Key Takeaways from Gartner’s 2015 SIEM Critical Capabilities Report

Analysis and research firm Gartner, Inc. has released its latest Critical Capabilities Report for Security Information and Event Management (SIEM), available to download here.

In the 2015 version of their Critical Capabilities report for SIEM, Gartner takes the 13 vendors that it considers most significant in the SIEM market and evaluates the strengths and weaknesses of those vendors against ‘critical capabilities’ and use cases for SIEM. Gartner does not endorse any vendor, product, or service depicted in its research publications.

The 13 vendors featured in the report are, in alphabetical order, AccelOps, AlienVault, BlackStratus, EMC (RSA), EventTracker, HP (ArcSight), IBM Security (QRadar), Intel Security (McAfee), LogRhythm, Micro Focus (NetIQ), SolarWinds, Splunk, and Trustwave.

This is the seventh iteration of the report, which Gartner first introduced way back in 2008, and it comes at a turbulent time for the SIEM market, which stands at a crossroads between traditional, full-blown SIEM solutions and newer, big-data-analytics-focused solutions such as Splunk.

I read the 17-page report, available for download here, and pulled out a few of the most important takeaways and key market indicators. But first, let’s get a couple of definitions out of the way…

So What Are Critical Capabilities, Exactly?

This one is pretty straightforward: Gartner defines Critical capabilities as “attributes that differentiate products/services in a class in terms of their quality and performance.”

For SIEM, those critical capabilities are: real-time monitoring, threat intelligence, behavior profiling, data and user monitoring, application monitoring, analytics, log management and reporting, and deployment/support simplicity. Those capabilities are evaluated across three use cases: compliance, threat management, and SIEM.

Gartner rates each vendor’s product or service on a five-point scale in terms of how well it delivers each capability.

Before jumping in, we should probably clarify exactly what Gartner analysts mean when they talk about SIEM.

How Gartner Defines SIEM

Gartner analysts Mark Nicolett and Amrit Williams coined the term SIEM way back in 2005, and though the infosec market has changed a lot since then, the definition of SIEM has remained fairly constant. In this report, Gartner defines a SIEM solution as technology that “aggregates event data produced by security devices, network infrastructures, systems, and applications.”

SIEM technology primarily deals with log data, but it can also process other forms of data, including NetFlow and network packet data, says Gartner. “The data is normalized, so that events, data and contextual information from disparate sources can be correlated and analyzed for specific purposes, such as network security event monitoring, user activity monitoring, and compliance reporting.”

Simply put, SIEM allows real-time monitoring of security events, analytics, and historical analysis for incident investigation and compliance reporting.

So now that we understand the evaluation criteria, as well as the subject being evaluated, let’s see who came out on top.

LogRhythm, Splunk, and IBM Top the Charts

LogRhythm, Splunk, and IBM Security (QRadar) came out on top of the charts in Gartner’s use case comparison metrics, with average scores of 4.04, 3.87, and 3.83, respectively.

That’s no surprise for those of us following the SIEM and security analytics markets closely—Gartner placed all three of these vendors in the leaders quadrant of the 2015 SIEM Magic Quadrant report, and LogRhythm and Splunk have made significant inroads in the market as of late.

LogRhythm was singled out as “optimal for organizations that require balanced SIEM capabilities combined with endpoint and network monitoring to support security operations and compliance use cases,” while Gartner notes that Splunk has earned “high visibility on SIEM shortlists” with the Splunk App for Enterprise Security.

For its part, IBM has maintained its position as a leader of the pack in the SIEM market, even while smaller, more agile companies nip at its heels. IBM’s QRadar solution earned Gartner’s praise for its ability to “support a wide set of threat management and compliance use cases for modest as well as large-scale deployments.”

SIEM Use Case Shifts to Threat Monitoring

One of the most interesting aspects of this report is the analysts’ observation of an industry-wide, seemingly seismic shift in SIEM use cases from compliance to threat monitoring.

In the past, says Gartner, “the driver for many SIEM deployments has been satisfying regulatory requirements.” But today, Gartner’s analysts note a “strong shift in focus in the client base to threat monitoring in the past year,” with compliance now playing second fiddle.

This change in focus makes sense—data breaches have become commonplace, and they’re often high-profile embarrassments with extensive legal ramifications for the targeted organization. What’s more, it takes an average of 206 days for an organization to detect a breach—a totally unsustainable number that has many CISOs running scared.

With their expanding monitoring capabilities and their ability to handle more data than ever, modern SIEM tools are giving organizations a welcome opportunity to improve threat detection. Which brings us to our next point of observation…

Here Comes the Big Data (Again)

Just as in the SIEM Magic Quadrant report, Big Data is sort of the elephant in the room (or in the .PDF, if you will).

Data correlation—the collection of event data in near real-time to enable immediate analysis—is an essential function for any decent SIEM solution, and solutions with a big data background have an obvious expertise in that field. Additionally, many businesses are already using big data vendors for Business Intelligence applications, which makes them top-of-mind for additional security use cases.
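To make the normalization Gartner describes above (disparate sources brought into one schema) and the near real-time correlation just mentioned concrete, here is a small added example. It is not code from Gartner’s report or from any of the vendors covered; the three record formats (an sshd syslog line, a CSV export of Windows logon events, a key=value firewall log), the common schema, and the “several failures then a success from one address” rule are all assumptions chosen for illustration, and the log lines are constructed, not captured.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Event:
    """Common schema every source is normalized into (assumed for this example)."""
    ts: datetime
    source: str           # which product produced the record
    action: str           # normalized verb: auth_failure, auth_success, fw_allow, ...
    user: Optional[str]
    src_ip: Optional[str]

# Constructed sample records in three different formats. None are real captures.
SAMPLE_LOGS = [
    "2015-09-21T10:00:01 bastion sshd[2201]: Failed password for alice from 203.0.113.9 port 50111 ssh2",
    "2015-09-21 10:00:04,WIN-DC01,4625,alice,203.0.113.9",
    "2015-09-21T10:00:06 bastion sshd[2203]: Failed password for alice from 203.0.113.9 port 50114 ssh2",
    "time=2015-09-21T10:00:08 action=allow src=203.0.113.9 dst=10.0.0.5 dport=22",
    "2015-09-21T10:00:09 bastion sshd[2205]: Accepted password for alice from 203.0.113.9 port 50120 ssh2",
    "2015-09-21 10:05:00,WIN-DC01,4624,bob,198.51.100.7",
]

SSHD_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
FW_RE = re.compile(r"^time=(\S+) action=(\S+) src=(\S+)")

def normalize(line: str) -> Optional[Event]:
    """Map one raw record from any of the three assumed formats onto the Event schema."""
    m = SSHD_RE.match(line)
    if m:
        ts, outcome, user, ip = m.groups()
        action = "auth_success" if outcome == "Accepted" else "auth_failure"
        return Event(datetime.fromisoformat(ts), "sshd", action, user, ip)
    m = FW_RE.match(line)
    if m:
        ts, act, ip = m.groups()
        return Event(datetime.fromisoformat(ts), "firewall", f"fw_{act}", None, ip)
    parts = line.split(",")
    # Assumed CSV layout: timestamp,host,event_id,user,src_ip (4624/4625 are logon success/failure)
    if len(parts) == 5 and parts[2] in ("4624", "4625"):
        ts, _host, eid, user, ip = parts
        action = "auth_success" if eid == "4624" else "auth_failure"
        return Event(datetime.fromisoformat(ts.replace(" ", "T")), "windows", action, user, ip)
    return None  # unparsed records are dropped here; a real SIEM would count and surface them

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when one source IP accumulates >= threshold authentication failures
    within `window`, across any source product, and then authenticates successfully."""
    failures = {}   # src_ip -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        recent = [t for t in failures.get(ev.src_ip, []) if ev.ts - t <= window]
        if ev.action == "auth_failure":
            recent.append(ev.ts)
            failures[ev.src_ip] = recent
        elif ev.action == "auth_success":
            if len(recent) >= threshold:
                alerts.append({"src_ip": ev.src_ip, "user": ev.user,
                               "failures": len(recent), "at": ev.ts})
            failures.pop(ev.src_ip, None)
    return alerts

def run(lines=SAMPLE_LOGS):
    """Normalize the raw lines, then run the correlation rule over the unified stream."""
    events = [e for e in (normalize(l) for l in lines) if e is not None]
    return events, correlate(events)

if __name__ == "__main__":
    events, alerts = run()
    print(f"{len(events)} events normalized from {len(SAMPLE_LOGS)} records")
    for alert in alerts:
        print(alert)
```

The point of the two-stage design is the one the quoted definition makes: the rule in `correlate` never looks at a raw format, so the sshd and Windows failures count toward the same threshold only because `normalize` gave them one `action` vocabulary and one `src_ip` field. Anything the normalizer cannot parse is silently lost here, which is exactly the blind spot a production deployment has to measure.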

Traditional SIEM vendors are taking note. Some, such as IBM, HP, and RSA, are now developing or deploying SIEM integrations with their big data technologies; others, such as Intel Security, have already integrated such capabilities, sometimes with third-party vendors.

With big data vendors such as Splunk muscling into the SIEM shortlist, and competitors adapting quickly, it’s not a long shot to say that we’ll be talking about this for a while.

Want more? You can download the report in full here.


Jeff Edwards

2 thoughts on “Key Takeaways from Gartner’s 2015 SIEM Critical Capabilities Report”

  1. Jack D. says:

    Clearly the normalisation from the database prevents “big data” correlation capabilities. Not so with Secnology.
