You are here

Gartner Magic Quadrant for SIEM 2016: Not just for compliance anymore

public://pictures/John-Mello-Journalist.png
John P. Mello Jr., Freelance writer

SIEM isn't just for compliance anymore.

The market for security information and management systems (SIEM) used to be driven by companies searching for ways to meet compliance requirements rammed down their throats by government and industry regulators, but that's not the case anymore, according to the latest "Magic Quadrant" report on the SIEM market prepared by Gartner.

"Threat management is the primary driver, and compliance remains secondary."

Demand for SIEM systems remained strong over the past year, Gartner added, rising 3.6% to $1.73 billion in 2015 from  $1.67 billion in 2014. A number of new markets are contributing to that growth.

"In North America, there continue to be many new deployments by smaller companies that need to improve monitoring and breach detection—often at the insistence of larger customers or business partners."

It added that new SIEM deployments have also picked up at larger companies with conservative attitudes toward technology adoption.

What's more, some big businesses that already have SIEM systems have begun exploring replacing them due to incomplete, marginal, or failed deployments.

[ Get up to speed fast on today's tools with TechBeacon's Application Security Buyer's Guide 2019 ]

Gartner's Magic Quadrant for SIEM 2016

Gartner identified 14 companies in its Magic Quadrant for Security Information and Event Management 2016. (See our Magic Quadrant for SIEM report from last year. ) It defines SIEM as a technology that aggregates data produced by security devices, network infrastructure and systems, and applications. The primary source of information for a SIEM is log data, but it can process other forms of data, such as NetFlow and net packets. That data is combined with contextual information on users, assets, threats, and vulnerabilities. Then the SIEM normalizes the data so infosec personnel can use it for network security monitoring, user activity monitoring, and compliance reporting. Typically, both real-time monitoring and historical analysis can be performed by the systems.

Companies are included in the report based on criteria such as that their products support both security management and event management capabilities, that their brand is on the SIEM evaluation product lists of end-user organizations contacted by Gartner for the report, and that the companies offer a software or appliance version of their products.

Exclusion criteria include offering a SIEM product that's only a managed service and having revenues of less than $13.5 million from a SIEM product.

Inclusion in one of the report's quadrants—Leaders, Niche, Challengers, and Visionaries—is based on an ability to execute in the market and the completeness of vision. Among the factors taken into account toward an ability to execute are overall viability, sales execution and pricing, market responsiveness, market execution, customer experience, and operations in terms of service, support, and sales capabilities. Vision factors include market understanding; strategies for marketing, sales, products, verticals, and geographies; and innovation.

[ See Guide: Best Practices for GDPR and CCPA Compliance ]

Leaders Quadrant

Companies placed by Gartner in the Leaders Quadrant have been the most successful in building an installed base and establishing a revenue stream from the SIEM market. Leaders also typically have a high share of the market and high revenue growth. They've also demonstrated superior vision and execution for emerging and anticipated requirements of the market. What's more, they've garnered positive customer feedback for their SIEM products, as well as service and support of those products. Gartner places five SIEM players in the leaders quadrant. 

Hewlett Packard Enterprise (HPE)

HPE's SIEM platform ArcSight has three variations. ArcSight Data Platform focuses on log collection, management, and reporting. ArcSight Enterprise Security Management (ESM) is aimed at organizations with large-scale monitoring needs. ArcSight Express targets midmarket companies with an appliance-based, all-in-one offering. In addition to acting as an independent log-management solution, ArcSight can be used to collect data for ArcSight ESM. Capabilities of HPE's products can be boosted with premium additions for behavioral analysis, DNS malware detection and threat intelligence.

In the last 12 months, the ArcSight SIEM's architecture and licensing model has been simplified. The analyst user interface has also been improved. More granular control can be exercised over incoming events and incidents. Behavioral analytics and DNS malware analytics modules have been added to the product, as well as modules for a community exchange for integration with the products of other vendors.

Gartner noted that ArcSight Express should be considered for midsize SIEM deployments that require extensive third-party connector support. The ESM solution can be a good fit for large-scale deployments and organizations creating a security operations center (SOC).

ArcSight strengths cited by Gartner are its ability to support the needs of a SOC, a robust user behavioral analytics component, and a wide variety of out-of-the-box third-party connectors and integrations.

