SECNOLOGY and the bright value of cloud SIEM & SOAR

Secnology blog cloud SIEM SOAR

The value of SIEM has been questioned for years; cloud-native SIEM removes many of the reasons behind that doubt.

SIEM and SOAR can now add substantial value to a security program, and SECNOLOGY's own product direction confirms this trend.

The SIEM market is a US$5 billion market with a double-digit annual growth rate. And yet we continue to see recurring questions and discussions about the role, future and value of SIEM + SOAR. Why?

There are many reasons, including:

The central role of SIEM in the SOC: SIEM is typically the foundation of a security operations center and plays a critical role in its work. Because it is involved in almost every SOC process, it is natural that it is constantly evaluated and discussed.

Cost and budget pressure: SIEM is not cheap. It generally takes up a large share of the security budget. Organizations will keep trying to reduce that share as part of their cost optimization efforts, while vendors of other technologies will keep promoting their products as alternatives that can be funded from the existing SIEM budget.

Operational work needed: SIEM is definitely not a "set it and forget it" tool. This is not a shortcoming per se, as other technologies such as EDR also need people to deliver value. But concern about how much effort a SIEM program requires is a continual driver of discussions about improving or even replacing the technology.

A multiplicity of experiences: SIEM has been around for a good twenty years. Many practitioners have been through several deployments, some successful, some less so. Many people hold strong opinions about SIEMs based on those experiences, which are often not representative of what a SIEM can deliver today.

Progress in other technologies and in the overall technology landscape:

As other technologies evolve, it is inevitable that they influence the purpose of SIEM. After UEBA and SOAR, it is now happening with XDR. The technology environments in which these tools operate also keep changing: large SAN storage systems emerged, virtualization became ubiquitous, and big data spread like wildfire. Each of these changes affects the security tools we use to protect IT environments. Some increased the volume of data to be collected and processed, while others were used to build SIEM itself and make it more flexible and efficient.

Nothing is more relevant to these conversations than cloud SIEM. Not just a SIEM that is "hosted" in the cloud, but a cloud-native offering. Why? Simply because SIEM vendors can now influence whether a deployment succeeds. Didn't they control the success of their own offering before? Not really, as the next points show.

For a legacy SIEM vendor, it is very hard to guarantee that a customer will get all the benefits the product has to offer. First, the customer may underestimate the capacity required for their environment. They end up with a slow product, overloaded with data, having to add servers, memory and storage, or even abandon the deployment and redesign the whole solution before getting any benefit from it. Countless SIEM deployments have died before delivering any ROI.

But there is more to it than that. Customers can get the sizing right and still miscalculate the effort required to make it work. They estimate how many people will use the SIEM, but forget that a traditional SIEM needs people not only to use it but also to run it. Experts end up spending their time operating servers, applying patches (to the OS, the middleware and the SIEM software itself), troubleshooting log collection issues and making sure storage does not exceed its limits, instead of focusing on what the SIEM should actually do for them. The system is up and running, but it adds no value.

This shows how much the vendor depends on the customer to deliver value. And even when customers get everything right, other challenges arise. Traditional software allows a wide variety of deployments: customers run different versions on different hardware and architectures. How can a vendor distribute SIEM content (parsers, rules, machine learning models, etc.) that works consistently across all of them? It simply cannot.

Given these factors, offering a legacy SIEM solution is akin to the myth of Sisyphus. Even if the vendor tries hard to provide value, the solution too often fails to meet the customer's objectives. Delivered as traditional software, SIEM seemed destined to fail.

How does cloud SIEM change that?

First, many of the challenges of SIEM deployment are connected to problems that the SaaS model solves or mitigates outright. Cloud services are highly scalable and elastic, and the SaaS model greatly reduces the need to maintain the application and its underlying components. The SIEM can grow with your needs without a large team of experts to keep it running, so you can concentrate on using it well.

Second, SaaS SIEM gives customers a highly standardized deployment. Since most customers run the same version and capacity is no longer a constraint, it is much easier to distribute content that works for everyone. That makes a big difference in value. And there is more: in this model, vendors can finally realize the benefits of "crowd wisdom". For example, it becomes easier and more efficient to develop more complex ML models for threat detection, because vendors have access to more data to train and tune them. Even basic IOC match detections can be issued and distributed to all customers promptly, so SIEM vendors can ensure that new threats seen in the wild are detected everywhere.

Finally, delivering software as SaaS lets developers adopt more agile practices. Upgrading traditional SIEM deployments is so complicated that vendors naturally fall back on linear development practices, resulting in large releases with long gaps between them. A SaaS SIEM can adopt agile development and CI/CD practices, so new features are delivered promptly and defects are fixed quickly.

The latest version and features of SECNOLOGY Next-Gen SIEM and SOAR are a good example of how cloud SIEM can drive value creation. It may seem odd to talk about agile, small releases while announcing a large release like this one. The contradiction is only apparent: a large part of this SECNOLOGY SIEM + SOAR release is architectural work to enable faster, smaller releases and to reduce SIEM + SOAR evaluation time.

The new CMS provides a channel to distribute new content and updates quickly, independently of the software version. Together with improvements to the analysis sandbox, this lets customers apply agile methods to their own content, following the Detection Development Life Cycle.
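The two preceding points (distributing IOC match detections to all customers, and shipping content independently of the software version) both rest on one design idea: the detection engine is content-agnostic, and a versioned content pack carries the indicators and rules. The example below is added here to illustrate that idea and is not SECNOLOGY code; the key=value log format, the field names, the content-pack layout and the log lines are all constructed for the example.

```python
"""Content-agnostic IOC matching engine with a versioned content pack.
Added example, not SECNOLOGY code; format, field names and data are assumed."""
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Constructed key=value log lines (an assumed format for this example).
SAMPLE_LOGS: List[str] = [
    "ts=2024-05-01T10:00:01Z host=web01 src=10.0.0.5 dst=203.0.113.10 action=connect",
    "ts=2024-05-01T10:00:02Z host=dns01 src=10.0.0.7 domain=EVIL.example. action=query",
    "ts=2024-05-01T10:00:03Z host=web02 src=10.0.0.9 dst=198.51.100.20 action=connect",
    "ts=2024-05-01T10:00:04Z host=ws17 user=alice sha256=" + "0F" * 32 + " action=exec",
    "ts=2024-05-01T10:00:05Z host=proxy01 src=10.0.0.3 dst=not-an-ip action=error",
]

# Versioned content pack: IOC sets plus the rules that bind them to log fields.
# Only this structure changes when new indicators are published; the engine does not.
CONTENT_V1: Dict = {
    "version": "2024.05.01-1",
    "ioc": {
        "ip": {"203.0.113.10"},
        "domain": {"evil.example"},
        "sha256": {"0f" * 32},
    },
    "rules": [
        {"id": "IOC-DST-IP", "field": "dst", "ioc_type": "ip", "severity": "high"},
        {"id": "IOC-DOMAIN", "field": "domain", "ioc_type": "domain", "severity": "high"},
        {"id": "IOC-FILE-HASH", "field": "sha256", "ioc_type": "sha256", "severity": "critical"},
    ],
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def normalize(ioc_type: str, value: str) -> Optional[str]:
    """Canonicalize a field value so IOC lookups are exact-match.
    Returns None when the value cannot be of that IOC type (e.g. a non-IP in an IP field)."""
    if ioc_type == "ip":
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    if ioc_type == "domain":
        return value.lower().rstrip(".")
    if ioc_type == "sha256":
        v = value.lower()
        return v if re.fullmatch(r"[0-9a-f]{64}", v) else None
    return None


def run_content(content: Dict, lines: List[str]) -> List[Dict]:
    """Apply every rule of a content pack to every line. The engine knows nothing
    about specific indicators; it only knows how to bind rules to fields."""
    findings: List[Dict] = []
    for n, line in enumerate(lines, start=1):
        event = parse_line(line)
        for rule in content["rules"]:
            raw = event.get(rule["field"])
            if raw is None:
                continue
            key = normalize(rule["ioc_type"], raw)
            if key is not None and key in content["ioc"][rule["ioc_type"]]:
                findings.append({
                    "line": n, "rule": rule["id"], "severity": rule["severity"],
                    "indicator": key, "content_version": content["version"],
                })
    return findings


def update_content(content: Dict, new_version: str, new_iocs: Dict[str, Set[str]]) -> Dict:
    """Build a new content pack with extra indicators, leaving the old pack and the engine untouched."""
    merged = {t: set(s) | new_iocs.get(t, set()) for t, s in content["ioc"].items()}
    return {"version": new_version, "ioc": merged, "rules": list(content["rules"])}


if __name__ == "__main__":
    # A new indicator arrives: publish content 2024.05.01-2, re-run the same engine.
    v2 = update_content(CONTENT_V1, "2024.05.01-2", {"ip": {"198.51.100.20"}})
    for finding in run_content(v2, SAMPLE_LOGS):
        print(finding)
```

Each finding records the content version that produced it, which is what makes a content channel separate from the software release auditable: an analyst can tell whether a detection came from the engine upgrade or from the day's indicator drop. Normalization (case folding, trailing dots, hash case) sits in the engine because it is format knowledge, not threat knowledge.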

Some new features (such as a new ingestion framework and an activity monitor) are also designed to make the "SIEM operations" side easier for customers to manage. With a legacy SIEM, adoption of such features is typically very slow because it requires a complicated upgrade; sometimes, out of fear that the migration will be painful, they are never adopted at all.

SECNOLOGY SIEM + SOAR :

SECNOLOGY integrates SIM, SEM and SOAR into a single solution. It provides real-time or on-demand analysis of security alerts generated by network equipment, security devices and applications. As with many product categories, evolving needs continue to shape what SIEM + SOAR means in practice. With SECNOLOGY, there is no need to add a big data platform such as Hadoop to gain storage capacity or analytical flexibility on top of the SIEM functions.

For more information on SECNOLOGY please visit this link : www.secnology.com
Or contact us directly using the contact form.
