Is this the end of SIEM?
The LogRhythm-Exabeam merger and QRadar sale show a changing landscape
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I’m finally getting around to talking about the flurry of cybersecurity M&A activity. Today, I’m going to focus on the LogRhythm-Exabeam merger and the QRadar acquisition. I know a lot of analyses have been done on individual transactions, but I think that’s less interesting than what it means for the broader SIEM and security analytics market.
What is SIEM?
SIEM stands for security information and event management. There are many “philosophies” around this, but fundamentally it’s the aggregation and analysis of security-relevant logs. LogRhythm, Exabeam, and QRadar (owned by IBM) offered SIEM products.
SIEM has always been the cornerstone of security operations. It is one place where security could go and get a sense of what was going on in the organization as well as write rules to detect and respond to incidents. In fact, it is not only a central data source but also a source of analytics and intelligence for security (if done properly). This is somewhat impressive given that security people traditionally don’t have the best data skills, and it was created before the modern data stack.
The market for this is large. Having an effective SIEM is a sign of a mature security organization although this view has been shifting recently. It sometimes took years, tons of processes, and a team of analysts to reach this. An effective SIEM gave great visibility into the organization and allowed for more coordinated incident detection and response.
What’s complicated about the SIEM market?
Given the large investment, security organizations expect a lot out of a SIEM. First, a SIEM is only as good as the data in it. The SIEM has to have all the core integrations so that security can ingest the data from the proper applications. (Fun fact: this is why most enterprise applications have audit logs and APIs.) It has to be easy enough to use so that security can do it themselves without bothering or asking for support from the application owner’s team. Second, the data itself is useless. Of course, there’s some value to being an aggregator or orchestrator. However, the most important part is the analysis and intelligence. As a result, SIEMs created new markets like SOAR, UEBA, etc. to analyze and more effectively use the data. Splunk and others provided some of these applications and intelligence as part of the product. Honestly, I believe the applications that security needs are relatively simple, so many of those markets have fused into the SIEM budget and died over time. For example, UEBA was initially a separate category focused on user behavior but became part of the broader security analytics market and eventually became an expected feature of SIEMs.
The key insight is that almost all security organizations need at most one SIEM. It is a large investment, which makes the product sticky. As a result, there’s also a huge switching cost. SIEM companies have to battle for that budget, and there is an enormous amount of pressure to differentiate and deliver value both to attract new customers and convince them to switch and acquire new customers.
With all that said, a newcomer/startup would requires a large amount of effort and capital to compete against the existing players. Of course, there are GTM wedges that a startup can do, such as focusing on mid-market and having more cost-effective solutions there. It seems that’s what LogRhythm and Exabeam tried to do, and IBM tried to sell QRadar as part of the broader IBM security offering.
What changed the SIEM market?
Anton Chuvakin regularly posts on Twitter X about various security trends with a focus on security analytics tools, such as SIEM, EDR, etc. The thread has a series of interesting replies, including the following:
Here, he refers to Tool Q as QRadar, Tool L as LogRhythm, and Tool E as Exabeam. I don’t agree with Anton here. I do think they have been dead for a while, and an improving public market allowed an environment for these transactions to happen. In my mind, the Splunk acquisition by Cisco showed exactly how tough the market was in general given that Splunk was/is the leading player.
So what happened to the SIEM market? My opinion is that two major factors drove a market change: the cloud/SaaS and MDR. Of course, there are other factors, but I do think we can ultimately draw a line back to this. I also think that MDR was a direct result of the movement to the cloud/SaaS.
The rise of cloud and SaaS adoption in companies changed the relationship between the company and software. Before SaaS, deploying and maintaining software was a burden. However, SaaS not only made this easier but also shifted how software should be owned in an organization. IT traditionally owned and managed software, but with SaaS, an organization or business unit could own it themselves because it no longer required any technical expertise or buy-in from the IT team. As a result, it created a shift in thinking for executives. Why build or maintain software that’s not strategic to the company? In other words, it’s cheaper and less effort to “outsource” this, and it leads to faster deployment.
Security is always behind trends, and it’s been given a free pass for too long. Going forward, executive teams will demand more metrics and efficiency. These acquisitions represent a start to this new accountability, which I described in my 2024 predictions.
With this in mind, especially with security becoming more engineering-focused, SIEMs have always been an expensive endeavor, and it’s very reasonable for security teams to wonder if they need a SIEM at all. As described above, an effective SIEM requires substantial resources to build. Also, with the SaaS application owning the infrastructure, the expectation is that the application has security capabilities to protect its infrastructure.
On top of that, managed detection and response (MDR) products like Expel have gained traction in the market. It’s quick to spin up detection and response capabilities without going through the costly process of building a SIEM and the team to staff it. Integration with an MDR tends to be fast, and results appear quickly. With this option, it’s hard to justify building your own detection and response program.
Moreover, most companies tend to use similar SaaS applications, and as more people use MDRs, the MDR has more intelligence on potential anomalies, similar to how EDR became more effective with Crowdstrike’s analytics strategy. This means it’s unclear whether having an in-house SIEM is actually an advantage as MDRs will likely have just as much and if not more context than an in-house team, especially for the high-risk applications, such as AWS, Okta, Auth0, etc.
Therefore, it’s not uncommon to see cloud-first startups mature and never have a SIEM. To me, security itself is evolving. Security organizations aren’t just relying on security products to provide visibility and then delegate the detection and response capabilities to the SIEM. Security teams are expecting each security product to provide some intelligence to do detection and response. We see this with the acquisition of Gem Security by Wiz to provide cloud detection and response. In fact, the QRadar acquisition by Palo Alto Networks shows this also. Moreover, the trend of XDR from endpoint security companies also represents an extension of a traditional alerting product to one that is more detection focused.
Overall, security organizations are rethinking the purpose of a SIEM and questioning its efficacy. The overall decline in the SIEM is a result of multiple factors, but primarily, it’s security teams rethinking how they want to do security operations. Specifically, do we need a centralized detection and response function/product? It seems with companies managing less infrastructure, there’s less of a strategic advantage to having an in-house and centralized detection and response capability. A managed product seems better — a less resource-intensive way to get much of the capabilities of a SIEM-based security operations. Especially, in a risk-based security mindset, MDRs (and other capabilities) reduce risk faster and more efficiently. Moreover, this can be augmented with increased detection and response features from existing security products.
Takeaway
These M&A activities in the SIEM space show an overall decline in the market. Companies are shifting how they do security operations. With less infrastructure and more focus on cloud/SaaS products, companies are finding that it’s more effective and efficient not to have SIEMs and are looking for other ways to detect and respond to security issues. I think this is beneficial for the security industry — we need to rethink and adapt the way we do security operations, especially with technology stacks evolving so quickly.