A Magic Quadrant, digested.
There will always be excellent software or IT services options that don’t fit into a Gartner Magic Quadrant; for a great many reasons we won’t rehash here.
The reports carry weight however; and many CIOs won’t buy outside them.
The consultancy’s latest publication looks at the thorny subject of the best SIEM, or Security Information and Event Management offering. CISOs, pay heed.
(Many, of course, think SIEMs and their torrent of false positives simply aren’t worth the money, but that’s a different story: strong thoughts on this? Get in touch).
A quick rehash: a SIEM aggregates log data produced by host and endpoint systems, security devices, applications and cloud services, as well as others sources like network telemetry, for analysis of security events.
Most will be able to map detected attacks to common frameworks, such as the MITRE ATT&CK framework.
In Gartner’s new SIEM Magic Quadrant unusually, there are no companies listed in the “challengers” section. For brevity and focus, we’ve also stripped out the “niche players”. Here are the seven “leaders” and solitary “visionary”.
Best SIEM: The Top Eight, Ranked
San Francisco-based Splunk ranks highest in Gartner’s “leaders” quadrant.
Pros: It can run as software on-premises, in IaaS and as a hybrid model. (Splunk Cloud is a SaaS solution using AWS infrastructure).
It is ranked highly as a solution that can support multiple teams (e.g., IT operations, security operations, data and analytics): “Buyers can start with one use case or team and then expand into others with limited friction.”
Ease of integration, quality and availability for end-user training are also ranked highly. Pricing is based on the amount of data ingested into the platform.
Cons: Boy does it get expensive. Despite its high rating, Gartner notes that “reference customer overall scores for evaluation and contract negotiation, service and support, pricing and contract flexibility, and value for money spent are below most of its competitors. This reflects ongoing concerns about the cost of Splunk.”
New York-headquartered IBM ranks a close second.
Pros: Its QRadar SIEM can be deployed on-premises, via hardware virtual appliances and software packages, or it can be hosted in the cloud.
Over the past 12 months IBM has improved alert efficiency. It offers “extensive options in deployment architecture” and a broad range of integrations available via its open API, and application marketplace Gartner notes.
Cons: The licensing models and pricing schemes available are a “complex set of choices for potential customers”. (Crudely, core SIEM licensing is based on number of events per second across the data sources in scope and flows per minute.)
More strikingly, QRadar offers “limited options for data collection for forensics from endpoints/hosts”. (It is better at network monitoring). “Customers must deploy third-party products or rely on its WinCollect agent or Sysmon for Windows collection.”
San Mateo-based Exabeam also ranks very highly.
Pros: It can run on-premises or as a cloud-based SIEM, hosted and managed by Exabeam. There are several form factors for on-premises deployments: hardened physical appliances, virtual appliances, dockerized containers, and private or public cloud deployments (in Amazon, Google and Azure).
Unusually, and attractively, Exabeam’s licensing and pricing models are “straightforward” says Gartner. Each of the SMP products is sold as a one- or three-year subscription, and priced by number of employees in the organisation, with the exception of Entity Analytics, which is priced by assets monitored.
It also got “stronger-than-typical marks for behavior analytics.”
Cons: It needs to work on its integration, deployment and ease of customisation.
With a heavy US focus at the moment, buyers outside the US looking for an SIEM-plus-services engagement should “confirm partners are trained/certified, and can address operational and use-case development requirements.”
Texas-based Securonix jostles closely with Rapid7 and LogRhythm for the next highest spot in the “leaders” quadrant.
In 2019 it moved to a SaaS SIEM, based in AWS, as the standard deployment model, and most new customers use that model. Customers deploy Remote Ingestor Nodes (RINs) for data collection and transport to the cloud.
Pros: Securonix receives high marks for analytics and user-monitoring capabilities. Fresh from the box it is comes with strong firepower, complete use cases, analytics, alerts, dashboards and response playbooks.
It includes support for complex and advanced use cases (e.g., APT, insider threat and fraud and its strong cloud support includes three different tenant models (shared, dedicated and isolated [servers]).
Cons: Getting the most out of it is not easy.
Gartner also cautions that “Securonix’s approach to filling functional coverage gaps by OEM, resell and technology partnerships introduces risks, because dependencies are created. Clients should understand both parties’ roadmaps and longer-term commitments, and assess support and maintenance structures”.
Boston-based Rapid7 is another SaaS-based SIEM built on AWS.