Gartner cautioned, however, that ArcSight deployments routinely require more professional services than those of other vendors. The ESM offering is also more complex and expensive to deploy, configure, and operate than comparable solutions. Although ArcSight has high visibility in the market, that visibility is declining as new installs decrease and competitive replacements rise, Garter noted. It added that SIEM shoppers should review the latest features and functions available in ArcSight, since HPE is in the process of revamping the platform.

IBM

QRadar is IBM's SIEM platform. It's made up of QRadar Log Manager, Data Node SIEM, Risk Manger, Vulnerability Manager, QFlow and VFlow Collectors, and Incident Forensics. The platform can be deployed as a physical or virtual appliance, as well as an as-a-service solution. It can be installed as an all-in-one implementation or scaled using separate appliances for discrete functions. Capabilities include collection and processing of event and log data, NetFlow, deep-packet inspection of network traffic, and full-packet capture and behavior analysis.

Over the last year, IBM has added to QRadar support for IBM X-Force Exchange for sharing threat intelligence and IBM Security App Exchange for sharing applications, security app extensions, and enhancements. Through the purchase of Resilient Systems, IBM bolstered QRadar's incident-response capabilities. It also enhanced the product's multitenant, system administration, and search capabilities.

Gartner noted that QRadar can be a good fit for midsize and large enterprises with general SIEM needs. It's also appropriate for organizations looking for a single security event and response platform for their SOCs or for midsize companies that want a solution with flexible implementation, hosting, and monitoring options.

Among QRadar's strengths, according to Gartner, are its ability to provide an integrated view of log and event data and the correlation of network traffic behavior across NetFlow and event logs. The platform also supports security event and log monitoring in IaaS environments, including monitoring for AWS CloudTrail and SoftLayer. In addition, the platform is straightforward to deploy and maintain, and third-party capabilities can be plugged into the offering's architecture through Security App Exchange.

Those third-party support capabilities are especially useful since the platform lacks endpoint monitoring for threat detection and response and for basic file integrity. Gartner also cautioned that its clients had mixed success integrating IBM's vulnerability management add-on with QRadar. The sales engagement process with IBM can be complex and "require persistence," Gartner added.

Intel Security

Intel Security's SIEM offering is McAfee Enterprise Security Manager (ESM). It's available as a physical, virtual, or software appliance and has three primary components: ESM, the Event Receiver (ERC), and the Enterprise Log Manager. The components can be deployed together or separately for distributed environments. A number of optional components are also available for the offering: Advanced Correlation Engine (ACE), Database Event Monitor (DEM), Application Data Monitor (ADM), and Global Threat Intelligence (GTI).

In the last 12 months, Intel has added to its SIEM offering support for more internal and external sources for dynamically populating watchlists, deeper integration with Hadoop, and additional threat intelligence access and management capabilities. The product also has better endpoint visibility through integration with McAfee Active Response.

Gartner noted that EMS is a good choice for companies that already use Intel Security products or organizations looking for an integrated security framework with response capabilities.

Gartner found that its customers liked the deep integration of another Intel Security product, McAfee ePolicy Orchestrator, with ESM. ESM also has good coverage of technologies used in industrial settings, such as ICS and SCADA.

Gartner cautioned, however, that SIEM shoppers who want advanced features in ESM will need to invest in more Intel Security products. Intel's offering also has limited advanced analytics capabilities and integration with third-party tools. Out-of-the-box integration with third-party workflow products is also limited, although EMS has strong workflow features of its own. Gartner also found that ESM's customers complained about its poor stability and performance and the quality of its technical support. It added that fewer clients have asked about ESM over the last year and that customer discussions about replacing ESM have increased.

LogRhythm

LogRhythm's SIEM  supports an n-tier-scalable, decentralized architecture. It's  composed of the Platform Manager, AI Engine, Data Processors, Data Indexers, and Data Collectors. All-in-one consolidated deployments are also possible.  The offering can be implemented as an appliance, software, or virtual instance format. The SIEM combines event, endpoint, and network monitoring capabilities, with user and entity behavioral analytics, an integrated incident response workfow, and automated response capabilities.

In the last year, LogRhythm has divided its SIEM's log processing and indexing capabilities into two components and added unstructured search capabilities through a new storage back end based on Elasticsearch. Other additions include clustered full data replication; an improved risk-based prioritization (RBP) scoring algorithm; more parsers for applications and protocols; support for cloud services such as AWS, Box, and Okta; and integrations with cloud access security broker solutions such as Microsoft's Cloud App Security  and Zscaler.

