Gartner Magic Quadrant for Security Information and Event Management (SIEM) July 2015
The security information and event management (SIEM) market is defined by the customer’s need to apply security analytics to event data in real time for the early detection of targeted attacks and data breaches, and to collect, store, analyze and report on log data for incident response, forensics and regulatory compliance. The vendors included in our Magic Quadrant analysis have technologies that have been designed for this purpose, and they actively market and sell these technologies to the security buying center.
SIEM technology aggregates event data produced by security devices, network infrastructures, systems and applications. The primary data source is log data, but SIEM technology can also process other forms of data, such as NetFlow and network packet data. Event data is combined with contextual information about users, assets, threats and vulnerabilities. The data is normalized, so that events, data and contextual information from disparate sources can be correlated and analyzed for specific purposes, such as network security event monitoring, user activity monitoring and compliance reporting. The technology provides real-time correlation of events for security monitoring, query and analytics for historical analysis, and other support for incident investigation and compliance reporting.
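The pipeline described above (collect raw events from disparate sources, normalize them onto a common schema, enrich with asset context, then apply a real-time correlation rule) is easier to reason about with a concrete sketch. The following is an added example written for this page; it is not code from any vendor evaluated in this Magic Quadrant. The log lines, the asset inventory, the field names of the common schema and the brute-force rule are all constructed for illustration. It normalizes two source types (a syslog-style firewall line and a Windows logon event exported as key=value pairs), looks up asset criticality for the target, and raises an alert when a run of failed logons for one user from one source IP is followed by a success on the same pair within a time window, escalating severity when the asset is critical.

```python
"""Added example: SIEM-style normalization, enrichment and correlation.
Illustrative only; not any vendor's product. All inputs are constructed."""
import re
from datetime import datetime, timedelta

# Constructed raw events: a firewall (syslog-like) and a Windows host
# (EventID 4625 = failed logon, 4624 = successful logon), both hypothetical.
RAW_EVENTS = [
    "2015-07-20T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2015-07-20T10:00:03Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22",
    "EventID=4625 Time=2015-07-20T10:00:05Z Host=fileserver User=admin Src=203.0.113.7",
    "EventID=4625 Time=2015-07-20T10:00:06Z Host=fileserver User=admin Src=203.0.113.7",
    "EventID=4625 Time=2015-07-20T10:00:07Z Host=fileserver User=admin Src=203.0.113.7",
    "EventID=4624 Time=2015-07-20T10:00:09Z Host=fileserver User=admin Src=203.0.113.7",
]

# Constructed asset context, keyed by the identifiers the sources emit.
ASSETS = {
    "10.0.0.5": {"name": "fileserver", "criticality": "high"},
    "fileserver": {"name": "fileserver", "criticality": "high"},
}

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
WIN_RE = re.compile(r"^EventID=(?P<id>\d+) Time=(?P<ts>\S+) Host=(?P<host>\S+) "
                    r"User=(?P<user>\S+) Src=(?P<src>\S+)$")


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def normalize(line):
    """Map one raw line onto the common event schema; None if unrecognized."""
    m = FW_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "source": m["host"], "category": "network",
                "outcome": "success" if m["action"] == "ALLOW" else "failure",
                "src_ip": m["src"], "target": m["dst"], "user": None,
                "detail": "tcp/" + m["dport"]}
    m = WIN_RE.match(line)
    if m:
        outcome = {"4624": "success", "4625": "failure"}.get(m["id"])
        if outcome is None:
            return None  # other Windows event IDs are out of scope here
        return {"ts": parse_ts(m["ts"]), "source": m["host"],
                "category": "authentication", "outcome": outcome,
                "src_ip": m["src"], "target": m["host"], "user": m["user"],
                "detail": "windows:" + m["id"]}
    return None


def enrich(event, assets):
    """Attach asset context (criticality) looked up by the target host or IP."""
    event["asset"] = assets.get(event["target"],
                                {"name": event["target"], "criticality": "unknown"})
    return event


def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: at least `threshold` failed logons for one (src_ip, user) pair,
    then a successful logon for the same pair within `window`."""
    alerts = []
    failures = {}  # (src_ip, user) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] != "authentication":
            continue
        key = (ev["src_ip"], ev["user"])
        if ev["outcome"] == "failure":
            failures.setdefault(key, []).append(ev["ts"])
            continue
        recent = [t for t in failures.get(key, []) if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            severity = "critical" if ev["asset"]["criticality"] == "high" else "high"
            alerts.append({"rule": "bruteforce_then_success", "ts": ev["ts"],
                           "src_ip": key[0], "user": key[1],
                           "target": ev["asset"]["name"],
                           "failures": len(recent), "severity": severity})
            failures[key] = []  # reset so one burst yields one alert
    return alerts


def run(raw_lines, assets):
    """Normalize, enrich and correlate; returns (events, alerts)."""
    events = [enrich(e, assets) for e in (normalize(l) for l in raw_lines) if e]
    return events, correlate_bruteforce(events)


if __name__ == "__main__":
    _, found = run(RAW_EVENTS, ASSETS)
    for a in found:
        print(a)
```

The firewall events are normalized alongside the Windows events even though the rule only consumes authentication events; that is the point of a common schema, since a second rule (for example, a DENY burst followed by an ALLOW to the same destination port) could be written against the same fields without touching the parsers. Real deployments replace the dictionary lookup with an asset and identity inventory and add the filtering, indexing and back-store writes the report describes under Scalability.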
HP 
HP’s ArcSight SIEM solution includes Enterprise Security Manager (ESM) software for large-scale, SEM-focused deployments, and ArcSight Express, an appliance-based version of ESM for the midmarket with preconfigured monitoring and reporting. ArcSight Logger appliances and software provide log data collection and management functions that can be implemented stand-alone or in combination with ESM. HP provides additional modules, such as Application View, which provides runtime application visibility based on HP Fortify technology, and HP ArcSight User Behavior Analytics, which provides integrated user behavior analytics (UBA) capabilities based on a technology partnership with Securonix. ArcSight licensing is primarily based on consumption in GB per day.
HP added a number of improvements in 2014, notably fully integrated high-availability capabilities for ArcSight ESM, an updated Web UI for ArcSight Logger and enhancements to the ArcSight Management Center that include enhanced health monitoring and distributed management features.
ArcSight Express should be considered for midsize SIEM deployments. ESM is appropriate for large-scale deployments as long as sufficient in-house support resources are available, and for organizations seeking to build a dedicated SOC.
Strengths
- ArcSight ESM provides a complete set of SIEM capabilities that can be used to support an SOC, including a full incident investigation and management workflow.
- HP ArcSight User Behavior Analytics provides full UBA capabilities integrated with the SIEM.
- HP ArcSight has a wide variety of out-of-the-box third-party technology connectors and integrations.
- ArcSight continues to be very visible in competitive evaluations of SIEM technologies.
Cautions
- User feedback indicates that the fat client console UI for ArcSight ESM is considered dated. HP plans to release a Web-based interface in the near future.
- HP ArcSight deployment proposals routinely include more professional services than comparable offerings.
- Customers still provide feedback stating that they find ESM to be more complex than other leading solutions.
- The average of ArcSight reference customer satisfaction scores for scalability and performance, effectiveness of predefined correlation rules and the ease of customizing them, report creation and modification, query capabilities, and product quality and stability is lower than the average scores for all reference customers in those areas. Customer support has been cited as a frequent issue by Gartner clients.
IBM Security 
IBM Security’s QRadar Platform includes the QRadar SIEM, Log Manager, Vulnerability Manager, Risk Manager, QFlow and VFlow Collectors, and Incident Forensics. QRadar can be deployed as an appliance, a virtual appliance or as SaaS/infrastructure as a service (IaaS). Components can be deployed in an all-in-one solution or scaled by using separate appliances for different functions. The QRadar technologies enable collection and processing of log data, NetFlow data, deep packet inspection (DPI), full packet capture and behavior analysis for all supported sources.
Recent enhancements include incident forensics support, new data storage appliances, improved query support across logs, flow data, threat intelligence, and vulnerability and asset data. The capability to replay historical event data through current correlation rules is also now available. IBM plans to improve incident response workflow capabilities, enable sharing of threat intelligence data, and introduce more advanced analytics support for incident investigation and response.
IBM offers a hybrid delivery option for QRadar, with an on-premises QRadar deployment, a SaaS solution hosted on IBM Cloud and optional remote monitoring from IBM’s managed security service operations centers. Midsize and large enterprises with general SIEM requirements, and those with use cases that require behavior analysis, network flow and packet analysis, should consider QRadar.
Strengths
- QRadar provides an integrated view of log and event data, with network flow and packets, vulnerability and asset data, and threat intelligence.
- Customer feedback indicates that the technology is relatively straightforward to deploy and maintain in both modest and large environments.
- QRadar provides behavior analysis capabilities for NetFlow and log events.
- The average of IBM reference customers’ satisfaction scores for scalability and performance, effectiveness of predefined correlation rules, report creation, ad hoc queries, product quality and stability, and technical support is higher than the average scores for all reference customers in those areas.
Cautions
- QRadar provides less-granular role definitions and integrations with enterprise directories for workflow assignment, compared with competitors’ products.
- QRadar customers report issues with early versions of QRadar Vulnerability Manager, including limited functionality, instability, late feature updates and support delays.
Intel Security 
Intel Security provides McAfee Enterprise Security Manager, which combines SIM and SEM functions, and is available as a physical, virtual or software appliance. The three primary components that make up the SIEM offering are the Enterprise Security Manager, the Event Receiver (ERC) and the Enterprise Log Manager, which can be deployed together as one instance, or separately for distributed or large-scale environments.
Capabilities can be extended and enhanced with a range of specialized add-on products, such as Advanced Correlation Engine (ACE), Database Event Monitor (DEM), Application Data Monitor (ADM), and Global Threat Intelligence (GTI).
Among the enhancements released in the past 12 months were support for AWS deployment and new dashboards for risk analytics and cyberthreat management, as well as improved case and incident management capabilities. McAfee Enterprise Security Manager also released an integration with McAfee’s Advanced Threat Defense (ATD) and Threat Intelligence Exchange (TIE) for advanced threat monitoring and defense.
McAfee Enterprise Security Manager is a good choice for organizations that utilize other Intel Security technologies, as well as those seeking an integrated security framework that includes advanced threat defense or monitoring of industrial control systems.
Strengths
- Out-of-the-box third-party device support is cited as a strength by end users. The average of Intel Security reference customers’ satisfaction scores for scalability, report customization, ad hoc queries and support experience is higher than the average scores for all reference customers in those areas.
- Deep integrations with Intel Security’s Database Event Monitor and Application Data Monitor provide in-depth database and application monitoring for selected technologies.
- Enterprise Security Manager has strong support for monitoring operational technology, including industrial control systems (ICSs) and supervisory control and data acquisition (SCADA) devices.
- Customers report that integrating multiple McAfee security products often yields good synergies and provides better solutions than were otherwise available.
Cautions
- Intel Security’s many advanced SIEM features and capabilities in areas such as endpoint intelligence and automated response require integrations with, or further investments in, other Intel portfolio products. Some require ePolicy Orchestrator (ePO) to act as middleware.
- NetFlow can be used to generate events and alerts, but is not automatically used to enrich log-based events.
- User feedback indicates that version 9.4.x has been troubled by some stability and performance issues. The average of Intel Security reference customers’ satisfaction scores for predefined correlation rule effectiveness and customization, predefined reports and new report creation, and product quality and stability is lower than the average scores for all reference customers in those areas.
LogRhythm 
LogRhythm sells its appliance- and software-based SIEM solutions to midsize and large enterprises. LogRhythm’s SIEM consists of several unified components: the Event Manager, Log Manager, Advanced Intelligence Engine (AI Engine) and Console. For distributed log collection, Site Log Forwarders are available, and an agent is also provided for Linux, Unix and Windows for local log collection. Network forensic capabilities such as deep packet inspection (DPI), NetFlow monitoring and full packet capture are supported via LogRhythm’s Network Monitor. LogRhythm’s System Monitor Agents include basic host activity monitoring capabilities such as system process monitoring; file integrity monitoring for Windows, Linux and Unix; and Windows registry monitoring.
In the past year, LogRhythm has added a new incident response and case management workflow capability that includes a centralized evidence locker and incident response collaboration tools. It has also expanded the scope of supported devices for log normalization and applications for network monitoring. The AI Engine has been updated to include risk-based profiling and behavioral analytics to identify statistical anomalies for network, user and device activity.
LogRhythm is an especially good fit for organizations that require an integrated combination of SIEM, endpoint and network monitoring capabilities, and those organizations that value ease of deployment and predefined function over a “build your own” approach to monitoring.
Strengths
- LogRhythm combines SIEM capabilities with endpoint monitoring, network forensics and incident management capabilities to support security operations use cases.
- Gartner receives consistent user feedback stating that LogRhythm’s solution is straightforward to deploy and maintain, and provides effective out-of-the-box use cases and reporting templates.
- The average of LogRhythm reference customers’ satisfaction scores for scalability and performance, effectiveness of predefined rules, usefulness of predefined reports, ease of use and effectiveness of predefined queries, product quality and stability, and support experience is higher than the average scores for all reference customers in those areas.
- LogRhythm continues to be very visible in the competitive SIEM technology evaluations of Gartner clients.
Cautions
- User feedback indicates that creating new reporting templates could be more intuitive.
- Users report that options for reporting focused on alert trending are limited.
Splunk 
Splunk Enterprise and Splunk Cloud provide search, alerting, real-time correlation and a query language that supports visualization using more than 100 statistical commands. Splunk is widely deployed by IT operations and application support teams for log management, analytics, monitoring, and advanced search and correlation. In many cases, the presence of Splunk for operations support leads to consideration of the technology for SIEM, and Gartner customers regularly include Splunk on shortlists for SIEM. The Splunk App for Enterprise Security provides predefined reports, dashboards, searches, visualization and real-time monitoring to support security monitoring and compliance reporting use cases.
Splunk has continued to enhance the App for Enterprise Security, its predefined security indicators, dashboards and visualizations, and its support for wire data capture and analysis. New advanced query and data pivot features enable easier access to functions previously available only through the Splunk query language. Splunk can be deployed for SIEM as on-premises software, in a public or private cloud, as a SaaS offering from Splunk (Splunk Cloud), or in any combination (hybrid).
Splunk supports a broad range of threat intelligence feeds, including STIX/TAXII formats for importing and sharing feeds. Organizations that require an SIEM platform that can be customized to support extensive analytics functions and a variety of log formats, and those with use cases that span security and IT operations support, should consider Splunk.
Strengths
- Splunk’s strong presence in IT operations groups can provide security organizations with early hands-on exposure to its general log management and analytics capabilities, “pre-SIEM” deployment by operations for critical resources, and in-house operations support for expanded security-focused deployments.
- Splunk customers cite visualization and behavioral, predictive and statistical analytics as effective elements of advanced monitoring use cases, such as detecting anomalous user access to sensitive data.
- Splunk has enhanced built-in support for a large number of external threat intelligence feeds from commercial and open sources.
- The average of Splunk reference customer satisfaction scores for scalability and performance, effective and useful predefined rules and reports, rule and report customization features, report creation, ease and effectiveness of ad hoc queries, product quality and stability, and support experience is higher than the average scores for all reference customers in those areas.
Cautions
- The Splunk App for Enterprise Security provides basic support for predefined correlations for user monitoring. Potential buyers should anticipate modifying those and building their own to implement more advanced user monitoring use cases.
- Workflow and case management functions lag behind those of competitors. Organizations with mature SOC processes may require customization or integrations with third-party technologies for these functions.
- Splunk’s license model is based on data volume indexed per day. Customers report that the solution is more costly than other SIEM products where high data volumes are expected.
Context
SIEM technology provides:
- SIM — Log management, analytics and compliance reporting
- SEM — Real-time monitoring and incident management for security-related events from networks, security devices, systems and applications
SIEM technology is typically deployed to support three primary use cases:
- Threat management — Real-time monitoring and reporting of user activity, data access, and application activity, in combination with effective ad hoc query capabilities
- Compliance — Log management and compliance reporting
- A mixed deployment that provides both threat management and compliance capabilities
Market Overview
SIEM is a $1.69 billion market that grew 12.5% during 2014, with an expected growth rate of 10.9% during 2015. For inclusion, Gartner considers revenue and relative visibility of vendors in the market. The revenue threshold is $13.5 million per year for 2014 (net new license revenue plus maintenance). Visibility is calculated from the following factors: presence on Gartner client shortlists via client inquiries, search references on gartner.com, presence on vendor-supplied customer reference shortlists and mentions as a competitor by other SIEM vendors.
During the past year, demand for SIEM technology has remained strong. During this period, the number of Gartner inquiry calls from end-user clients with funded SIEM projects increased by 24% over the previous 12 months, and most vendors have reported increases in customers and revenue. During 2014, the SIEM market grew from $1.5 billion to approximately $1.69 billion, a growth rate of about 12.5%. The primary drivers that were in place at the start of 2014 remain in effect. Threat management is the primary driver, and compliance remains a secondary driver. In North America, there continue to be many new deployments by smaller companies that need to improve monitoring and breach detection. Compliance reporting also continues as a requirement, but most discussions with Gartner clients are security-focused. There continue to be new deployments by larger companies that are conservative adopters of technology. Both of these customer segments place high value on deployment and operational support simplicity.
We continue to see large companies that are re-evaluating SIEM vendors to replace SIEM technology associated with partial, marginal or failed deployments. During this period, we have continued to see a stronger focus on security-driven use cases from new and existing customers. Demand for SIEM technology in Europe and the Asia/Pacific region remains steady, driven by a combination of threat management and compliance requirements. Growth rates in Asia and Latin America are much higher than those in the U.S. and Europe. As a consequence, our overall evaluation of vendors in this Magic Quadrant includes an evaluation of vendor sales and support strategies for those geographies.
The SIEM market is mature and very competitive. We are in a broad adoption phase, in which multiple vendors can meet the basic log management, compliance and event monitoring requirements of a typical customer. The greatest area of unmet need is effective targeted attack and breach detection. Organizations are failing at early breach detection, with more than 92% of breaches undetected by the breached organization. The situation can be improved with stronger threat intelligence, the addition of behavior profiling and better analytics. We are monitoring the emerging user and entity behavior analytics market (also called user behavior analytics, or UBA), as early adopters report effective detection of targeted attacks with limited deployment efforts. We expect SIEM vendors to increase their support for behavior analysis capabilities and predefined content over the next 18 months. Most companies expand their initial SIEM deployments over a three-year period to include more event sources, greater use of real-time monitoring, and investigation to support incident response. The large SIEM vendors have significant existing customer bases, and there continues to be a focus on the expansion of SIEM technology deployments within existing accounts. In general, SIEM vendors are continuing to incrementally improve product capabilities in areas related to breach detection (threat intelligence, anomaly detection and activity monitoring from the network), as well as investigation workflow and case management.
Customer Requirements — Security Monitoring and Compliance Reporting for Systems, Users, Data and Applications
During the past year, Gartner clients deploying SIEM technology have continued to be primarily focused on security use cases, even though compliance continues to be an important driver. The primary focus continues to be targeted attack and breach detection. The security organization often wants to employ SIEM to improve capabilities for external and internal threat discovery and incident management (see “Using SIEM for Targeted Attack Detection”). As a consequence, there are requirements for user activity and resource access monitoring for host systems and applications (see “Effective Security Monitoring Requires Context”). In this year’s SIEM vendor Magic Quadrant evaluation, we continue to place greater weight on capabilities that aid in targeted attack detection, including support for user activity monitoring, application activity monitoring, profiling and anomaly detection, threat intelligence, and effective analytics.
Demand from North American and European clients has increased, while the number of Asia/Pacific SIEM inquiries has remained steady as a percentage of total SIEM inquiry activity. The continued adoption of SIEM technology by companies with limited security programs has fostered a demand for products that provide predefined security monitoring and compliance reporting functions, as well as ease of deployment and support.
SIEM solutions should:
- Support the real-time collection and analysis of events from host systems, security devices and network devices, combined with contextual information for threats, users, assets and data.
- Provide long-term event and context data storage and analytics.
- Provide predefined functions that can be lightly customized to meet company-specific requirements.
- Be as easy as possible to deploy and maintain.
Scalability
Scalability is a major consideration in SIEM deployments. For an SIEM technology to meet the requirements for a given deployment, it must be able to collect, process, store and analyze all security-relevant events. Events that need to be monitored in real time have to be collected and processed in real time. Event processing includes parsing, filtering, aggregation, correlation, alerting, display, indexing and writing to the back store. Scalability also includes access to the data for analytics and reporting — even during peak event periods — with ad hoc query response times that do not preclude the use of an iterative approach for incident investigation. Query performance needs to hold up, even as the event store grows over time. We characterize the size of a deployment based on three principal factors:
- The number of event sources
- The sustained events per second (collected after filtering, if any)
- The size of the event back store
We assume a mix of event sources that are dominated by servers, but also include firewalls, intrusion detection sensors and network devices. Some deployments also include a large number of PC endpoints, but these are not typical, and PC endpoint counts are not included in our totals. The boundaries for small, midsize and large deployments are not absolute, because some deployments may have a large number of relatively quiet event sources, while others will have a smaller number of very busy event sources. For example, a deployment with several busy log sources may exceed the EPS limits set below for a small deployment, but will still be small architecturally.
Gartner defines a small deployment as one with 300 or fewer event sources, a sustained EPS rate of 1,500 events per second or less, and a back store sized at 800GB or less. Gartner defines a midsize deployment as one with 400 to 800 event sources, a sustained event rate of 2,000 to 7,000 events per second and a back store of 4TB to 8TB. A large deployment is defined as one with more than 900 event sources, a sustained event rate of more than 15,000 events per second, and a back store of 10TB or more. Some very large deployments have many thousands of event sources, sustained event rates of more than 25,000 EPS and a back store of more than 50TB. We may indicate that a vendor’s SIEM technology is ideally suited for a small, midsize or large deployment, which means that the size is a typical or most common successful deployment for that vendor. Every vendor will have outliers.
SIEM Services
Gartner customers increasingly indicate that they are seeking external service support for their SIEM deployment, or are planning to acquire that support in conjunction with an SIEM product. Drivers for external services include lack of internal resources to manage an SIEM deployment, lack of resources to effectively monitor the alerts or do so 24/7, or lack of expertise to expand the deployment to include new use cases (such as user activity monitoring). We expect demand by SIEM users for such services will grow, as more customers adopt 24/7 monitoring and implement use cases that require deeper SIEM operational and analytics expertise.
SIEM vendors may support these needs with managed services, with staff augmentation or outsourcing services, or via partners. Managed security service providers, which offer real-time monitoring and analysis of events, and collect logs for reporting and investigation, are another option for SIEM users. The number of hosted SIEM or SIEM-as-a-service offerings (such as Splunk Cloud and Alert Logic, and log services from Sumo Logic) is increasing, to support customers that opt to forgo SIEM technology management but are able to use internal resources for monitoring and investigation. Customer-specific requirements for event collection and storage, alerting, investigation, and reporting may prove problematic for external service providers, and SIEM users exploring services should evaluate the fit of the service provider to meet current and planned use cases.