Gartner Archives - DETECTX | Cloud Security Expert

Published 11 June 2020 – ID G00718877 – 23 min read

Network detection and response (formerly known as network traffic analysis) vendors are adding more automated and manual response features to their solutions. Here, we provide an overview of the market and highlight some of the key vendors to be considered by security and risk management leaders.

Overview

Key Findings

Applying machine learning and other analytical techniques to network traffic is helping enterprises detect suspicious traffic that other security tools are missing.
Network detection and response (NDR) remains a crowded market with a low barrier to entry, as many vendors can apply common analytical techniques to traffic monitored from a SPAN port. Customer references, from a broad set of vendors, are generally satisfied with their tools.
Response capabilities fall into two categories: manual and automatic. Vendors have been actively enhancing their manual (threat hunting and incident response) features, and have been adding partners to broaden their automatic response functionality.

Recommendations

To improve infrastructure security and the detection of suspicious network traffic, security and risk management leaders should:

Implement behavioral-based NDR tools to complement signature-based detection solutions.
Include NDR-as-a-feature solutions in their evaluations, if they are available from their current security information and event management (SIEM), firewall or other security vendors.
Decide early on in the evaluation process if they desire automated response versus manual response capabilities. A clearly defined response strategy is valuable in selecting a shortlist of NDR vendors.

Market Definition

NDR solutions primarily use non-signature-based techniques (for example, machine learning or other analytical techniques) to detect suspicious traffic on enterprise networks. NDR tools continuously analyze raw traffic and/or flow records (for example, NetFlow) to build models that reflect normal network behavior. When the NDR tools detect suspicious traffic patterns, they raise alerts. In addition to monitoring north/south traffic that crosses the enterprise perimeter, NDR solutions can also monitor east/west communications by analyzing traffic from strategically placed network sensors.Response is also an important function of NDR solutions. Automatic responses (for example, sending commands to a firewall so that it drops suspicious traffic) or manual responses (for example, providing threat hunting and incident response tools) are common elements of NDR tools. In 2019, Gartner named this market “network traffic analysis.” This year, we renamed it “network detection and response,” because this term more accurately reflects the functionality of these solutions.

Market Description

Dozens of vendors claim to analyze network traffic (or flow records) and to detect suspicious activity on the network. We have applied the following criteria to identify the most relevant vendors.Inclusion CriteriaVendors must:

Analyze raw network packet traffic or traffic flows (for example, NetFlow records) in real time or near real time.
Monitor and analyze north/south traffic (as it crosses the perimeter), as well as east/west traffic (as it moves laterally throughout the network).
Be able to model normal network traffic and highlight suspicious traffic that falls outside the normal range.
Offer behavioral techniques (non-signature-based detection), such as machine learning or advanced analytics that detect network anomalies.
Provide automatic or manual response capabilities to react to the detection of suspicious network traffic.

Exclusion CriteriaWe exclude solutions that:

Require a prerequisite component — for example, those that require a SIEM or firewall platform.
Emphasize network forensics over detection functionality, primarily through the storage and analysis of full PCAP data.
Work primarily on log analysis.
Are based primarily on analytics of user session activity — for example, user and entity behavior analytics (UEBA) technology.
Focus primarily on analyzing traffic in Internet of Things (IoT) or operational technology (OT) environments, because specialized solutions are optimized to address this use case.

Market Direction

Vendors are focused on enhancing their detection and response capabilities. For detection, we expect vendors to continue enhancing their ability to detect suspicious patterns in encrypted traffic. Some vendors will add the ability to terminate, decrypt and analyze TLS traffic natively in their sensors. However, most vendors, particularly the ones with out-of-band sensors, will enhance their ability to detect suspicious traffic without decrypting the TLS traffic and inspecting the payload. Some vendors detect suspicious SSL/TLS Server Certificates for this purpose. Also, some vendors use techniques such as analyzing the length of individual packets, the timing between packets, the duration of connections and other methods to detect suspicious TLS traffic. We expect that more vendors will enhance their solutions with similar functionality.Vendors will also be enhancing their response capabilities. For automated responses, they will broaden partnerships with firewall vendors (send commands to firewalls to drop suspicious traffic), network access control vendors (send commands to the network access control [NAC] solution to isolate an endpoint), security operations automation response (SOAR) vendors (respond to events with playbooks), endpoint detection and response (EDR) vendors (to contain compromised endpoints) and other security vendors. For manual response, vendors will improve their threat hunting and incident response functions by improving workflow features (for example, helping incident responders prioritize which security events they need to respond to first).

Market Analysis

Here, we analyze the segments of the NDR market:

Pure-play NDR companies. The vendors in this category are mostly smaller specialty companies whose only product is an NDR solution.
Network-centric companies: Several companies that have historically targeted network use cases, such as network performance monitoring and diagnostics (NPMD; see “Market Guide for Network Performance Monitoring and Diagnostics”), have developed solutions to address security use cases. These network-centric solutions were already monitoring network traffic, and these vendors have applied analytical techniques, such as machine learning, to detect anomalous traffic.
Others. A few vendors do not fit cleanly in the two categories defined above. For example, large, diversified network security providers, such as Cisco and Hillstone Networks, also offer NDR solutions. Cisco has Stealthwatch, and Hillstone has the Server Breach Detection System.

Representative Vendors

Market Introduction

Table 1 highlights the NDR vendors that meet our inclusion criteria and were not eliminated by our exclusion criteria.

Table 1: Representative Vendors in Network Detection and Response

Enlarge Table

Vendor	Product, Service or Solution Name
Awake Security	Awake Security Platform
Blue Hexagon	Blue Hexagon
Bricata	Bricata
Cisco	Stealthwatch
Corelight	Corelight Sensors
Darktrace	Enterprise Immune System
ExtraHop	Reveal(x)
Fidelis Cybersecurity	Fidelis Elevate
FireEye	SmartVision
Flowmon	Flowmon Anomaly Detection System (ADS)
Gigamon	ThreatINSIGHT
GREYCORTEX	MENDEL
Hillstone Networks	Server Breach Detection System (sBDS)
IronNet	IronDefense
Lastline	Lastline Defender
Plixer	Scrutinizer
Vectra	Cognito Detect

Source: Gartner (June 2020)Please refer to Note 2 for a list of other vendors that we are tracking.The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

Vendor Profiles

Awake Security

Based in Santa Clara, California, Awake Security uses supervised machine learning, unsupervised machine learning and some deep learning techniques to detect suspicious traffic. Awake does not decrypt TLS traffic. It also does not use JA3 signatures, but Awake has developed its own application/TLS fingerprinting algorithms. It also uses encrypted traffic analysis techniques. For example, it can identify attempts to tunnel malicious traffic over DNS and other protocols.Awake’s solution includes manual and automatic response capabilities. Its Ava tool performs automated threat hunting, incident triage and response. Awake partners with multiple firewall vendors, orchestration tools and other solutions to enforce automated responses. Awake sells the solution as an annual subscription, based on aggregate throughput. Virtual appliances are available at no charge, and physical devices are available for a fee. Customers can deploy Awake in two modes. With the first option, no customer sensitive data ever leaves the customer’s environment. With the second option, customers deploy the central analytics and management in an Awake hosted cloud. In this scenario, each customer’s data is isolated and can only be accessed by the customer that owns the data. Awake also offers a managed network detection and response service built on the technology platform.

Blue Hexagon

Blue Hexagon is based in Sunnyvale, California. It launched its network and IaaS (Amazon Web Services [AWS] and Microsoft Azure) network detection solution in 2019, with a cloud management console. The vendor serves the U.S. market and plans expansion internationally in 2020. Blue Hexagon’s detection engine inspects network traffic and files, and is based on deep learning to detect threats. The solution cannot decrypt TLS. It relies on TLS handshake and tunnel characteristics to detect anomalies on encrypted traffic, using its deep learning models. The vendor uses threat intelligence feeds, but also uses deep learning to classify sources as malicious.Blue Hexagon can be deployed in-line and out-of-band. When deployed out-of-band, it integrates with endpoint security and firewall solutions, as well as SIEM, SOAR and AWS/Azure to provide automated response. When deployed in-line (“bump in the wire” or through ICAP), it can directly block traffic. Licensing for Blue Hexagon follows a traditional network security approach, with hardware purchase (virtual appliance is free of charge) and licensing based on required bandwidth, which includes vendor support. IaaS pricing can be bandwidth-based or per hour.

Bricata

Headquartered in Columbia, Maryland, Bricata is a network security vendor primarily targeting the U.S. and European markets. The vendor’s solution leverages the Suricata IDPS module for signature-based controls and the Zeek (formerly Bro) engine for protocol and behavioral analysis, while capturing full-packet traffic data for retrospective analysis. Bricata is a highly customizable solution, where users can tune detections and create specialized detections. Bricata also includes the Cylance Infinity engine for file analysis. The network sensors and centralized management are available in physical and virtual appliances. They can also be deployed on the main IaaS platforms. The sensors do not decrypt TLS traffic, and rely on JA3 fingerprinting to provide encrypted session analysis. The vendor recently released the ability to tag alerts based on the MITRE ATT&CK framework, to aggregate similar events in the dashboard, and to run files in the Cuckoo Sandbox.The vendor’s response capabilities rely on SIEM and SOAR integration, and API documentation is available to create custom response scenarios with firewall, NAC and other products. Bricata’s software pricing is based on aggregated bandwidth of inspected traffic. Customers can also purchase hardware appliances through Bricata’s channel partners.

