SANS Product Review Report - Google SecOps: The SIEM's Third Act

Since their introduction to the security product market more than 20 years ago, Security Information and Event Management (SIEM) platforms have struggled with complexity and scope creep. What began mainly as a way to consolidate alerts from intrusion detection systems and firewalls has become a central hub for many security functions: threat intelligence analysis, audit support, risk management, automation, detection engineering, and more. Vendors have answered this demand by folding more tools and capabilities into their platforms, producing products that are powerful but complicated.

Entire product classes have emerged around reducing the cost and complexity of data ingestion and getting better detections out of the SIEM. If Act One of the SIEM “story” is log collection and search, and Act Two is threat detection plus the consolidation of functions such as security orchestration, automation, and response (SOAR) and user and entity behavior analytics (UEBA), is the SIEM now at risk of collapsing under its own weight? Is it time to pivot to a different form factor for detection and response, such as extended detection and response (XDR) and its variants? Based on our review of Google SecOps, the answer is a resounding “no.” As we discuss in this paper, Google SecOps combines Google’s large-scale search performance, security expertise from Mandiant and VirusTotal, and artificial intelligence via the Gemini model in a streamlined detection and response platform.



