Security information and event management (SIEM) systems have evolved quite a bit over the past 19 years. There have been quite a few shifts throughout that evolution, with different vendors, use cases and functionalities dancing in and out of the frame.

In simple terms, SIEM’s evolution started from a simple tool designed to help organizations achieve and maintain compliance, and spun into a complex threat-detection system that allows security operations center (SOC) analysts to respond to incidents more quickly and effectively.

SIEM has exploded into a $2.5 billion market, dominated by major players such as Splunk, IBM, LogRhythm and AT&T (AlienVault), according to CSO.

In technology, evolution is a good thing, right? Generally, yes; however, it’s said by some that SIEM has gotten a little too big for its britches. Trying to take on too much.

One of the reasons SIEM software for security operations is getting so much attention nowadays is because of its new, added capabilities.

EMA’s Paula Musich

“Now a lot of SEIM technologies bring in threat-intelligence feeds in addition to traditional log data, and there are multiple SIEM products that have security-analytics capabilities that look at network behavior as well as user behavior to give more intelligence around whether an activity indicates malicious activity,” explained Paula Musich, research director at Enterprise Management Associates (EMA).

Technology research firm Gartner is all about this. In its May 2017 report on the worldwide SIEM market, Gartner calls out the stellar SIEM tools, saying “innovation in the SIEM market is moving at an exciting pace to create a better threat detection tool.”

This is all well and good, but as SIEM scaled, organizations understandably began to need more and more hardware tiers to keep up with this added performance and scale. This has led to a situation where SOC personnel have to throw all of their focus and energy at activities such as threat detection and incident response, and forensic investigations are dependent upon SIEM infrastructure teams to upgrade hardware, load balance servers and add storage capacity.

Goodbye On-Premises Servers, Hello Public Cloud

This year, it is predicted the security analytics/operations technology model will start to undergo a sizeable shift — it’s about to get a bit cloudy. Over the next few years, experts say that the SIEM backend will migrate from on-premises servers to public cloud infrastructure.

This transition to cloud-based alternatives already has begun, spurred by shifts on the supply-and-demand side of things. CISOs and MSPs will likely go after cloud-based SIEM solutions because of the following reasons, as outlined by CSO:

For CISOs and providers, cloud-based SIEM can …

… help conquer all of these issues.

Kroenke’s Bryan Becker

“Like many other businesses that are rapidly moving to the cloud, and considering the massive growth of data in the enterprise (especially security data), folks are trying to gain visibility and functionality for a knowable cost,” said Bryan Becker, vice president, information security at Kroenke Sports & Entertainment.  “We know as security leaders that security is turning into a big-data problem in which organizations need all of their security data, telemetry and logs in one place with the ability to analyze that data with modern tools. Opex subscription services … are highly appealing.”

As for the supply side, vendors and cloud service providers are getting in on the action as well. Hungry for blossoming market opportunities, they will likely help push cloud-based SIEM into the market.

This is a phenomenon that shows no sign of slowing down, and it’s either get on board or be left behind.

“In my humble opinion, the writing is on the wall — security analytics/operations is a big-data application, and big-data applications are moving to the cloud,” said Jon Oltsik of analyst firm ESG. “CISOs who still distrust the public cloud must face this fact. They will either figure out how to peacefully coexist with cloud-based cybersecurity analytics/operations or be left in the dust.”