Forecasts of SIEM Death Premature - Just Ask Cisco, SplunkCisco's Planned $28B Purchase of Splunk Shows XDR and SIEM Can Run Side by Side
It turns out SIEM isn't on life support after all.
Cisco is providing 28 billion reasons to believe enterprises aren't scrapping the security operations center staple anytime soon. Rivals with other types of security technology have attempted to write SIEM's obituary for years. In December 2022, Palo Alto Networks CEO Nikesh Arora said, "I feel very strongly that the category of SIEM needs to be eliminated and replaced" (see: Palo Alto CEO: 'SIEM Needs to Be Eliminated and Replaced').
Secureworks' Ryan Alban told Information Security Media Group in August 2022 that XDR uses advanced techniques to pinpoint threats in high volumes of data, while SIEM lacks the horsepower or analytics to spot the signal. And SentinelOne's Nicholas Warner said SIEMs suffer from not taking action on alerts and relying on third parties for the data layer, putting the vendors' technology road map at risk.
Despite all the skepticism, SIEM looks like it's here to stay. Cisco's willingness to shell out $28 billion to buy one of the godfathers of SIEM indicates that businesses don't plan to rip out existing SIEM deployments and replace them with XDR. That's because SIEM offers more flexibility around analytics, dashboards and reports while turnkey deployment options for XDR result in less flexibility, said Gartner's Mitchell Schneider (see: Cisco to Bring XDR, SIEM Together With $28B Splunk Purchase).
"We still see SIEM being purchased to be the center of the security operations center," Schneider told ISMG on Thursday. "We typically will see XDR purchased to augment the SIEM. We don't see it the other way around. We don't see XDR displacing SIEM. We see it as more of an augmenter or contributor and to complement existing SIEM or SOAR capabilities."
'SIEM and XDR Will Be Alongside One Another for Some Time'
Splunk's 2004 founding made it part of the first wave of SIEM vendors, and the company quickly found itself competing against the likes of LogRhythm - established in 2003 - as well as QRadar, which was bought by IBM in October 2011, according to Schneider. Then in the early 2010s, a stand-alone user and entity behavior analytics market emerged, led by red-hot startups Exabeam and Securonix, he said.
As the 2010s progressed, Schneider said, the UEBA and SIEM markets began converging. UEBA offered SIEM staples such as log management while SIEM developed UEBA features of its own. Then in 2019, Microsoft entered the SIEM market with its cloud-native Azure Sentinel offering. Despite having no experience working with SIEM buyers, Microsoft crushed the market in execution ability last year (see: Microsoft, IBM, Splunk Dominate SIEM Gartner Magic Quadrant).
"SIEM and XDR will be alongside one another for some time, where they're used for different types of buyers and customers, Schneider said. "Mature customers that have the resources and require a bit more flexibility in how they do operations might gravitate toward a SIEM. Organizations that don't have as many investments in security technology - let alone resources - might find XDR more appealing."
Once Cisco's purchase of Splunk closes in summer 2024, the joint company will offer both Splunk's SIEM - which Gartner has named a leader in the space for nine years running - as well as Cisco's XDR, which became generally available to customers just last month. Schneider expects Cisco will use Splunk's staff, resources and expertise on the technical and sales side since Cisco has little exposure to SIEM buyers (see: Cisco's New XDR Tool Emphasizes Robust Telemetry Correlation).
Risks Around 'Overlapping Solutions and Limited Integration'
One key question is whether Cisco plans to keeps the Splunk business separate for an extended period of time following close, which Schneider said is fairly common in large acquisitions such as this one. Existing Splunk customers should closely monitor whether Cisco plans to change the licensing, packaging and procurement of Splunk technology or if it will adjust the road map for security capabilities and functions.
Schneider said Cisco certainly could have acquired SIEM, UEBA and even SOAR capabilities for far less than $28 billion. But Splunk's ability to bring security operations and IT observability together on a single platform made it stand apart from others in the space, according to Schneider.
Cisco will turn its attention to ensuring it captures the anticipated technology synergies while minimizing client disruption. Digesting acquisitions has been tough for Cisco, which this year debuted a common design language across its network and security tools so they no longer look or feel different from one another. Future products acquired by Cisco are supposed to be incorporated into the design system (see: Jeetu Patel on Having a Consistent Design at Cisco Security).
"From what I've seen, inorganic acquisition delivers the technology but often can lead to overlapping solutions and limited integration within and across product lines," Schneider said. "That can result in customer confusion as well as suboptimal management and operation of solutions. But of course, that's not with all acquisitions."