Which SIEM Should I Study?
- Sep 27
- 4 min read

What SIEM Should I Study
Throughout my career, most of my focus has been on SIEM. I was an analyst, and then I became a SIEM Engineer for many years. I have spent time with Splunk, Sentinel, IBM QRadar, Fortinet's FortiSIEM, LogRhythm, and Elastic Stack, and I evaluated Exabeam as a proof of concept. So I am no stranger to SIEMs. This is "Which SIEM Should I Study?"

The evolution of SIEMs has been quite trial-and-error in my anecdotal experience. It started as a simple log collector with a language for searching that data, and the SIEM was born when vendors added the ability for alarms to fire when logs matched a given criterion. Then there was a split: platforms like LogRhythm kept search and retrieval simple and didn't really have a 'query language', so to speak. It was a point-and-click type of thing, and I am not really sure why that didn't take off; instead, the space was dominated by SIEMs with technically complex query languages like Splunk's SPL or Microsoft Sentinel's KQL. I don't know that it was any better than, say, LogRhythm's point and click, and the learning curve is much harder. Nevertheless, they prevailed.

Then there was a need to better document analysts' findings, so vendors began baking case management into their platforms. That is largely defunct today because it's done in Security Orchestration, Automation and Response (SOAR) tools. We will come back to that.

Then the early days of AI came, which I swore would never lead to anything, and boy was I wrong. It led to the generative AI we use today. Early on, when a SIEM product said it used Machine Learning, it meant something like baselining your sets of logs, determining what is normal, setting off alarms for any anomalies, and creating a feedback loop where it asks you whether it was right or not. It was absolute sh*t. Then deep learning began, and that was the early days of determining whether something was malicious or not.

The only thing it actually did was suppress alerts for companies that didn't care much about security, or couldn't afford to care (which is also a thing). I was one of the first security experts to train a cybersecurity model. I worked for a company called OpenText and I learned a lot from my CISO, and for most of the time in that role it was great, but like almost all jobs, eventually something isn't going to work out.

So today there are these tools called SOAR tools, and their aim is to automate tasks. I worked with Splunk Phantom and XSOAR, and instead of analysts working entirely out of SIEMs, they began working out of SOAR tools and only visiting the SIEM when they needed to. It's much like a human approving or denying decisions that were automatically made by the SOAR tool. Does it reduce human labor? Absolutely. But the early days of SOAR tools were a lot like trading cybersecurity analysts for software developers, and these tools required massive amounts of maintenance when things broke, so at the end of the day they didn't really fulfill the promise to reduce human labor costs. There is only one way they could save money, and that is by silencing alarms, which companies could have done in the first place.

I went to a LogRhythm conference in Vail, Colorado, one time, and spent a good portion of the time sick from altitude sickness, but it was extremely beautiful. They moved the conference to a lower altitude in the years after. I did like LogRhythm a lot.
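To make the two mechanisms above concrete, here is an added example (not code from the original post, and not any vendor's implementation) of the "baseline the logs, alarm on anomalies, ask the analyst whether it was right" loop described for early SIEM machine learning, with the SOAR-style human approve/deny step wired into the feedback. The log format, the user names and the login counts are all constructed for the example; the one design point worth noticing is that only analyst-rejected alerts are folded back into the baseline, because learning from confirmed-malicious activity would teach the baseliner that the attack is normal.

```python
"""Toy per-entity baseliner with analyst feedback (constructed example)."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log format, an assumption for this example rather than any product's:
# 2024-03-01T08:00:00Z sshd: Accepted password for alice from 10.0.0.5
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ sshd: Accepted \w+ for (?P<user>\w+) from [\d.]+$"
)
DAYS = [f"2024-03-{d:02d}" for d in range(1, 7)]


def make_logs():
    """Build constructed sample logs: alice is steady, bob spikes on the last day."""
    per_day = {"alice": [3, 4, 3, 5, 4, 4], "bob": [2, 2, 3, 2, 2, 12]}
    lines = []
    for user, counts in per_day.items():
        for day, n in zip(DAYS, counts):
            for i in range(n):
                lines.append(f"{day}T08:{i:02d}:00Z sshd: Accepted password for {user} from 10.0.0.5")
    return lines


def daily_counts(lines):
    """Return {user: {day: successful-login count}}; lines that do not parse are skipped."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[m["user"]][m["day"]] += 1
    return counts


class Baseliner:
    """Per-entity baseline of a daily count, z-score alerting, analyst feedback."""

    def __init__(self, sigma=3.0, min_std=1.0):
        self.sigma = sigma
        self.min_std = min_std      # floor: a perfectly flat history must not alert on +1
        self.baseline = {}          # user -> list of historical daily counts

    def train(self, counts, days):
        """Record each user's daily count over the training window (missing day = 0)."""
        for user, by_day in counts.items():
            self.baseline[user] = [by_day.get(d, 0) for d in days]

    def score(self, user, value):
        """z-score of `value` against the user's history, or None if the user has no baseline."""
        hist = self.baseline.get(user)
        if not hist:
            return None
        sd = max(pstdev(hist), self.min_std)
        return (value - mean(hist)) / sd

    def evaluate(self, counts, day):
        """One alert per user whose count for `day` is anomalous, or who has no baseline at all."""
        alerts = []
        for user, by_day in counts.items():
            value = by_day.get(day, 0)
            z = self.score(user, value)
            if z is None or z > self.sigma:
                alerts.append({"user": user, "day": day, "value": value, "z": z})
        return alerts

    def feedback(self, alert, true_positive):
        """The 'was it right?' step. Only analyst-rejected alerts are learned from:
        folding confirmed-malicious counts into the baseline would make the attack 'normal'."""
        if not true_positive:
            self.baseline.setdefault(alert["user"], []).append(alert["value"])


def run_demo():
    """Train on the first five days, evaluate the sixth, apply one simulated analyst decision."""
    counts = daily_counts(make_logs())
    b = Baseliner()
    b.train(counts, DAYS[:5])
    before = b.evaluate(counts, DAYS[5])
    # Simulated human approve/deny, as an analyst would do from a SOAR queue:
    # the analyst decides bob's twelve logins were benign (a false positive).
    analyst_verdict = {"bob": False}
    for a in before:
        b.feedback(a, analyst_verdict.get(a["user"], True))
    after = b.evaluate(counts, DAYS[5])
    return {"before_feedback": before, "after_feedback": after}


if __name__ == "__main__":
    for stage, alerts in run_demo().items():
        print(stage, [(a["user"], a["value"], None if a["z"] is None else round(a["z"], 2)) for a in alerts])
```

Running it alerts on bob's spike once (z of 9.8 against a flat history of 2 or 3 logins a day), and after the analyst marks it benign the same day no longer alerts, because the rejected value is now part of bob's baseline. That is exactly the suppression effect the post describes: one "not malicious" click widens the variance enough that a repeat of the same behaviour stays quiet, so the feedback loop is only as good as the analyst's verdicts.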
I went to a Splunk conference once in Orlando, FL, and it was informative. These conferences are largely about indoctrination: companies want you to love the tool they spend millions of dollars a year on, so that you become an expert and essentially train yourselves.

I worked with Fortinet's FortiSIEM. While it is not the best, Fortinet has some of the very best people in the world, and there is a lot to be said for being stuck with good people. So, some comments on the quadrant.
I started using Sentinel from the very beginning, and although I never took the time to become a KQL expert, my queries, while inefficient, always got the job done. In fact, I architected our lab here at Cyber NOW in Azure. I have been preaching that Sentinel will dominate this space since I studied the Microsoft architecture diagrams several years ago while working as a Cyber Advisor for our clients at an MSSP. Not because it is superior to Splunk, but because its integration with EVERYTHING makes things simple. Simplicity is a significant factor when it comes to uptime and labor efficiency. For instance, with the Microsoft ecosystem, when a company issues a new laptop, all they need to do is enter a product key, and it automatically joins that company's infrastructure. It really is that easy; it's baked into every computer, and there's a lot of money saved in that simplicity. The bill for Microsoft Security can be pricey, but it's offset by that simplicity, as I mentioned. Both Splunk and Microsoft have free training, so do both to maximize your competitiveness.
Gartner Magic Quadrant is the leading research that ranks products and services. Companies have to pay millions of dollars to be evaluated each year, and it's common that they then get demoted.