In the world of security operations, there is a growing fascination with the concept of a “decoupled SIEM,” where detection, reporting, workflows, data storage, parsing (sometimes) and collection are separated into distinct components, some sold by different vendors.
Closely related to this is the idea of federated log search, which allows data to be queried on demand from various locations without first centralizing it in a single system.
When you combine these two trends with the emergence of AI agents and the “AI SOC,” a compelling vision appears — one where many of security operations’ biggest troubles are solved in an elegant and highly automated fashion. Magic!
Magical decoupled SIEM + magical federated log search + magical AI agents
=
90X the magic
(Is my math mathing? Cheap + good + fast + AI powered … pick any …ehh… I digress!)
However, a look at the market reveals a conflicting — dare I saw opposite — trend. Many organizations are actively choosing the very opposite approach: tightly integrated platforms where search, dashboards, detection, data collection, and AI capabilities are bundled together — and additional things are added on top (such as EDR).
Let’s call this “EDR-ized SIEM” or “SIEM with XDR-inspired elements” (for those who think they can define XDR) or “supercoupled SIEM” (but this last one is a bit of a mouthful..)
While some suggest this is a split between large enterprises choosing disaggregated stacks and smaller companies opting for closer integration, this doesn’t fully capture the success rates of these different models (one is successful and another is, well, also successful but at a very small number of extra-large, engineering-heavy organizations)
If one were to take a contrarian view (as I will in this post!), it might be that the decoupled and federated approach, with or without AI agents, is destined to be a secondary, auxiliary path in the evolution of SIEM.
Log Centralization: The End Is Nigh?
This isn’t a nostalgic vote for outdated, 1990s-era ideas (“gimme a 1U SIEM appliance with MySQL embedded!”), but rather a realistic assessment based on past lessons, such as the niche fascination with security data science.
Many years ago (2012), while at Gartner, I wrote a notorious “Big Analytics for Security: A Harbinger or An Outlier?” (archive, repost), and it is now very clear that late 2000s-early 2010s security data science “successes” remained a tiny, micro minority examples. A trend can be emergent, growing tenfold from a tiny base of 0.01% of companies, yet still only reach 0.1% of the market — making it an outlier, not a harbinger of the mainstream future.
Ultimately, the evidence suggests that a decoupled, federated architecture will not form the basis of the typical SIEM of 2027. Instead, the centralized platform model, enhanced and supercharged by AI, will reign supreme (and, yes, it will also include some auxiliary decentralized elements as needed, think of it as “90% centralized / 10% federated SIEM” — a better model for the future).
My conclusion:
- SIEM has a future! If you hate SIEM so much that you … rename it, then, well, SIEM still has a future (hi XDR!)
- Decoupled SIEM and federated log search belong in the future of SIEM.
- However, decoupled SIEM and federated log search (In My NSHO) are not THE future of SIEM.
- I think this because both are just too damn messy for many clients to make them work well. They also fail many compliance tests (well, the federated part, not the decoupled)
- AI and AI agents are a very big part of the SIEM future. However, AI agents do not make decoupled SIEM and federated log search less messy enough (“I didn’t save any logs from X, hey AI agent .. get me logs from X” does not work IRL)
Put another way:
The Romantic Ideal: The theory is that scalable data platforms and specialized threat analysis are dramatically different, so they should be handled by specialists, and modern APIs should make connecting them “easy.” Magic!
The Real Reality: A natively designed, single-vendor, integrated SIEM is inherently simpler and easier to manage and support than a multi-component stack you have to assemble “at home.” It is also faster! AI integrated inside it just works better. With decoupling, also lose the benefit of having a “single face to scream at” when things break. Reality!
Here is my “decoupled SIEM reading list” (all fun reads, obviously not all I agree with):
- Security is about data: how different approaches are fighting for security data and what the cybersecurity data stack of the future is shaping up to look like
- Future of security operations isn’t interfaces like SIEM, it’s access to data
- Prepare for SIEM Evolution
- Building the SOC of the Future (video)
- Security Data Lakes: A Reality Check
- The SIEM Stack Is Breaking: What Comes After Splunk and Legacy Security Infrastructure
- Next generation of SIEM will be a focused security layer running on top of a commodity data layer
- A Year-End Reflection on the SIEM and SecOps Landscape
- Changes in SIEM Market
- Navigating the data current: Exploring Cribl.Cloud analytics and customer insights
Please argue on socials (X or LinkedIn) or in comments!
Related posts:
- Decoupled SIEM: Brilliant or Stupid?
- Log Centralization: The End Is Nigh?
- Debating SIEM in 2023, Part 1
- Debating SIEM in 2023, Part 2
- Why Your Security Data Lake Project Will … Well, Actually …
- EP190 Unraveling the Security Data Fabric: Need, Benefits, and Futures
- EP197 SIEM (Decoupled or Not), and Security Data Lakes: A Google SecOps Perspective
- Detection as Code? No, Detection as COOKING!
- Back to Cooking: Detection Engineer vs Detection Consumer, Again?
Decoupled SIEM: Where I Think We Are Now? was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.
*** This is a Security Bloggers Network syndicated blog from Stories by Anton Chuvakin on Medium authored by Anton Chuvakin. Read the original post at: https://medium.com/anton-on-security/decoupled-siem-where-i-think-we-are-now-89ab9f3df43f?source=rss-11065c9e943e——2