SIEM, MSSP

We Need to Talk: Breaking up With Your SIEM Vendor


Guest blog courtesy of Stellar Cyber and written by Steve Garrison.

Relationships are challenging at times. They’re like a seesaw – every relationship requires effort from both sides to keep it balanced and healthy. But what happens when one person pushes while the other is just along for the ride? That’s when the seesaw tips, and the relationship can turn sour.

Many MSSPs are currently in an unbalanced relationship, and their SIEM vendor is just along for the ride. However, like many personal relationships that go on longer than they should because of the actual or perceived difficulty of ending them, MSSPs might hesitate to talk with their SIEM vendor.

I get it – you spent months getting the product implemented and integrated into your security ecosystem. You invested in training the team on the product and built workflows and playbooks around this product. You might even like your sales rep and customer support person, so you are okay with the constant delays in new product features, lack of out-of-the-box integrations, and shortcomings in automation.

But while you put up with a lot from your SIEM vendor, your team’s frustration grows with each passing day. Holding out hope that your SIEM vendor, who has repeatedly let you down, will suddenly change its ways only hurts you and your team’s ability to protect your environment.

If this sounds like you, now is the time to break up with your SIEM vendor. Here are three tips to make this breakup as painless as possible and help you build a healthier relationship with your next SecOps platform vendor.

1. Bring “Receipts”

Before initiating your SIEM vendor breakup, gather “receipts” showing how your vendor failed to meet your needs. These might include:

  • Email conversations where your vendor promised a feature or bug fix that never materialized
  • Feature requests submitted to your vendor and left in no man's land
  • Open support tickets with little to no movement from the vendor
  • Integration needs that were denied or put into a backlog and never handled

While it’s your right to end your SIEM vendor relationship anytime, bringing receipts to this uncomfortable conversation will show that you have good reasons to leave.

2. They Will Try and Win You Over - Remember Why You Need to Leave

Just as in a personal relationship, when the vendor realizes that you are serious about moving on, they will try to convince you that they can change. They may offer meetings with high-level executives, improved support plans, or discounts on your next renewal.

Remember why you decided to move on and play the relationship forward in your mind. While things might improve in the short term, will they change in the long term? Probably not, but let’s give them the benefit of the doubt and say they put more effort into the relationship going forward. In the back of their mind, their sales rep will think about how you threatened your way to more attention.

No worthwhile vendor will be blindsided by your decision to leave – they would have seen the warning signs long before. If you’ve decided to move on for good reasons, don’t fall for the “we can do better” song and dance.

3. Find Your New Vendor First

Before kicking your current SIEM vendor to the curb, you must know where you will land. When finding your new SIEM/SecOps vendor, make a short list of must-haves and not-wants. Your list might look something like this:

  • Must Haves
    • Covers my top security use cases
    • Is deployable in my chosen environment (cloud, on-prem, or both)
    • Uses a specific technology (such as AI, automation, etc.)
    • Supports my security stack products out-of-the-box
    • Provides on-demand training
    • Doesn’t charge for new integrations
    • And anything else you cannot live without
  • Not-Wants
    • Limited integrations
    • Difficult-to-use interface
    • Too many manual processes
    • Opaque roadmap
    • And anything else that would be a deal breaker

Given the recent tumult in the SIEM market, it’s wise to understand each prospective vendor’s strategic vision for the next 3-5 years. While there is no guarantee any vendor you select won’t be the next one to announce a merger or acquisition, having a brief conversation on the topic at least lets the potential new vendor know that you are taking the process seriously.

Closing Thoughts

Ending a relationship is never easy, especially if it has gone on for years, but that doesn’t mean it isn’t for the best. Do yourself and your team a favor; if you’re in a dead-end SIEM vendor relationship, take steps now to take control of your security future. Contact us to set up a personal consultation today to see how Stellar Cyber and our Open XDR Platform have helped many security teams move on from toxic SIEM vendor relationships.