Why isn’t “Just SIEM” Enough?

There’s a legacy connotation attached to SIEM that has led to vendors advertising themselves as some iteration of a next-generation solution. But is it necessary? I’ve been struggling to find solutions that would be classified as “legacy SIEM”—that is, SIEM without some sort of automation, response, or anomaly detection capabilities or modules.

It makes sense for SIEM to house all these capabilities. What doesn’t make sense is this unsynchronized attempt at differentiating today’s solutions from those of 2015.

Let’s have a quick look at what SIEM solutions get called today:

  • Fusion SIEM
  • Next-gen SIEM
  • Evolved SIEM
  • Unified defense SIEM
  • Cloud-native SaaS SIEM
  • “Not a SIEM” SIEM (aka, unified security operations platform)

So, is this a problem? Different takes on product names is nothing new, but in this case, it creates a lot of confusion in the market. First, these names don’t inherently mean anything. Sure, some offer indications, like “cloud-native SaaS SIEM platform,” but generally speaking, there is no objective difference between a next-gen SIEM and an evolved SIEM.

Second, there are multiple permutations of modules that are different from vendor to vendor. One might offer SIEM + SOAR + UEBA, while another may offer a SIEM + ASM + XDR. While it’s great to have more comprehensive security products, you may not need or want the additional modules.

“Not a SIEM” SIEM solutions add another layer of confusion, as these products do everything a SIEM solution does, but they won’t show up when you Google “best SIEM solution 2024.” Another challenge is proving to regulators for compliance purposes that although what you use for SIEM is called a SOC platform, it is a SIEM solution.

So yes, I do think that adding adjectives before the word “SIEM” is a futile exercise that creates more confusion instead of differentiating a product. But there’s more.

SIEM and Security Operations

When evaluating solutions, it’s important to decide whether you need a “just SIEM” or a unified tool for automating your security operations center. I believe that we should keep SIEM as a standalone term that predominantly focuses on doing what it says on the tin—information and event management.

SIEM itself can be part of a wider security operations platform alongside technologies such as XDR, SOAR, UEBA, and ASM. However, for the same reasons provided above, we shouldn’t keep calling these converged solutions “SIEM.”

For this reason, I have adjusted the security operations reports I’ve been working on, namely the SIEM Radar and autonomous SOC Radar. SIEM focuses on evaluating tools’ capabilities with respect to information management. We’re still including additional aspects such as automation and analysis, but they remain focused on the main scope rather than branching out to full UEBA or SOAR capabilities.

Autonomous SOC, on the other hand, is now a more standalone approach compared to its previous SIEM + SOAR scope. It evaluates the capabilities required by a security operations center to manage and automate its daily activities. There is less focus on compliance and more on response, orchestration, and user monitoring.

Next Steps

To learn more, take a look at GigaOm’s SIEM Key Criteria and Radar reports. These reports provide a comprehensive overview of the market, outline the criteria you’ll want to consider in a purchase decision, and evaluate how a number of vendors perform against those decision criteria.

If you’re not yet a GigaOm subscriber, you can access the research using a free trial.