High stakes in security analytics as strategic disruptors heat up a mature market

October 22 2019
by Scott Crawford


With the fall conference season well underway, three events in particular stand out for their potential impact on security analytics, and markets such as security information and event management (SIEM). Each highlights the new nature of competition – and disruption – in these fields. Splunk will go first, hosting the 2019 edition of .conf, its annual event for Splunk users and partners in Las Vegas. A couple of weeks later, Microsoft will stage its Ignite conference in Orlando to highlight its innovations for the enterprise. In early December, attention returns to Vegas with Amazon and AWS re:Invent, which has become an event as significant for its impact on security as on the world of IT as a whole.

The 451 Take

In recent months, we have observed a phenomenon that has characterized the forces shaping the security market as never before. It is, as we have noted throughout the year, perhaps best described by Clayton Christensen as 'the innovator's dilemma': When faced with disruptive new influences, should an established business gamble on the future, but at the cost of under-investing in past success? Or should it risk missing out on emerging opportunity by doubling down on current strengths?

Few areas pose such a dilemma for security incumbents as analytics and information management – and the change agent is the cloud. With highly responsive compute and the potential to reveal evidence that might otherwise become lost in enormous amounts of data, cloud technologies make it more difficult for adversaries to hide in the noise than ever before. As major players in both cloud and key markets in security analytics ramp up for their Q4 2019 conferences, we expect that disruption to appear in force and further shake up security's status quo.

Mature, but ripe for disruption

SIEM was one of the first markets in security analytics, which originally arose to deal with the plethora of log entries and alerts generated by a growing ecosystem of technologies to monitor and defend IT against attacks. Pioneers such as ArcSight, now part of the Micro Focus portfolio, defined a category that brought new order to this chaos and became an anchor for security operations. The extent to which SIEM has defined security operations is evident in the many customers that remain loyal to an investment that continues to serve these priorities, as revealed in recent 451 Research survey findings:

Figure 1
Figure 1: Most important information security tools 451 Research's Information Security, Organizational Dynamics 2019

But SIEM had its limitations. Scale and performance were among the difficulties taken on by the likes of NitroSecurity, which was acquired by McAfee in 2011 and became the foundation of McAfee's SIEM play. Interoperability, meanwhile, presented another challenge. Many SIEM products could only integrate with supported technologies through defined specifications or interfaces developed by vendors in each case. With the rise of Splunk, organizations were given a tool to adapt log and event data to their own purposes, with a flexible language for ingesting and correlating data to yield actionable results. This flexibility became particularly amenable to security, which is not only a highly fragmented market made up of hundreds of vendors and tools, but is also in constant flux, as intelligent adversaries continually challenge defenses.

This adaptability, however, requires experts in SIEM to invest in its ongoing optimization and adaptation to new realities. Others emerged to make these demands more manageable through a more straightforward approach. Among these was Q1Labs, whose QRadar was originally predicated on techniques such as NetFlow to reveal anomalies in network activity that identify security events. IBM acquired Q1Labs in 2011, and QRadar has been a centerpiece of IBM's substantial security business ever since.

Since then, other technologies have emerged that both align with SIEM and challenge its dominance in security operations. User and entity behavior analytics (UEBA), for example, provides what has often been a 'missing link' in SIEM data: activity correlated to the identities, accounts and privileges of people as well as assets that can have an identity, which provides the context often needed to highlight issues such as account takeover or privilege abuse – context not always evident from infrastructure monitoring alone. Established SIEM players have taken on UEBA, both organically and through acquisition (Splunk picked up Caspida for this purpose in 2015), while pure plays such as Exabeam now target SIEM directly.

Hyperscaler disruption

This year, the stakes in SIEM and related fields of security analytics escalated noticeably with moves from a source of disruption affecting virtually all of IT: cloud's hyperscalers. Granted, it may be a stretch to say that these disruptions directly challenge SIEM per se. Among the moves hyperscalers have made this year, few likely signify a direct contention to assume the central role in enterprise security operations that current SIEM incumbents enjoy – but at least one of them did. Regardless, the sheer fact that these players are making moves in areas of security information management and analytics has current leaders concerned, to say the least, and enterprises intrigued and waiting to see what's next.

