Over the last year, Ovum has seen that customers and vendors appear to be signaling that the security incident and event management (SIEM) platform might be in its last years of life. Among many transactions, HPE spun off ArcSight in 2016 to merge with Micro Focus, which, at a minimum, suggests it is a very mature technology. Ovum therefore does not expect much growth in traditional SIEM technology, but does anticipate a flurry of activity to supplement and replace this now-legacy technology.
Industry activity seems to indicate SIEM's end-of-life position
Ovum believes that enterprise customers and MSSPs view traditional SIEM platforms as not providing the security posture nirvana they had expected, and that these platforms have become part of the security tool exhaustion most CISOs are now dealing with.
It is unclear whether SIEM will become part of the security tool graveyard, or whether it will morph into some new expanded, open, next-generation security management platform. While vendors of new security tools are at pains to highlight that they can integrate with SIEM platforms, companies developing rival oversight and monitoring technologies, as well as several emerging MSPs, are attacking SIEM's value and functions. Many new security vendors and SPs are initially pitching their offerings as complementary to SIEM, but have plans (not so hidden) to replace it over time. New technology, including cloud-based security and advanced analytics with machine learning/AI, encourages customers to try new approaches, with and without SIEM in place.
Ovum’s research shows that the SIEM market is a mature enterprise technology segment, where most high-end target customers already have a SIEM platform. This makes it a market characterized by recurring/maintenance fees (this is what will have attracted Micro Focus to the ArcSight business), where customer wins typically mean ousting a rival.
The future seems limited for traditional SIEM, and the need of enterprise customers to know and maintain or improve their required security posture will create alternatives to the use of a singular technology such as SIEM as the long-term solution. Future platforms will need to be open, fully integrated with third parties, and cloud-aware, if not fully cloud-based.
Mike Sapien, Chief Analyst, Enterprise Services
Rik Turner, Principal Analyst, Infrastructure Solutions