Cisco

Cisco, based in San Jose, California, offers two deployment options for its Stealthwatch solution. Stealthwatch Enterprise collects, stores and analyzes information in the customer’s environment. Stealthwatch Cloud is a SaaS offering. It can monitor a customer’s private network or a public cloud environment (through integrations with AWS, Azure or Google Cloud Platform). Stealthwatch detects suspicious traffic primarily by analyzing NetFlow, IPFIX or sFlow records. Stealthwatch uses multiple analytical techniques to detect suspicious traffic, including supervised machine learning, unsupervised machine learning and some deep learning algorithms. The solution does not decrypt TLS traffic. Stealthwatch uses Cisco’s Encrypted Traffic Analysis (ETA) functionality to analyze TLS traffic without decrypting it.Stealthwatch provides historical information to enable a security analyst to manually respond to incidents. It also enables automated responses through integration with Cisco’s Identity Services Engine (ISE). Stealthwatch alarms and events can be shared with Cisco’s SecureX platform, where responses can be automated via SecureX playbooks. Stealthwatch is sold as a subscription based on the necessary flows per second, network device count or total monthly flows.

Corelight

Corelight is headquartered in San Francisco, California, serving customers essentially in North America and Europe. The vendor’s founders created the Zeek (formerly Bro) network monitoring framework and the solution’s sensors are available in the form of appliances (physical and virtual) on AWS and, more recently, on Azure. Corelight uses Zeek as its main engine and as a support for its own detections and integrating third-party threat intelligence feeds. Corelight mainly relies on its own analysis of the traffic metadata, and can also extract files to forward them to third-party file inspection devices. Corelight Sensors do not decrypt TLS, but the vendor just added additional encrypted traffic analysis for SSH — to detect brute force attempts and interactive connections — and TLS, including JA3 fingerprinting and certificate analysis.As Corelight Sensors are more frequently deployed out of band, the vendor focused its response capabilities on integrating with a broad portfolio of SIEM and SOAR tools. Customers interested in Corelight will purchase hardware appliances and attached subscriptions based on sensors’ expected bandwidth capacity.

Darktrace

Darktrace is based in Cambridge, U.K., and San Francisco, California. It’s detection capability is primarily based on unsupervised machine learning, and it also utilizes supervised machine learning and deep learning algorithms. To analyze encrypted traffic, Darktrace relies primarily on unsupervised machine learning to detect unusual and anomalous JA3s. Darktrace offers a SaaS module to monitor traffic between users and Microsoft Office 365. In 2019, Darktrace introduced the Cyber AI Analyst capability. It uses analytical techniques to automatically investigate threats detected by Darktrace’s flagship Enterprise Immune System (EIS). Cyber AI Analyst investigates the most important incidents on a dashboard, and it provides written reports on these incidents.Darktrace’s optional Antigena tool automates the response to incidents detected by EIS. It sends commands to leading firewall vendors to drop suspicious traffic. It also integrates with some SOAR tools, some EDR tools and NAC tools. Cyber AI Analyst is Darktrace’s primary tool for automatically investigating and responding to threats. Pricing for EIS is based on an annual subscription. The price for Antigena for Network is 50% of the cost of the EIS license. The price for Antigena for Email is based on the number of users in the organization.

ExtraHop

ExtraHop is a large network monitoring and security vendor, based in Seattle, Washington. It launched its NDR product, named Reveal(x), in January 2018. The vendor quickly gained visibility on shortlists among its existing customers and across multiple regions in pure NDR evaluations. ExtraHop delivers Reveal(x) as a self-service on-premises or IaaS appliance solution, or as cloud-hosted SaaS. Reveal(x) sensors extract enriched metadata to feed multiple analysis engines and build correlated security events. ExtraHop also offers full-packet capture or event-triggered packet capture. Users can drill down from summary metadata into the raw packets as Reveal(x) allows filtering and downloading of only the range of packets required. Reveal(x) can decrypt TLS traffic, if given access to the server secret keys or the symmetric session key, and relies on JA3 fingerprinting and other traffic analysis techniques when decryption is not an option. ExtraHop detection capabilities leverage a combination of techniques, including rule- and reputation-based controls, but also combine supervised and unsupervised machine learning to detect anomalies and deviation from normal network behaviors.ExtraHop chose to integrate with ticketing, SIEM and SOAR for automated orchestration, and with firewalls or endpoint protection solutions for automated response. Reveal(x) is priced as a set of subscriptions, which depends on the number of endpoints, and so-called “critical assets” combined with bandwidth tiers. Additional features, such as full-packet capture and physical appliances, are priced separately.

Fidelis

Fidelis is based in Bethesda, Maryland. In addition to its NDR solution, the vendor also sells its own EDR and deception products. Fidelis combines multiple techniques to detect malicious traffic, including supervised and unsupervised machine learning, signatures, and statistical analysis. In April 2020, Fidelis launched a stand-alone TLS decryption appliance. It plans to add TLS decryption as an option on its sensors in 3Q20. It also uses JA3 signatures and machine learning techniques to analyze encrypted TLS traffic.Fidelis Network does not directly integrate with any firewall solutions. It provides automated responses, such as packet drops, TCP resets and email quarantine, as well as quarantining files and custom playbooks, through its integration with its own EDR tool, Fidelis Endpoint. Fidelis also integrates with Carbon Black Cloud and other EDR tools. Fidelis can export data to SIEM and SOAR products. Manual response capabilities include the ability to search metadata, which can be stored for as long as the customer decides to keep it. Fidelis Network is licensed on an aggregate bandwidth and metadata storage model. An on-premises license can be purchased as a subscription or a perpetual model. A cloud license (managed from the cloud with data stored in the cloud) can only be licensed as a subscription.

FireEye

FireEye is a global security company, based in Milpitas, California. FireEye SmartVision is its NDR solution, specialized on server-side traffic. SmartVision physical or virtual sensors are deployed typically to intercept client-to-server traffic. SmartVision detection engines heavily leverage IDS and threat intelligence rule-based controls. FireEye products are powered by a proprietary Multi-Vector Execution (MVX) engine, which can be hosted on-premises or in the cloud. FireEye Network Forensics provides full-packet capture and analysis of traffic. Machine learning techniques also apply to traffic and file analysis.FireEye SmartVision response capabilities are available through the vendor’s orchestration and endpoint solutions, or via numerous integrations. Additional investigation tools are part of the FireEye Helix threat hunting and managed security service offering. The SmartVision solution can be purchased with a perpetual license (customers buy appliances), or as an annual subscription (based on Mbps of throughput or on a per-user basis).

Flowmon

Flowmon is based in Brno, Czechia. Its detection algorithms are based on a combination of multiple techniques, including machine learning, heuristics, statistical and signature-based methods. Flowmon does not decrypt TLS traffic. It uses encrypted traffic analysis techniques to look for indicators of compromise and compliance-related risks. It also uses JA3 fingerprints, but it does not rely heavily on this technique. Flowmon can ingest flow data (for example, NetFlow, IPFIX and others) from the network infrastructure, but it achieves the best results when customers implement its probes. These probes generate metadata that provides visibility into Layer 7 traffic across multiple protocols. The probes also include a memory buffer to support event-triggered packet captures.Flowmon supports some automated response capabilities through formal partnerships and integration with Cisco’s NAC tool, Fortinet and Hillstone firewalls, and some other products. The tool also enables manual response by providing the ability to query and analyze origin data for threat hunting and incident analysis. Flowmon’s detection engine is licensed per volume of processed flows per second (fps). Customers can purchase yearly subscriptions or perpetual licenses. Flowmon collectors are licensed based on performance (fps) and storage capacity. Stand-alone probes are licensed per number of interfaces and speeds.

Gigamon

Based in Santa Clara, California, Gigamon’s ThreatINSIGHT solution is based on technology from its acquisition of ICEBRG in 2018. ThreatINSIGHT uses a combination of techniques to detect suspicious traffic, including supervised and unsupervised machine learning, deep learning, and signatures. ThreatINSIGHT can analyze decrypted TLS traffic when it is coupled with Gigamon’s SSL decryption feature (an optional component of Gigamon’s flagship GigaVUE network packet broker). To analyze unencrypted TLS traffic, ThreatINSIGHT uses JA3 signatures and it applies machine learning techniques to detect anomalous patterns of communication within the encrypted traffic stream.When compared to many of its competitors, ThreatINSIGHT has limited integrations with technology partners to automatically respond to detections. It integrates with Demisto, Splunk and Mimecast, but it does not have any partnerships with firewall vendors (to drop suspicious traffic) or NAC vendors (to isolate a compromised endpoint). The Insight Query Language (IQL) feature allows incident responders to perform threat hunting and incident response by searching through a store of metadata. ThreatINSIGHT is available as a subscription service, priced according to bandwidth. As part of the subscription, every ThreatINSIGHT customer receives a dedicated Technical Account Manager, regardless of their size.

GREYCORTEX

With headquarters in Brno, Czechia, GREYCORTEX is a pure-play NDR vendor offering a solution called MENDEL. GREYCORTEX offers its solution mainly in Europe and the Asia/Pacific region. MENDEL consists of virtual and physical appliances. It can work with a single device, combining traffic gathering (sensors) and analysis (collectors), and expand to a three-tier architecture by adding a centralized management to handle multiple collectors. GREYCORTEX combines numerous supervised and unsupervised machine learning models, then correlates it with rule-based controls. It also provides solutions for ICS/SCADA networks. GREYCORTEX NDR supports configurable packet capture, and uses JA3 fingerprinting for TLS analysis and supports TLS decryption.MENDEL can automatically block by instrumenting third-party network and security devices, leveraging their management API. Default configuration includes one month of searchable metadata. Two pricing models are available. Customers can purchase perpetual licenses based on sensor throughput and flows per second. Alternatively, customers can purchase a subscription license, also based on sensor throughput and flows per second (the subscription price includes support).

Hillstone Networks

Hillstone Networks is a large network security vendor, based in Suzhou, China, with regional headquarters in Santa Clara, California. Its Server Breach Detection System (sBDS) can be deployed as a stand-alone product, and its threat detection sensors can also be bundled in the vendor’s centralized analytics solution (i-Source). Hillstone’s solution combines the various engines from its security portfolio, including IDS and malware inspection, but does not decrypt or analyze TLS sessions. Its use of unsupervised machine learning is focused on baselining client-to-server traffic patterns and spotting deviations.Hillstone’s NDR solution integrates with other products from the vendor for incident response. Pricing is based on appliance purchase and attached subscriptions.

