Traditionally, security information and event management vendors have charged companies based on how much data they collect.
Companies on limited budgets have to figure out which log data they absolutely have to have in their SIEM systems and leave the rest out. It's as if Microsoft Excel charged by the spreadsheet.
Annual costs can run from tens of thousands to over $100,000.
According to Research and Markets, SIEMs and related technologies were a $5.3 billion market in 2018, and the market is expected to grow at a compound annual growth rate of 19.7 percent – to $12.9 billion by 2023. SIEMs are the fastest-growing segment of the market, the analyst company said.
But high costs of robust threat intelligence services are a barrier to adoption, the company said. Next-gen SIEM vendors have been attacking the incumbents, offering simpler, per-user pricing models.
Companies still have to pay the storage costs for the logs they collect, but storage is getting cheaper all the time, and vendors that offer these new pricing models, such as LogRhythm, LogPoint, and Exabeam have been gaining ground.
The new pricing models, as well as cloud delivery and the AI-powered analytics available with next-gen SIEMs, are bringing the capabilities of enterprise-level security to companies that haven’t traditionally had access to these technologies, said Alex Heid, chief research officer at SecurityScorecard.
But, he warned, customers need to be careful and become familiar with all aspects of the technology before they make the switch. "Security data is now in the cloud," he said, "which expands the third-party risk and dependency map."
As evidence that the move is happening, Gartner has been including more next-gen vendors in its magic quadrant for security information and event management, including Exabeam.
Exabeam last week announced a $75 million investment round specifically to help accelerate its efforts to displace the incumbents. According to the company, 75 percent of its replacement deals eliminated legacy vendors, such as IBM, McAfee, and RSA.
The next-gen vendors also typically offer their products via cloud or SaaS delivery models, making them appealing to smaller companies, and to those with cloud or hybrid data centers.
"Companies can have more insight because they can hold more data," Exabeam chief marketing officer Tim Matthews told us. "We charge based on the organization size. The incumbents largely charge by the byte. But what you want for better security is to store as much as you can." The by-the-byte pricing model hurts companies, he said.
The next-gen SIEMs offer another advantage: they're built from the ground up to take advantage of big data, machine learning, and other cutting-edge technologies.
"If you look at the current market, most of the incumbent players have been in the market for 10 or 15 years," Matthews said. "These products were developed pre-big data and before the recent revolution in machine learning. So, they can't scale, and they don't actually use machine learning to help you make decisions."
Instead, he said, they depend on security analysts who create queries against databases to find out what's going on. "But it's such a vast amount of data that humans just can't make sense of it anymore," he said.
There is also a lack of trained personnel to do this. According to a survey released this month by AT&T Cybersecurity, 40 percent of companies say that the lack of skilled and trained staff is their biggest hurdle to operating their SIEM effectively.
That is also helping the move toward next-gen SIEM delivery models, such as SaaS SIEMs, as well as co-managed SIEMs and service-based models, said Gartner analyst Anton Chuvakin.
In addition, according to Gartner, SIEM and machine learning-powered user and entity behavior analytics (UEBA) are converging into a single technology.
With machine learning and artificial intelligence, the system can automatically spot anomalies and deliver results to the security analyst in the form of actionable alerts, said Darien Kindlund, VP of technology at Insight Engines. As a result, the amount of data traditional cybersecurity analysts must sift through is dramatically smaller.
According to a March report from the CyberEdge Group, a cybersecurity research firm, more than 90 percent of IT security organizations have already invested in machine learning or AI technologies – and more than 80 percent are seeing a difference.
However, the analytics systems aren't perfect yet, said Kindlund. Security teams use user behavior analytics to prioritize the alerts, then access the raw data in the SIEM in order to validate them.
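The prioritize-then-validate loop Kindlund describes, shown as an added illustration that is not code from Exabeam, Insight Engines or any other vendor named in this article: each user's activity is compared against that user's own earlier days (the per-entity baseline at the heart of UEBA), deviations are turned into a ranked alert queue, and the raw SIEM events behind an alert are pulled back so an analyst can check it. The login-event format, the users and hosts, the "distinct hosts reached per day" feature, and the threshold values are all constructed for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed activity table (not real logs): user -> date -> hosts logged into that day.
# The days before the scored day form each user's baseline.
ACTIVITY = {
    # alice normally reaches two or three hosts a day, then fans out to six
    "alice": {
        "2019-05-01": ["fileserver-1", "mail-1"],
        "2019-05-02": ["fileserver-1", "mail-1", "wiki-1"],
        "2019-05-03": ["fileserver-1", "mail-1"],
        "2019-05-04": ["fileserver-1", "mail-1", "db-1", "db-2", "hr-1", "build-1"],
    },
    # bob is an administrator: six or seven hosts a day is his normal
    "bob": {
        "2019-05-01": ["web-1", "web-2", "db-1", "db-2", "mail-1", "build-1"],
        "2019-05-02": ["web-1", "web-2", "db-1", "db-2", "mail-1", "build-1", "wiki-1"],
        "2019-05-03": ["web-1", "web-2", "db-1", "db-2", "mail-1", "build-1"],
        "2019-05-04": ["web-1", "web-2", "db-1", "db-2", "mail-1", "build-1", "hr-1"],
    },
    # carol only ever uses mail, plus the wiki on the scored day
    "carol": {
        "2019-05-01": ["mail-1"],
        "2019-05-02": ["mail-1"],
        "2019-05-03": ["mail-1"],
        "2019-05-04": ["mail-1", "wiki-1"],
    },
}

# Flattened raw events as a SIEM would store them: "<date> <user> <destination-host>".
RAW_EVENTS = [f"{day} {user} {host}"
              for user, days in ACTIVITY.items()
              for day, hosts in days.items()
              for host in hosts]

MIN_SIGMA = 1.0         # floor on baseline spread so perfectly regular users don't alert on +1 host
ALERT_THRESHOLD = 3.0   # z-score at which a deviation becomes an analyst-facing alert


def parse_events(lines):
    """Parse each raw line into a (date, user, host) tuple."""
    return [tuple(line.split()) for line in lines]


def distinct_hosts_per_day(events):
    """Build {user: {date: number of distinct hosts reached}} from parsed events."""
    hosts = defaultdict(lambda: defaultdict(set))
    for date, user, host in events:
        hosts[user][date].add(host)
    return {u: {d: len(h) for d, h in days.items()} for u, days in hosts.items()}


def score_day(lines, day):
    """Score every user's activity on `day` against that user's own earlier days.

    Returns one entry per user, sorted by descending z-score, so the caller can
    see how far the anomalies stand out from the rest of the population.
    """
    counts = distinct_hosts_per_day(parse_events(lines))
    alerts = []
    for user, days in counts.items():
        history = [n for d, n in days.items() if d < day]   # ISO dates compare lexically
        if not history:
            continue   # no baseline yet: nothing to compare against
        observed = days.get(day, 0)
        baseline = mean(history)
        sigma = max(pstdev(history), MIN_SIGMA)
        alerts.append({
            "user": user,
            "day": day,
            "observed": observed,
            "baseline": round(baseline, 2),
            "score": round((observed - baseline) / sigma, 2),
        })
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


def prioritize(alerts, threshold=ALERT_THRESHOLD):
    """Keep only the alerts that clear the threshold; this is the analyst's queue."""
    return [a for a in alerts if a["score"] >= threshold]


def raw_events_for(lines, user, day):
    """Pull the raw events behind an alert so the analyst can validate it."""
    return [line for line in lines if line.split()[:2] == [day, user]]


if __name__ == "__main__":
    ranked = score_day(RAW_EVENTS, "2019-05-04")
    for alert in ranked:
        print(alert)
    for alert in prioritize(ranked):
        print(f"\nvalidate {alert['user']} on {alert['day']}:")
        for line in raw_events_for(RAW_EVENTS, alert["user"], alert["day"]):
            print("  ", line)
```

Two points the article makes show up directly in the output. Because the baseline is per entity, bob's seven hosts score near zero while alice's six hosts score well above the threshold, which is the prioritization step. And carol's extra host is a mild deviation that never reaches the queue, yet whether alice's fan-out is an incident or a new project assignment is something the score cannot tell you; that is why the analyst still goes back to the raw events held in the SIEM, and why being able to keep all of them matters.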