Organizations that wish to combine advanced threat monitoring capabilities and SIEM should consider LogRhythm's offering, Gartner noted. Resource-restricted security teams that need lots of automation and out-of-the-box content should also give LogRhythm's offering a look-see.

Strong points of LogRhythm's SIEM solutions cited by Gartner include a user experience that's highly interactive and customizable and automated response capabilities for performing actions on remote devices. Gartner customers also praised how straightforward the SIEM products were to set up and maintain. In addition, they found the out-of-the-box cases and workflows very effective. LogRhythm is very visible in the SIEM evaluations of its clients, Gartner added.

It cautioned, though, that organizations with critical IT and network operations requirements for system and network monitoring may want to look at alternatives to what LogRhythm has in those areas. The custom report engine included with LogRhythm's offering needs improvement, Gartner added. It also noted that LogRhythm has fewer sales and channel resources compared to its competitors. In addition, buyers outside North America may have to work to find reseller and service partners.

Splunk

Two offerings make up Splunk's security intelligence platform. Splunk Enterprise is the company's core product. It provides event and log collection, as well as search and visualization with Splunk's own query language. Splunk Enterprise Security adds more security features to the mix. It includes predefined dashboards, correlation rules, and reports. It supports real-time monitoring and alerts in addition to incident response and compliance reporting. Both offerings can be deployed on-premises and in public, private, or hybrid clouds. An as-a-service version  is also available.

With the acquisition of Caspida in 2015, Splunk added native behavioral analytics to its repertoire. It also supports third-party UEBA products. During the last year, Splunk has also tightened integration between its enterprise security edition and other behavioral products. Other changes during the period include improved incident management and workflow capabilities, lower data storage requirements, better visualizations, and expansion of monitoring to additional infrastructure and software as-a-service providers.

Good fits for Splunk are organizations in need of a flexible SIEM platform that can handle a variety of data sources and has analytics capabilities or a single data analysis platform for their entire business, Gartner noted.

It found Splunk gaining "significant" visibility across Gartner's client base. Splunk also has strong advanced security analytics for combating advanced threat detection and insider threats.

Gartner cautioned, however, that Splunk's enterprise security product provides only basic predefined correlations for user monitoring and reporting. It added that Splunk's licensing model, which is based on gigabytes of data indexed per day, can cost more than other SIEM products, although Splunk has introduced new licensing arrangements for high-volume data users. Gartner also cautioned that users of Splunk's UBA offering need to plan for it, since it requires a separate infrastructure and uses a different licensing scheme than Splunk's other offerings.

Niche Quadrant

As the title of this quadrant suggests, Niche companies sell solutions that address a particular SIEM use case or a subset of the functions that would be found in a total SIEM package. These businesses will often focus on a market segment—the midmarket, for instance—or a particular geographic area or industry vertical. They also have a small installed base and have limitations that restrict their ability to provide a full set of capabilities in their SIEM offering. That doesn't, however, reflect negatively on what they bring to the table for their customers. Gartner puts seven companies in the Niche Quadrant.

BlackStratus

Three products make up BlackStratus's SIEM offering. LOGStorm is for log management. SIEMStorm features multitenancy and security event management. CYBERShark is a cloud-based SIEM that combines elements of the company's other two offerings. Both  LOGStorm and SIEMStorm provide an integrated incident management and ticketing system guided by the SANS seven-step incident remediation process.

Improvements made to BlackStratus products over the last year include a new compliance-reporting template set and a redesigned and updated HTML5 web user interface.

Gartner noted that BlackStratus offerings can be a good fit for service providers looking for a customizable SIEM platform or service-centered end-user organizations in need of well-formed multitenancy support.

Strengths of SIEMStorm and LOGStorm cited by Gartner include the ability to be deployed as virtual machines. The offerings also have an installation wizard and passive autodiscovery feature for integrating data sources. In addition, the products have a bidirectional API to enable custom-built service architectures. BlackStratus has also received high marks from customers for a knowledgeable support staff that's quick to respond to problems.

Gartner cautioned potential buyers that out-of-the-box support by BlackStratus' products for third-party data sources is limited and that some advanced security capabilities—for example, network forensics, deep packet inspection, and IAM integrations—are not supported at all. Ad hoc querying of log data could also be stronger.

