The SIEM vs. XDR debate: industry perspectives

How many times can we say, “It’s been a busy week for the security industry,” before it becomes cliche? We recently discussed changes in the SIEM market, with mergers and acquisitions disrupting the traditional SIEM vendor landscape and XDR vendors introducing new SIEM solutions. This week, we continue to see a range of mixed messages from the market around the future of XDR and SIEM.

While no one can predict the future, it’s one of the reasons we look to analysts such as Forrester and Gartner, both of whom weighed in on the SIEM/XDR topic this week. We also saw news directly from vendors via earnings announcements where they shared results and expectations for the coming quarters.

At Sumo Logic, we always embrace new perspectives and approaches in our markets—that’s what fuels innovation and ultimately serves our customers. But with every market transformation, it’s good to see where vendors are getting it right and where gaps remain. Let’s start with the news and then dig into those points.

Forrester’s XDR report and Gartner Security Risk Summit

At the end of 2023, Forrester officially retired their EDR Wave and replaced it with the XDR Wave. In their previous XDR evaluation, Forrester considered the market immature, with most vendors offering a jumble of features that were unable to compete with SIEM. But in their latest XDR Wave report, published on June 4, 2024, Forrester states, “Now, many XDR providers have reached a point of integration and product capability where customers can start realizing the SIEM replacement vision, even if XDR still can’t compete for more niche SIEM use cases such as compliance, federated search, and heavy customization.”

In the report, Forrester also highlights the need for vision intertwined with innovation and roadmap. It’s not enough to just say “AI” – which vendors apparently did over 75 times in the evaluation process – but to have a unique vision that goes beyond the hype. Forrester advises companies to look for vendors with a realistic roadmap and adequate investment to execute their vision.

Meanwhile, at Gartner’s Security and Risk Management Summit in Washington, DC, Gartner commented that SIEM is one of the most ironclad security technologies on the market. Per their presentation on the recent SIEM Magic Quadrant, they believe SIEM solutions will more likely evolve into a modern, multifaceted TDIR-capable platform augmented by many adjacent technologies such as XDR, data lakes, analytics, cloud telemetry management and security operations platforms. At Sumo Logic, this aligns with what we’ve known – XDR technology would struggle close the gap on SIEM capabilities, especially for true cloud-scale challenges and driving threat detection and response across complex modern digital applications.

Gartner continued that ultimately, customers want fewer vendors, agents and consoles – they want reduced complexity, flexibility and improved productivity. The vendors who take advantage of augmenting these technologies and build a common data model, APIs and UI workflows, etc. will be the ones that win in the consolidation game.

While they have slightly differentiated perspectives, both analysts report double-digit growth in the SIEM market, with no signs of slowing down. Gartner also revealed that changes in the SIEM market have been the number one inquiry topic in recent weeks. Security professionals are looking at all options to determine how best to protect their organization while balancing resources.

Perspective matters

As the expression goes, if all you have is a hammer, everything looks like a nail. For legacy endpoint and extended detection and response (EDR/XDR) solutions attempting to move into the SIEM market, it’s only natural that they see what Crowdstrike recently described as, “80% of the critical data and focus on the threats in the endpoints.” We believe that assumption leaves a gap in detecting a much wider range of threats.

In this sense, it’s helpful to see EDR or XDR vendors like the local police department. They are vital for noticing and understanding a storefront break-in or evaluating petty theft in a neighborhood. But when it’s time to control Criminal Minds behind those individual incidents, you need FBI Behavioral Unit levels of awareness, which is what an enterprise SIEM can provide.

• Data scope and depth: XDR often focuses on endpoint and network data, lacking the breadth of data sources that SIEM systems encompass. SIEMs integrate data from various sources, including cloud services, applications, and legacy systems, offering a more comprehensive security view. With common applications composed of thousands of microservices, plus applications updated thousands of times a day and critical telemetry being unstructured, endpoints seem simple in comparison.

• Mature analytics: SIEM solutions have evolved to include advanced analytics, correlation capabilities, and customizable detection rules critical for identifying complex threats across unstructured data, logs, metrics, and application traces. While promising improved detection, XDR often lacks the maturity and depth of SIEM’s analytical capabilities and falls short when handling common application stacks and microservices.

• Enterprise applications: These critical applications are more vital to the business. The scale of the data due to numerous changes per day, custom stacks and code, unstructured data, and even various AI/ML models mean there’s a wide range of potential vulnerabilities and attack vectors that organizations need to defend.

• AI/ML: When we were at RSA, it was impossible to avoid the cacophony around AI. Every vendor was sharing their purported AI solution, yet when we dug in deeper, they weren’t even available for demo and most companies plan to charge extra for something that should be considered table stakes for the future of fifth-gen SIEM.

• Regulatory compliance: SIEM systems are designed to meet regulatory compliance requirements, providing extensive logging and reporting capabilities. XDR’s primary focus on detection and response may leave gaps in compliance and audit readiness.

• Vendor lock-in: Many XDR solutions, now more than ever, are tied to specific vendors. Limiting flexibility and leading to potential vendor lock-in. With their vendor-agnostic approach, stand-alone SIEM systems offer greater integration flexibility across diverse security tools. WSJ specifically called this out in their recent CIO journal article, highlighting concerns that cybersecurity leaders have around price hikes and innovation lags when they’re locked in with a vendor, and recent market consolidations only make this worse.

Where we all agree - legacy vendors simply won’t work anymore

No matter how you think the SOC will change, the fact is that things are changing fast. Not only because of AI; there are a wide range of factors that are influencing the security market. As we’ve been saying for years, legacy SIEM vendors will struggle to keep up against modern threats and the data needed to defend against them.

It’s time to reevaluate your toolset and ensure you are prepared for the future threat landscape with what we define as a fifth-generation SIEM. But be thorough in your decision criteria so that you don’t get locked into another bundled solution that doesn’t quite deliver on promises. It’s time to build for a future where your entire organization is prepared to defend against evolving threats with a modern security operations platform that covers all business-critical data.

Learn more about what to consider when evaluating SIEM solutions.