More than an entire fiscal quarter has passed since technology research firm Gartner released their 2017 iteration of the annual Gartner Magic Quadrant for SIEM. It’s one of, if not the, most prominent and highly anticipated reports on the SIEM marketplace in the cybersecurity community. Professionals wait with bated breath for it every year, even if it is not quite a perfect assessment.
However, at the speed of digital business—and cybersecurity in particular—an entire fiscal quarter represents a significant amount of time. With the benefit of hindsight, what has changed in the SIEM marketplace since the 2017 Gartner Magic Quadrant? Have things changed significantly? How are Gartner’s assessments holding up to reality?
We looked back at our initial analysis of the Gartner Magic Quadrant for SIEM. Here’s what we found:
Breach Detection Continues to Challenge Enterprises
SIEM empowers enterprises in myriad ways—via compliance reporting, data aggregation and correlation, and user and entity behavior analytics (UEBA, which we’ll come to in more detail in a moment). All of these capabilities in turn feed into what is arguably SIEM’s greatest benefit for enterprises: threat detection and monitoring. Therefore it is no surprise that in their Magic Quadrant assessment of the SIEM marketplace, Gartner examined the context surrounding this capability more than any other.
At the time of publication, the 2017 Gartner Magic Quadrant reported that more than 80% of data breaches went undetected by enterprises. The question isn’t whether threat detection continues to be a challenge for enterprises—many of the more prominent data breaches announced over the past quarter had an average dwell time of several months. Rather, the question is whether the situation has improved at all since publication.
There is some evidence to suggest that it has. A recent survey by Accenture found that while in 2017 only 32% of enterprises detected a breach within the first month of the attack, that percentage has increased to 89% in 2018. What’s more, in 2018 55% of enterprises claimed that their IT security teams could detect a threat within a week of infiltration, whereas in 2017 only 10% could make the same claim.
Yet Accenture’s research raises questions: according to the survey, only 66% of enterprises have an active cybersecurity program protecting their IT environment. If that is true, it would mean that a good percentage of enterprises are still conducting their threat detection and management manually rather than through the algorithmic tools of a dedicated SIEM solution. The researchers behind the Gartner Magic Quadrant for SIEM point out that enterprises would have a much easier time detecting malicious programs and users by deploying the threat intelligence, behavior profiling, and analytics tools that make SIEM viable. It remains to be seen how many enterprises take them up on this advice in 2018.
Compliance Continues to Take a Backseat?
While SIEM can be a critical component in ensuring that your enterprise fulfills its regulatory and industry compliance mandates, the Gartner Magic Quadrant contends that compliance is a secondary concern in purchasing decisions. Threat detection and management are supposedly much higher concerns.
Our own research can’t verify Gartner’s assertion either way. We have not yet discovered a survey that definitively places compliance as a secondary concern for enterprises in their SIEM selection process. At the same time, we haven’t seen compliance as a major topic in surveys or research concerning SIEM—they tend to focus on best practices instead.
Any good detective will tell you that sometimes the absence of evidence can be just as telling as direct evidence, and while that is true here, what it tells us can be difficult to discern. Is compliance not asked about because the compliance tools in SIEM solutions are mature and not an innovation priority? Because it is part of the bundle that is SIEM in the first place? And if so, does that actively prove the Gartner Magic Quadrant claim?
These aren’t necessarily straightforward questions, and the answers to them are as much psychological as they are technical.
UEBA and As-A-Service Continue to Attract Interest
The Gartner Magic Quadrant for SIEM noted that many new SIEM solutions are arising from former UEBA vendors, to the point that it can be hard to tell whether SIEM is the natural evolution of UEBA technology or the other way around. SIEM can perform functions that UEBA cannot, but UEBA is an essential component of SIEM solutions because it provides insight into user activities. The Gartner Magic Quadrant blurs the lines between the two, and that may reflect how the SIEM market is changing even as it matures.
This reflection is not meant as a critique of Gartner’s Magic Quadrant for SIEM in any way. We greatly respect their research and insight. This reflection is merely meant as a companion piece to help enterprises evaluate their selection process for one of the most difficult and important digital decisions they will make.
By Ben Canner