Editor’s Note: The 2016 version of the SIEM Magic Quadrant is now out, get a download link here.
Analysis and research firm Gartner, Inc. has released the latest iteration of its yearly Magic Quadrant (MQ) for Security Information and Event Management (SIEM) Report.
In the 2015 MQ for SIEM (available here) Gartner evaluates the strengths and weaknesses of 13 vendors that it considers most significant in the SIEM market and provides readers with a graph (the Magic Quadrant) plotting the vendors based on their ability to execute and their completeness of vision. The graph is divided into four quadrants: niche players, challengers, visionaries, and leaders. Gartner does not endorse any vendor, product, or service depicted in its research publications.
The 13 vendors featured in the report are, in alphabetical order, AccelOps, AlienVault, BlackStratus, EMC (RSA), EventTracker, HP, IBM Security, Intel Security (McAfee), LogRhythm, Micro Focus (NetIQ), SolarWinds, Splunk, and Trustwave.
This is the tenth iteration of the report, which Gartner first introduced way back in 2005, and it comes at a turbulent time for the SIEM market, which stands at a crossroads between traditional, full-blown SIEM solutions, and newer, big-data analytics focused solutions. In the 2015 MQ, we see legacy IT vendors retaining the edge, with HP, IBM, and Intel all ranking in the leaders quadrant, but big data-focused vendor Splunk has also found its way to the front of the pack.
At Solutions Review, we read the 15-page report, available in full here, and pulled out a few of what we considered the most important takeaways and key market changes since the 2014 SIEM MQ.
How Gartner Defines SIEM
Before jumping into the big changes in this iteration of the report, we should probably clarify exactly what Gartner analysts mean when they talk about SIEM.
Gartner analysts Mark Nicolett and Amrit Williams coined the term SIEM way back in 2005, and in its newest report Gartner defines SIEM as technology that “aggregates event data produced by security devices, network infrastructures, systems, and applications.” SIEM technology primarily deals with log data, but can also process other forms of data, including NetFlow and network packet data, says Gartner. “The data is normalized, so that events, data and contextual information from disparate sources can be correlated and analyzed for specific purposes, such as network security event monitoring, user activity monitoring, and compliance reporting.”
Simply put, SIEM allows real-time monitoring of security events, analytics, and historical analysis for incident investigation and compliance reporting.
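As an added illustration (not code from the Gartner report or from this post), the two steps in that definition, normalizing log lines from heterogeneous sources into one schema and then correlating them, in Python over constructed sample events; the two log formats, the field names and the brute-force-then-success rule are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two heterogeneous sources (not real logs):
# a syslog-style sshd line and a key=value style firewall line.
RAW_EVENTS = [
    "2015-07-20T10:00:01Z sshd[412]: Failed password for alice from 203.0.113.7 port 5122 ssh2",
    "2015-07-20T10:00:04Z sshd[412]: Failed password for alice from 203.0.113.7 port 5123 ssh2",
    "2015-07-20T10:00:09Z sshd[412]: Failed password for alice from 203.0.113.7 port 5124 ssh2",
    "2015-07-20T10:00:15Z sshd[412]: Accepted password for alice from 203.0.113.7 port 5125 ssh2",
    "ts=2015-07-20T10:00:20Z action=deny src=198.51.100.9 dst=10.0.0.5 dport=445",
    "ts=2015-07-20T10:01:00Z action=allow src=203.0.113.7 dst=10.0.0.5 dport=22",
]

SSHD_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
KV_RE = re.compile(r"^ts=(?P<ts>\S+) action=(?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def normalize(line):
    """Map a raw line from either source onto one common event schema (assumed field names)."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "source": "sshd",
                "category": "auth", "outcome": "failure" if m["result"] == "Failed" else "success",
                "user": m["user"], "src": m["src"]}
    m = KV_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "source": "firewall",
                "category": "network", "outcome": "failure" if m["action"] == "deny" else "success",
                "user": None, "src": m["src"]}
    return None  # unparsed lines are dropped here; a real SIEM would count them as parse errors

def detect_bruteforce_success(events, threshold=3, window=timedelta(minutes=1)):
    """Correlation rule: at least `threshold` auth failures from one source followed by a
    success from the same source inside `window`. Returns a list of (src, user, ts)."""
    alerts, failures = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] != "auth":
            continue  # firewall events share the schema but are not part of this rule
        if ev["outcome"] == "failure":
            failures[ev["src"]].append(ev["ts"])
        else:
            recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append((ev["src"], ev["user"], ev["ts"]))
    return alerts

def run(lines=RAW_EVENTS):
    """Normalize every line, then run the correlation rule over the unified event stream."""
    events = [e for e in (normalize(l) for l in lines) if e]
    return events, detect_bruteforce_success(events)
```

Because both sources land in the same schema, the same rule could be pointed at a VPN or web-application log by adding one more parser rather than rewriting the correlation logic.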
To be considered in Gartner’s report, vendors must provide both SIM and SEM capabilities and support data from “heterogeneous data sources” (network devices, security devices, servers, etc.). Vendors were excluded if the SIEM solution was offered exclusively as a managed service, if SIEM product revenue was less than $13.5m in 2014, or if the product’s SIEM functions were primarily oriented to data from the vendor’s own products (proprietary).
Point Vendors Struggle to Remain Competitive Amidst Market Consolidation
The SIEM market is large and extremely competitive. In 2015, the market has entered what Gartner calls “the broad adoption phase,” which means that multiple (if not most) vendors can meet a given customer’s basic log management, compliance and event monitoring needs.
Entering this broad adoption phase, the market has continued to follow a trend of domination by large vendors. While Gartner notes that there were no notable acquisitions in 2014, the analysis firm notes that four large vendors, HP, IBM, Intel, and Splunk, command more than 60% of market revenue.
Amidst this trend of market consolidation and domination from big vendors, Gartner has noted that many smaller point-solution vendors have struggled to maintain relevance. Of the 13 vendors included in the report, just six are point solution vendors.
Despite the lack of acquisitions, there has been considerable consolidation over the past 18 months, according to Gartner. Symantec, for example, has ended the sale of its SIEM technology, while TIBCO and Tenable both “no longer position their technology competitively in the SIEM space,” instead choosing to market their products as complementary to full-blown SIEM. As such, both vendors have been dropped from the report. Gartner’s analysts noted LogRhythm as one example of a point solution vendor that has retained a competitive edge.
Here Comes the Big Data
As noted above, the SIEM market has become increasingly focused on big data analytics capabilities. As customers become increasingly focused on early breach detection (rightly so, with 92% of breaches going undetected by the breached organization, according to Gartner), many SIEM vendors have responded to customer concerns with increased development of capabilities such as threat intelligence, analytics, and anomaly detection. For many, that means considerable investment in big data analytics capabilities.
Some vendors, such as IBM, HP, and RSA, are now developing or deploying SIEM integrations with their big data technologies, notes Gartner. Others, such as Splunk and Intel Security, have already integrated such capabilities, sometimes with third-party vendors. Gartner praised Splunk in particular for its app for enterprise security, which Gartner claims is a good fit for organizations requiring “a SIEM platform that can be customized to support extensive analytics functions and a variety of log formats.”
Of course, for the time being it’s impractical for companies to completely eliminate traditional SIEM capabilities in favor of big data, but it will be an interesting trend to follow in the future.
By Jeff Edwards