EventTracker

Midsize organizations and government agencies with security event management and compliance reporting requirements are targets for EventTracker's SIEM software. EventTracker Security Center does correlation, behavior analysis, and reporting. Optional features include configuration assessment, change audit file integrity management, ntoping, and integration with open-source and commercial threat intelligence feeds. EventTracker also offers services for performing tasks on a scheduled basis. AWS and Azure deployment is also supported by the solution. Licensing is based on the number of sources producing events.

In the last 12 months, EventTracker has added unknown-process detection and black and white listing capabilities. IP reputation integration and alerting has also been added, as well as threat analysis dashboards, with third-party enrichment and more threat intelligence feed options. A new touchscreen interface has also been added for mobile devices.

Gartner suggests that midsize businesses that want a software-based solution for log and event management, compliance, and reporting, and operations monitoring with an on-premises or cloud-hosted SIEM may want to evaluate EventTracker's offering.

Among the positives cited by Gartner for EventTracker's SIEM software are that it's easy to deploy and maintain, has good support services, offers good reporting features, and includes a behavioral analysis module for some basic profiling and anomaly detection. Its range of service offerings aligned with run, watch, tune, and comply activity is another plus because they meet a real need in the software's target market.

However, EventTracker isn't as visible among SIEM shoppers as other vendors, Gartner cautioned. It added that the ability of EventTracker's software to detect advanced threats is basic and Windows-centric. Flow and packet capture, Gartner added, is not cleanly integrated into the core product. Neither is support of third-party advanced threat detection and response available. In addition, application monitoring capabilities are more limited than they are in other SIEM products, and full incident management requires an external solution.

Fortinet

Fortinet recently purchased AccelOps. It plans to merge AccelOps' technology with Fortinet's and create a new product it's calling FortiSIEM. AccelOps' SIEM product has both SIM and SEM functions, file integrity monitoring, configuration management database (CDMB) capabilities, and availability and performance monitoring.

In the last 12 months, AccelOps has rolled out a cloud offering. The SIEM-as-a-service product is aimed at managed service providers (MSPs), managed security service providers (MSSPs), and organizations using AWS or Azure. Other additions include support for virtualization and public cloud services, improved threat feed integration, and support for network and endpoint detection of advanced threats. Also, it has updated its architecture to support Apache Kafka, which will enable it to better integrate with big data platforms.

Midmarket organizations, MSPs, and MSSPs with a need for security monitoring and application performance management with CMDB capabilities are a potential fit for the new Fortinet SIEM, Gartner noted. IT operations teams with combined IT, network, and security operations functions, as well as organizations that need multitenancy capabilities for role and duty separation, may also want to consider the offering.

One of AccelOps' strengths, Gartner noted, is its ability to provide IT with a unified view of an organization's environment. That includes physical and virtual environments, as well as physical and hybrid clouds. The offering also uses its strong operational and security capabilities to remediate and manage incidents. What's more, customers have found the offering easy to deploy. They also praised the depth and flexibility by which the solution can be customized.

SIEM searchers evaluating Fortinet's new offering need to get an idea about where the company plans to take the solution, Gartner cautioned, especially when it comes to support of third-party technologies. The research firm also observed that the AccelOps platform lags behind other SIEM products in advanced analytics capabilities, direct integration with big data platforms, and integration with complementary solutions, such as behavioral analytics.

ManageEngine

Zoho-owned ManageEngine uses Log 360 to integrate two products—ManageEngine EventLog Analyzer and ADAudit Plus—into its SIEM solution. EventLog is offered in two versions. The Premium version is for a singe-instance deployment, and the Distributed version for organizations that need to scale beyond a single instance of EventLog. ADAudit Plus is offered in two versions, too, based on feature need, The software monitors Active Directory and provides user context for EventLog Analyzer.

ManageEngine's products are distributed as VMware images. They include a PostgreSQL database for storage. An agentless approach is used by the offerings to collect event and log information. Licensing for EventLog Analyzer is based on number of hosts, devices, or applications generating security events or event logs.

Gartner recommends that organizations that are already users of ManageEngine tools and are looking for a cost-effective approach to adding security event monitoring should evaluate EventAnalyzer or Log 360.

Among ManageEngine's strengths is its ease of deployment and its more than 1,000 predefined reports covering a variety of devices and applications in a typical IT environment. For organizations using Active Directory exclusively, ADAudit Plus can provide a comprehensive logging and auditing capability.

Gartner cautions, however, that EventLog Analyzer provides only basic SIEM functions. In addition, while Log360 integrates the two components of ManageEngine's SIEM, you still have to work with two distinct user interfaces to get things done. ManageEngine has very little visibility among Gartner's customers, the research firm noted.

