The Monster Named Platformization

When I started specializing in SIEM systems as a consultant less than ten years ago, there were a few authoritative SIEM products on the market, operated on their own servers by the large organizations that used them:

  • Splunk Enterprise (or Enterprise Security)
  • ArcSight
  • IBM QRadar

Other solutions existed as well; among them, Elastic’s full-fledged SIEM solution (an add-on module for the Elastic or ELK stack) was just emerging at that time.

Since then, an astonishing amount has happened in this market. In my perception, the three most important products are now the following:

  • Microsoft Sentinel
  • Splunk Cloud
  • Google SecOps (formerly Chronicle)

The first trend that becomes clear is the migration of SIEM systems to the “Cloud”. The other is the disappearance of independent players in the market. Splunk was acquired by Cisco, and Microsoft has gained a huge market share with its product within a few years. QRadar was sold off to Palo Alto and axed; ArcSight is outdated, has been sold twice and is practically dead. Google, as a latecomer, is still struggling for traction, at least here in Germany, but is catching up. Why AWS appears here at best as a host for the competing product Sumo Logic is beyond my knowledge - the security market may simply be a lower priority for them. Be that as it may - the shift towards SaaS solutions in the SIEM area is not surprising. Since the volume of logs to be collected in companies reliably moves in only one direction over time, namely upwards, systems installed in one’s own network usually reach their limits at some point, which manifests itself in extremely slow searches and similar inconveniences. The budget for a technical upgrade is then difficult to obtain, and the company’s own SIEM becomes practically useless. Cloud providers offer to scale the systems automatically. They then become more expensive, but with a bit of luck they continue to function even during extreme volume peaks.

The second trend that currently concerns me is “Platformization” in this area. This sounds diffuse at first and requires an explanation of what I mean by it. For a good two years, I have been working with Google SecOps in my main job. To break into the SIEM area, Google not only threw a self-developed SIEM into the ring (originally known as “Malachite”) but linked it with an acquired SOAR (Security Orchestration, Automation, and Response) with built-in Case Management (similar to a ticket system). As the name suggests, the product does not want to be a SIEM system but a complete Security Operations Platform. The only component still missing is an Endpoint Detection & Response (EDR) solution of its own making. Microsoft shows similar ambitions and actually does offer such an EDR solution.

Here we come to the central crux of the matter and the fact with which I am absolutely uncomfortable. Even the shift to SaaS solutions has distorted competition in the SIEM area. Splunk, Elastic, Palo Alto, and other competitors of Microsoft and Google also offer cloud products, but in some cases they host them on the hyperscalers’ infrastructure, for example Google’s. In addition, Microsoft and Google can offer their products to customers below the price that third parties have to charge for their competing products - after all, such a competitor has to pay more for cloud resources from Microsoft and Google than those two pay themselves. Since almost all modern security products contain some cloud components, Microsoft and Google can extend this tactic to a whole range of security products by building such security platforms, and thereby systematically and gradually oust all competitors that do not belong to the same order of magnitude.

Perhaps this insight is not new, perhaps not even worth these lines. GAFAM (Google, Apple, Facebook, Amazon, and Microsoft) are, in their sheer financial power, able to seize almost any market they deem lucrative. What they don’t buy, they can displace. I suppose I just find it very interesting to observe this so concretely in my own work. What do I do with this insight? Do I stop working with Microsoft Sentinel or Google SecOps? Do I try to push open-source alternatives like Wazuh? Is there even a point? Honestly, I don’t know. It would certainly be nice if I could find a way for myself not to contribute to concentrating another market on the same two or three US corporations.