{"id":1550,"date":"2025-12-03T13:47:43","date_gmt":"2025-12-03T19:47:43","guid":{"rendered":"https:\/\/raffy.ch\/blog\/?p=1550"},"modified":"2025-12-03T13:47:45","modified_gmt":"2025-12-03T19:47:45","slug":"the-trojan-horse-we-let-into-the-siem-kingdom","status":"publish","type":"post","link":"https:\/\/raffy.ch\/blog\/2025\/12\/03\/the-trojan-horse-we-let-into-the-siem-kingdom\/","title":{"rendered":"The Trojan Horse We Let Into the SIEM Kingdom"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large is-resized is-style-default\"><a href=\"https:\/\/raffy.ch\/blog\/wp-content\/uploads\/2025\/12\/trojan_siem.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/raffy.ch\/blog\/wp-content\/uploads\/2025\/12\/trojan_siem-1024x683.png\" alt=\"\" class=\"wp-image-1556\" style=\"width:650px\" srcset=\"https:\/\/raffy.ch\/blog\/wp-content\/uploads\/2025\/12\/trojan_siem-1024x683.png 1024w, https:\/\/raffy.ch\/blog\/wp-content\/uploads\/2025\/12\/trojan_siem-300x200.png 300w, https:\/\/raffy.ch\/blog\/wp-content\/uploads\/2025\/12\/trojan_siem-768x512.png 768w, https:\/\/raffy.ch\/blog\/wp-content\/uploads\/2025\/12\/trojan_siem.png 1536w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Every few years in security, a category shows up that makes you think: <strong>\u201cThis market should have never existed.\u201d<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The \u201csecurity data pipeline \/ data fabric \/ routing\u201d universe is exactly that. Impressive companies in the space, smart founders, great execution and (thank you Observo!) great exits already. But the fact that there <em>is<\/em> a market here is the real indictment. This category is nothing more than a gap SIEM vendors left wide open. And the pipelines walked right in.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>A Market That Shouldn\u2019t Exist<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s be honest: Splunk, Elastic, Sentinel, Exabeam\u2026 they all ignored the ingest problem for too long. Cost, routing, shaping, tiering \u2014 none of it was solved cleanly. So Cribl et al. solved it for them. But here\u2019s the twist. By solving it, they also became the neutral abstraction layer. The thing sitting <em>between<\/em> customers and their SIEM. That layer is now the switching fabric. It isn\u2019t just \u201coptimize your Splunk bill.\u201d<br \/>It\u2019s:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduce SIEM ingestion.<\/strong><\/li>\n\n\n\n<li><strong>Store everything in our &#8220;cheap&#8221; data lake.<\/strong><\/li>\n\n\n\n<li><strong>Oh, and here\u2019s some lightweight analytics while you\u2019re here.<\/strong><\/li>\n\n\n\n<li><strong>Or how about you go ahead and try out another SIEM?<\/strong> We can forward your data to multiple destinations while you evaluate moving away, and then switch you over in a matter of hours.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">That\u2019s the Trojan Horse. You invite it in to help. And suddenly it holds the keys to the castle.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>History Is Repeating Itself<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We\u2019ve seen this play before:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>UEBA -> standalone products slowly added data stores and analytics, then became full SIEMs<\/li>\n\n\n\n<li>SOAR -> got absorbed into SIEM<\/li>\n\n\n\n<li>Ingest pipelines -> now becoming lakes -> and eventually a SIEM<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Cribl already has Cribl Lake. Give it time and it becomes a SIEM-lite. Then a SIEM.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is the cycle: <strong>Start as an add-on -> become indispensable -> become the platform.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We keep acting surprised. But it\u2019s the same movie every time. And again, think about the switching costs: this layer lets every customer evaluate new solutions and switch over fairly easily.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>If You\u2019re Splunk\u2026<\/strong> I mean Cisco&#8230;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">You\u2019re one of the few players that can still turn this around \u2014 if you execute sharply and fast.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here\u2019s what Splunk <em>must<\/em> own again:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reclaim the ingest pipeline.<\/strong><\/li>\n\n\n\n<li><strong>Make cost the advantage, not the penalty.<\/strong><\/li>\n\n\n\n<li><strong>Federate search across data lakes natively.<\/strong> (I think you are almost there.)<\/li>\n\n\n\n<li><strong>Make tiering and reduction a first-class feature.<\/strong><\/li>\n\n\n\n<li><strong>Kill the routing layer through pure convenience.<\/strong><\/li>\n\n\n\n<li><strong>Figure out your real-time story.<\/strong> CrowdStrike is leaning hard on the message that attackers move fast these days and that a batch approach won&#8217;t work anymore.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">If Splunk doesn\u2019t own the control plane, Cribl will. And once you lose the control plane, you lose the customer, no matter how good your detection content is. Cisco gives Splunk a rare opportunity: distribution, integration leverage, and a chance to fix what was ignored for too long. But they can\u2019t let another category grow unchecked. Not again.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>My Take<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Data pipeline products aren&#8217;t the problem. They are the <strong>symptom<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The problem is the complacency that let the ingest layer drift outside the SIEM in the first place. Because once a neutral fabric handles all your data, the SIEM becomes swappable. The next SIEM won\u2019t start as a SIEM. It will start exactly where Cribl started: <strong>as a pipeline<\/strong> (Abstract Security, anyone?). That\u2019s the Trojan Horse.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Every few years in security, a category shows up that makes you think: \u201cThis market should have never existed.\u201d The \u201csecurity data pipeline \/ data fabric \/ routing\u201d universe is exactly that. Impressive companies in the space, smart founders, great execution and (thank you Observo!) great exits already. But the fact that there is a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,8],"tags":[45],"class_list":["post-1550","post","type-post","status-publish","format-standard","hentry","category-log-analysis","category-security-information-management","tag-data-lake"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts\/1550","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/comments?post=1550"}],"version-history":[{"count":5,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts\/1550\/revisions"}],"predecessor-version":[{"id":1557,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts\/1550\/revisions\/1557"}],"wp:attachment":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/media?parent=1550"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/categories?post=1550"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/tags?post=1550"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}