Micro Focus

Sentinel Enterprise, which is offered as software or as a virtual appliance, is Micro Focus's core SIEM product. It can be supplemented with Change Guardian, for host monitoring and file integrity management, and Secure Configuration Manager, for compliance cases. Modules can be added to the core product for features such as threat intelligence feeds, exploit detection, and high-availability support. Customers of NetIQ Identity Manager and Aegis who use Sentinel  have the added benefit of enhanced identity tracking and workflow management, a plus resulting from Micro Focus's  purchase of Net IQ in 2014. However, a stand-alone product, Sentinel Log Manager, is needed for log management.

Over the last year, Micro Focus has made some modest improvements in its SIEM offering. It has enhanced usability, platform health and management, visualizations, deployment, and threat intelligence.

Gartner noted that Sentinel is a good offering for managed security services providers with a need for large-scale event processing for distributed IT environments. It added the it is especially good for organizations that have implemented NetIQ IAM and IT operations tools. Those tools can enrich the context around security events detected by Sentinel.

Integration with NetIQ technologies is one of Sentinel's strengths, according to Gartner. It adds features such as user monitoring, identity and endpoint monitoring, and enforcement-response capabilities. Gartner added that Sentinel is one of the simpler solutions to deploy and scale. Another strength of the SIEM is its support of mainframe platforms, along with Windows, Unix, and Linux. Gartner customers gave Sentinel above-average or average marks for scalability and performance, ease of customizing existing report templates, and support experience.

On the downside, the Micro Focus offering can't use NetFlow data to add context to events. Threat intelligence capabilities lag behind competitors, Gartner added, and there's a lack of support for and integration of  behavioral tools. The offering's analytics also trail its competitors. It also is behind the competition when it comes to usability and result reporting when replaying historical event data against correlation rules. As for visibility, it's low among Gartner's clients.

SolarWinds

The architecture of the SolarWinds Log & Event Manager (LEM) is made up of a centralized log storage and management component, LEM manager; a data display and search component, LEM Console; and some optional agents. Available as a virtual appliance, LEM supports basic data loss prevention, file integrity management, and automated response capabilities for Windows hosts.

During the past year, SolarWinds added its "zero configuration" threat intelligence feed to the SIEM to provide updates for reputational IP blacklists.

LEM is aimed at resource-constrained security teams that don't have any big data requirements, analytics needs, or advanced threat detection demands. Integration with other SolarWinds products can beef up LEM's capabilities.

Simplicity is a strong suit of LEM. Its out-of-the-box content can meet the compliance and security operations of many small and medium-size businesses. The SIEM's Windows endpoint agent offers some threat containment and quarantine control capabilities. SolarWinds uses a simple licensing arrangement for LEM based on asset count. The combination of simplicity and low cost has been a hit among Gartner's customers who use the SIEM. They have high levels of satisfaction and praise for the product.

Nevertheless, LEM has its limitations. It offers only basic statistical and behavioral analytics, doesn't have any support for third-party advanced threat defense technologies, doesn't support real-time correlation of flow data or packet capture, and doesn't support true distributed n-tier scaling. More features can be added to LEM, but they require buying additional SolarWinds products.

Trustwave

Two SIEM products are offered by Trustwave: SIEM Enterprise and Log Management Enterprise. Both are available as physical or virtual appliances. In addition, the log management product supports an AWS advanced metering infrastructure. What's more, a number of co-managed and hybrid services by Trustwave can be used to augment the products.

The company has made improvements in the last 12 months to its core functions. They include better storage options, an improved user interface, and search enhancements. It has also enhanced the way its products are deployed in managed and multitenancy environments.

Gartner noted that Trustwave's SIEM products are good offerings for organizations that are already invested in Trustwave's product portfolio or that need support from a co-managed service.

Trustwave's broad offering of deployment and service options is one of the company's strengths, Gartner noted, and may appeal to organizations with limited internal resources. Existing users of Trustwave products can benefit from the bidirectional integration across the technologies. Those benefits include support for automatic quarantining of endpoints and locking down of accounts. Organizations with large event monitoring, multitenant, or geographic distribution demands can profit from SIEM Enterprise's correlation, capacity, and customization capabilities. Gartner also noted that the simplicity of Trustwave's architecture makes it easy to deploy and expand.

