24 April 2025

SIEM Migration Trends

SIEM, Splunk

The Market Churn

It will not have escaped anyone’s notice that there is currently significant churn in the SIEM market, with organisations moving from one SIEM product to another more and more frequently. We are often asked by customers about the process and effort involved in migrating from one to another. All too frequently, when we delve deeper into that conversation, we end up asking the customer to take a step back.

When we probe why the customer wants to migrate, common themes such as cost, management effort and value come up. On deeper questioning it is often the case that organisations have not defined these as well as they could.

Getting Clear on your Rationale for Migrating

More and more we find customers looking to move on the grounds of cost, without having a clear view of value. Before embarking on a SIEM migration it is worth gaining a clear understanding of the value you seek from the platform and how that value will be measured. All too frequently a product-first, utility-second mentality is taken, both when implementing SIEM platforms and when considering migration. When the headline cost of an alternative product looks lower, customers feel compelled to switch. However, an informed decision can only be made with a thorough understanding of some of the platform fundamentals. Examples of the areas that should be investigated include:

  • Understanding your data. Many of the clients we work with come to us facing serious issues with their data. They are eager to use observability or monitoring tools, but they often don’t understand the basics: where their data comes from, how it is structured, or why that matters. This lack of clarity makes it hard to work out what data, or subset of data, is relevant to their threat detection approach. We explored this in a previous blog here.

  • Understanding your risk and threat. Having the data is one thing, but it is imperative to have a clear view of your business risk, the threats associated with it, and how your chosen, or mandated, frameworks relate to that risk. Understanding your threat landscape is key to determining which data is relevant, and the volume of data ingested is a key driver of platform cost. Putting data into the platform and not fully using it is a sure way to drive the cost up.

  • Evolving a set of clear use cases and illustrating risk and framework coverage. With a clear view of risk and threat, a definitive set of detective use cases can be created, with a clear mapping between risks, threats and use cases. This exercise is a key step in showing senior stakeholders the link from threat coverage, through data onboarding, to cost, and in providing the all-important evidence-based view of what the investment in the platform provides in terms of coverage against risk or compliance requirements. Just as importantly, it shows what is not covered.

  • Understanding data pipelining and retention requirements fully. With the above defined, customers can think more clearly about data management strategies: what data needs to go where, and when; where it needs to be retained, what for, and for how long. Not every source needs the same treatment, and grappling with these questions helps customers determine data pipelining and retention strategies that ensure the SIEM platform is used properly rather than bloated unnecessarily, for example with incorrectly provisioned storage.

  • Managing your users. An incorrectly managed user base is a driver of cost on SIEM platforms. It is important to be clear on who needs what access, what for and when, and on who is able to onboard, or authorise the onboarding of, new data sources, create new searches or write new apps. If this is not managed properly it leads not only to increased platform cost but also to increased overhead in platform management and maintenance, as functionality is added without a proper change process. The result is the perception of a difficult-to-manage, expensive platform.
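The risk, use-case and retention points above boil down to one mapping exercise: which use cases can actually run on the data that is onboarded, which risks and framework techniques therefore have no live detection, and how much of the daily ingest is feeding nothing yet. The script below is an added worked example of that mapping, not code from the original post or any product. Every use case, data source, ingest volume, retention period and technique ID in it is constructed for illustration; the approach is generic and does not depend on a particular SIEM.

```python
"""Use-case to data-source to framework coverage mapping for a SIEM catalogue.

Added worked example, not code from the original post. All names, use cases,
ingest volumes and retention periods below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class UseCase:
    name: str
    risk: str                # business risk the detection addresses
    technique: str           # framework reference, e.g. an ATT&CK technique ID
    sources: frozenset       # data sources the search depends on
    retention_days: int      # how far back analysts must be able to search


@dataclass
class Coverage:
    enabled: list = field(default_factory=list)              # use cases that can run today
    blocked: dict = field(default_factory=dict)              # use case -> sources still missing
    uncovered: list = field(default_factory=list)            # (risk, technique) with no live detection
    retention_by_source: dict = field(default_factory=dict)  # source -> longest retention required
    pending_gb_per_day: dict = field(default_factory=dict)   # ingested, only feeds blocked use cases
    orphaned_gb_per_day: dict = field(default_factory=dict)  # ingested, referenced by no use case


# Constructed sample catalogue (hypothetical use cases and source names).
USE_CASES = [
    UseCase("Brute-force logon", "Account takeover", "T1110",
            frozenset({"windows_security"}), 90),
    UseCase("Anomalous cloud admin API call", "Cloud account misuse", "T1078.004",
            frozenset({"cloudtrail", "idp_signin"}), 180),
    UseCase("Web shell drop", "External compromise", "T1505.003",
            frozenset({"web_access", "edr_file_events"}), 30),
]

# Constructed sample of what is onboarded today, with ingest in GB/day.
ONBOARDED_GB_PER_DAY = {
    "windows_security": 40.0,
    "cloudtrail": 12.5,
    "web_access": 25.0,
    "netflow": 80.0,   # onboarded, but no use case above depends on it
}


def map_coverage(use_cases, onboarded):
    """Work out which use cases are live, what is missing for the rest,
    what retention each live source needs, and which ingest is idle."""
    cov = Coverage()
    onboarded_set = set(onboarded)
    live_sources, referenced_sources = set(), set()
    for uc in use_cases:
        referenced_sources |= uc.sources
        missing = sorted(uc.sources - onboarded_set)
        if missing:
            cov.blocked[uc.name] = missing
            continue
        cov.enabled.append(uc.name)
        live_sources |= uc.sources
        # Retention per source is set by the longest-looking live use case on it.
        for src in uc.sources:
            cov.retention_by_source[src] = max(
                cov.retention_by_source.get(src, 0), uc.retention_days)
    cov.uncovered = sorted({(uc.risk, uc.technique)
                            for uc in use_cases if uc.name in cov.blocked})
    # Onboarded data that no live use case consumes is cost without coverage;
    # split it into "waiting on another source" and "nothing asks for it".
    for src, gb in onboarded.items():
        if src in live_sources:
            continue
        if src in referenced_sources:
            cov.pending_gb_per_day[src] = gb
        else:
            cov.orphaned_gb_per_day[src] = gb
    return cov


def idle_ingest_share(cov, onboarded):
    """Fraction of daily ingest feeding no live detection: the figure to put
    in front of stakeholders before calling the platform expensive."""
    idle = sum(cov.pending_gb_per_day.values()) + sum(cov.orphaned_gb_per_day.values())
    total = sum(onboarded.values())
    return idle / total if total else 0.0


if __name__ == "__main__":
    cov = map_coverage(USE_CASES, ONBOARDED_GB_PER_DAY)
    print("live use cases:      ", cov.enabled)
    print("blocked (missing):   ", cov.blocked)
    print("uncovered risks:     ", cov.uncovered)
    print("retention per source:", cov.retention_by_source)
    print("pending ingest GB/d: ", cov.pending_gb_per_day)
    print("orphaned ingest GB/d:", cov.orphaned_gb_per_day)
    print(f"idle ingest share:    {idle_ingest_share(cov, ONBOARDED_GB_PER_DAY):.0%}")
```

On the constructed sample, only one of three use cases is live, two risks have no detection at all, and roughly three quarters of daily ingest feeds nothing: the netflow feed is referenced by no use case, while the cloud and web logs are paid for but idle until the identity and EDR sources they are paired with are onboarded. That is the evidence-based picture the mapping exercise is meant to produce, and it is the same figure to check before concluding that a platform is "too expensive" rather than under-used.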

Summary – Understand what you need

By clearly defining the platform requirements, a sensible decision can be made as to which platform is the right one, and which will offer the greatest value to the business at a justifiable price. Understanding the above gives customers the information to decide whether a platform really is expensive, or whether its use simply needs to be optimised with a greater focus on the value it delivers.

In summary, before deciding that the grass is greener on the other side, it is a worthwhile endeavour to understand the requirements of your SIEM platform and ensure that a clear description of the value it will bring can be articulated. Only then can you accurately evaluate whether to stick or twist with your current platform.
