SIEM-Apocalypse: Protecting Your Security Team in a Time of Turmoil

As I wrote a couple of weeks ago, it is evident that the long-anticipated consolidation of security products and vendors is well underway. With significant market players Exabeam and LogRyhthm merging, Splunk now officially under the umbrella of Cisco, and Palo Alto Networks scooping up IBM QRadar SIEM Cloud business, the market momentum for consolidation is no longer a ripple but a Tsunami.

While these vendors take strategic steps for the sake of their shareholders, their customers must deal with the unwanted stress of an uncertain future. Granted, the most significant and strategic customers get special attention from the companies involved in these mergers and acquisitions. However, the remaining customers are left in limbo, waiting for communications from their sales representatives on their ultimate fate.

If you are among the customers caught up in this SIEM apocalypse, now is the time to ensure your security team remains effective during this market turmoil. Here are a few steps you can start taking today to protect your team and take control of your future.

Demand Attention

When news broke about these mergers and acquisitions, customers flooded these vendors’ customer support lines for more information. I am sure the support teams have standard answers to questions such as, “What is happening to my product?” ” What is the price for the new product?” or “I am waiting on a new feature. Is that still coming?” While basic information is a good start, you should demand a meeting with your vendor representative to discuss how this change impacts your product, in-process commitments, and the long-term viability of your deployment.

You should push for as many “in the weeds” details as possible during that meeting. For example, in the case of IBM QRadar, Palo Alto Networks only purchased the QRadar SIEM Cloud business to transition these QRadar customers to the XSIAM platform. So, if you are an on-premises QRadar user, you must know what this means for your product and future developments. In this specific example, however, we all know the answer.

QRadar on-prem users have a product that will ultimately move to the end-of-life stage. Fortunately for these customers, a few companies, like Stellar Cyber, offer flexible deployment options where the organization can run its SIEM/XDR platform from the cloud or on-premises. This scenario is just one example of the details you need to get from your vendor ASAP and then, based on their answers, determine your next course of action.

What Do We Have?

To answer this question effectively, you must develop (or update if you are already on top of this) the list of products you currently use to secure your environment, from top to bottom. A simple spreadsheet would suffice where you can capture the following:

Once you have this filled out as completely as possible, by creating some simple pivot tables, you can forecast which products are coming up for renewal sooner rather than later, as well as the most expensive (or cheapest) products in your stack, sorted by importance.

Answering this simple question offers a few benefits.

First, you can comprehensively view your security framework’s complexity, especially if you are relatively new to the organization. This visibility alone gives you some sense of strategic steps you want to take to remove some of the complexity your team deals with daily.

You can also get a feel for any vendor dominating your security stack. While working with a few vendors (aka “one throat to choke”) can make it easier to deal with contracts, support, etc., it can also mean that vendor can throw your team a curveball at any time when your “key vendor” takes strategic steps like the market is experiencing today. For example, take current LogRhythm or Exabeam customers. Maybe during the evaluation process, you weighed these two competitive products against each other and decided on one over the other.

With the pending merger, you might be uncomfortable working with a vendor you eliminated for a good reason. Fortunately, many alternatives to Exabeam and LogRythm can give you similar, if not better, capabilities.

While I’d love to say there is one step to take if you determine you might be beholden to one vendor, there is not. You have to determine your level of comfort with this situation. If the thought of being dependent on a single vendor keeps you up at night, now would be a great time to research alternative products. If that single vendor provides your point products (e.g., EPP, EDR, FW, etc.) and your SIEM, you should consider transitioning to an “open” platform, to meet your SIEM needs. With an open platform you can reduce reliance on any vendor without having to rip and replace widely deployed agents, for example.

Take Action

After meeting with your vendor and completing a comprehensive review of your security stack, it’s time to make some decisions. If you are pleased with your vendor’s answers to your questions and comfortable with the mix of products in your security stack, you might stick with your existing SIEM vendor. However, for those who find this unexpected turn of events too much to deal with, now is the perfect time to start meeting with other vendors who can help you move away from your existing SIEM while keeping your security team fully operational.

To see how Stellar Cyber can help you take control of your security operations, contact us to schedule a meeting.

Author Christophe Briguet is product manager for AI/ML at Stellar Cyber. Guest blog courtesy of Stellar Cyber. Read more Stellar Cyber guest blogs and news here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.