CyberCompare Market Commentary #30: SIEM Unique Selling Points, it-sa Near-Death + Nuggets

Hello everyone,
 

“Most SIEM bake-offs look great on paper and flawless in the demo. But the real test isn’t a sales pitch — it’s the 2 a.m. incident when your team is buried in noise and broken workflows” says Matt Snyder after the painful experience of multiple SIEM migrations.

First of all, interesting: Somehow (AI/NG/X) SIEM is now more en vogue in marketing than XDR. This may also be due to the fact that auditors require a SIEM for regulated customers. And if the product isn’t listed as a SIEM on Gartner, there’s a problem.

But what are the other differentiating features of SIEM platforms? Many features can now be found across all vendors. Connectors for log sources, for example, can be created much more easily than before with AI assistance, so the number of listed integrations continues to converge across vendors.

Here are some excerpts from current SIEM selection processes and structured test-case demos, showing where SIEMs still differ in capabilities and not only in user guidance (the latter, however, is probably more important for analysts in practice than individual features):

      • General:
        • Is the compute capacity provisioned per customer static or elastic (to reduce processing time) for searches?
        • Data Retention: Can individual retention times be defined for log sources?
        • Are all changes that SOC analysts make to the severity and risk rating of alarms and incidents logged by the system? (=> Important for DORA evidence)
        • Air gapped deployment possible? (Of course, only relevant for a few customers)
        • Proprietary modules for easier integration + fewer agents on hosts: EDR, SOAR, CNAPP, Vuln Mgmt…
        • Risk based alerting: Which parameters can be configured by customers (e.g. number + severity of events in a certain period of time for a certain user group)?
      • Behavior-Based Anomaly Detection (UEBA):
        • Does UEBA also work for customer-specific (e.g. self-programmed) applications?
        • Can activity across different accounts belonging to one person (e.g. an employee with several admin accounts for certain systems plus a normal user account) be baselined together and continuously monitored?
        • Can a peer group be defined that is also used for baselining?
        • Is the baselining time window for anomaly detection rolling + per rule customizable?
        • Are thresholds automatically adjusted when SOC analysts rate alarms higher or lower, or suppress alarms?
      • AI Assistance:
        • Can a parser proposal be created for parsing (normalizing data fields) from customer-specific application log sources?
        • Are alert rules suggested for customer-specific application log sources that contain data fields, logic tree, and threshold values?
        • Is the AI Natural Language to Query Language Translation Wizard included in the license cost?
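To make the risk-based alerting and multi-account baselining questions above concrete, here is a small scoring engine written for this commentary as an added example (it is not code from any SIEM vendor named here). It assumes a constructed identity mapping (several accounts per person), constructed severity weights, and a per-user-group policy with a rolling time window, a score threshold and a minimum event count, i.e. exactly the parameters the checklist asks whether a customer can tune. The sample events are constructed, not real telemetry.

```python
"""Risk-based alerting across a person's accounts (added example, constructed data)."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    rule: str
    severity: str


# Constructed sample events (deliberately out of order, as log arrival often is)
SAMPLE_EVENTS = [
    Event(datetime(2025, 10, 9, 10, 10), "jdoe", "unusual-login-location", "medium"),
    Event(datetime(2025, 10, 9, 9, 0), "msmith", "failed-mfa", "medium"),
    Event(datetime(2025, 10, 9, 10, 0), "adm-jdoe", "privilege-escalation", "high"),
    Event(datetime(2025, 10, 9, 9, 45), "msmith", "mailbox-rule-created", "high"),
    Event(datetime(2025, 10, 9, 10, 25), "sa-jdoe-db", "mass-data-read", "high"),
    Event(datetime(2025, 10, 9, 12, 0), "jdoe", "new-device", "low"),
]

# Constructed identity model: three accounts belong to one person (jdoe)
ACCOUNT_TO_IDENTITY = {
    "jdoe": "jdoe", "adm-jdoe": "jdoe", "sa-jdoe-db": "jdoe",
    "msmith": "msmith",
}
IDENTITY_TO_GROUP = {"jdoe": "it-admins", "msmith": "finance"}

# Assumed severity weights (a tunable parameter, not a standard)
SEVERITY_WEIGHT = {"low": 10, "medium": 30, "high": 60, "critical": 100}

# Assumed per-group policy: rolling window, score threshold, minimum event count
GROUP_POLICY = {
    "it-admins": {"window": timedelta(minutes=60), "threshold": 150, "min_events": 3},
    "finance": {"window": timedelta(minutes=30), "threshold": 100, "min_events": 2},
}


def risk_based_alerts(events, account_to_identity, identity_to_group, policy, weights):
    """Aggregate weighted events per identity in a rolling window; fire on threshold."""
    windows = {}  # identity -> deque of (ts, weight, account, rule) inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        identity = account_to_identity.get(ev.account, ev.account)
        group = identity_to_group.get(identity)
        if group is None or group not in policy:
            continue  # no policy for this group: nothing to score
        p = policy[group]
        win = windows.setdefault(identity, deque())
        win.append((ev.ts, weights[ev.severity], ev.account, ev.rule))
        # evict events that have fallen out of the rolling window
        while win and ev.ts - win[0][0] >= p["window"]:
            win.popleft()
        score = sum(w for _, w, _, _ in win)
        if score >= p["threshold"] and len(win) >= p["min_events"]:
            alerts.append({
                "identity": identity,
                "group": group,
                "score": score,
                "fired_at": ev.ts,
                "accounts": sorted({a for _, _, a, _ in win}),
                "rules": [r for _, _, _, r in win],
            })
            win.clear()  # one incident, one alert: reset the window after firing
    return alerts


if __name__ == "__main__":
    for alert in risk_based_alerts(SAMPLE_EVENTS, ACCOUNT_TO_IDENTITY,
                                   IDENTITY_TO_GROUP, GROUP_POLICY, SEVERITY_WEIGHT):
        print(alert)
```

On the sample data only jdoe produces an alert: three events from three different accounts of the same person add up to 150 within an hour, which a per-account view would never have correlated. msmith's two events are 45 minutes apart, so with a 30-minute window they never sit in the same window and no alert fires; that is the kind of parameter sensitivity worth probing in a test-case demo.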

By the way, a surprising number of security providers (e.g. Arctic Wolf, Akamai, Palo Alto, Barracuda, Abnormal, Varonis, Deloitte) use a solution in the backend for Pipeline Mgmt. and Lakehouse that we have hardly noticed in the DACH region so far: Databricks. Whenever it comes to automated processing and searching in data haystacks from distributed sources and storage locations (Federated Search, Decoupled SIEM), Databricks seems to be a good alternative to Cribl+Elastic or similar. Customer quotes speak of a radical reduction in event ingest and search times. If anyone knows test results on this, I would be happy to hear from you.

Telemetry pipelining is particularly useful if the logs are not only used for monitoring security use cases, but also for performance monitoring. And of course, performance can be much more relevant to sales. If webshops experience delays during checkout, the rate of customers who abandon the payment process immediately increases. I can well imagine that more and more companies are using the same observability architecture for service monitoring and security instead of building it separately. SentinelOne is already advertising Zalando as a major customer, where the S1 SIEM (formerly Scalyr) is used in this way.

CyberGym evaluates AI models by their ability to perform real-world security tasks. Claude Opus + Sonnet seem to be performing best alongside GPT5 so far, but with only a 25-30% probability of success. The tasks are limited to detecting and validating (by means of PoC exploits) vulnerabilities in code, and the AI also regularly finds zero-days.

Praetorian (a red teaming provider with its own BAS tool) describes an interesting attack vector: tapping the SSH passwords that vulnerability scanners use for authenticated scans. For example, SSH environment variables can be changed, a tracer can be used to tap the inter-process communication (IPC), or the complete authentication module can be replaced in /etc/pam.d/.

Remedies are a PKI, the replacement of old protocols such as NTLMv1 with e.g. SMB/NTLM, and a functioning EDR/SIEM (the EDR systems tested did not work, however).
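Since the tested EDRs did not catch the /etc/pam.d/ replacement, a plain integrity baseline of the authentication configuration is the kind of check a SIEM can still alert on. The following is an added example written for this commentary, not code from Praetorian or any vendor: it hashes every file under a directory, stores the result as a baseline, and reports added, removed and modified files on the next run. The demo builds a constructed PAM-style directory in a temporary folder; file names and contents are made up, and pam_example.so is a placeholder module name.

```python
"""Integrity baseline for an authentication-config directory (added example)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(directory):
    """Map each regular file (path relative to directory) to its SHA-256 hex digest."""
    directory = Path(directory)
    result = {}
    for path in sorted(p for p in directory.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        result[path.relative_to(directory).as_posix()] = digest
    return result


def compare(baseline, current):
    """Diff two snapshots; the three lists are what you would forward to the SIEM."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo_tamper_detection():
    """Constructed scenario: a PAM-style directory is baselined, then altered."""
    with tempfile.TemporaryDirectory() as tmp:
        pam_dir = Path(tmp) / "pam.d"
        pam_dir.mkdir()
        (pam_dir / "sshd").write_text("auth required pam_unix.so\n")
        (pam_dir / "common-auth").write_text("auth required pam_unix.so nullok\n")
        baseline = snapshot(pam_dir)  # in practice: stored off-host, not next to the files

        # simulated unauthorized change: one file edited, one unknown file appears
        (pam_dir / "sshd").write_text("auth required pam_example.so\n"
                                      "auth required pam_unix.so\n")
        (pam_dir / "common-session").write_text("session required pam_example.so\n")
        return compare(baseline, snapshot(pam_dir))


if __name__ == "__main__":
    print(demo_tamper_detection())
```

The baseline must live somewhere the host itself cannot rewrite (a management server, or the SIEM that receives the snapshots), otherwise whoever can swap the PAM module can also swap the baseline. Running the comparison from the scan orchestrator before each authenticated scan, and refusing to scan a host whose auth config changed unexpectedly, limits exactly the credential exposure described above.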

And that’s about it at this point. To compensate, a few more vendor notes are packed in below, because I naturally took the opportunity for some demos at it-sa. The event has become really incredibly wild in the meantime; actually, one should demand compensation from Messe Nürnberg for participating. After 3 days of constant disco sound from 900 exhibitors in stuffy cave-like halls, I looked like a model zombie, talked like one and felt like one despite high-frequency vitamin boosters. I would be surprised if I had left out any virus on offer. That’s why I’m especially looking forward to the next 2 weeks… Holiday.

M&A Corner:

      • Vectra buys NDR competitor Netography (actually more of a mini-SIEM: no appliances, no DPI, but with log forwarders and analysis purely of metadata)
      • Pentera buys DevOcean, a cloud vulnerability aggregation and patching/remediation solution (similar to the functionality in e.g. Qualys)
      • Cybereason will be acquired by LevelBlue (AT&T Managed Services). 4 years ago, an IPO at a valuation of almost USD 5 billion was planned, but most recently a bridging loan was necessary
      • Securepoint (UEM + firewalls for SMEs) takes over Seculution (allowlisting)

Notes from vendor conversations:

Astelia:

      • US startup for vulnerability prioritization (umbrella category CTEM), with a clear focus on reducing false positives
      • Collects all kinds of scanner data (similar to Axonius, Brinqa, Zafran, Vulcan/Tenable, XM Cyber…)
      • Compensating controls such as EDR, segmentation firewalls and WAFs are then factored in (queried via API) to calculate the customer-specific risk of a vulnerability
      • To calculate network accessibility (attack path simulation), routers and load balancers are also queried
      • The whole thing, of course, using Agentic AI
      • In addition, it checks whether the vulnerable components are actually loaded in memory at runtime. The result is then enriched with the usual figures such as KEV, EPSS, CVSS
      • What is still missing from my point of view: Check of roles+rights+authentication methods (integration with IAM/PAM)
      • SaaS deployment without sensors on hosts (on prem variant on roadmap)
      • I could well imagine that one of the XDR manufacturers, for example, would buy this as a supplement

Senthorus:

      • Swiss provider of managed security services, was the Swiss subsidiary of BlueVoyant until 2024 (BlueVoyant is also still a development partner for the detection rules), approx. 45 employees and also approx. 45 MSOC customers, including in finance
      • Now part of the ELCA Group (~2400 employees, ~350 million turnover). Together with other ELCA teams, consulting including IAM and Offensive Sec services is also offered
      • L1/L2 shift operation 24/7 (i.e. not only on-call duty)
      • SIEM options: MS Sentinel, Crowdstrike, Splunk. These include installations with SentinelOne EDR or Darktrace NDR
      • Of course, optional services such as Darkweb Monitoring, Exposure Mgmt…

Yarix:

      • MSSP from Italy
      • Approx. 400 employees, ~75 MSOC customers. Belongs to the VAR Group with ~4000 employees
      • SOC analysts in Italy, Singapore and Mexico
      • A lot of OT expertise in-house, relying on Nozomi and a syslog connection to the SIEM

Excalibur (if you’re looking for that: xclbr.com):

      • Remote Browser Isolation / Streamed Access Startup from Slovakia
      • Patented solution to replace web application firewalls
      • The RAM requirement on your own web servers is reduced by ~80% compared to previous remote browser solutions by only transferring DOM changes to the client => Very low delays, at least in the demo
      • All user interactions can be recorded => Again advantage over WAF
      • Cool feature: In addition to AI-based conditional access, a human in the loop can also be requested as a 4-eyes principle instead of the 2nd factor for authentication requests
      • First customers (including a bank and some authorities)

SecureCloud:

      • Cloud storage, file share + collaboration from Germany
      • Incredible success story: 6000 corporate customers in > 40 countries gained in 10 years
      • MS Office compatible
      • Digital signatures as an alternative to Docusign or Adobe
      • C5 certified

G+H Systems / daccord:

      • IGA Tool made in Germany for the entire lifecycle from the provisioning of roles
      • Specializing in regulated medium-sized customers – many clinics among them. On-prem deployment possible
      • Mapping Matrix Organizations in Workflows
      • Segregation of Duties: Can be detected by categorizing roles (e.g. procurement)
      • Risk assessment of users (e.g. high privilege, lack of training)
      • Ballpark figure: EUR 70 thousand for the one-time license purchase + EUR 60 thousand/year in maintenance fees for a 1000-employee company

Labyrinth (labyrinth.tech):

      • Deception solution from Poland/Ukraine
      • On prem possible
      • Special feature: Honeypots also for OT/SCADA, which imitate PLCs or servers and can communicate via Modbus, S7 or MQTT

Neox Networks:

      • IT NDR solution including in-house production of hardware appliances completely from Germany, SW is based on Suricata
      • Coming from Application + Service Performance Monitoring
      • PCAP analysis up to 100 GB/s without affecting the network and without packet loss
      • Reference customers include Daimler, VW, DB (interlockings), Shell, Merck, Siemens, Bundeswehr…
      • But so far no OT protocol analysis

XplicitTrust:

      • ZTNA/Microsegmentation/NAC Startup from Germany (also hosting on European data centers)
      • Seemed to offer basically all the essential functions you can expect, e.g. conditional access depending on identities and compliance with device policies
      • With ZTNA/SASE, the integrations and the access times are especially important for large environments and distributed locations => PoC necessary

As always, questions, suggestions, comments, experience reports, topic requests and also opposing opinions or corrections are welcome by email. Ditto for unsubscribing from the mailing list.

For those receiving the market commentary for the first time: you can register here if you are interested, or browse the archive (sorted alphabetically).

Regards

Jannis Stemmann
