Disclaimer: This blog is my opinion based on my experience in the Security Information and Event Management (SIEM) and cybersecurity market. It is not representative of the opinions of Gartner, or Gartner analysts, except where expressly stated as such.
What is evident to me from the 2017 Gartner Magic Quadrant for Security Information and Event Management (SIEM) is that, after a four-year drought from 2013 through 2016, innovation has finally returned to the SIEM market. (You can download a complimentary copy of the 2017 Gartner Magic Quadrant for Security Information and Event Management here.)
How can I say that? In my opinion, it is evidenced by the scarcity of companies positioned as Visionaries in the 2013 through 2016 Gartner Magic Quadrants for Security Information and Event Management (SIEM). In fact, only one company was placed in that quadrant during those four years (and, in my view, only just).
From our perspective, the small number of Visionaries was both unfortunate and surprising, because while innovation languished, bad actors continued to evolve, and rapidly. Cyber attackers expanded their range of targets, a trend that is destined to continue as the attack surface of the typical organization expands. According to Cybersecurity Ventures, 111 billion lines of new code were written in 2017. And as the world goes more and more digital, Gartner estimates that the attack surface will reach 6 billion people by 2022.
This trend has also caught the attention of a new set of financially motivated attackers, including those connected to global organized crime, who have access to far greater resources. Attackers are rapidly upping the ante with well-honed, sophisticated skill sets, not to mention access to low-cost automated hacking tools. And despite the focus on these growing external threats, the malicious insider continues to be one of the biggest sources of data loss and damage.
Defending against attacks across the full span of your attack surface, with its many unpatched vulnerabilities, requires a broader variety of tools that work together to produce holistic insight into network activity. These include the latest technologies for monitoring user behavior and endpoint activity, combined with real-time (or near real-time) access to current threat intelligence. Security teams also need to detect anomalous user behavior and lateral movement across the network.
Only a SIEM that has evolved at the speed of the bad actors (or preferably faster) can stand up to these newer, more sophisticated threats. Only an evolved, next-generation SIEM, a security analytics platform that accounts for the human element behind machine activity, can provide an adequate defense against these evolving external threats and more motivated insider threats. Such a platform also needs to give security teams the best possible threat detection and intelligence, enabling rapid and automated incident response (IR) that stops or limits the damage.
The innovators were mostly doing the same things
Looking at last year’s Magic Quadrant for Security Information and Event Management, we believe you can get a hint from Gartner’s research as to where we will see the innovation to match these emerging cyber threats. The Gartner Magic Quadrant is the culmination of research in a specific market: it provides a graphical view of the relative competitive positions of the market’s vendors, placing each in one of four quadrants: Leaders, Visionaries, Niche Players and Challengers.
The Gartner Magic Quadrant aims to help organizations evaluate their choices by providing an assessment of vendor offerings. While we see significant differences among the vendors in the Visionaries quadrant, it’s our view that they all share one thing: similar functionality. My assessment of the three vendors in the Visionaries quadrant is that they all combine a SIEM, User and Entity Behavior Analytics (UEBA) for threat detection, and Security Orchestration, Automation and Response (SOAR) for incident response automation. In short, they’ve all built what might be described as “next-gen SIEMs,” offering what I would consider innovative functionality and more modern tooling such as data lakes, machine learning, behavioral analysis and automated incident response.
The lack of innovation is costing the incumbents
While not a tectonic shift, I believe the newer tech stack of the Visionaries does seem to have pushed the Leaders quadrant to the left. It appeared to me that not a single Leader maintained its position or moved right within the Leaders quadrant compared to the previous report. Why? I would assert that it’s because these companies, although typically more established and with larger user bases, didn’t have the full SIEM + UEBA + SOAR stack of the innovators. Does this mean the “next generation” of SIEM will retool to incorporate these stacks and more? Will more SIEMs focus on user behavior rather than correlation rule-based analysis? Or will innovation come from applying machine learning to other, non-detection use cases such as incident prioritization or context enrichment?
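To make the contrast between correlation rule-based analysis and user-behavior analysis concrete, here is a small added example (my own illustration, not code from the original post or from any SIEM vendor). It runs a classic threshold correlation rule and a simple UEBA-style baseline over the same constructed authentication events. The event format (ts,user,src,dst,result), the thresholds and the baseline model (known sources, known destinations, working-hour range) are all assumptions chosen for illustration; the sample log lines are constructed.

```python
"""Correlation rule vs. behavioral baseline on constructed authentication events.

Added example; not code from the original post or from any SIEM product.
Event format (ts,user,src,dst,result), thresholds and the baseline model are
assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse(line):
    """Parse one constructed CSV auth event into a dict."""
    ts, user, src, dst, result = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": src, "dst": dst, "result": result}


def baseline_lines():
    """Constructed 'normal week': alice reaches fileserver/wiki 09-15h,
    bob reaches db01 08-17h, each from their own workstation."""
    lines = []
    for day in range(1, 6):
        for hour, dst in ((9, "fileserver"), (11, "wiki"), (15, "fileserver")):
            lines.append(f"2018-01-0{day}T{hour:02d}:05:00,alice,ws-alice,{dst},success")
        for hour in (8, 13, 17):
            lines.append(f"2018-01-0{day}T{hour:02d}:30:00,bob,ws-bob,db01,success")
    return lines


# Constructed day under review: a password-guessing burst against bob from a
# kiosk, one routine alice login, then alice quietly hopping to two new hosts at 2am.
DAY_LINES = [
    f"2018-01-08T09:58:{s:02d},bob,ws-kiosk,db01,fail" for s in range(0, 60, 10)
] + [
    "2018-01-08T09:59:10,bob,ws-kiosk,db01,success",
    "2018-01-08T10:30:00,alice,ws-alice,wiki,success",
    "2018-01-09T02:13:00,alice,ws-alice,hr-db,success",
    "2018-01-09T02:20:00,alice,ws-alice,dc01,success",
]


def correlation_rule(events, threshold=5, window=timedelta(minutes=10)):
    """Classic SIEM rule: >= threshold failures for (user, src) followed by a
    success inside the window. Deterministic and explainable, but blind to
    activity that never fails first (valid stolen credentials, an insider)."""
    alerts, failures = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["src"])
        if e["result"] == "fail":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append(("brute_force_success", e["user"], e["src"], e["dst"]))
        failures[key].clear()
    return alerts


def build_profiles(events):
    """UEBA-style baseline per user: sources, destinations and working hours
    learned from successful logins only."""
    profiles = defaultdict(lambda: {"src": Counter(), "dst": Counter(), "hours": []})
    for e in events:
        if e["result"] == "success":
            p = profiles[e["user"]]
            p["src"][e["src"]] += 1
            p["dst"][e["dst"]] += 1
            p["hours"].append(e["ts"].hour)
    return profiles


def behavior_anomalies(events, profiles, max_new_dst_per_day=1):
    """Flag successes that deviate from the user's own baseline. A second
    never-seen destination on the same day is reported as a lateral-movement
    chain; no failed attempt is needed to trigger."""
    alerts, new_dst = [], defaultdict(set)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "success":
            continue
        p = profiles.get(e["user"])  # .get() does not create a default entry
        if not p:
            alerts.append((e["user"], e["dst"], ("no_baseline",)))
            continue
        reasons = []
        if e["src"] not in p["src"]:
            reasons.append("new_source")
        if e["dst"] not in p["dst"]:
            reasons.append("new_destination")
            new_dst[(e["user"], e["ts"].date())].add(e["dst"])
        if not (min(p["hours"]) <= e["ts"].hour <= max(p["hours"])):
            reasons.append("off_hours")
        if len(new_dst[(e["user"], e["ts"].date())]) > max_new_dst_per_day:
            reasons.append("lateral_movement_chain")
        if reasons:
            alerts.append((e["user"], e["dst"], tuple(reasons)))
    return alerts


def run():
    """Apply both detectors to the constructed day; returns (rule_alerts, behavior_alerts)."""
    history = [parse(line) for line in baseline_lines()]
    today = [parse(line) for line in DAY_LINES]
    return correlation_rule(today), behavior_anomalies(today, build_profiles(history))


if __name__ == "__main__":
    rule_alerts, behavior_alerts = run()
    print("correlation rule:", rule_alerts)
    print("behavior baseline:", behavior_alerts)
```

The correlation rule fires once, on bob's success after six failures from the kiosk, and is silent about alice. The behavioral baseline also flags bob's login (new source), but its real value is alice: two successful, never-failing logins at 2am to hosts she has never touched, the second of which is reported as a lateral-movement chain. Neither detector is sufficient alone; a baseline this naive will also produce false positives the first time a user legitimately changes routine, which is why the tuning, context enrichment and prioritization questions raised above matter as much as the detection logic itself.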
According to Gartner, “The greatest area of unmet need is effective detection of targeted attacks and breaches. Organizations are failing at early breach detection, with more than 80% of breaches undetected by the breached organization. The situation can be improved with threat intelligence, behavior profiling and effective analytics. SIEM vendors continue to increase their native support for behavior analysis capabilities as well as integrations with third-party technologies, and Gartner customers are increasingly expressing interest in developing use cases based on behavior.”
My opinion is that the SIEM market has matured in recent years, and SIEM is predicted to enjoy even broader adoption. Which direction today’s innovators decide to take this market, however, only time will tell.
Gartner, Magic Quadrant for Security Information and Event Management, Kelly Kavanagh and Toby Bussa, 4 December 2017.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.