IronNet

Based in Fulton, Maryland, IronNet targets large enterprises that are concerned about attacks from nation states. Its solution uses a combination of behavioral detection techniques, including supervised and unsupervised machine learning and some deep learning. It also uses statistical analysis and some heuristic techniques to detect suspicious traffic. IronNet does not decrypt TLS traffic, and it does not support JA3 fingerprints. However, it uses a range of artificial intelligence and machine learning techniques to detect suspicious TLS traffic.Unlike many vendors in this market, IronNet does not automatically respond to threats by integrating with firewalls to drop suspicious network traffic. However, it does integrate with leading SOAR and SIEM products. IronNet has strong manual hunt capabilities, enabling threat hunters to investigate across network flow data and pull packet capture (PCAP) on any flow (not just what IronDefense deems as high risk). The Expert System feature in the IronDefense product prioritizes threats and provides contextual information for incident responders. The solution also provides a crowdsourcing feature that enables communities of peer enterprises to collaborate against targeted threats. Pricing for IronDefense is based on a flat monthly fee based on analytical throughput (not ingest throughput) or by number of users. Customers must purchase IronDefense physical or virtual sensors.

Lastline

On 4 June 2020, VMware announced the intent to acquire Lastline. Gartner expects the deal to close by the end of June. After the deal has closed, Gartner expects that VMware will integrate Lastline technology into its NSX product.Lastline is based in San Mateo, California. Its Defender product uses a combination of techniques to detect suspicious traffic, including supervised and unsupervised machine learning, and some deep learning functions. It also uses signatures, statistical analysis and heuristics, as well as a sandbox to detect malicious files. Defender does not natively decrypt TLS traffic. Instead, it applies anomaly detection to JA3 hashes. It also applies encrypted traffic analysis techniques to detect suspicious traffic without inspecting the payload.Lastline’s automated response with firewall vendors (to send a command to the firewall, so it drops suspicious traffic) is limited to only Check Point Software Technologies. However, Lastline integrates with many other security products, including VMware Carbon Black Cloud, Symantec (Blue Coat), Splunk (Phantom), Trend Micro (Tipping Point), Palo Alto Networks and several others. When the Lastline sensors are deployed in-line, they can block suspicious traffic. For manual response, Lastline provides good threat hunting and incident response capabilities. The solution includes the open-source Kibana search and visualization product. Lastline has also built a query language to do more complex searches. The solution includes a triage functionality that correlates multiple alerts into a single high-fidelity alert. Defender is sold as a subscription. Organizations can purchase based on either the number of protected hosts or the number of protected users.

Plixer

Based in Kennebunk, Maine, Plixer is a network performance monitoring and security vendor, offering an NDR solution based around Scrutinizer. Its customer base is mainly in the U.S. and Europe. Scrutinizer is deployed as physical/virtual sensors or as a SaaS. Scrutinizer collects metadata from the existing network infrastructure (switches, routers, firewalls, packet brokers, etc.), as well as from Plixer FlowPro, which is an optional sensor. The vendor recently acquired endpoint monitoring software, which promises to add more endpoint-related monitoring. Plixer offers integration with Endace for full-packet capture. Scrutinizer includes multiple rule-based and heuristic detections, detecting network anomalies, and security incidents. It complements these techniques with traffic baselining for anomaly detection and JA3 fingerprinting for TLS session analysis.Scrutinizer’s response capabilities include incident-based and threshold-based triggers to update firewall or other network equipment through API calls. Plixer’s subscription licensing is based on flow rate and the number of metadata-exporting network devices. Threat hunting capabilities are integral to Scrutinizer.

Vectra

Vectra is a global NDR vendor, with headquarters in San Jose, California. Vectra Cognito is the company’s main product offering. The vendor was early on the NDR market with its Cognito platform. Vectra is highly visible in Gartner client inquiries across the Americas and EMEA regions, and growing in the Asia/Pacific region. Cognito Detect, the NDR product, leverages physical appliance sensors and virtual machines deployable on hypervisors and on IaaS platforms, and can interact with some SaaS through APIs to gather SaaS events. The analysis engine (Vectra Brain) can be deployed on-premises or on public cloud. Vectra uses supervised machine learning to detect global threats, and combines it with threat intelligence for more accurate detection of known bad actors. It uses unsupervised learning models for more contextualized anomaly detection. The vendor uses JA3 fingerprinting and other techniques to provide detection coverage for encrypted traffic, but does not decrypt TLS. Vectra provides easy-to-understand dashboards, and a “campaign view,” which puts multiple events in context and eases the investigation. Vectra recently launched a beta program for an Office 365 monitoring offering, and released Lockdown, an event aggregation and automated response (via partner integrations) feature that is part of Cognito Detect.Vectra’s Lockdown solution integrates with endpoint controls, firewalls, SOAR and SIEM to provide response capabilities. It can also directly integrate with the infrastructure, taking down workload or temporarily disabling compromised user accounts. Vectra’s pricing, in addition to the hardware costs, is based on the number of active monitored IP addresses. Additional subscriptions are available to forward enriched, Zeek-formatted data in real time to a third-party data lake (Cognito Stream), or to a SaaS that is integrated with Cognito Detect (Cognito Recall) for threat hunting purposes.

Market Recommendations

Enterprises should strongly consider NDR solutions to complement signature-based tools and network sandboxes. Many Gartner clients have reported that NDR tools have detected suspicious network traffic that other perimeter security tools had missed.When evaluating NDR vendors, assess these factors:

Response — Some vendors focus more on automated responses (for example, sending a command to a firewall to drop suspicious traffic), whereas other vendors focus more on manual responses (for example, providing strong threat hunting tools). Enterprises should decide which approach is a better fit for them and should analyze the vendors with response features that best meet their requirements.
Pure-play versus NDR as a feature — Is it more sensible to implement NDR as a feature from another technology vendor (for example, SIEM), or do you require a more full-featured, pure-play NDR solution from one of the vendors analyzed in this Market Guide?

Note 1Representative Vendor Selection

These vendors were selected because they met Gartner’s inclusion criteria, and were not eliminated by our exclusion criteria.

Note 2Other Vendors That We Are Tracking

IoT and OT Specialization Vendors

Armis
Cyberbit

NDR as a Feature Vendors

IBM (QRadar Network Insights)
LogRhythm (NetMon)
Palo Alto Networks (Cortex XDR)

Other Vendors

Accedian
aizoOn
Braintrace
cPacket
Kaspersky (see Note 3)
Lumu
MistNet
MixMode
Noble
Nominet
Quadminers
Qianxin Technology Co., Ltd. (SkyEye)
Qihoo 360
RSA
Stellar Cyber
Tencent (T-Sec NTA)
ThreatBook
Vehere
VIAVI

Note 3: Kaspersky

In September 2017, the U.S. government ordered all federal agencies to remove Kaspersky’s software from their systems. Several media reports, citing unnamed intelligence sources, made additional claims. Gartner is unaware of any evidence brought forward in this matter. At the same time, Kaspersky’s initial complaints have been dismissed by a U.S. District of Columbia Court.Kaspersky has launched a transparency center in Zurich where trusted stakeholders can inspect and evaluate product internals. Kaspersky has also committed to store and process customer data in Zurich, Switzerland. Gartner clients, especially those who work closely with U.S. federal agencies, should consider this information in their risk analysis and continue to monitor this situation for updates.

Cyentia Cybersecurity Research Library

One of the first places I go when performing cyber security research is Cyentia Institute.

Cyentia Cybersecurity Research Library

https://library.cyentia.com/

Selecting the Right SOC Model for Your Organization

Published 24 February 2020 – ID G00464962 – 22 min read

An SOC provides centralized security event monitoring and threat detection and response capabilities, and may support other security operations’ functions and business unit requirements. This research helps security and risk management leaders identify the best SOC model for their organization.

Overview

Key Findings

Security operations centers (SOCs) will fail in their mission without a clear target operating model, and if their deliverables are not tightly coupled to business use cases, risks and outcomes.
A hybrid SOC working with external providers is a credible option that is increasingly being adopted by many organizations, specifically midsize enterprises.
Organizations are increasingly interested in multifunction SOCs, extending SOC duties to incident response, threat intelligence and threat hunting, while adding OT/ICS/IoT in scope.
Building, implementing, running and sustaining a fully staffed 24/7 SOC is cost-prohibitive for most organizations.

Recommendations

Security and risk management leaders responsible for security operations should:

Develop an SOC target operating model, taking into account current risks and threats, as well as the business objectives, focusing on specific threat detection and response use cases.
Use managed detection and response (MDR) or other security services to offset the cost of 24/7 SOC operations and to fill coverage and skills gaps, tactically or as a long-term strategy.
Expand the SOC’s capabilities beyond just SIEM solutions to provide greater visibility into the IT, OT and IoT environment where appropriate, but do not expect a full SOC/NOC integration.
Likewise, plan for SOC functions beyond reactive incident monitoring and into threat detection and response, and even proactive threat hunting.

Strategic Planning Assumption

By 2024, 25% of all organizations will have an SOC function, up from 10% today. This will range from small part-time virtual SOCs to fully staffed full-time SOCs, to outsourcing of SOC services to an external provider, or a combination of these.

Analysis

Security operations centers (SOCs) have historically been adopted by only very large organizations requiring centralized and consolidated security operations focused on security event monitoring, and threat detection and response, usually delivered 24/7.

This has changed, and SOCs are becoming more ubiquitous as organizations large and small shift security efforts from prevention only to a blend of prevention and detection.

Definition

Gartner defines an SOC as a construct with the following characteristics:

A mission, usually focused on threat detection and response.
A facility, dedicated to the SOC, either physical or virtual.
A team, often operating in around-the-clock shifts to provide 24/7 coverage.
A set of processes and workflows that support the SOC’s functions.
A tool or set of tools to help predict, prevent, detect, assess and respond to security threats and incidents.