Two of these initial moves took place at the 2019 RSA Conference. There, Microsoft announced Azure Sentinel as a 'reimagined,' cloud-native approach to SIEM (and did not hesitate to call it SIEM from the outset). Reinforcing the threat beyond cloud that Microsoft poses to its competitors are its substantial (to say the least) presence at the endpoint, in office productivity applications, and in development – hugely augmented by its 2018 acquisition of GitHub (more about open source shortly) – not to mention its investment in security up to now.

Also at RSA, Chronicle, the security initiative born out of Google parent Alphabet and its X 'moonshot' factory, introduced its first commercial product, Backstory – an introduction followed by the announcement in June that Chronicle had joined Google Cloud. Chronicle had become the home of Virus Total and its extensive inventory of malware information. Backstory aligned this data with analytics and highly elastic storage that gives organizations the potential to analyze large volumes of security telemetry over long time frames.

Amazon Web Services, meanwhile, has made its own announcements related to security and operational management. Amazon Web Services has offered logging through AWS CloudTrail since 2013, and in 2018 acquired threat analytics player Sqrrl. AWS re:Invent 2018 was particularly busy for security, with announcements such as Amazon CloudWatch Insights for log analytics, and previews of offerings including AWS Control Tower, which helps to define a secure AWS environment, and AWS Security Hub to centralize the management of security alerts and compliance status across a customer's AWS assets. The general availability of both AWS Control Tower and AWS Security Hub were announced in June at the company's inaugural conference devoted to security, AWS re:Inforce.

The potential that hyperscalers have for disrupting SIEM and security analytics is not lost on incumbents. Cloud providers can command compute and storage at scale and in highly elastic implementations that can make security analytics more immediate while significantly expanding their time horizon. The distribution of cost for these capabilities across thousands of subscribers also has the potential to make security data management and analytics more accessible to a wider scope of customers. At the high end of the market, hyperscalers have the ability to place more sophisticated analytics, machine learning and (to the extent it's real) artificial intelligence at the disposal of the most mature security organizations.

Cloud represents yet another disruptive force in its ability to give providers a hosted model for their offerings. SIEM 'as a service' was characterized early by competitors such as Sumo Logic, while incumbents have adopted similar models to give their customers the advantages of SaaS and hosted alternatives.

Far-reaching influence

Cloud providers don't just influence this market through their own offerings, however. Few are the contenders in security analytics that don't leverage the power of cloud to deliver insight and performance at scale. Many of today's most-touted security technologies depend heavily on concepts such as machine learning to power their functionality. Though in some cases, that power may derive more from the 'sizzle' of marketing, any substance it may have is directly attributable in many cases to the scale and performance that only cloud technologies can deliver. This is evident well beyond SIEM, in initiatives such as network visibility, detection and response to the capabilities embedded in areas from modern endpoint security to threat intelligence and beyond. Branded efforts include Palo Alto Networks' Cortex initiative, and with the acquisition of Red Hat, IBM can now count OpenShift along with its AI investments among the resources that could play a role in its future security efforts.

Coupled with analytics and elastic storage is the ability that cloud providers enable to execute automation at scale. We have seen a number of acquisitions aligning security analytics players with technologies from security automation and orchestration (SAO) to breach and attack simulation (BAS) – or 'security instrumentation' as it is called more generically by some. IBM, Microsoft and Splunk were early to embrace SAO with the acquisitions of Resilient Systems, Hexadite and Phantom, respectively, while Palo Alto Networks recently picked up Demisto, and FireEye gained Verodin for 'security instrumentation.'

Added to these is the impact of trends such as open source adoption. Elastic, for example, is a vendor that has benefited directly from trends in flexible security data management, as well as open source and cloud capability. The 'ELK' stack of Elasticsearch, Logstash and Kibana has for some years now been an open source alternative for SIEM, and in response to its adoption, Elastic recently announced its own supported SIEM offering. Elastic has further augmented its approach with Elastic Beats for data aggregation and movement, and the recent acquisition of Endgame that gives Elastic a play at the endpoint.

As we head into the fall conference season, these are the dynamics that we expect to influence security analytics and information management throughout the fourth quarter, beginning with Splunk .conf2019 and extending through Microsoft Ignite and AWS re:Invent. These disruptors will influence the course of security analytics in more markets than SIEM because they give organizations greater power to see and act more quickly and effectively on evidence than ever before.