Open XDR , Security Information & Event Management (SIEM) , Security Operations
Microsoft, IBM, Splunk Dominate SIEM Gartner Magic QuadrantMicrosoft Enters Leaders Quadrant While LogRhythm, Rapid7 Fall in Latest Rankings
A surging Microsoft has leapfrogged to the top of the SIEM Gartner Magic Quadrant, catapulting past security operations stalwarts IBM, Splunk, Securonix and Exabeam.
The Seattle software goliath entered the SIEM market three years ago with its cloud-native Azure Sentinel tool and has climbed from being named a visionary by Gartner last year to crushing the entire SIEM market in execution ability in 2022. Microsoft's rise coincides with the drop of LogRhythm and Rapid7 from the leaders to the challengers quadrant due to a decline in their completeness of vision, Gartner found.
"The SIEM market is maturing at a rapid pace and continues to be extremely competitive," the authors wrote. "The reality of what SIEM was just five years ago is starting to detach from what SIEM is and provides today."
Exabeam, IBM, Securonix and Splunk were recognized by Gartner as SIEM leaders both this year and last, but their position within the quadrant markedly shifted over the past 12 months. Microsoft, IBM and Splunk took the gold, silver and bronze, respectively, in execution ability this year. That's a dramatic change from last year, when Exabeam, IBM and Securonix took the gold, silver and bronze.
The completeness of vision category also saw ranking shifts, with Gurucul jumping to the top, despite execution ability challenges keeping the company in the visionaries quadrant. Securonix and Exabeam, which took the gold and silver in 2021, each fell one spot due to Gurucul's rise. And IBM, which took the bronze last year, fell to fifth after being leapfrogged by Splunk for fourth place, Gartner found.
"The SIEM market will continue to evolve and see increased competition with new solutions that have come to market," Gartner wrote.
SIEM purchasing activity rebounded in 2021, and the market grew 20% to $4.1 billion, according to Gartner. That's in stark contrast to the pandemic year 2020, when the SIEM market shrank by 3.9%.
Organizations are using SIEM to assess their real-time risk posture by examining the configuration status of cloud assets, risk profiling across users and entities, asset inventory, and criticality rating, Gartner says. Buyers want SIEM tools with broad and deep capabilities around threat detection, response, exposure management and compliance to satisfy a variety of use cases and support a diverse environment.
"The most prominent deployment architecture has shifted from client-hosted and managed to cloud-native (SaaS) or cloud-delivered (hosted) to take advantage of easier deployments, scalability and flexibility," the authors wrote.
Outside of the leaders, here's how Gartner sees the SIEM market:
- Visionaries: Gurucul, Sumo Logic, Elastic, Micro Focus
- Challengers: LogRhythm, Rapid7, Devo, Fortinet
- Niche Players: Logpoint, ManageEngine, Huawei
- Missing the List: DataDog, Google Chronicle, Graylog, Logsign, Panther Labs - didn't meet functional or commercial requirements
How the SIEM Leaders Climbed Their Way to the Top
|Exabeam||SkyFormation||Not Disclosed||July 2019|
|IBM||Q1 Labs||Not Disclosed||October 2011|
|IBM||Resilient Systems||Not Disclosed||April 2016|
|IBM||ReaQta||Not Disclosed||November 2021|
Microsoft Extends Automation Beyond Remediation and Response
Microsoft has focused on increasing visibility, driving efficiency and extending coverage around its SIEM product, says Sarah Fender, partner director of product management at Microsoft. The company has expanded its marketplace of integrated data sources and use cases, enabling customers to search across all data - including basic logs, archive logs and historic logs - and analyze it with native integrations, Fender says.
Azure Sentinel also extends automation beyond remediation and response to other tasks within the security operations center, such as enrichment and correlation, reducing the time needed to complete tasks, Fender says. Microsoft has extended its ability to monitor critical workloads from traditional IT to areas that are underserved by the SOC today, such as cloud, OT and business applications such as SAP.
"You really need this extended visibility across your entire estate to piece together the attack story," Fender tells Information Security Media Group. "It's no longer that we see attacks that start and end in an IoT or OT device. They come into the enterprise network, and so we really need this expanded visibility to effectively piece together these signals."
Gartner criticized Microsoft for limited out-of-the-box content, the potential for indirect vendor lock-in, and making it difficult to understand the true cost. Fender says Microsoft has reduced cost by bringing in a lower-priced tier of logs and log storage options, supports a multivendor ecosystem and has moved to rapidly add connectors, though she says the company is more focused on current tools than legacy ones.
"We believe we cover the vast majority of the data sources and use cases that customers need," Fender says. "If there are any gaps, we will move quickly to address those. I tell customers, 'If there's something that you don't see there, just tell me and we'll build it.'"
IBM Leverages ML Analytics to Detect 'Low and Slow' Attacks
IBM believes SIEM should fundamentally give customers visibility into their environment, detect new and emerging threats, and respond to those quickly, says Vice President of Product Management Chris Meenan. From a visibility perspective, Meenan says IBM has focused on collecting usage and telemetry data from services such as Box and bringing that into the SIEM to better understand who's accessing files.