However, the SOC does not always have to be a physical facility with hundreds of analysts working around the clock. Gartner has seen less mature, as well as resource-constrained organizations employ staff members to perform security operational functions on an ad hoc basis and remotely (that is, where there is a virtual SOC function being delivered). While SOC is the ubiquitous term, other terms such as cybersecurity operations center, cyber defense center and cyber fusion center are often used.

Gartner observes a renewed interest from incoming inquiries in merging both the NOC and SOC functions for economies of scale. Although a fully fused NOC/SOC approach is not a viable alternative at scale, the common set of functions between NOC and SOC needs to be identified, and a decision has to be made on where this function will live. At the very least, always improving coordination between the NOC and SOC needs to be encouraged.

An organization cannot buy an outsourced SOC. Outsourced services still feed into an organization’s own security operations regardless of how informal that may be. A hybrid SOC usually connotes an SOC where one or more of the core functions are performed using outsourced security services. It is the most common form of SOC across all organizations, as most organizations will leverage some types of security services (for example, reverse malware engineering is a common function).

Description

SOCs’ main mission is focused on the following functions, with threat detection and response being the most common across SOCs. The SOC needs to be clearly aligned to its target operating model, as defined in “Create an SOC Operating Model to Drive Success.” If a set of functions is not delivered out of the SOC, this could indicate that these functions are performed by another internal structure, an external service provider or are not aligned to the organization’s security use cases:

Security event monitoring, detection, investigation and alert triaging
Security incident response management, including malware analysis and forensic analysis
Threat intelligence management (ingestion, production, curation and dissemination)
Risk-based vulnerability management (notably, the prioritization of patching)
Threat hunting
Security device management and maintenance (for the SOC technology stack)
Development of data and metrics for compliance reporting/management

Figure 1 describes the main functions of an SOC across all SOC models.

Figure 1. Modern SOC Components

Depending on the functions and capabilities provided, a fully functional SOC running 24/7 requires at least eight to 12 full-time employees (see “How to Plan, Design, Operate and Evolve a SOC”). This does not include capacity for management, staff turnover, personal time off or other special activities like malware reverse engineering, forensics and threat analysis that may need to be performed by the SOC staff.

Ideally, an SOC should be located in a dedicated, physical environment (such as an isolated room) with heightened levels of physical access required. Due to the sensitive nature of incident investigations, as well as the potential for tampering with potential evidence and hiding malicious tracks, physical access to the facility needs to be restricted to authorized personnel only. The SOC’s infrastructure (network, systems, applications) should be isolated or segmented from the production network to prevent internal breaches affecting the operations of the SOC. Furthermore, the technology infrastructure used for monitoring and investigations within the SOC should be isolated and separated from the internet. Finally, the SOC will often have its own independent internet connectivity so that it can continue to operate and perform investigations even if the corporate network is, for example, under a distributed denial of service (DDoS) attack. Based on Gartner client inquiries, however, this is not always the case. Although some organizations build/manage SOCs with high levels of physical protection and isolation, as described above, most organizations opt for a traditional office environment and simple isolation measures.

SOC Models

Five main models of SOC have emerged, which can be mapped along the maturity of the SOC processes and workflows in an organization, as described in Figure 2.

Figure 2. Five Models of SOC

These models are further described in Table 1 and the sections below.

Table 1: Five Primary Operational SOC Models for Typical Organizations

Enlarge Table

SOC Model	Typical Maturity of SOC Workflows	Main Attribute	When to Select
Virtual SOC	Very low	No dedicated facility	No dedicated facility available Part-time and geographically distributed team members Activated when an incident is discovered
Multifunction SOC	Low to medium	Simple SOC with IoT/OT/ICS and some 24/7 NOC	Dedicated facility with a dedicated team performing, not just security, but some other critical 24/7 IT operations from the same facility to reduce costs Availability of some formalized processes and workflows
Hybrid SOC	Low to very high	Mixes internal resources and outsourced security services Any SOC model can be qualified as hybrid when it uses outsourced security services	Dedicated and semidedicated staff, either internally or outsourced Security operations can be performed by the organization’s internal staff 24/7, 8-5 on weekdays, or 8-5 every day with some responsibilities offloaded to an external provider Primary model when fully delegated to an MSSP or an MDR
Dedicated SOC	Medium to high	Self-contained, in-house, dedicated 24/7 threat detection and response	Dedicated facility Dedicated team Fully in-house, 24/7 operations Incident response, TH and TI functions and teams in place
Command SOC	High to very high	Manages and coordinates other SOCs and activities	Need to coordinate other SOCs Coordinate response across all SOCs for major incidents Provide threat intelligence, situational awareness and additional expertise Rarely directly involved in day-to-day operations

Source: Gartner (February 2020)

Virtual SOC

A virtual SOC (vSOC) does not reside in a dedicated facility, nor does it have a common war room.

Instead, it is composed of team members who may have other duties and functions. Since there may not be dedicated tools for the SOC, like a SIEM, team members rely on available IT, and sometimes security technologies, and become active when a security incident occurs. In addition to a lack of SOC tools and SOC expertise, the lack of formalized processes and workflows for both the detection as well as the response phase is a typical attribute of a vSOC. Things are done reactively, ad hoc, using the available people and tools, usually on a best effort and nondeterministic way.

A vSOC is typically suited to smaller enterprises that experience only infrequent incidents and/or do not have resources for a more encompassing SOC. Sometimes an organization can only afford an IT person or a handful of people who can, on a part-time basis, review alerts generated by the firewall or an antivirus, or periodically review critical logs in support of a threat detection and response function.

Multifunction SOC

The defining attribute of a multifunction SOC is to bring IoT/OT/ICS in scope for the SOC, and/or to deliver on other critical 24/7 IT operations from the same facility to reduce costs.

This model is usually adopted by less mature organizations that need to deliver multiple use cases from the same facility, and that may not have dedicated expertise in IT, security and OT. These use cases are usually simple enough, both from the NOC as well as SOC standpoint, to be delivered by common tools and common people. However, factors such as politics, budget and process maturity levels can lead to staff members doing multiple things, but none of them well. NOCs adhere to the Information Technology Infrastructure Library (ITIL) definitions of incident and incident management, which is generally not the right approach to take in terms of security incidents. The ITIL’s focus is on events that cause a disruption of service, with the goal of restoring the service as quickly and efficiently as possible. Security and risk management leaders must never be distracted by this convergence or else it may affect the mission of the SOC and its ability to help securely deliver and enable business outcomes.

Organizations engaged in this model always start by mapping available telemetry, tools, and expertise, and defining common use cases, processes and workflows for the multifunction SOC (see “Align NetOps and SecOps Tool Objectives With Shared Use Cases”). These can include not only IT and security devices and users, but also IoT/OT/ICS.

Hybrid SOC

The defining attribute for a hybrid SOC is to mix both internal resources with outsourced ones, while leveraging external security services for the delivery of some or most of the SOC functions.

One or more dedicated people are responsible for ongoing SOC operations, involving semidedicated team members and third parties, as required. If an organization cannot operate 24/7, the resulting gap can be covered by a number of providers, resulting in a hybrid SOC model. These providers might include an MSSP (see “Magic Quadrant for Managed Security Services, Worldwide”), a managed detection and response (MDR) service provider (see “Market Guide for Managed Detection and Response Services”), a co-managed SIEM service provider, or sometimes a special security consulting provider or system integrator (SI) for such services as specialized incident response/forensics. Only large enterprises are able to afford and commit to dedicated, 24/7 internal SOCs. However, many organizations desire some form of internal security operations capability (although limited), even if they are using an external provider for a majority of their security monitoring needs.

The hybrid SOC model can reduce the cost of 24/7 operations. Therefore, it is well suited not only for small to midsize enterprises, and especially for those working extensively with third parties, but also to larger organizations and mature SOCs that can selectively outsource some security services.

Furthermore, it allows the organization to maintain stable security operations while internal capabilities are developed over time. During this time, any resource gaps can be filled, and existing security resources can shift their focus to other activities, such as deeper investigations of incidents. As such, this model is also adopted by organizations that have a desire to build insourced competencies but (1) need an immediate solution to their problem, (2) have limited expertise to be autonomous right away, and (3) want to leverage the security service provider for knowledge transfer and continuous expertise gathering.

Driving adoption of this model are a shortage and gap in the availability of skills and expertise, general budget constraints, and the considerable cost of 24/7 security operations. As an example, Gartner has seen increased interest in and adoption of co-managed SIEM services (see “How and When to Use Co-managed Security Information and Event Management”).

Dedicated SOC

The defining attribute of a dedicated SOC is to have a 24/7 centralized threat detection and response function, with a dedicated facility, IT, and security infrastructure and team, and robust processes and workflows. It is self-contained, possessing all of the resources required for continuous day-to-day security operations.

A fully centralized SOC is suited for large enterprises with multiple business units and geographically dispersed locations, sensitive environments, and high-risk, high-security requirements, as well as service providers that provide MSSs. Specifically, large enterprises choose to build, implement and run their own SOCs when:

Laws, regulations or governance issues prevent the outsourcing option.
There are concerns about specific/targeted threats.
Specialized expertise and knowledge about the business cannot be outsourced.
The organization’s technology stack is not supported by third-party security services.

Recently, Gartner is seeing large enterprises with a complex and distinct set of use cases and/or very widespread security mandates fusing traditional security operations with more contemporary functions. Examples of these extended use cases include, but are not limited to, threat intelligence, cyber incident response and OT/Internet of Things (IoT) security. There are, however, both advantages and disadvantages to doing this. For example, fusing incident response as part of the SOC will allow tighter integration between detection and response, and is an essential factor needed for security operational success (see “Prepare for the Inevitable With an Effective Security Incident Response Plan”). On the other end of the spectrum, it can create separation of duties conflicts and/or pull the security event monitoring resources away from the incident response tasks, thus affecting the effectiveness of the monitoring during an actual incident (see “How to Plan, Design, Operate and Evolve a SOC”).

