensive enterprise telemetry for analytics is required. Low FP, low FN threat detection is simply too hard without vast context. Splunk has left the door open due to their prohibitive pricing, since it's too expensive to ingest all the context needed. Until a platform can consolidate (or support access in real time to) all context necessary, call it a siem, security datalake, xdr, mesh, whatever, and do so in a cost effective manner, that door will remain open, at least from the TDR angle.

Shomiron DAS GUPTA

Engineering to solve logging and security analytics at the petabyte scale.

5mo

We love the SIEM is dead story, PANW said the same at the XDR launch party. Now they go out to acquire something they aren’t able to replace. The logs have to go somewhere, until we have a solution focussed on the data problem, solutions are only going to be of incremental value.

Chris "Cpat" Patteson 🤠

Risk Management / Cybersecurity executive enhancing resilience for institutions | Engaging leadership teams with risk quant methodologies, AI Automation and strategies for optimizing risk programs.

5mo

This assumes a traditional log storage structure; the 2nd gen is coming: DNIF HYPERCLOUD ... Shomiron DAS GUPTA, April Halden

Sanjay Sawhney

Security, Privacy and AI

5mo

When one talks about SIEM, I think it's important to make a distinction between the storage-oriented plays and the information layer players. Almost all of the traditional SIEM players have pathetic threat detection capabilities. Without that, the SIEM solutions are no more than dumps of logs & events indexed by time and fancy graphs, charts etc.
