Not All TDIR Tools are Created Equal — The Emerging Generation of SIEMs

A couple of months back, I wrote about traditional SIEMs not being adequate threat detection, investigation, and response (TDIR) tools for our new world, and about how that forced the marketplace to adapt, creating a vacuum that two types of TDIR tools have moved to fill: 1) XDRs and 2) emerging SIEMs. After several posts on XDR tools (mainly open XDRs) and another post on the differences between SIEM and open XDR, today I’ll spend some time describing a few differences between several generations of SIEMs.

Not all SIEMs are created equal. SIEMs from 2005 have little to do with the SIEMs of today (Gartner subscription required). This is like talking about “computing devices” and putting both the 1943 ENIAC and the most recently released iPhone in the same basket. Yes, they both compute, but we’re not really talking about the same thing. One would fill a whole room and require an army of people to operate; the other one fits in your pocket and is a massively efficient and adored device.

SIEMs have gone through a similar transformational journey across approximately three generations, with each having some unique defining characteristics. Let’s look at some of these differentiators in more detail.

SIEMs have evolved a lot since their inception more than 15 years ago, and I think it’s important to point out the differences and articulate some of the nuances between these different generations of tools, especially in this crowded market.

Your turn — have you observed the SIEM tools to follow this journey?

Cybersecurity expert and Chief Strategy Officer at Exabeam. Former Gartner analyst driving SIEM and SOC research and builder of the Splunk security ecosystem.