
The stampede to the cloud has been underway for some time now and is only predicted to grow exponentially, to the extent that it now seems every vendor wants to push us to use their cloud service. The benefits to the vendor are obvious: predictability of revenue streams.

For the most part, SaaS software has also benefited the user community. CEOs and CFOs alike seem happy. There are no more big, potentially risky CapEx bills for hardware, maintenance, administration, etc. Instead, everything, post-deployment, has moved to OpEx. Welcome flexibility, agility, and options. 

But what of the SIEM marketplace? 

A SIEM, by definition, is supposed to capture your security logs and whatever else you choose to push in there. It ingests, correlates, and analyses and – assuming you have it well-configured – hopefully spits out alerts warning you of possible network incursions. And with cloud acceptance, lots of SIEM vendors have jumped on the cloud-based SIEM SaaS solution offering. Some CIOs, CISOs, and IT Managers don’t have a problem with that. Where you, or your organisation, stand on that matter, all depends on your personal data-hosting and processing religious bent.  

Hands up, all those operational technology (OT) operating organisations willing to send their OT log information out to the cloud? Anybody? No-one? 

OT ranges from the critical infrastructure industrial systems running our water, trains, and/or traffic networks to the production line machinery making Arnott’s Iced Vo-Vos. I’m not trying to malign Arnott’s here. I don’t know their policy on OT technology data-hosting and processing. But I’m pretty certain the number of critical infrastructure providers willing to send their OT data outside of their internal environment could be counted on a closed fist. Not to mention their relevant regulatory compliance requirements. 

The core issue with cloud-based SIEM for OT boils down to data privacy and security. Imagine an attacker gets into a cloud-based SIEM hosting your capital city’s traffic network OT logs. Hop, skip, and a hack from SIEM intrusion to Bruce Willis, Die Hard, and a Fire Sale, anyone? Not exactly the recipe for a smooth commute. 

This means that if these organisations want to monitor their OT logs in a SIEM environment, that SIEM has to be located on-premises. That used to be straightforward. There was a reasonable choice of SIEM solutions a company could purchase and install in its own environment without exporting data to some third-party provider. Recently, though, there’s been an amalgamation underway in the SIEM marketplace. LogRhythm and Exabeam announced they’re merging, IBM just sold their QRadar security offering to Palo Alto, and a little while back (not exactly an amalgamation) Cisco bought Splunk.

Ignoring all other aspects of cost, functionality, support, etc., one thing each of these solutions offers is on-premises installation. With the amalgamations, however, their future roadmaps are now somewhat ‘cloudy’ to say the least, meaning any CIO, OT, or Security manager looking to install, upgrade, or deploy an OT-focused SIEM is left scratching their head. In terms of the 2024 Gartner Magic Quadrant, the last two ‘Leaders’ SIEM vendors left standing with on-premises installation offerings are Splunk and Elastic. Both offer SIEM functionality without explicitly originating as SIEM offerings. 

It’s unlikely those mopped-up vendors will abandon their customer bases overnight. They undoubtedly have contracts in place requiring them to support existing customers for a few years to come. But OT systems are generally not deployed in three- or five-year cycles. OT systems are generally expected to run for ten to fifteen years or more.

No doubt, plenty of the cloud-based offerings share the same security certifications as many of the others. And for now, at least, the larger vendors probably all enjoy relatively vibrant user communities. Never underestimate the power of a strong user community. But the ‘best’ SIEM is never specifically the one with the most bells and whistles. Or even the strongest user base.

The best SIEM is the one that meets your specific data security, ongoing maintenance, and general cost of ownership requirements. Above all, it has a future roadmap that gives you some confidence that you’re not going to end up with an abandoned asset.

Although on-premises SIEM for OT may not be the ‘shiny new toy’ on the market, it still serves a critical purpose for many industrial organisations.  
