SHARED INTEL Q&A: Everything the Cisco-Splunk merger tells us about the rise of SIEMs

By Byron V. Acohido

Cisco’s recent move to acquire SIEM stalwart Splunk for a cool $28 billion aligns with the rising urgency among companies in all sectors to better protect data — even as cyber threats intensify and disruptive advancements in AI add a wild card to this challenge.

Related: Will Cisco flub Splunk?

Cisco CEO Chuck Robbins hopes to boost the resiliency of the network switching giant’s growing portfolio of security services. Of course, it certainly doesn’t hurt that Cisco now gets revenue from Splunk customers like Coca-Cola, Intel, and Porsche.

Last Watchdog engaged Gurucul CEO Saryu K. Nayyar in a discussion about the wider implications of this deal. Gurucul is known for its innovations in User and Entity Behavior Analytics (UEBA) as well as its advanced SIEM solutions. Here’s the exchange, edited for clarity and length:

LW: What are tech giants like Microsoft, Google and now Cisco doing in the SIEM space?

Nayyar: Microsoft, Google, and Cisco are not security-first companies, but they recognize that SIEM is at the heart of security operations, so it’s not surprising they want to get in. It seems their strategy is to leverage their existing customer base and products to get traction in this space. 

LW: Why are suppliers of legacy firewall, vulnerability management and EDR solutions also now integrating SIEM capabilities?

Nayyar: Many security vendors want a piece of the SIEM market, even if their technology isn’t necessarily purpose-built. These vendors aren’t so much ‘doing SIEM’; rather, they’re positioning a set of point products to solve pieces of the puzzle, not the whole puzzle. The importance of SIEM continues to rise along with the constant velocity and veracity of threats, so this trend of jumping on the SIEM bandwagon will likely continue.

LW: For some historical context, could you summarize how we went from SIM to SIEM and how Gurucul came to pioneer UEBA?

Nayyar: The transition from SIM to SIEM was born out of necessity. Security teams needed greater visibility across their operating environment. Combining a security information tool with a security event tool made it easier to correlate alerts generated by security products, like firewalls and IDS, normalize it, and then analyze it to identify potential risks.

SIEMs of today, like Gurucul’s, have evolved leaps and bounds over legacy SIEMs with the addition of purpose-built machine learning and analytics models, along with the ability to scale.

Gurucul pioneered UEBA technology a decade ago – in fact our company was built around this capability. UEBA focuses on behavioral patterns for users and entities to identify anomalies and activity outside of the norm. We use machine learning models on open choice big data lakes to detect unknown threats early in the attack chain.

Instead of being stuck in reactive mode, security analysts could proactively determine if an attack was underway. This significantly improved their ability to accurately identify a potential threat early in the kill chain before damage happens.

LW: Then along came SOAR and next-gen SIEM, correct? What was behind the emergence of these advances?

Nayyar: SOAR gave analysts a playbook for responding to an attack campaign so they didn’t have to reinvent the wheel each time. Many attacks, while varied in how they are used, have a known set of characteristics. The MITRE ATT&CK framework is an example of how various attack techniques, even if unique, can still be mapped to known techniques and procedures. SOAR uses the output of detection engines and investigations and recommends workflows or playbooks to build a response plan, saving time and effort.

Next-gen SIEM came about to address the shortcomings of legacy SIEMs when it comes to things like ineffective data ingestion, a flood of unprioritized alerts from security control products, and weak threat detections. Early SIEMs were log management and compliance tools; they were never built to address real-time threat detection and response.

Essentially, next-gen SIEM combines the capabilities of UEBA, SOAR and XDR so security teams can proactively – and accurately – assess threats and respond quickly. Another characteristic of a next-gen SIEM is its ability to ingest and interpret any data from any source and easily scale.

LW: To what extent is Cisco’s acquisition of Splunk just a microcosm of a wider shift of network security that’s taking place? Can you frame how legacy security tools (NGFW, WAF, web gateways, SIEM, SOAR, UEBA, XDR, VM, IAM, etc.) appear to be converging, in some sense, with brand-new cloud-centric solutions (API Security, RBVM, EASM, CAASM, CNAPP, CSPM, DevSecOps, ISAT, BAS, etc.)?

Nayyar: While there will always be point products to solve specific problems, the best solution for customers is a platform that combines the best-of-breed technologies into a single framework.

Related: Reviving observability.

As the SIEM has long been central to gathering data and information across the entire infrastructure, it’s naturally evolving into an observability platform where the data can be used for various use cases beyond just security, such as application and cloud performance monitoring and management. There is greater awareness that IT functions can work together to improve the gathering of data, analytics, and prioritization of security-related events to improve the organization’s resiliency.

LW: How should a company leader at a mid-market enterprise think about all this? What’s the most important thing to keep in mind?

Nayyar: Mid-market enterprises need the ability to reduce manual tasks and detect and respond faster. They are resource-restrained and don’t typically have specialized analyst roles. They need a SIEM that can automate their workflow and provide prioritized, risk-driven context that enables them to respond to threats in real time.

LW: What do you expect network security to look like five years from now?

Nayyar: Traditional network security is becoming less relevant as edge computing and zero trust networks evolve. The incorporation of edge networking, cloud migration, and identity and access data is changing how we look at security and its interaction with IT.

However, companies making investments in their security stack will likely continue to use a layered approach versus a deprecative approach. For example, anti-virus will continue to be supported on endpoints even though its efficacy has dramatically reduced. This also means that automating and simplifying management of these layers is important.

LW: Anything else?

Nayyar: When we look at the SIEM market, legacy log-based architectures that were built for centralized deployments have failed to provide the needed visibility and detection of threats in the cloud. And, cloud-vendor approaches, like GCP and Azure or cloud-only SIEMs, have failed to recognize that most organizations are hybrid and will continue to be hybrid for many years.

As data becomes more de-centralized and spread across multiple clouds and geographies, it becomes significantly harder to analyze and identify attack campaigns. All the while, attackers are becoming more sophisticated.

The only way to make sense of all the data is through sophisticated analysis leveraging data lakes, machine learning and AI. These capabilities exist today; security operations teams don’t have to be saddled with tools that have failed to keep up with the threat environment.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

