First published at Security Boulevard.


When all vendors in a new product category use the same use case to explain their value, I become concerned. About 15 years ago, when bombs were a constant threat in many parts of the world, I heard multiple vendors of intelligent video surveillance explaining the same use case. The message was, “Say someone walks into a lobby/park/manufacturing plant carrying a briefcase/backpack. Then, they leave without it. Our smart surveillance system will alert you to that fact.”

The value proposition was simple: fewer eyes-on-glass needed. Automated systems work 24/7. Save money, catch bad guys. Yet, I have never encountered a vendor who could cite a successful, real-life situation where the use case was proven. It was hypothetical, although it would have been very useful during the hours before the 2013 Boston Marathon.

I have always questioned the value of SIEMs for this reason. Feed all the alerts from every device and system into a central repository. Use smart algorithms to correlate and identify bad stuff. The use case was always the same: “Say somebody enters a critical area by swiping their card, but also logs in to the corporate network from somewhere remote. We can tell you when that happens.”

That’s a great use case. It means that your physical security is plumbed to talk to the SIEM, as are your network access controls. It should work.
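The correlation use case described above, sketched as an added example (not from the original article or any vendor's product). The event schema, field names, users and IP addresses are constructed assumptions; the badge-out handling shows one place where naive correlation would add to the alert noise.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article): physical access control
# and VPN logs, already normalized to one schema as a SIEM would do on ingest.
EVENTS = [
    {"ts": "2021-01-06T08:55:00", "src": "badge", "user": "alice", "action": "in", "area": "datacenter"},
    {"ts": "2021-01-06T09:10:00", "src": "vpn", "user": "alice", "action": "login", "ip": "203.0.113.7"},
    {"ts": "2021-01-06T09:30:00", "src": "badge", "user": "bob", "action": "in", "area": "datacenter"},
    {"ts": "2021-01-06T10:00:00", "src": "badge", "user": "bob", "action": "out", "area": "datacenter"},
    {"ts": "2021-01-06T10:20:00", "src": "vpn", "user": "bob", "action": "login", "ip": "198.51.100.9"},
    {"ts": "2021-01-06T11:00:00", "src": "vpn", "user": "carol", "action": "login", "ip": "192.0.2.44"},
    {"ts": "2021-01-06T11:05:00", "src": "badge", "user": "carol", "action": "in", "area": "lobby"},
    {"ts": "2021-01-06T11:20:00", "src": "vpn", "user": "dave", "action": "login", "ip": "192.0.2.80"},
    {"ts": "2021-01-06T11:30:00", "src": "badge", "user": "dave", "action": "in", "area": "datacenter"},
]
CRITICAL_AREAS = {"datacenter"}

def correlate(events, window=timedelta(minutes=30), max_dwell=timedelta(hours=12)):
    """Return alerts for users who are badged into a critical area while
    also logging in remotely, in either order."""
    inside = {}       # user -> (area, badge-in time) while still in the area
    last_remote = {}  # user -> (ip, time) of most recent remote login
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["src"] == "badge" and ev["area"] in CRITICAL_AREAS:
            if ev["action"] == "out":
                inside.pop(user, None)  # left the area: later remote logins are normal
                continue
            inside[user] = (ev["area"], ts)
            # Remote login shortly before the swipe: same conflict, reverse order.
            if user in last_remote and ts - last_remote[user][1] <= window:
                alerts.append((user, ev["area"], last_remote[user][0], ev["ts"]))
        elif ev["src"] == "vpn" and ev["action"] == "login":
            last_remote[user] = (ev["ip"], ts)
            # max_dwell expires stale presence when a badge-out was never logged.
            if user in inside and ts - inside[user][1] <= max_dwell:
                alerts.append((user, inside[user][0], ev["ip"], ev["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("ALERT user=%s area=%s remote_ip=%s at=%s" % alert)
```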

But SIEMs are notorious for being noisy. Humans in the SOC are called on to respond to hundreds, if not thousands, of alerts per shift. Many add-ons have been introduced to enrich the data available to the SIEM to further diagnose and winnow out the real breach indicators from the noise. Take user and entity behavior analysis (UEBA), for instance. Obviously, it is not working. SOCs are perpetually understaffed, and breaches keep happening. (See: SolarWinds).

In 2015, I published a research report on the threat intelligence space. I listed 21 vendors broken down into three categories. One category was threat intelligence platforms (TIPs), which ingest feeds from all the other vendors and de-duplicate them. I made a bold prediction that these TIPs would evolve to replace SIEMs; after all, every TIP sorts and prioritizes indicators of compromise (IoC) and then feeds them into a SIEM for correlation with all the alerts received. Why not do away with the SIEM altogether, and just feed the alerts into the TIP for processing?

“As threat intelligence sources proliferate, the problem is beginning to look like that which has plagued logging and SIEM solutions. There is too much data (one service claims to track over 10 million threat indicators). To corral the problem, Threat Intelligence Platform (TIP) vendors have created solutions to aggregate feeds, enrich [these] feeds through de-duplication and correlation and integrate with existing tools such as Security Information and Event Management (SIEM) products, firewalls, IPS and a new breed of analytics applied to breach detection. These platforms are evolving quickly to play a more central role in breach detection and incident response. [We believe] that Threat Intelligence Platforms address all the shortcomings of SIEMs to date. By becoming the central analysis center for breach detection, TIPs will supplant SIEMs, which will be relegated to compliance roles such as logging and recording of events. As the repository and manager of threat intelligence, TIPs will also fulfill the requirement for information sharing amongst trusted parties.”

When I revisited the threat intelligence market report in 2020, there were 70 vendors to look at (as of today, I am tracking 84). Five years later, there was no sign that TIPs were supplanting SIEMs.

I may have been five years ahead of the market. This past week, Stellar Cyber announced their own TIP. Stellar went to market as a security analytics platform, and adopted the term XDR shortly after it was coined. We know about network detection and response (NDR; think network taps, netflow, etc.) and endpoint detection and response (EDR; think modern endpoint security like Carbon Black or CrowdStrike). Now, combine them, as all security analytics platforms do, and you get XDR.

By adding a TIP to its XDR platform, Stellar Cyber is one example of a vendor that’s well on its way to providing a complete SOC solution that could ultimately displace the central role of a SIEM.

What about the existing TIP vendors? Are they introducing security analytics and, thus, finally moving to integrating a SIEM into their platform? I believe the answer is yes. I know of at least one that is likely to introduce XDR capability in the coming months.

Here are the current TIP vendors I track, sorted by headcount as of January 6, 2021.


| TIP Vendor | Headcount (January 6, 2021) |
|---|---|
| SOC Prime | 59 |
| Media Sonar | 34 |
| Alpha Recon | 18 |
| Crypteia Networks (PCCW) | 10 |
| The Barrier Group | 2 |

Of course, the SIEM vendors could move quickly, acquire one of these platforms, and offer an integrated product. Either way, it is high time that these platforms start delivering on their promise of reducing the workload for SOC personnel and stopping breaches before they cause damage.