Dedicated SOCs usually keep most functions in house and minimize security services. However, even large dedicated SOCs can outsource some very specific functions, such as reverse malware engineering. Strictly speaking, most dedicated SOCs are also very advanced hybrid SOCs.

Command SOC

The defining attribute of a command SOC is to support and manage several SOCs, and not be involved in day-to-day operations.

Very large and/or distributed organizations that have regional offices with a certain operating independence, service providers offering MSSs and those providing shared services (for example, government agencies) may have more than one SOC under their purview. Where these SOCs are required to run autonomously, they will function as centralized or distributed SOCs. In some instances, the SOCs will work together, but must be managed hierarchically. In those cases, one SOC should be designated as the command SOC. The command SOC coordinates security intelligence gathering, produces threat intelligence, curates and fuses these for consumption by all other SOCs, in addition to providing additional expertise and skills such as forensic investigations and/or threat analysis. Sometimes, this is how a computer emergency response team (CERT) functions in smaller countries where they are serving as an aggregation and coordination point more than delivering day-to-day security operations.

Benefits and Uses

Improved Threat Management

Many organizations already routinely implement and/or employ a variety of security technologies and services designed to prevent and detect threats, as well as harden and protect assets. When these solutions are managed in silos, organizations lose the opportunity to centrally consolidate, normalize, correlate and monitor these threats in real time, and will at best waste valuable time and resources, and at worst miss obvious threats that an SOC could have easily detected. Such a value is realized via the SOC as a delivery vehicle for a central point of reconciliation and management of these threats.

Reduction in MTTD and MTTR Incidents

Integrated security event monitoring gives the security operations team better visibility and enables it to correlate patterns and surface suspicious activities. Effective detection and escalation of incidents and close coordination between the individual teams within a defined workflow and process allow an organization to detect and respond faster, improving both mean time to detect (MTTD) and mean time to remediate (MTTR).

Centralization and Consolidation of Security Functions

Consolidating security functions in an SOC can provide cost efficiencies, enable cost sharing and leverage economies of scale while maximizing the available expertise, skills and resources. For larger organizations with a distributed geographical environment, especially those with local governance requirements, centralizing some security operations functions can help provide a centralized view, as well as a set of core security services, to all entities, while respecting local regulations.

Regulatory Compliance

An SOC is often the operational model of choice for large and some midsize enterprises to meet regulatory requirements mandating security event monitoring, vulnerability management and incident response functions. Furthermore, an SOC can improve compliance auditing and reporting across the organization, but an SOC would typically not be built for compliance-only use cases.

Adoption Rate

Gartner indicates SOC spending tends to be a significant percent of an organization’s total security budget (see “SOC Development Roadmap”) — 57% spend over 20% of security’s total budget on the SOC. However, clients seem to be split between insourcing or outsourcing their SOC (see “Setting Up a Security Operations Center (SOC)”). In addition, an increased spending in SOC is sustained by:

Maturing of information security programs
Centralization of incident detection, threat detection and response capabilities, as well as consolidation of security operations functions expanded throughout the entire organization
Current and future legislation and regulatory frameworks that mandate security event monitoring and detection and response capabilities (see “A Technical Solution Landscape to Support Selected GDPR Requirements”)
An increase in risks/threats via breaches and incidents
Growth of technology usage due to digitalization of business (see “Hype Cycle for Threat-Facing Technologies, 2019”)
Increased adoption of external service support for security event monitoring and device management

In 2019, Gartner saw a 39% increase of inquiries from clients requesting assistance on both building and maturing their security operations through the lens of an SOC. These clients have security operations functions that are either conducted by internal staff, supported by an external provider offering MSSs to offload some of the SOC functions from the organization internally, or provided in the form of regionally or vertically aligned shared services.

Risks

Lack of Improvement in Breach Response Efficiency/Capabilities

With threat management as a major driver for adopting an SOC, most will be judged by how they perform in that function and will be measured by the speed and efficacy of security event monitoring and threat detection and response.

Organizations adopting the SOC model should carefully evaluate how this investment translates to less frequent and severe breaches, and compare it to their own pre-SOC state. Furthermore, security technologies are not silver bullets. SOCs may become overwhelmed by the vast number of alerts generated by an expanding number of security tools. Although this is a common issue, there is no simple solution to avoid this quandary. After all, some organizations genuinely have a lot of malicious activity, which leads to alert overload. Better SIEM tuning to minimize noise, use of advanced analytics for better detection, and use of automation for alert triage and faster response are often used to reduce the alert flood.

Skills, Expertise and Staff Retention

Staff retention for SOC analysts is generally difficult. Even service providers that can offer a career path and progression struggle to keep their SOC analysts for longer than three to four years. As a result of the shift-based and repetitive work, in addition to a rare and sought-after skill set, the SOC analyst role is often seen as a steppingstone role. This trend is further exacerbated by a global shortage in available qualified staff (see “Adapt Your Traditional Staffing Practices for Cybersecurity”).

An understaffed SOC or one staffed with inexperienced analysts will be ineffective and will struggle to achieve its objective of rapid detection and response to threats and incidents, despite all the spend on technology and data collection. It will also increase analyst attrition if left understaffed for longer periods. To avoid starting an SOC project that can never succeed due to resource constraints, seek out alternatives such as MSSs or other forms of hybrid and outsourced security event monitoring, like MDR service providers. Alternatively, start with non-24/7 coverage and expand later when the resources are available.

Regardless of the SOC model implemented, Gartner recommends developing an SOC staff retention strategy from the start, as well as maintaining a continuous hiring capacity, which can help the organization maintain the SOC with the minimum, yet optimum staff required (see “Develop Existing Security Staff to Excel in the Digital Era”).

Return on Investment Demonstration

Security and risk management leaders need to understand that success is not just about achieving the security operations metrics, but also about the concurrently external metrics that align with the business. Important starting points are paying attention to what is your market, what is your message and what media you should use. For example, concerns over detection rates, open tickets per analyst and ticket closure rates are warranted. However, do not lose sight of the fact that the business is mainly concerned about addressing these questions:

Can we continue to deliver our products/services?
What competitive disruptions or players in our market will cause clients to shift from our products/services?
Are we conducting our activities legally?

For more information on aligning security metrics with business objectives, see “Develop Key Risk Indicators and Security Metrics That Influence Business Decision Making.”

To ensure your organization has the most appropriate security metrics, start with the end in mind and first develop tightly defined goals and metrics the SOC needs to deliver against that align to the business outcomes. Also, make sure that a sustainable budget is secured for the first two to three years of the SOC operation. It will often take this amount of time for people, processes and technology to be integrated into your organization and delivering at a reasonable level of proficiency.

Recommendations

Security and risk management leaders involved in incident monitoring, threat detection and response, and/or other adjacent security operations functions (such as threat hunting and threat intelligence) should benefit from efficiencies by formalizing all relevant duties within a security operations center. This SOC will then:

Gather and centralize required security personnel. These can be present either physically or virtually, and can belong to the organization’s security, operations, IT or network teams, or belong to a service provider. Likewise, these resources can be assigned on a full-time or part-time basis.
Define repeatable and automatable processes and workflows. These will depend on the scope of the SOC and should tend to address not only threat detection but also response. When an outside service provider is involved, it is then particularly important to define the “who is doing what, when” by using a responsible, accountable, consulted, informed RACI matrix to define roles and responsibilities, and expose integrations and communications between the client and the service provider.
Appropriately implement tools. Depending on scope, these tools (which can include, for example, CLM, SIEM, SOAR, SIRP or ITSM) should be selected and implemented to not only support current SOC requirements, but also current or planned SOC scope creep beyond security. This includes, for example, supporting the IT operations team and its NOC, or the ICS owners and their IoT ecosystem.

The scope of the SOC can then be defined along the following two dimensions:

Breadth of scope. As an example, does the SOC address only a subset of the infrastructure, or a subset of the user population, entire BUs or even the entire organization?
Depth of scope. As an example, does the SOC address basic, best-practice cyber-hygiene use cases, or does it address more complex use cases such as advanced persistent threat (APT) or insider threat? Does it include the IoT ecosystem, and does it deliver some NOC services as well?

Based on the scope of the SOC along these two dimensions, available expertise and resources, and strategic appetite for insourcing versus outsourcing, organizations can engage in an SOC initiative using one of the models described in this research note.

Note 1ITIL 4 Incident and Incident Management Definitions

The definition of “incident” was revised in ITIL 2 as “an event which is not part of the standard operation of a service and which causes or may case disruption to or a reduction in the quality of services and customer productivity.” Failure of one disk from a mirror set would fall in this category. ITIL 4 refers to incident management as a practice, describing key activities, inputs, outputs and roles. The primary objective of the incident management ITIL process is to return the IT service to users as quickly as possible.

Magic Quadrant for Application Security Testing

Published 29 April 2020 – ID G00394281 – 61 min read

Modern application design and the continued adoption of DevSecOps are expanding the scope of the AST market. Security and risk management leaders will need to meet tighter deadlines and test more complex applications by seamlessly integrating and automating AST in the software delivery life cycle.

Strategic Planning Assumptions

By 2025, 70% of attacks against containers will be from known vulnerabilities and misconfigurations that could have been remediated.

By 2025, organizations will speed up their remediation of coding vulnerabilities identified by SAST by 30% with code suggestions applied from automated solutions, up from less than 1% today, reducing time spent fixing bugs by 50%.

By 2024, the provision of a detailed, regularly updated software bill of materials by software vendors will be a non-negotiable requirement for at least half of enterprise software buyers, up from less than 5% in 2019.

Market Definition/Description

Gartner’s view of the market is focused on transformational technologies or approaches delivering on the future needs of end users.

