Manage the uncertainty of today’s SIEM market

May 23, 2024
Author: Jeff Aboud

For the past several years, many market pundits have predicted that some areas of the cybersecurity market would soon begin to consolidate, shrink, and morph. Though not all of their predictions have rung true, it’s exactly what’s started to happen in the security information and event management (SIEM) space. More importantly, the changes aren’t just due to a bunch of small players being swallowed up, as you might expect. While that’s certainly happening, there are also some rather significant changes from large players. Taken together, these changes have the ability to alter the entire space.

Think about it this way: just 10 years ago, the SIEM market was all about Splunk, QRadar, and ArcSight. LogRhythm was gaining some traction, but was not yet much of a threat to the big three. Now fast-forward to today: Splunk is owned by Cisco; ArcSight’s market share is minuscule and rarely makes anybody’s shortlist; LogRhythm is merging with Exabeam; and Palo Alto Networks has recently announced that it’s purchasing QRadar’s SaaS assets.

What’s more, the announcements regarding Splunk, LogRhythm, and QRadar have all occurred in just the past several months. That equates to a great deal of uncertainty for the vast majority of SIEM customers. Many customers will stay with the solution they know while others will strongly consider changing vendors in an attempt to gain more stability. Still others will remain in wait-and-see mode, living with the uncertainty of whether or not their SIEM solution will continue to maintain its edge in the future.

Of course, even for those who really want to move to a different platform, one of the biggest inhibitors to changing the organization’s SIEM is the extraordinary pain that comes with ripping and replacing an existing solution. Even though it’s largely unintentional, this pain threshold is a significant contributing factor to the vendor lock-in of most SIEMs. But the good news is that much of this pain can actually be eliminated with the right data orchestration platform.

For example, Onum provides organizations with the ability to quickly and easily build and modify telemetry pipelines, simply by dragging and dropping the desired components using a graphical interface. This makes it trivial to change your data sink (or any other component in the pipeline, for that matter). As an example, in the simple pipeline below, the data from the Cisco ASA firewall ultimately sinks to QRadar for analysis:

[Figure: Original pipeline with QRadar sink]

To switch the sink, I click the QRadar component followed by [Delete], drag the Splunk component from the options list on the left to its proper place in the pipeline, and draw the connector line from the MessageBuilder to the new data sink. With that, I’m all set! The entire process took less than 30 seconds, and now all I need to do is click the [Publish] button on the top right to save the new configuration. That’s all there is to it.

[Figure: New pipeline, with Splunk sink]

Obviously there’s more to changing your analytics platform than sinking data to it. After all, we can’t help you re-write your existing searches or saved reports. But when it comes to reconfiguring all of your data pipelines to sink to the new platform, we’ve got you covered. Onum makes that process as fast, painless, and foolproof as possible.


In addition to helping you easily migrate from one SIEM to another, Onum helps you reduce costs by helping you focus on the data that’s most important. We also take a holistic view of your data in transit to help you gain the deep insights you need to make rapid decisions on any number of use cases.

