Disclaimer: This blog is my opinion based on my experience in the SIEM and cybersecurity markets. It is in no way representative of the opinions of Gartner, or the Gartner analysts, except where expressly stated as such.
When I was preparing to write this blog, I spent some time to review the 2018 Gartner Magic Quadrant for Security Information and Event Management report, then went back over my analysis from the 2017 report. A few trends emerged, so I decided to update my analysis for 2018, instead of simply writing the obligatory “Gartner recognized Exabeam as a Leader in the 2018 Magic Quadrant for Security Information and Event Management.”
After reading this year’s report, my conclusions on the SIEM landscape are as follows:
- Threat management is paramount for growth
- Analytics is key
- SIEMs must be end-to-end
Threat management is paramount for growth
According to this year’s report, “the SIEM market grew from $1.999B in 2016 to $2.180B in 2017.” My back-of-the-napkin math has this pegged at roughly 9.1% year-over-year growth. Why is this important? Because, according to my own research, this makes SIEM one of the largest total addressable markets in security—behind only the firewall and endpoint markets—as well as one of the fastest-growing security markets.
Gartner analysts Kelly Kavanagh, Toby Bussa, and Gorka Sadowski assert that for SIEM growth, “Threat management is the primary driver, and general monitoring and compliance remains secondary.” If the battle among SIEMs is going to be waged to satisfy the threat management needs of customers, it seems logical to me that SIEMs would be heavily investing in their threat management capabilities to capture that opportunity. This brings me to my next takeaway…
Analytics is key
Last year I concluded that SIEMs needed behavioral analysis to be effective in threat detection, an opinion I still hold. The analysts who authored this year’s report made no such bold statements. This year, they do, however, say the following about the SIEM market: “The greatest area of unmet need is effective detection of and response to targeted attacks and breaches. The effective use of threat intelligence, behavior profiling and analytics can improve detection success.” Given that, it makes sense that 100% of the leaders in this year’s report have found a way to add either user behavior analytics (UBA) or user and entity behavior analytics (UEBA) to their platform.
Of the seven vendors in the Leaders quadrant:
- Two originated as UEBA vendors before they were SIEMs, and thus have very mature analytics capabilities
- Two built their own UBA/UEBA offerings in the last two years
- Two have acquired UBA companies
- One secured an OEM arrangement to add UEBA to their platform
Outside of the Leaders quadrant, analytics capabilities are sparse. Only one or two vendors have viable offerings. Coincidence? I think not.
SIEMs must be end-to-end
I would argue that threat management needs to start with data collection, but it doesn’t end there. Once the relevant data is available, the threat management process continues into detection, investigation, and ultimately response. SIEMs have long had the ability to collect data into a central location, and as discussed above, are busy bolstering their abilities to detect threats through the use of analytics. What’s left? Efficient incident investigation and response. This is where security orchestration, automation, and response (SOAR) becomes a critical piece of the modern SIEM stack.
Nowhere in the report does it say vendors must have SOAR capabilities to be a leader. However, my cursory analysis of the vendors in the Leaders quadrant suggests that SOAR is part of the winning recipe. My evidence? Of the seven vendors in the Leaders quadrant:
- Three have native SOAR capabilities
- Two have basic SOAR capabilities that the vendors have been improving throughout 2018
- One made an acquisition to add SOAR to its platform this year
- One announced an OEM to add SOAR capabilities to its platform earlier this year
Of course, there is more to a vendor’s placement than the right combination of products. Analysts also take into account a myriad of other criteria, including go-to-market strategy, geographic coverage, partnerships, sales execution, operational capabilities, and more.
Our take on the Modern SIEM
The Exabeam Security Management Platform (SMP) combines end-to-end data collection, analysis, and response in a single management and operations platform.
The Exabeam SMP is built on a scalable, modern big data infrastructure and uses UEBA to provide insider threat detection, tracking anomalous behavior and suspect lateral movement within an organization, while also securing your cloud services, machines, devices, and IoT assets. Automated incident response using SOAR allows teams to respond to security incidents rapidly and with less effort.
Get your copy of the 2018 Gartner Security Information and Event Management Magic Quadrant.
Gartner, Magic Quadrant for Security Information and Event Management, Kelly Kavanagh, Toby Bussa, Gorka Sadowski, 3 December 2018
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.