Gartner defines the application security testing (AST) market as the buyers and sellers of products and services designed to analyze and test applications for security vulnerabilities.

We identify four main AST technologies:

Static AST (SAST) technology analyzes an application’s source, bytecode or binary code for security vulnerabilities, typically at the programming and/or testing software life cycle (SLC) phases.
Dynamic AST (DAST) technology analyzes applications in their dynamic, running state during testing or operational phases. It simulates attacks against an application (typically web-enabled applications and services and APIs), analyzes the application’s reactions and, thus, determines whether it is vulnerable.
Interactive AST (IAST) technology combines elements of DAST simultaneously with instrumentation of the application under test. It is typically implemented as an agent within the test runtime environment (for example, instrumenting the Java Virtual Machine [JVM] or .NET CLR) that observes operation or attacks and identifies vulnerabilities.
Software composition analysis (SCA) technology used to identify open-source and third-party components in use in an application, their known security vulnerabilities, and typically adversarial license restrictions.

AST can be delivered as a tool or as a subscription service. Many vendors offer both options to reflect enterprise requirements for a product and a service.

The 2020 Magic Quadrant will focus on a vendor’s SAST, DAST, SCA and IAST offerings, maturity and features as tools or as a service. AST vendors innovating or partnering for these were also included.

Gartner has observed the major driver in the evolution of the AST market is the need to support enterprise DevOps initiatives. Customers require offerings that provide high-assurance, high-value findings while not unnecessarily slowing down development efforts. Clients expect offerings to fit earlier in the development process, with testing often driven by developers rather than security specialists. As a result, this market evaluation focuses more heavily on the buyer’s needs when it comes to supporting rapid and accurate testing capable of being integrated in an increasingly automated fashion throughout the software development life cycle. In addition, Gartner recognizes the growing relevance of containers as an attractive technology for application development, especially for cloud-native applications. We have added support for containers as a factor in the 2020 Magic Quadrant.

Gartner has observed that enterprises today increasingly employ AST for mobile apps. The toolsets for AST, as well as techniques for behavioral analysis, are often employed to analyze source, byte or binary code, and observe the behavior of mobile apps to identify coding, design, packaging, deployment and runtime conditions that introduce security vulnerabilities. While these capabilities are valued, they do not drive the current or evolving needs of customers in the AST space, and thus are similarly not a primary focus of this Magic Quadrant.

Magic Quadrant

Figure 1. Magic Quadrant for Application Security Testing

Source: Gartner (April 2020)

Vendor Strengths and Cautions

CAST

Based in the U.S. and France, CAST is a software intelligence vendor whose product is used to analyze software composition, architecture, flaws, quality grades and cloud readiness. In addition to its code quality testing offering, CAST provides enterprise SAST with the CAST Application Intelligence Platform (AIP). The vendor also offers CAST Highlight, which provides SAST pattern analysis and SCA. The CAST Security Dashboard enables application security professionals to prioritize and resolve application security vulnerabilities. The vendor also provides a desktop version called CAST Lite.

During the past 12 months, CAST continued to expand its language and framework coverage; improved its SCA offering (including the addition of transitive dependencies and visual representation of dependencies); and optimized its scanning for complex projects. CAST also worked on false positive reduction, including the introduction of its autoblackboxing capability. This allows users to fine-tune and customize their analysis (for example, including external code or recognizing and suppressing specific false positives). CAST also introduced AIP Console, which allows for automated application discovery, configuration and set up.

CAST will appeal to large enterprises requiring a solution that combines security testing with code quality testing, and to existing CAST AIP clients that already use the platform for quality testing.

Strengths

CAST offers a single solution that can be used for quality analysis as well as security analysis, which can be appealing to organizations with DevSecOps use cases.
Client feedback highly rated the ability to get a single view into issues across security, quality and architecture. CAST’s analysis engine provides an architectural blueprint of the software that helps test composite applications in multiple languages, visualize the architecture to improve code security by detecting insider threats via rogue data access and reduce false positives.
The vendor provides a scoring mechanism that can be calibrated to organization-specific criteria to track whether an application’s health is increasing or deteriorating from security, reliability and multiple other standpoints.
CAST provides the ability to set up a plan of action based on a particular objective, such as reducing technical debt or improving the security score.
Client feedback favorably rated the scalability and performance of the SAST engine in analyzing larger applications.

Cautions

Clients perceive CAST as an application quality testing solution provider, rather than an established application security vendor.
The vendor does not provide SCA as part of its main SAST offering, AIP, but only with CAST Highlight.
CAST’s SAST solution is missing key software development life cycle (SDLC) integration features, such as a spellchecker, incremental scanning and, most importantly, an integrated development environment (IDE) plug-in.
CAST clients often cite setup, implementation and customization as areas for improvement. Also, the vendor does not provide 24/7 support.
CAST does not provide DAST or IAST, and has no partnerships to deliver either.

Checkmarx

Known originally for its SAST offering, Checkmarx has expanded the scope of its portfolio to include SCA, IAST and — via a partnership — managed DAST. An on-demand interactive educational offering, CxCodebashing, provides developers with just-in-time training about vulnerabilities within code. The vendor’s SCA product is essentially new this year, with an internally developed version replacing a previous OEM offering retaining the same name, CxOSA. The SCA offering also supports new container scanning capabilities to aid in identifying problematic open source in images. Another change is the addition of a Docker and Linux-based SAST scanning engine. This addresses past complaints around a requirement for Windows to support local scanning engines, and also enables a new “elastic” scanning facility allowing customers to add (or remove) scanning engines to reflect changing workloads. Another update offers expanded prioritization of results based on a confidence rating (derived from a machine learning [ML] algorithm) and other variables, such as user-defined policies, severity ratings, age and several others.

Checkmarx offers a mix of deployment options for most of its products, with identical capabilities available in on-premises, cloud and managed service forms. Based in Tel Aviv, the vendor offers a global presence in North and South America, Europe, and the Asia/Pacific region, including Japan. Principal support centers are located in Texas, Israel and India. Checkmarx was acquired on 16 March 2020 by private equity firm Hellman & Friedman from Insight Ventures, which retains a minority interest. As this acquisition occurred following the deadline for this Magic Quadrant, any impact on the vendor’s position was not addressed.

Strengths

The vendor’s portfolio competes well for various use cases, including DevSecOps, cloud-native development and more traditional development approaches where SAST is a central requirement. SAST capabilities support a broad variety of programming languages and frameworks, and include support for incremental and parallel tests.
CxIAST employs a passive scanning model and results are correlated with SAST findings, as are issues discovered within open-source packages. This helps with validation of results, and can aid in confirming that a vulnerability is within executable code.
Tool integration within IDEs and the build environment is frequently cited as a strength by customers.
Remediation guidance, augmented by the optional CxCodebashing education component, helps developers understand vulnerabilities and how they can be resolved. A graph-based display of code execution paths and vulnerabilities highlights a proposed “best fix” location. Also, chat-based guidance provides fix advice from Checkmarx support staff.
The product suite offers guidance on the prioritization of vulnerabilities, with reports factoring in data such as the severity of the vulnerability, impact, source and sink information, and confidence level. Confidence levels are derived from a mix of technologies, including an ML algorithm to validate results and correlation between SAST findings and those discovered by IAST or SCA tests.
Through its various components, the Checkmarx portfolio offers basic support for both API security testing and container scanning. The vendor indicates that it plans to continue investment in these areas.

Cautions

Reflecting its history, the bulk of the vendor’s customers are for its CxSAST product, although Checkmarx continues to invest in expanding its portfolio and capabilities, and other products show growth.
CxDAST is based on a third-party technology relationship and is only available as part of a managed service offering. For use cases where DAST is a primary — or the only — element of an AST effort, the offering may be less attractive.
CxOSA, despite retaining the existing name and feature set, is essentially a new product and is available only as an add-on to the CxSAST product.
Licensing continues to be raised as a source of dissatisfaction by some customers, which may be a consequence of the mix of pricing models offered. Especially for SAST, these are generally based on the number of users or projects/applications — an approach that is emerging as an industry standard. When combined with multiple license models (perpetual, term and subscription), prospective customers gain flexibility, along with complexity. Rankings for negotiation flexibility, pricing and value are on par with competitive vendors, and are generally positive.

Contrast Security

Based in the U.S., Contrast Security is an AST vendor that also sells in the U.K., EU and the Asia/Pacific region. The Contrast platform consists of three primary products: IAST (Contrast Assess), SCA (Contrast OSS) and RASP (Contrast Protect). Contrast Assess incorporates Contrast OSS, which automatically performs SCA through both static scans and runtime analysis, and as a part of the Contrast platform. Contrast Protect) can be licensed independently or jointly with Contrast Assess. The vendor also offers a central management console, the Contrast TeamServer, which can be delivered as a service or on-premises. The testing approach, known as self-testing or passive IAST, does not require an external scanning component to generate attack patterns to identify vulnerabilities; rather, it is driven by application test activity, such as quality assurance (QA), executed automatically or manually.

Contrast is a good fit for organizations pursuing a DevOps methodology and looking for approaches to insert automated, continuous security testing that is developer-centric. Organizations that have developers with previous security experience favor Contrast for its lower operational complexity and a quick start into DevSecOps. Some are skipping the traditional SAST/DAST starting point and going straight to IAST. Contrast offers service integrations with the Eclipse, Rational Application Developer for WebSphere Software, IntelliJ IDEA, Visual Studio (VS) Code and VS IDEs through plug-ins that users can install from the vendor’s public IDE marketplace. Contrast provides a comprehensive REST API, as well as out-of-the-box integrations with common DevOps tools such as Chef, Puppet, Jenkins, Azure Pipelines, Maven and Gradle.