It also offers 24/7 threat monitoring and investigation and response functionality via its Managed Detection and Response (MDR) service offering.
Pros: As a SaaS, it requires only the deployment of endpoint agents or collectors on-premises. Its incident identification and investigation features have a “user-centric lens”. Simplicity of deployment is ranked highly by users.
Native support for FIM and endpoint is strong, compared with that of competitor vendors, Gartner notes, although it suggests the offering is a strongest fit for “SMBs (small businesses) that have limited security operations resources.”
It offers “strong support for user behaviour analytics (UBA)”.
A relatively small technology alliance ecosystem; very limited support of data masking for obfuscation; and its reliance on AWS mean “log management, encryption and archiving depend on the capabilities of that platform and are subject to the licensing conditions of the platform” among its drawbacks.
Availability of third-party resources for services is also an “area for improvement.”
Colorado-based LogRhythm can run on-premises as software, a physical appliance or a virtual appliance, in IaaS (AWS, Azure and Google Cloud) or hybrid environments.
Its cloud offering is, unlikely many listed, hosted and administered by the vendor.
Its core product, the XDR Stack, is licensed based on messages per second.
Pros: “The range of professional services, from onboarding to ongoing support, is extensive”. It also offers an “extensive range” of compliance report templates across a variety of industries and regulations worldwide.
Its product capabilities get good user feedback and as a unified solution that includes core SIEM, network monitoring, endpoint monitoring et al, it is a strong contender.
Cons: “LogRhythm continues to lag competitors in areas such as moving the platform toward a modern SIEM architecture (e.g., it’s still a mix of Windows Server, MS SQL and Linux OS), and the lack of a dedicated SOAR [Security Orchestration, Automation and Response] offering.”
“Support for monitoring in IaaS is lagging, compared with competitors.”.
Massachusetts-based RSA, which Dell recently agreed to sell to a private equity consortium for $2 billion cash, offers a sprawling array of mature security tools.
Metered licensing on a perpetual or term basis is the default for all new customers.
Pros: RSA’s multistage analytics engine offers “interesting, unsupervised modeling capabilities across endpoints, network and users” notes Gartner.
It points to a strong feature set in support of forensics and threat hunting, with “ubiquitous access of forensics artifacts across a wide RSA technology stack — e.g., fetch running process list from endpoints, or packet capture analysis natively inside the NWP user interface”. The company also has strong channel partners offering local support.
Cons: This last strength is also a potential weakness, Gartner notes, given the dynamic nature of OEM relationships, with some partners bought by rivals in recent years: “Clients should validate that their [partner] fits their requirements”.
It adds: “The UEBA capabilities offer fewer models than some of its competitors”
Its endpoint detection tool (NWP) not available from the vendor as a SaaS offering, although some RSA partners offer that capability. “Organizations that want a vendor-delivered SaaS SIEM may find limitations in the product and should be comfortable with its cloud security roadmap.” It is also complex to deploy.
Denmark-based LogPoint is the dark horse here.
The sole European entrant on the list, and the only company featured that fits in the “visionaries” rather than “leaders” category, its core SIEM license is a subscription based on the number of assets (number of IP addresses), and includes all modules, except LogPoint UEBA, which is licensed for additional cost.
LogPoint SIEM and components can be deployed on-premises via a physical or software appliance (based on a hardened version of Ubuntu), while the UEBA solution is delivered as a SaaS model with “predictable, asset-based licensing”.
Pros: LogPoint offers some innovative industry-vertical specific pricing models: LogPoint offers special pricing models for selected verticals: it offers hospitals a fixed fee based on the number of beds, municipalities a fixed fee based on the number of inhabitants, and universities a fixed fee based on the number of students.
The company has an “acute appreciation of privacy requirements that delivers advanced features in data masking and obfuscation for GDPR and CCPA requirements. LogPoint is the only SIEM that has obtained a Common Criteria EAL 3+ certification.”
LogPoint has carved some niche markets with interesting capabilities and security use cases for organizations extensively using SAP, or utilities using specific IoT equipment, such as Siemens wind turbines. It remains strongly Europe-focussed.
Cons: “Case management and SOC collaboration features are basic and might not support all aspects of SOC operations”, although integrations are provided with several SOAR products. Collection and parsing for custom-made data sources is done via “plug-ins,” which need to be configured by the customer. No support for GCP or IBM Cloud.