SentinelOne To Challenge ‘Antiquated’ SIEM Technology From Splunk: CEO

With Splunk under agreement to be acquired by Cisco, SentinelOne sees a ‘huge opportunity with disrupting the SIEM space,’ says the cybersecurity vendor’s CEO, Tomer Weingarten.


With its cloud-native approach and high-powered data analytics technology, cybersecurity vendor SentinelOne expects to pose a formidable challenge to Cisco-Splunk in the future in security information and event management (SIEM), according to SentinelOne co-founder and CEO Tomer Weingarten.

When asked at the XChange Best of Breed Conference Tuesday about Cisco’s planned $28 billion acquisition of Splunk, Weingarten answered that “we’ve seen a huge opportunity with disrupting the SIEM space.”


“I think that SIEM is generally something that is antiquated in approach, antiquated in architecture, antiquated in scale,” he said during the conference, hosted by CRN parent The Channel Company in Atlanta.

Splunk’s SIEM technology is widely deployed by Security Operations Center teams to provide the logging, analytics and search capabilities they need to monitor and respond to cyberthreats.

For SentinelOne, “it’s going to take some time, so I’m not [suggesting] that starting tomorrow every Splunk customer can find a different home. I think obviously Splunk is a good product. It’s a product that people have built on top for many, many years,” Weingarten said. “But I think it’s time for a better approach.”

Splunk declined to comment Tuesday.

SIEM systems, Weingarten noted, were originally built to “ingest gigabytes of data, at best, in on-prem environments.”

“It’s a node-based approach, never adapted to a full cloud-native platform,” he said. “The fact that Splunk was telling people that they’re a cloud company—they’re not a cloud company. They took the same technology, they put it into the cloud.”

The issues are not just about Splunk, however, Weingarten added: They are “true for every SIEM out there.”

SentinelOne’s aspirations to displace SIEM technology from Cisco-Splunk and other players in the space bring credibility, given that the company has been such a major “market disrupter” in endpoint security, said Nicholas Scarsella, CEO of Imperium Data, No. 488 on the 2023 CRN Solution Provider 500. Tampa, Fla.-based Imperium Data doesn’t partner directly with SentinelOne, but two MSSP partners that Imperium works with to serve end customers do use the vendor, he said.

When it comes to innovating in additional areas of cybersecurity such as SIEM, “I expect them to continue on the path,” Scarsella said. “They’re known for being a disrupter, and people look to them to continue to do that [more broadly].”

During the session Tuesday, Weingarten pointed to the benefits around scalability, performance and data retention that SentinelOne will be able to leverage through its cloud-native approach.

Especially critical will be its capabilities from its 2021 acquisition of “next-generation” data analytics provider Scalyr—now known as DataSet—which is “embedded in everything we do,” he said.

SentinelOne’s approach offers “petabyte scale” and “gets rid of all the complexities and the constraints that were in the SIEM world,” Weingarten said.

The approach also promises to offer dramatically lower costs for data ingestion and retention, as well as improved performance, he said.

“No longer do you need to worry about a yearlong data retention, something that’s cost-prohibitive. No longer do you need to worry about data retrieval taking hours on end every time you run a query,” Weingarten said.

Ultimately, displacing SIEM is poised to become “a great new opportunity for our company, a great new opportunity for our partners,” he said, speaking to an audience of C-level executives from major solution and service providers. “So all in all, stick with us—I think you’re going to see a lot of success.”