Strengths

Contrast Assess, combined with the vendor’s SCA product (Contrast OSS), is a good choice for organizations leveraging a DevOps or agile approach, offering a quick starting point and rapid integration across the entire SDLC. Gartner client feedback indicates that this also helps in embedding AST among development teams without security testing expertise, because the agent can identify vulnerabilities through normal application testing. Contrast Assess is one of the most broadly adopted IAST solutions and continues to compete on nearly every IAST shortlist.
Contrast’s reporting tool, TeamServer, provides a comprehensive view of code, dependencies, vulnerabilities and project security status in an easy-to-use, intuitive platform. Status is reported as a grade (A through F), making it simple to consume status quickly across complex DevSecOps projects. It also includes a tool for representing dependencies and services in the form of a map, which makes it easier to visualize the attack surface.
Contrast has put significant effort into scanning COTS software, making it a good choice for enterprises with large implementations of third-party code that might be concerned with COTS application security and dependencies on third-party application libraries.
Clients highly rate the ease of use of the tool and the vendor’s support. Contrast introduced a Community Edition for Assess and Protect to allow users to utilize the fully functional platform for a limited number of applications.
Contrast’s platform support provides AST, SCA and RASP for Java, .NET Framework, .NET Core, Node.js, Ruby, and Python.

Cautions

Contrast Security offers a full IAST and SCA solution, and does not provide stand-alone SAST or DAST tools or services, although its IAST tools can do similar testing in some cases.
Client feedback suggests that, due to the passive testing model, effective test coverage requires clients to have mature test automation capabilities or to run Contrast Assess in conjunction with DAST or “DAST-lite” tools. To address this, Contrast introduced a “route coverage” feature to give clients visibility into their test coverage by highlighting which parts of the application were exercised or still need to be covered.
Contrast can test mobile application back ends, but not the client-side code of the mobile app, and does not conduct behavioral analysis or check front-end code vulnerabilities, such as DOM-based XSS.
Contrast does not feature some of the nice-to-have ongoing support mechanisms that organizations with no AST experience often look for (for example, IDE gamification, human-checked results), although it does support chat with staff for specific questions.

GitLab

GitLab is a global company with headquarters in the U.S. GitLab provides a continuous integration/continuous delivery (CI/CD)-enabling platform and offers AST as part of its Ultimate/Gold tier. The vendor combines proprietary and open-source scanner results within its own workflows, and provides SAST and DAST. GitLab also provides SCA functionality with Dependency Scanning. It also provides open-source scanning capabilities with Container Scanning and License Compliance. A new entrant in the Magic Quadrant, in the past 12 months GitLab introduced support for Java, remediation recommendations and a security dashboard. It also integrated the SCA technology, stemming from the acquisition of Gemnasium, into its SCA offering. GitLab also added, among other features, Secret Detection to its SAST. This functionality serves to scan the content of the repository and identify credentials and other sensitive information that should not be left unprotected in the code.

GitLab will prove a good fit for organizations that use its platform as a development environment, and for organizations looking for a broader development CI/CD-enabling solution that comes with a developer-friendly and affordable security scanning option.

Strengths

GitLab has a single platform for development and security for the entire SDLC, which allows for easier integration of security, as well as easier acceptance and adoption for developers. Security professionals have visibility into the vulnerabilities at the time the code is committed, and when modifications, approvals and exceptions are made, and can also enforce security policies in the merge request flow.
The vendor’s SAST, Secret Detection; DAST, Dependency Scanning; and Container Scanning and License Compliance offerings are included in the Ultimate/Gold tier. Its pricing is publicly available, and provides a relatively affordable option.
GitLab provides DAST on a developer’s individual code changes within the code repository. It does so by recreating a review application based on the code that is already committed in the repository.
Users can configure requirements for pipelines, and ensure that some, or all, of the security scans are a part of that.
GitLab provides container scanning for vulnerabilities, and for code deployments in Docker containers and those using Kubernetes.

Cautions

GitLab’s SAST lacks features that are available in more mature offerings. Language coverage is limited and the dashboard lacks the granularity and customizability of more established tools. Its SAST offering lacks features such as quick fix recommendations. Although GitLab can test developer code before merging it, it does not have an IDE plug-in and does not provide real-time spell checking.
GitLab is new to the AST space and Gartner clients haven’t traditionally considered it a security vendor. Its security offering is relatively new, and doesn’t have extensive end-user feedback.
GitLab’s AST comes as part of the broader development platform. Organizations that do not use GitLab for development will find stand-alone security scanning from the vendor impractical.
The vendor does not provide specific mobile AST support and its DAST offering is essentially Open Web Application Security Project’s (OWASP’s) open-source ZAP tool.

HCL Software

HCL Software is, at least in name, a newcomer to this Magic Quadrant, having acquired IBM’s AppScan products and technologies after the company exited the application security business. The acquisition was preceded by a two-year span in which HCL was responsible for development and maintenance of the product line, while IBM continued the sales and marketing functions. HCL AppScan is suitable for a variety of use cases, making it attractive to larger organizations with a mix of requirements. HCL Software is based in India. Regional sales and support offices are located in North and Central America, Europe, and several countries in the Asia/Pacific region.

The overall structure of the product portfolio remains largely unchanged, albeit somewhat complex. On-premises products include AppScan Source for SAST, and AppScan Standard and AppScan Enterprise for desktop and on-premises DAST, respectively. AppScan Enterprise Server is an on-premises server platform for sharing policies, results and DAST scanning manually and via automation. Service-based offerings are all grouped under the AppScan on Cloud brand and include both SAST and DAST support. HCL’s IAST offering, called Glass Box, is largely an extension of — and tightly integrated with — its DAST products (both on-premises and cloud-based versions). Software composition analysis is provided by the AppScan on Cloud service, and is based on an HCL static analysis engine coupled with an OEM database provided by WhiteSource. Mobile testing is available via AppScan Source for static analysis, and AppScan on Cloud for DAST, IAST and behavioral monitoring. API-specific tests are delivered through a combination of SAST and DAST. In general, products can be deployed on-premises, in the cloud or in a hybrid arrangement.

During the past 12 months, significant effort has been expended on reworking the product line to offer more standard functionality across platforms. For example, its Bring Your Own Language capability enables more consistent language coverage across platforms. Support for Apex, Ruby and Golang, available in the cloud version of AppScan, was added to the on-premises version of the product. Customers and partners can also use the capability, enabling further customization.

Strengths

AppScan enjoys a good reputation for DAST scanning, sharing the same basic technology across the portfolio. The desktop-based AppScan Standard is a customizable offering especially suited for manual assessments. Incremental scanning allows for faster scans, and an “action-based” browser recording technology enables testing of complex workflows and improved insight into single-page applications where not all activity is captured in standard GET/POST operations.
AppScan, while still owned by IBM, was one of the first products to heavily leverage ML techniques for application security tasks, including the provision of Intelligent Finding Analytics (IFA), which helps improve accuracy and identify a “best fix” location for vulnerabilities. Under HCL, progress has continued with an effort to apply ML-based analytics to DAST findings generated by the vendor’s cloud customers to significantly improve speed and accuracy.
HCL offers good support for mobile application testing, leveraging its SAST, DAST, SCA and IAST components, as well as behavioral analysis.
Support for DevOps environments is competitive with other vendors and includes integrations into common IDEs and CI/CD toolchain components. Developers can perform scans in a private sandbox, reviewing results before committing code. The tools provide standard explanatory and supportive information, supplemented by optimal fix information and vulnerability grouping provided by IFA. No formal computer-based training or “just in time” training is provided, although such support — increasingly a staple of AST tools — is reportedly on the roadmap.

Cautions

Any change in ownership is potentially disruptive, although the two-year transfer period from IBM to HCL appears to have eased the transition. However, HCL is at a disadvantage in acquiring new customers, given its current lack of brand awareness in the market. Thus, while the vendor offers a similar product vision as other portfolio vendors, it is ranked lower for its ability to execute.
The AppScan portfolio is robust, but complex, with inconsistent features across platforms. For example, Open Source Analysis is only available in the cloud, and mobile testing can span environments. HCL is taking steps — such as with the Bring Your Own Language facility — to rationalize features across the full range of the portfolio, although the result is not yet complete.
AppScan’s IAST capability is tightly integrated with the DAST offering and cannot be purchased independently. A passive IAST approach, increasingly in favor among DevOps teams, was released on 25 March 2020, after the deadline for this evaluation, and therefore is not considered.
The overall pricing model for HCL’s portfolio is complex. First, cloud offerings are based on a subscription model, but on-premises products are only available with traditional perpetual licenses (including a term-based variation). That disparity complicates purchasing for organizations wishing to pursue a hybrid deployment model. Other pricing metrics vary and are based on the number of applications, users (with varied types of user licenses on offer) and per-scan pricing. Buyers must evaluate multiple options to obtain optimal pricing terms.

Micro Focus

Based in the U.K., Micro Focus is a global provider of AST products and services under the well-known Fortify brand. Micro Focus sales has a broad global reach, with a strong presence in North America, EMEA and Central American markets. Fortify offers Static Code Analyzer (SAST), WebInspect (DAST and IAST), Software Security Center (its console), Application Defender (monitoring and RASP) and Fortify Audit Workbench (AWB). Fortify provides its AST as a product, as well as in the cloud, with Fortify on Demand (FoD). The hybrid model allows the FoD tools to scan code and integrate results with the Fortify reporting tool and the developer environment.

During the past year, Fortify has expanded language support (26 app stacks for SAST) and integration with common CI/CD tools like Jenkins/Jira. Micro Focus has also expanded its partnership with Sonatype to a full OEM agreement and integrated its Static Code Analyzer tool directly into FoD, although it still supports Black Duck and WhiteSource. Fortify’s AST offerings should be considered by enterprises looking for a comprehensive set of AST capabilities — either as a product or service, or combined — with enterprise-class reporting and integration capabilities.

