What’s Changed? Gartner’s 2016 Security Information and Event Management (SIEM) Magic Quadrant

2016 Gartner Magic Quadrant Security Information and Event ManagementAnalysis and research firm Gartner, Inc. has released the latest iteration of its yearly Magic Quadrant (MQ) for Security Information and Event Management (SIEM) Report.

In the 2016 MQ for SIEM (available here) Gartner evaluates the strengths and weaknesses of 14 vendors that it considers most significant in the SIEM market and provides readers with a graph (the Magic Quadrant) plotting the vendors based on their ability to execute and their completeness of vision. The graph is divided into four quadrants: niche players, challengers, visionaries, and leaders. Gartner does not endorse any vendor, product, or service depicted in its research publications.

The 14 vendors featured in the report are, AccelOps (Fortinet), AlienVault, BlackStratus, EMC (RSA), EventTracker, HP, IBM Security, Intel Security (McAfee), LogRhythm, Micro Focus (NetIQ), SolarWinds, Splunk, Trustwave, and ManageEngine, the newest addition to the report.

This is the eleventh iteration of the report, which Gartner first introduced way back in 2005, and it comes amidst a transitional period for the SIEM market, which stands at a crossroads between legacy SIEM solutions, and newer solutions focused on the integration of big data, network forensics, and User and Entity Behavior Analytics (UEBA) focused tools.

At Solutions Review, We read the 27-page report, available in full here,  and pulled a few of what we considered the most important takeaways since the 2015 SIEM MQ.

How Gartner Defines SIEM

Before jumping into the big changes in this iteration of the report, we should probably clarify exactly what Gartner analysts mean when they talk about SIEM.

Gartner Analysts Mark Nicolett and Amrit Williams coined the term SIEM way back in 2005, and in its newest report, Gartner defines the SIEM solutions as technology that “aggregates event data produced by security devices, network infrastructures, systems, and applications.” SIEM technology primarily deals with log data, but can also process other forms of data, including NetFlow and network packets, says Gartner. “The data is normalized, so that events, data and contextual information from disparate sources can be correlated and analyzed for specific purposes, such as network security event monitoring, user activity monitoring, and compliance reporting.”

Simply put, SIEM allows real-time monitoring of security events, analytics, and historical analysis for incident investigation and compliance reporting.

To be considered in Gartner’s SIEM Magic Quadrant, vendors must provide both SIM and SEM capabilities and support data from “heterogeneous data sources” (network devices, security devices, servers, etc). Vendors were excluded if the SIEM solution was offered exclusively as a managed service, if SIEM product revenue was less than $13.5m in 2015, and if the products SIEM functions were primarily oriented to data from the vendor’s own products (proprietary).

So with that out of the way, here are the key takeaways from the report.

In a Market Driven by Large Vendors, Little Change in Leader’s Line-up

The SIEM market is relatively mature, as far as cybersecurity goes, and has been dominated by a few large vendors—HP, IBM, Intel, and Splunk—that command more than 60% of market revenue, which grew an estimated four percent to $1.73 billion in 2015, according to Gartner

With that in mind, it’s unsurprising that, just like last year, Gartner named IBM, HP, Splunk, Intel Security, and LogRhythm as the five ‘Leaders’ in SIEM, with a few slight variations in positioning amongst them.

IBM and Splunk remained relatively unchanged in their positioning, while LogRhythm made considerable gains in both ‘ability to execute’ and ‘completeness of vision,’ pushing the vendor into the third spot on the chart. Meanwhile, HP and Intel both slide back from the other leaders, with notable losses in both ‘ability to execute’ and ‘completeness of vision.’

Gartner analysts praised LogRhythm for combining SIEM capabilities with endpoint monitoring, network forensics, UEBA and incident management capabilities, and criticized both HP and Intel for “slipping visibility” of new installs.

According to Gartner, the SIEM Leaders quadrant is composed of vendors that provide products that are a strong functional match to general market requirements, have been the most successful in building an installed base and revenue stream within the SIEM market, and have a relatively high viability rating (due to SIEM revenue or SIEM revenue in combination with revenue from other sources).

UEBA is Set to Shake up SIEM

Gartner’s analysts took a particularly strong focus on the emergence of User and Entity Behavorial Analytics (UEBA) tools, which it’s analysts have been monitoring since Spunk’s acquisition of UEBA vendor Capida and HP’s announcement of an integrated solution including ArcSight and Securonix.

Gartner sees UEBA as a viable solution for early breach detection, which the analyst firm says organizations are failing at, with more than 80% of breaches undetected by the breached organizations.

UEBA, says Gartner, gives enterprises a “higher fidelity in finding advanced attacks than SIEM”, and can be deployed to support distinct use cases and complementary integrations with SIEM tools.

Gartner has noted that early adopters of UEBA tools are reporting effective detection of targeted attacks with limited deployment efforts.

“Specialised UEBA products with advanced capabilities to support early breach detection are emerging and have gained awareness and acceptance in the market over the past 18 months,” Gartner said, predicting that SIEM vendors will continue to increase their native support for behavior analysis capabilities as well as integrations with third-party technologies over the next 18 months.

By the end of 2017, Gartner predicts that at least 60 percent of major SIEM vendors will incorporate advanced analytics and UEBA functionality into their products.

For more analysis and insight on the SIEM market in 2016, get the full report here, or get Gartner’s Critical Capabilities report for SIEM here. 


Jeff Edwards
Follow Jeff

Leave a Reply

Your email address will not be published. Required fields are marked *