.svg)
AI-powered security automation can enable organizations to avoid vendor lock-in by standardizing and integrating data from various cybersecurity products, regardless of vendor, to provide more open integration and flexibility between best-of-breed solutions.
.webp)
This year has seen significant changes in the security information and event management (SIEM) market, owing to major acquisitions and mergers. In March 2024, Cisco completed its $28 billion acquisition of Splunk, cementing its position as a key player in the SIEM market. This acquisition paved the way for further industry consolidation.
Palo Alto Networks (PAN) announced in May 2024 that it had acquired IBM's QRadar SaaS assets. This move facilitated the migration of QRadar SaaS customers to Palo Alto's Cortex XSIAM platform, further consolidating market power among a few major players.
In the same month, LogRhythm and Exabeam, two major SIEM providers, announced their merger. This merger aimed to create a unified entity that specialised in AI-powered security operations.
As a result, the SIEM market has been significantly consolidated. The number of independent players has declined, raising concerns about vendor lock-in.
Vendor lock-in, also known as proprietary lock-in or customer lock-in, is a situation in which a customer becomes dependent on a vendor's products or services, making switching to another vendor difficult and expensive. In the context of cybersecurity, this dependency can take many forms, including reliance on proprietary data formats, APIs, or custom integrations.
Consider a medium-sized company that has been using Globex Corporation's SIEM platform for the past five years. They use this platform to gather log data from endpoints, firewalls, and other security devices.
Over time, the security team has heavily customised Globex’s SIEM with various rules, dashboards, reports, and correlated alerting workflows to meet their specific needs. In addition, they have converted logs and event data from their diverse infrastructure into their SIEM's proprietary format.
Now, due to rising costs and a lack of new features, the security team wishes to consider switching to another SIEM. However, the extensive customisations and reliance on Globex SIEM's data model have effectively locked the company in.
Converting 5 years of proprietary data, custom rule scripts, correlated alerts, and dashboards to another vendor's platform would necessitate significant re-engineering and testing. Even the migration of log source integrations alone could take several months.
While a platform change may be desirable, the costs and risks now outweigh the perceived benefits. This scenario demonstrates how SIEM vendor lock-in can develop gradually over time through product customisation and data normalisation, even in smaller organisations.
One common challenge that organizations face is that some SIEM vendors prefer proprietary data formats over open standards such as CEF or Syslog. Custom log formats make it difficult to export security data and integrate it into other ecosystem tools. This lack of integration caused by data lock-in has ramifications that impede the development of a comprehensive security strategy.
In addition, vendors sometimes contribute to lock-in by tightly coupling their SIEM with specific security tools using custom integrations. For example, deeply integrating a SIEM with a threat intelligence platform increases reliance on that customized connection. If the organization later decides to switch solutions, the significant work required to rebuild custom integrations serves as a deterrent, discouraging switching vendors even if needs exceed the current SIEM's capabilities.
Long-term contracts with high termination fees can amplify lock-in effects. For example, a three-year agreement with a 50% penalty for cancelling the remaining value limits the flexibility to pivot if market dynamics change or the SIEM underperforms over time.
As security teams gain experience operating one SIEM platform and its proprietary processes, it becomes difficult to transfer that knowledge elsewhere, which is exacerbated when vendors demand skills specific to their solution. Without these specialized skills, organizations struggle to leverage alternative SIEMs, resulting in a reliance on their initial vendor choice.
Cybersecurity companies can thankfully reduce their reliance on a single vendor by leveraging AI-driven security automation.
One of the most significant benefits is that security teams will no longer need to specialize as much. In a security operations centre (SOC), establishing a new workflow typically entails a technical engineer writing the necessary code, determining which data sources to query, analysing results to identify patterns, and triggering alerts or responses. However, AI-powered automation makes this process easier.
Security analysts can simply describe the new activity they want to monitor, such as "5 failed login attempts from the same IP in 1 minute," and the AI system will generate the code required to integrate this workflow into existing SIEM tools. This eliminates the need for security teams to rely solely on technical engineers for development tasks, making it easier to expand monitoring capabilities.
Another benefit of AI-powered automation is the ability to reduce log volume by responding quickly to alerts. For example, a prompt can be written to instruct the system to look up a received alert on a threat intelligence platform such as VirusTotal, scan devices for indicators of compromise (IOC), open a Jira ticket if the IOC is discovered, and notify a Slack channel. Previously, analysts had to manually query each system and service to coordinate and manage alerts.
With AI-enabled automation, this workflow can be completed automatically, resulting in faster intelligence collection and response coordination. This not only shortens the mean time to resolution (MTTR), but also allows analysts to focus on other tasks. In addition, it reduces the demand on log storage by resolving alerts more efficiently.
AI-powered security automation can integrate a wide range of cybersecurity technologies across a network, eliminating the need to rely on a single vendor. This flexibility allows you to use a variety of tools from different providers. For example, security automation could collect logs from a SIEM system like LogRhythm and analyze them using threat detection capabilities from a network security monitoring tool. If any anomalies or threats are discovered, an automated security orchestration tool, such as Palo Alto Networks' Cortex XSOAR, can be used to remediate the affected systems.
This method has the advantage of not being limited to proprietary interfaces or data formats, promoting an open architecture. It enables the ingestion of data from various sources and the coordination of responses across the security infrastructure. As a result, even if individual components are updated or changed, the overall automation system continues to operate normally.
Security automation frequently employs open standards and can integrate with open-source tools, which are inherently vendor-neutral, lowering the risk of becoming locked into proprietary formats or technologies and allowing businesses to switch vendors if one no longer meets their requirements.
For example, many security automation workflows are defined using open standards like STIX and TAXII, allowing threats and indicators to be easily shared across vendor solutions. Workflows can import threat data from open sources in STIX format, enabling widespread information sharing. Automation can also incorporate MITRE ATT&CK data and open-source intelligence feeds that are unrelated to any particular commercial tool.
Using open formats rather than proprietary APIs or file types protects the automation investment, allowing the automation logic and indicator collection to continue to function by integrating with alternative vendor products if the primary security tool is discontinued.
If you are experiencing any of the following warning signs in your current security operations, it may be time to consider upgrading to a more efficient platform like Blink:
1. Your security team is always playing catch-up.
2. You struggle with scalability in your automation.
Blink is an ROI force multiplier for security teams and business leaders looking to quickly and easily secure a wide variety of use cases, including SOC & incident response, vulnerability management, cloud security, identity & access management, and governance, risk & compliance.
With thousands of automations available in the Blink library, or the option to customize workflows to fit your unique use case, Blink Ops can significantly enhance your security operations.
Get started today, and unlock your full security automation potential.
Blink is secure, decentralized, and cloud-native. Get modern cloud and security operations today.
.webp)
.webp)
