Analysis and research firm Gartner, Inc. has released the latest iteration of its yearly Magic Quadrant (MQ) for Security Information and Event Management (SIEM), available here.
Every year, Gartner evaluates the strengths and weaknesses of the SIEM vendors that it considers most significant in the current market and provides readers with a graph—the titular Magic Quadrant— which plots those vendors based on their ability to execute their platforms and their completeness of vision.
The 19 vendors in this year’s report, in alphabetical order, are:
Micro Focus (ArcSight)
Micro Focus (NetIQ)
The graph is divided into four quadrants: niche players, challengers, visionaries, and leaders. Gartner does not endorse any vendor, product, or service depicted in its research publications, regardless of their position on the quadrant.
The 2017 SIEM Magic Quadrant is the twelfth iteration of the report, which Gartner first introduced way back in 2005 when their researchers first coined the term. Since then, Gartner has observed the SIEM market mature and increase in competition; the market grew from $2.001 billion in 2015 to $2.167 billion in 2016 and is projected to grow to nearly $6 billion in 2021. SIEM is in a period of broad adoption even as growth rates in Asia/Pacific and Latin America outpace North America and Europe. And with 80% of breaches going undetected by the breached organizations, SIEM solutions are more vital than ever.
At Solutions Review, we read through the full report, available here, and pulled a few of the important takeaways and changes since the 2016 report. Here they are:
How Gartner Defines SIEM
Before we can explore what’s changed in the past year, we must first review what Gartner’s analysts mean when they discuss SIEM and the top players in the field.
Gartner Analysts define SIEM “by the customer’s need to analyze event data in real time for the early detection of targeted attacks and data breaches, and to collect, store, analyze, investigate and report on event data for incident response, forensics and regulatory compliance.”
To put the matter more simply, SIEM allows companies to monitor security events in real-time, analyze those events, and archive them for historical threat analysis and compliance reporting.
To be considered for inclusion on Gartner’s SIEM Magic Quadrant, vendors must provide both SIM— which includes log management, analytics and compliance reporting—and SEM— which involves real-time monitoring and incident management—capabilities.
Additionally, vendors must support data capture from heterogeneous data sources including network devices, security devices, and security programs. Their solution must be delivered to the customer environment as a software or appliance based-product, or via an as-a-service model.
Gartner excluded vendors who did not appear on the SIEM product evaluation lists of end-user organizations or whose SIEM revenue was less than $15 million over the past year from the Magic Quadrant.
With that established, let’s see what has changed on the Magic Quadrant for SIEM in 2017:
A Year of New Names in SIEM
According to Gartner’s report, the SIEM vendor landscape is evolving. Sure enough, while there were a lot of veterans of the Magic Quadrant operating under new names–Fortinet instead of AccelOps, for instance—there were a surprising number of outright new vendors who made the quadrant this year: Venustech, Securonix, Rapid7, Micro Focus (ArcSight), FireEye, and Exabeam.
Gartner’s states in its report that a vendor’s appearance or disappearance from the quadrant is not a reflection of change in quality or opinion, but simply market changes and inclusion criteria. They also noted that many of the new vendors have added SIEM functionality to their preexisting User and Entity Behavior Analysis (UEBA)-focused products. In the case of FireEye, it added SIEM as a service to its threat detection platform.
Many of these new software platforms are user-based rather than IP address or hostname-based in their monitoring practices, as befits outgrowths of UEBA technology. Gartner notes that this may yet change the market once again in the near future as customers adjust to the deluge of new approaches.
The Same Vendors Remain “Leaders,” With One Difference
Vendors in Gartner’s SIEM Leaders Quadrant are judged by the strength of their products’ against general market requirements, their success at building an installed revenue stream, and their visibility.
Gartner notes that the leading vendors continue to command more than 60% of the SIEM market’s revenue. Each displays an emphasis on anomaly detection, threat analytics, and endpoint and network activity monitoring in their solutions.
This year the Leaders Quadrant was once again dominated by recognizable names from 2016: Splunk, LogRhythm, and IBM. Intel Security did not appear in the quadrant this year, as their affiliation with McAfee ended in April and the latter resumed operating as an independent entity. McAfee did appear in the leaders quadrant, but is lower in the rankings than the other leaders. Splunk, meanwhile, rose slightly in its positioning.
But the major difference for the Leaders Quadrant in 2017 is the conspicuous absence of HP or HPE related vendors. Gartner stated that this year HPE closed a business deal with Micro Focus while its ArcSight architecture was still being updated, leaving the software’s status ambiguous. Micro Focus has stated it will continue investment in the program, but Gartner noted licensing and architecture issues persisted for the solution.
Changing Demands, Changing Programs
Gartner predicted in the 2016 SIEM Magic Quadrant that at least 60% of major vendors will incorporate advanced analytics and UEBA functionality into their products. With the recent expansion of SIEM software stemming from UEBA tools from many vendors, their prediction appears to be fairly accurate. However, other leaders—even leaders such as LogRhythm and visionaries such as Rapid7—offer solutions that have trouble integrating with third-party UEBA programs.
In response to changing demands in the SIEM marketplace, Gartner’s analysts placed greater weight on capabilities that aid in targeted in attack detection when considering vendors this year. However, they noted that threat management is still the primary driver of demand in the field. General monitoring and compliance reporting came second in the minds of security professionals.
The Perspective From 2018
SIEM has garnered even more attention in the few months since Gartner released this report just a few months ago. Compliance, once the primary interest driving enterprises to this solution, has taken something of a backseat to threat management. As more cybersecurity experts and solutions architects have come to terms with the idea that even the best preventative cybersecurity measures won’t be 100% effective, detection has become the new paradigm in digital safety.
Reducing attacker dwell time and gaining visibility into IT environments are more important than ever before. SIEM has risen to prominence as a result. We can’t be sure how this might effect Gartner’s proprietary decision-making process for the Magic Quadrant next year, but we suspect it may influence how they perceive market-shares and persuade them to reduce the importance of compliance capabilities when selecting their Leaders, Visionaries, Challengers, and Niche Players.
We’ll have to see what 2018 holds.
You can download the full report here.
Latest posts by Ben Canner (see all)
- How Make Your SIEM Solution Deployment Easier for Your Enterprise - June 21, 2018
- 4 Tips For Security Analytics Solutions (That Everyone Forgets) - June 20, 2018
- Kevin O’Brien of Great Horn Talks Email Security - June 19, 2018