As far as threat detection is concerned, enhancements to IBM's machine learning analytics make it easier to detect "low and slow" attacks while automated content updates ensure users can detect the latest Log4j or Microsoft vulnerability, Meenan says. And in response, IBM has redesigned the experience around creating and managing playbooks to drive automation, consistency and speed for customers, he says.
"We automatically combine the insights from the network data with insights from Box or information from AWS," Meenan tells ISMG. "We combine those automatically for the analyst to give them far more context before they take action."
Gartner criticized IBM for its complex implementation, slow innovation around SIEM, and failure to distinguish between correlation rules and analytics. Meenan says customers don't care whether signs of malicious behavior in their environment come from correlation rules or analytics. The company doesn't use out-of-the-box data connectors for custom apps and believes SIEM customers will benefit from IBM's cloud security bets.
"SIEM doesn't live in isolation anymore," Meenan says. "SIEM needs to be really coupled with your response. Our strategy is to bring them together on that Cloud Pak platform and deliver faster time to detect threats for our customers."
Splunk Infuses SecOps With Threat Intelligence
Integrated threat intelligence is table stakes for any SIEM offering, and Splunk plans to bring intelligence and SecOps together to improve the fidelity of detection, says Patrick Coughlin, vice president of go-to-market strategy and specialization at Splunk. This helps streamline and speed detection and response since even sophisticated customers struggle with normalizing data from external threat intelligence providers.
Threat intelligence can help with alert triage by escalating the alerts that have more potential to be malicious and suppressing the ones that are more likely to be false positives, says Coughlin. Fusing threat intelligence, risk-based alerting and behavioral analytics together has helped address alert fatigue by exponentially decreasing alert volumes for customers, he says.
"Customers don't want a bunch of different barely good enough point solutions," Coughlin tells Information Security Media Group. "They're asking for strategic partners. What we are doing here at Splunk by bringing these capabilities together is sending a message to our customers that we want to be one of your handful of strategic partners for the future."
Gartner criticized Splunk for high pricing, high product complexity and a lack of understanding of market requirements outside North America. Coughlin says Splunk is fighting a perception in the market that linear ingestion of data leads to higher costs, but the company actually charges based on usage and value from data. He says Splunk offers firms diverse data storage choices based on what's right for them.
"SIEM is a complex space," Coughlin says. "These are complex, mission-critical solutions that we're talking about. There is a level of expertise that's required in the field in order to be successful."
Securonix Applies SIEM No Matter Where Data Resides
Securonix's investments over the past year have focused on increasing automation, enhancing threat detection and response, and embracing data decentralization, says Chief Strategy Officer Nitin Agale. The company now can bring analytics and SIEM capabilities to customer data regardless of where it's stored without forcing customers to duplicate their data or move it someplace else, according to Agale.
Agale says the company has 100 dedicated threat researchers focused on looking at new and advanced threats and applying that intelligence to customer environments to protect them against relevant issues. Securonix also has invested in automating menial tasks such as scaling to customer needs as well as making the platform as intelligent as possible via self-learning for data that was generated in the past.
"We have been doing security analytics for over 10 years now," Agale tells ISMG. "We started as an analytics company. That was our focus, and that continues to be our differentiator because at the end of the day, what does the customer want? 'Can you find what others cannot find? And can you help me mitigate that?' And I think that's where we shine the most."
Gartner criticized Securonix for unconventional pricing models, additional analytics packaging and overlapping marketing messaging around XDR and SIEM. Agale says Securonix plans to move from traditional data pricing to value-based pricing within the next 18 months, wants to add clarity as the XDR market develops and packages vertical-specific analytics separately since each buyer is different.
"These are fixable problems versus foundational issues like the customer complaining that the product doesn't work," Agale says.
New Exabeam SIEM Can Handle Massive Amounts of Data
Exabeam earlier this month introduced a new SIEM offering that can handle and organize large volumes of disparate data at the same speed as hyperscale cloud providers, says CEO Mike DeCesare. Exabeam's New-Scale SIEM offers not only more scalability but also world-class dashboards and reporting via a new user interface that makes it easier for customers to see where their data is coming from, DeCesare says.
The company previously could only handle 100,000 events per second without its SIEM slowing down or breaking, but New-Scale SIEM can manage 1 million events per second, which he says is equivalent to the U.S. Department of Defense giving Exabeam all of its data. Unlike its peers, Exabeam started in the user and entity behavior analytics space, which he says has given the company a massive advantage around behavioral analytics.
"We get much, much more granular at threat detection," DeCesare tells Information Security Media Group. "If a customer is dealing with somebody who is not breaking in but they're logging in using stolen credentials, Exabeam's product can still detect and stop those things. And there's not anything else on the market that can come close to us at that."
Gartner criticized Exabeam for extended onboarding time, lack of native ecosystem components and confusing messaging around XDR and SIEM. DeCesare says Exabeam's reliance on third-party EDR and NDR is a strength rather than a weakness, with parsers written across 292 different vendors, so clients can pick best of breed tools. The company now talks about TDIR rather than XDR to minimize confusion.
"When I meet with big customers, I don't hear any of them telling me that they are going to go all-in on anybody," DeCesare says. "The second that they make that decision, you have to have a technology like ours that's open."