As cloud adoption accelerates, traditional SIEM vendors will find their market opportunity steadily declining.
SIEM vendors will fade in importance because they target large enterprises that take a do-it-yourself approach to security and IT infrastructure management. They have built their products on monolithic architectures, striving to be the master aggregators of all security data for enterprise Security Operations Center (SOC) organizations, and they design for traditional enterprise use cases and traditional IT infrastructure paradigms. As enterprise and SMB computing is increasingly distributed across on-premises, IaaS and SaaS environments, businesses are choosing in growing numbers to concede at least partial control over security to their service providers, and their incident response model becomes distributed as well. In other words, as IT infrastructure moves to the cloud, the traditional SOC model is going away. That will drag traditional SIEM products, built to be master aggregators of all security data, into obscurity with it.
Next-gen service providers are building their capabilities around a model in which security responsibility is distributed and shared. Turnkey IaaS solutions include managed security services in addition to management of the IT infrastructure stack. As we discussed recently, this development has dire implications for traditional MSSP vendors. Likewise, the most successful security software vendors of the future will fit into the IaaS paradigm of distributed and shared control over infrastructure security. In this model, the IaaS provider takes the lead in securing the hosted environment, and the enterprise becomes a consumer of security information and an audit point. Measured against this paradigm, SIEM vendors face gaps on three fronts: target customers, target use cases, and product architecture. IaaS providers want security software that is natively multi-tenant, built for rapid provisioning (which means SaaS), and designed for consumption by IT generalists rather than dedicated SOC analysts.
Recently, SIEM vendors have tried to compensate for their architectural misalignment with the cloud by introducing so-called virtual appliances. This maneuver misses the point. As Misha Govshteyn explains in his commentary on a recent debate about the future of MSSPs, cloud service providers want to embed managed security services into their network fabric in a way that scales up to their largest customers and down to their smallest ones. A virtual appliance is still a single-tenant product packaged as a VM image; it does not solve that problem. The solution lies in a natively multi-tenant architecture reaching from the appliance all the way through the back-end storage and processing services. Products from today's leading SIEM vendors don't meet this standard.
Can SIEM vendors re-architect their products for the cloud? Possibly, but transitions like that have historically been tough. The advantage goes to companies like Alert Logic who have built their products from the ground up to be deployed in multi-tenant IaaS networks.
Can IaaS providers convert monolithic SIEM products into multi-tenant MSSP solutions through their own integration and software development? Several have tried, and in every case the result has been an inflexible solution that achieves very limited multi-tenancy and ends up useful only for the largest customers at the highest tier of SIEM pricing. In other words, "No."
While nobody believes in-house IT or enterprise SOCs will completely disappear, we do believe the default option will increasingly be the cloud, putting pressure on SIEM vendors and creating opportunity for multi-tenant Security SaaS providers.