Gartner cautioned, though, that Trustwave had very little visibility in competitive evaluations of SIEM products by its clients. It added that threat intelligence feeds into the products are limited to Trustwave's SpiderLabs and that direct integration of other feeds requires the use of professional services providers. No native behavioral features are supported by Trustwave's SIEM offerings, and there's no support for third-party behavioral products. Although Trustwave's co-managed services have big data capabilities, that's not the case for users of the on-premises version of SIEM Enterprise.

Challengers Quadrant

Companies in the ChallengersQuadrant have a modest-sized customer base for their SIEM products. The businesses have strong execution capabilities that stem from their brand presence and significant sales from all their lines of business. However, they have not demonstrated a complete set of SIEM capabilities and lack the track record of success in the market compared to the firms in the Leaders Quadrant. Only one company is in the Challengers Quadrant this year.

EMC

RSA, the security division of EMC, recently renamed its SIEM product as the RSA NetWitness Suite. It can identify threats using data from events, logs, packets, NetFlow, and endpoints. The product is focused on real-time monitoring, analysis, and alerting. It also supports proactive threat hunting, incident response, and forensic investigation. Advanced incident management workflow, operational playbooks, management dashboards, and reporting can be added to NetWitness Suite with another RSA offering, RSA NetWitness SecOps Manager.

Added to RSA SIEM suite over the last year were command and control communication detection through the use of behavioral analytics, selective log retention, enhancements to event source integration and grouping, and support for AWS monitoring.

NetWitness Suite is a good fit for businesses with security operations centers or dedicated incident response teams. It may also appeal to organizations with dedicated service providers that require security monitoring across logs and network traffic for threat detection and forensic investigation.

Strengths of NetWitness Suite cited by Gartner include its ability to combine security information from disparate sources. Because it's modular, the solution also makes it easy to bring monitoring services online as needed. And its integration with RSA NetWitness SecOps Manager gives the solution unified SOC capabilities.

Gartner warns, though, that the RSA offering can be complex to implement and to fine-tune to get the results desired by an organization. It added that the suite's interface is relatively basic and typically requires more customization than other products. The suite's incident management capabilities are also lightweight.

Visionaries Quadrant

SIEM firms in the Visionaries Quadrant have strong offerings but a lower ability to execute than those in the Leaders category. That's largely due to a smaller presence in the market than the Leaders. Their installed customer base may be smaller or their revenue or growth rate lower than the larger companies found in the Leaders Quadrant. Gartner placed one business in the Visionaries Quadrant.

AlienVault

AlienVault's United Security Management (USM) offering provides a broad array of features. They include SIEM, vulnerability assessment, asset discovery, network and host detection, flow and packet capture, and file integrity monitoring. It is available as both a virtual and hardware appliance.

In the last 12 months, Gartner noted, AlienVault has improved USM's asset visibility and agent management, as well as its the speed of its reporting updates. USM is also more deeply integrated now with AlienVault's Open Threat Exchange, a global community of security professionals and threat researchers.

Gartner recommends USM to companies in need of a broad set of integrated security capabilities, either on-premises or in AWS environments.

Among USM's strengths identified by Gartner are the product's variety of security capabilities and well-designed interface for navigating events, assets, and threat intelligence. In addition, USM's security monitoring capabilities cost less than  most of its competitors. What's more, it offers a simplified licensing model based on utilized appliances.

Companies considering USM, Gartner cautions, should be aware that the product cannot generate alerts from NetFlow data and that integrating unsupported data sources can be a hassle. The product also provides only basic enrichment of event data with user context, and identity access and management is limited to Active Directory and LDAP. In addition, workflow capabilities do not include external ticketing systems or role-based workflow assignments.

A mature market

As the SIEM market matures, Gartner noted, it's becoming very competitive. "We are in a broad adoption phase, in which multiple vendors can meet the basic requirements of a typical customer," it explained.

However, one area that remains a challenge to all SIEM vendors is discovering targeted attacks and system breaches.

"Organizations are failing at early breach detection, with more than 80% of breaches undetected by the breached organization," Gartner noted. "The situation can be improved with threat intelligence, behavior profiling, and effective analytics."

 Behavior profiling has been so effective in addressing the problem of data breaches that it will be drawing a lot of attention from SIEM makers in the coming months. Gartner noted, "We expect SIEM vendors to continue to increase their native support for behavior analysis capabilities as well as integrations with third-party technologies over the next 18 months, as more enterprises develop use cases based on behavior."


 

[ Join Webinar: Five Steps to Implement a Universal Policy Strategy ]