SIEM remains an enterprise security architecture requirement

Enterprise-class cybersecurity technology vendors must offer SIEM software, security analytics, and operations capabilities or have strong SIEM partners

Enterprises are changing their cybersecurity technology procurement habits: according to ESG research, they are reducing the number of cybersecurity vendors they do business with and purchasing security products designed to integrate with one another.

Eventually, CISOs will buy more products from fewer vendors, leading to the rise of a few enterprise-class cybersecurity technology vendors that dominate the space. These vendors will offer tightly integrated cybersecurity technology architectures that span applications, host systems, networks and cloud-based assets, with capabilities for threat analysis and investigation as well as prevention, detection and response.


Of course, security analytics and operations have long been the domain of security information and event management (SIEM) software. Does this mean SIEM must be part of an enterprise-class cybersecurity technology architecture? 

To find out, ESG asked a panel of 176 cybersecurity and IT professionals working at enterprise organizations (i.e. 1,000 employees or more) the following question: How important is a SIEM as part of an enterprise-class security architecture or platform? 

It turns out 48 percent say SIEM is a very important part of an enterprise-class security architecture, while 45 percent say it is important. Furthermore, 90 percent of respondents say offering a SIEM is a requirement for any technology provider classified as a true enterprise-class cybersecurity vendor.

Here’s my take on this data:

1. The ESG research suggests that enterprise cybersecurity tactics and strategy are increasingly driven by data analytics. In other words, enterprises are collecting, processing, analyzing and responding to more and more security data from a growing diversity of sources. Given that, SIEM and/or other security analytics tools assume a starring role in a hub-and-spoke architecture: the analytics hub ingests telemetry from every spoke and pushes decisions back out to policy management and enforcement controls deployed across the network.

2. The world of cybersecurity analytics and operations is in a state of innovative flux, and ESG believes individual capabilities will come together to form an integrated security operations and analytics platform architecture (SOAPA) over the next few years. Given that trend, enterprise-class cybersecurity vendors don’t necessarily need a SIEM software offering. Instead, they need leading security analytics and operations tools, SOAPA reference architectures and strong SIEM partners.

3. SIEM functionality extends to other areas, such as threat intelligence analytics, network security analytics, EDR, UEBA, incident response automation and orchestration. Enterprise-class cybersecurity vendors will really have to play in all those areas with products of their own or with tight integration with products from ecosystem partners.

There is also tremendous innovation happening in all areas of cybersecurity analytics and operations, so look for lots of M&A activity over the next 12 to 18 months. Additionally, look for continuing integration of open source technologies such as HDFS, Spark and Elasticsearch.

4. AlienVault and LogRhythm represent very attractive acquisition targets for vendors lacking a SIEM.

5. Every technology provider vying to become an enterprise-class cybersecurity technology vendor will partner with Splunk because of its existing enterprise installed base, even those that offer a SIEM of their own.

6. IBM and McAfee each have a SIEM platform, making them well positioned to assume a role as enterprise-class cybersecurity technology vendors.

7. While SOAPA will take some time to become established in large enterprises, there is a tremendous opportunity for offering an end-to-end SOAPA portfolio (of products and services) to mid-market and small enterprise customers. Vendors such as Symantec and Trend Micro have a great opportunity here.
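Points 1 and 3 above describe the SIEM as a hub that normalizes telemetry from many spokes (network, host, EDR), correlates across them, and drives enforcement controls. The following is an added example, not code from ESG or from any vendor named in this post, of that pattern in miniature: three constructed log sources in invented formats (a key=value firewall syslog, Windows logon events as JSON, EDR detections as CSV) are parsed into one event schema, a single correlation rule (repeated logon failures, then a success from the same source, then a high-severity EDR event on that host) produces an incident, and the incident is turned into hypothetical enforcement actions. All log lines, field names and policy action names are assumptions made for the example.

```python
"""Toy hub-and-spoke security analytics pipeline (added example, constructed data)."""
import json
import re
from datetime import datetime, timedelta

# Constructed sample input from three "spokes". These are not real logs; the
# formats are assumed for the example.
FIREWALL_SYSLOG = [
    "2017-03-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2017-03-01T10:00:03Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2017-03-01T10:00:05Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=3389",
]
WINDOWS_AUTH_JSON = [
    '{"ts":"2017-03-01T10:00:10Z","host":"WS-0042","event_id":4625,"src_ip":"203.0.113.7","user":"admin"}',
    '{"ts":"2017-03-01T10:00:12Z","host":"WS-0042","event_id":4625,"src_ip":"203.0.113.7","user":"admin"}',
    '{"ts":"2017-03-01T10:00:14Z","host":"WS-0042","event_id":4625,"src_ip":"203.0.113.7","user":"admin"}',
    '{"ts":"2017-03-01T10:00:20Z","host":"WS-0042","event_id":4624,"src_ip":"203.0.113.7","user":"admin"}',
]
EDR_CSV = [
    "2017-03-01T10:00:25Z,WS-0042,process_start,powershell.exe -enc AAAA,high",
    "2017-03-01T10:30:00Z,WS-0099,process_start,notepad.exe,low",
]

FW_RE = re.compile(r"(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_firewall(line):
    """Firewall syslog (assumed key=value layout) -> normalized event."""
    m = FW_RE.match(line)
    if not m:
        raise ValueError("unparseable firewall line: " + line)
    ts, _dev, action, src, dst, dport = m.groups()
    return {"ts": _ts(ts), "source": "firewall", "src_ip": src, "host": dst,
            "action": "fw_" + action.lower(), "detail": "dport=" + dport, "severity": "low"}


def parse_windows(line):
    """Windows logon JSON -> normalized event (4625 = failure, 4624 = success)."""
    e = json.loads(line)
    action = {4625: "logon_failure", 4624: "logon_success"}.get(e["event_id"], "other")
    return {"ts": _ts(e["ts"]), "source": "windows", "src_ip": e["src_ip"], "host": e["host"],
            "action": action, "detail": "user=" + e["user"], "severity": "low"}


def parse_edr(line):
    """EDR CSV (ts,host,action,command_line,severity) -> normalized event."""
    ts, host, action, cmd, sev = line.split(",", 4)
    return {"ts": _ts(ts), "source": "edr", "src_ip": None, "host": host,
            "action": action, "detail": cmd, "severity": sev}


def ingest(fw, win, edr):
    """The hub: every spoke lands in one schema, ordered by time."""
    events = ([parse_firewall(l) for l in fw] + [parse_windows(l) for l in win]
              + [parse_edr(l) for l in edr])
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, fail_threshold=3, fail_window=timedelta(minutes=5),
              exec_window=timedelta(minutes=15)):
    """Rule: >= fail_threshold logon failures from one src_ip to one host within
    fail_window, then a logon success from that src_ip, then a high-severity EDR
    event on that host within exec_window -> one incident."""
    incidents = []
    failures = {}   # (src_ip, host) -> timestamps of recent failures
    successes = {}  # host -> (src_ip, success ts, failure count)
    for e in events:
        key = (e["src_ip"], e["host"])
        if e["action"] == "logon_failure":
            recent = [t for t in failures.get(key, []) if e["ts"] - t <= fail_window]
            failures[key] = recent + [e["ts"]]
        elif e["action"] == "logon_success":
            recent = [t for t in failures.get(key, []) if e["ts"] - t <= fail_window]
            if len(recent) >= fail_threshold:
                successes[e["host"]] = (e["src_ip"], e["ts"], len(recent))
        elif e["source"] == "edr" and e["severity"] == "high":
            hit = successes.get(e["host"])
            if hit and e["ts"] - hit[1] <= exec_window:
                src_ip, _, n = hit
                # Enrichment from the network spoke: prior denies from the same source.
                fw_denies = sum(1 for x in events
                                if x["action"] == "fw_deny" and x["src_ip"] == src_ip)
                incidents.append({"rule": "bruteforce_then_execution", "host": e["host"],
                                  "src_ip": src_ip, "failed_logons": n,
                                  "fw_denies": fw_denies, "evidence": e["detail"]})
    return incidents


def enforcement_actions(incidents):
    """Enforcement spoke: incidents -> control changes (hypothetical action names)."""
    actions = []
    for i in incidents:
        actions.append(("firewall", "block_src", i["src_ip"]))
        actions.append(("edr", "isolate_host", i["host"]))
    return actions


def run(fw=FIREWALL_SYSLOG, win=WINDOWS_AUTH_JSON, edr=EDR_CSV):
    incidents = correlate(ingest(fw, win, edr))
    return incidents, enforcement_actions(incidents)


if __name__ == "__main__":
    incidents, actions = run()
    for i in incidents:
        print("INCIDENT", i)
    for a in actions:
        print("ACTION", a)
```

On the sample data the rule fires once (three failures, a success, then a high-severity PowerShell detection on WS-0042 within the window) and yields two enforcement actions; drop one failure from the Windows input and nothing fires, which is the point of a threshold-and-sequence rule rather than matching on any single source. A real SIEM adds persistent state, time-window eviction and parsers for each vendor's actual format, but the shape of the pipeline is the same.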

No one will coronate anyone as an enterprise-class cybersecurity technology vendor just because they offer a SIEM or work with leading SIEM providers. Rather, each and every vendor will have to earn this position with best-of-breed products, tight SOAPA integration, strong services, and a commitment to hold customers' hands during this transition. This effort will separate those truly committed to enterprise-class cybersecurity technology from those still slinging products and marketing rhetoric.
