Over the last several months, multiple security information and event management (SIEM) platforms have either merged or been acquired. LogRhythm merged with Exabeam, Palo Alto Networks acquired IBM’s QRadar portfolio, and Cisco acquired Splunk. 

To talk about why this is happening and what it all means, Chas Clawson, field CTO at Sumo Logic, joined the most recent episode of the ITOps Times podcast, Get With IT. Here is an edited and abridged version of that conversation:

David Rubinstein, editor-in-chief of ITOps Times: Why is this happening? And why are we seeing this now? And what does it mean, for SIEM in general?

Chas Clawson: I think the market has been kind of primed for this for a while. As you mentioned, the Cisco acquisition of Splunk was the first domino to tip. I think there’s a lot of driving forces behind it. 

First, I would say, vendors are really realizing that there’s value in data. SIEM has probably been one of the long-standing solutions that has been focused on telemetry collection, and now we’re in a position where we can extract intelligence out of this mountain of data better than ever before. So as you look across the landscape, what better move to make than acquire a company that has been specializing in that data collection? 

And so Cisco paid a premium for Splunk, as everyone knows. Palo Alto wants in on the game. LogRhythm and Exabeam merging together, I think they’re hoping that that will be kind of a forces-combined story, where they have the data, and now they can layer on that, you know, UEBA artificial intelligence for advanced detection. 

And I think the other side of the coin is consolidation. Customers are really overwhelmed with tool sprawl. To be honest, there’s just so many tools. And it makes sense to have that platform play. I want one throat to choke, I want technologies that I know integrate. So that’s the other side of the story. It doesn’t always work out as nicely as they might claim, but at least it sounds good, right?

DR: That’s always a key consideration for organizations when you need to have separate solutions for security and then metrics and then are trying to integrate them all. And then you’re getting layers on top of layers on top of layers to try to make sense out of all of it, and it can certainly be overwhelming. So that seems to be a move that’s in a good direction. So, of course, I would be remiss not to talk about AI, because quite frankly, that’s what everyone’s talking about, as you know. So how is that going to change the whole SIEM market and what it looks like and what the capabilities are going to become?

CC: So that’s really where it gets interesting. We released a paper not too long ago, kind of dividing the story of SIEM into generations. And we’re claiming that we’re really now entering the fifth generation of SIEM technology. And that’s where the advancements of generative AI are really coming to bear. 

And if you wind the clock back a little bit, the fourth generation was more about doing things at scale, right? The power of microservices and cloud-based architectures allowed for data ingest and collection and storage like never before. But that didn’t really move the needle in a lot of ways. Because, yes, you can collect data, you can store it at cloud scale, but now that you bring AI into the picture, you get the ability to use machines to just comb through mountains of data, and extract intelligence and insights out of the data. 

It’s always been like SIEM is a necessary evil, and for those of us that have been in the space, now we’re really excited that oh my gosh, the dream of SIEM might finally come true. And I think that’s exactly what we’re seeing. 

DR: When you’re talking about AI, it’s all about trust. I mean, everybody’s saying you have to be able to trust the outputs. And we talk about hallucinations and things that are just flat out wrong, but that AI insists are correct. So how is that going to affect getting that single source of truth and knowing that you can trust what is there?

CC: I think we’re all learning as we’re going. It reminds me of the early days of cloud where you innovate as fast as possible, and then things kind of stabilized. And then you realize the risks and you course correct where needed. AI for sure is in its infancy. But at the same time, you know, anybody that’s serious about cybersecurity cannot afford to, you know, not invest in it heavily. 

And I would say the value can be broken down into two areas, specifically, and that’s detection and response. On the detection side, you leverage AI so that your detections become higher fidelity. We’ve always been grappling with that signal-to-noise problem, where there are just too many false positives. And that’s largely been solved through user and entity behavior analytics, that UEBA-style approach where every user has a baseline, and we know what’s normal. And we know what’s the outlier. And AI is certainly going to improve that dramatically. And so I would expect to see the detection side of the house get a huge boost from artificial intelligence. 

And then on the response side, it’s really been a boon to the analysts, right? Because they can now take all of these signals, these events of interest, and contextualize them, and then ask AI, like, what does this mean? Tell me how an analyst would investigate this. What are some searches and some queries that I might run against this dataset? And because AI essentially has as part of its data store all of the queries out there, all of the different techniques for adversaries, etc., it’s leveling up the analysts now where they’re coming in, even if they’re a tier one analyst that’s newer, they can lean heavily on this kind of copilot technology and say, help me investigate this. And so because you’re now injecting AI into the detection and into the response, I think the scale on both sides is just really leveling up. 

DR: Well, will that lead to perhaps not needing to collect logs and go through log reports, if you can detect with AI almost automatically and remediate almost automatically? I mean, is there still going to be a role for some of the ways that we’ve always gone about detecting events and finding the source and all of that? 

CC: I think so. I mean, ultimately, you have to have the data, because that’s really what AI is doing: it’s the ability to parse and look through data at scale. If all of your software and applications and everything are not sending that digital exhaust somewhere for either, you know, old-school detections or newer AI-based detections, then you’re already behind the eight ball, you’re already struggling to do root cause analysis, because the data is not there, right? If you don’t collect it, it’s gone. And so I think that single source of truth still has to be established. And what we’re doing now is just putting icing and cherries on top of all the data that we’ve had, we just haven’t really known what to do with it.