Micro Focus has put investment into a more DevSecOps developer-centric model. This includes moving DAST more fully into the hands of development by providing coordination between FoD scans and code in the IDE. It is focusing on eliminating impediments to fully automated workflows with features like macro autogeneration and API scanning improvements. Fortify supports cloud-friendly deployment models and simplified orchestration, and is adding support for containerization. To facilitate a faster, cleaner DevSecOps model, Fortify has added RESTful APIs and a command line interface for both static and dynamic testing.

Strengths

Fortify is an excellent fit for large enterprises with multiple, complex projects and a variety of coding styles and experience levels. It has shown flexibility and strength in dealing with issues such as legacy code replacement and modern development styles like microservices, and has experience in M&A activity.

Swagger-supported RESTful APIs and the integrated Fortify Ecosystem were built to support modern DevSecOps organizations, a marked improvement over older versions of the product suite. Open-source integrations, both in FoD and with SSC, Jira and Octane automation, are also important steps in this direction.

Fortify offers mobile testing with FoD directly, as well as the tools with SCA and WebInspect in support of mobile application scanning.

While no one has completely solved the issue of false positives, Micro Focus has made significant improvements in simplifying and reducing FPs. Micro Focus has extended its Fortify Audit Assistant feature to allow teams the flexibility to either manually review artificial intelligence (AI) predictions on issues, or to opt in to “automatic predictions,” which allow for a completely in-band automated triaging of findings.

Cautions

While Fortify has begun to show the results of Micro Focus’ investment, overall market awareness has not yet caught up. Gartner client inquiry calls do not yet reflect the new functionality and are still dominated by discussions about the older versions of the product suite.
Fortify is known for its depth and accuracy of results, which meets the needs of enterprise customers that then leverage contextual-based analysis. Less mature organizations looking for incremental improvements over time may experience challenges with the complexity and volume of unfiltered results.
While Fortify offers highly flexible license and pricing models, during inquiries clients report that the pricing remains complicated and the on-premises operational complexity is high.
Automated scans are faster than they were in older versions of the product, and a good fit for DevSecOps, but optional human-audited scan results in FoD are out of band and can take significantly longer. ·Fortify balances this challenge to human auditing by providing customers with the option to enable in-band, AI-driven audits without human intervention, both on-premises and with FoD.

Onapsis

Founded in 2009 in Buenos Aires, Argentina, Onapsis is a U.S.-based company with centers in the U.S., Germany and Argentina. In June 2019, it acquired Virtual Forge, a prominent player in the SAP code security space. Onapsis has established or strengthened relationships with leading strategic system integrators, managed security service providers (MSSPs), technology alliance partners and value-added resellers (VARs), such as Accenture, Deloitte, Optiv, deepwatch and others, to offer services to protect organizations using SAP and Oracle.

The business-critical application space has traditionally used code reviews by developers and security personnel, and has relied on existing defense in-depth measures to protect these applications. Onapsis offers standard AST tools (SAST/DAST) and makes it easy for ERP developers to integrate them into their existing processes. Onapsis is strictly a business-application-based tool supporting the common languages used in development (e.g., ABAP, ABAP Objects, Business Server Pages [BSP], Business Warehouse Objects, SAPUI5, XSJS and SQLScript) The vendor is a good fit for companies developing tools (in-house or as a third party) that want to adopt more of a repeatable DevSecOps, process.

Strengths

Onapsis supports the DevSecOps cycle with plug-ins and services that fit into existing business-critical developer workflows.
The vendor has good support for SAP and Oracle applications as they move to the cloud, such as S/4HANA, C/4HANA, Workday, Salesforce, SuccessFactors, Ariba and others..
Its data flow and tracking options are especially useful for monitoring compliance risks in applications in financial services, human capital management (HCM), supply chain management (SCM) and other applications.
Onapsis supports a number of complex programming languages and offers a good web-based interface for scanning and managing results across multiple projects that fits well with other ERP development tools.
The vendor also supports SAP HANA Studio, Eclipse, SAP Web IDE and SAP ABAP development workbench, with similar workflows and processes across the different development IDEs.

Cautions

Although Onapsis enjoys extensive cooperation with SAP and Oracle, there is some risk as both are still competitors in this space with their own products (e.g., SAP’s Code Vulnerability Analyzer).
With a focus on applications supported by SAP and Oracle, overall programming language support is limited compared to other tools in the AST space, but is focused on common business-critical application developers.
Onapsis has an IDE plug-in for its toolsets, but the experience varies significantly between them. Results of the scans are available through PDF reports with the developer environment, or via a web interface. Onapsis also offers full integration with SAP’s cloud-based Web IDE, which does provide a fully integrated developer experience. For ABAP, there is also a fully integrated experience.
DAST support is limited to workflow and call graph analysis.

Rapid7

Traditionally known for its DAST solutions, including InsightAppSec, Rapid7 has begun to position other products in its portfolio as application security solutions. This includes the vulnerability assessment solution InsightVM, which provides some software composition analysis as part of its container assessment capabilities. The vendor’s tCell product — a RASP offering acquired in late 2018 — provides insights into code execution and vulnerabilities, generally postdeployment. As a RASP offering, tCell relies on the same basic technology as many IAST testing tools, but is designed as an application protection solution, not a testing tool.

Rapid7 retains its reputation for having a strong DAST offering, and is especially suited for use cases where the combination of DAST and vulnerability assessment is valued — such as testing the security of web-based applications, especially where organizations face strong compliance requirements. The addition of tCell provides organizations with an opportunity to work with RASP-based app protection and the insights it can provide. Improvements over the past year include enhancements to authentication support, with the addition of multiple authentication techniques enabling improved application scanning. The vendor has also added support for multiple application frameworks (such as Angular, React and others), improving its ability to test single-page applications, which are increasingly common. Integration is provided with Jira and a variety of CI/CD tools (with additional support available via API), but most in-depth analysis of results takes place in the product’s dashboard. (A Chrome browser extension enables developers and others to interact regarding results without directly accessing the dashboard.)

Rapid7 is based in the U.S., with sales and support offices primarily located in North America and EMEA, and with some presence in the Asia/Pacific region. InsightAppSec is offered as a cloud-based service, with options for on-premises deployments and as a managed service.

Strengths

Rapid7 continues to enjoy a strong reputation for its DAST tool, especially in support of in-depth custom manual assessments. Tests can be performed interactively, allowing for the manipulation of parameters, and aiding troubleshooting and the validation of fixes.
Rapid7’s Universal Translator technology analyzes requests to identify various formats, parses them and normalizes the data to a standard form to create similar attacks across tested formats. For formats that cannot be crawled, such as JSON and REST web services, this is accomplished via user-recorded traffic.
Expanded support for application frameworks makes Rapid7 an attractive choice for testing modern, single-page applications.
Rapid7 continues to enjoy good marks from most users for the product’s ease of use, dashboard and reporting. For example, developers are provided information such as recommendations, description and error information, and attack replay functionality, which enables them to understand, patch and retest vulnerabilities.

Cautions

Rapid7’s inclusion of vulnerability assessment and RASP in its application security portfolio expands the scope of its offering beyond DAST, but the additional tools don’t offer feature parity with competitive solutions. For example, while InsightVM and tCell help identify vulnerabilities in built applications and containers, it does not warn of restrictive open-source licenses — a standard capability for SCA tools. (Rapid7 announced a partnership with SCA specialist Snyk as this Magic Quadrant was being finalized. Any resulting improvements in SCA capabilities will be reflected in future evaluations, as those changes materialize.)
While test results are highly detailed, the tools lack direct integration with IDEs, prompting developers to switch to the InsightAppSec dashboard (or browser extension) to review data and supporting information. It is possible to incorporate vulnerability data into a Jira ticket, which would assist in providing information to a developer more directly.
While individual Rapid7 products are built on a common platform, they lack the correlation of results across tools that other vendors provide, such as between IAST and SCA. However, correlation is provided between DAST and a selection of other vendors’ SAST tools. (Rapid7 lacks a SAST offering of its own.)
Rapid7 does not support distributed scanning.

Synopsys

Based in the U.S., Synopsys is a global company with offerings in the software and semiconductor areas. While Synopsys has been executing a strategy to expand its AST portfolio during the past five years, 2019 was primarily spent on integrating the products together technologically and consolidating their offerings. This has been successful, and the market now sees these products as a well-integrated whole with significant movement from single point solutions to multiproduct purchases.

The Polaris Software Integrity Platform has become the central management tool for all Synopsys AST products (except its DAST managed service, which is still stand-alone). Code Sight, the vendor’s IDE plug-in management tool, has been integrated into the product suite as well, with the goal of providing a complete in-editor experience for developer-based security testing. While primarily aimed at DevSecOps organizations, this developer-centric model is recommended by Gartner as a best practice, and all developers, regardless of methodology, benefit from that approach. Synopsys should be considered by organizations looking for a complete AST offering that want variety in AST technologies, assessment depth, deployment options and licensing.

In January 2020, Synopsys bought DAST and API security provider Tinfoil Security and is adding it to its suite of products; however, this acquisition occurred after the cut-off date for this Magic Quadrant and our analysis does not take it into account.

Strengths

The Synopsys suite is a relatively easy entry point for organizations that may be just starting to take a developer-centric approach to security, as well as more advanced organizations that find integrating and managing a set of point solutions to be too time-consuming.
The Code Sight plug-in is a good fit for DevOps shops. It has strong integration with IDEs to provide feedback early in the development phase. The Code Sight plug-in leverages the IDE to act as an interface to all tools on Polaris, with an emphasis on remediation. This fits well with most development teams, regardless of maturity.
Support for CI/CD tools (for example, Jenkins and Jira reporting) has increased significantly in 2019, with support in Coverity, Seeker and Black Duck being used as part of the overall build/test/deploy cycle.
Seeker continues to be one of the most broadly adopted IAST solutions, with good SDLC integration. Synopsys has an agent-only IAST for Seeker that does not require an inducer. This supports the passive testing model offered by some IAST competitors.
Seeker compliance reports now offer GDPR and Common Attack Pattern Enumeration and Classification vulnerability tracking, in addition to its PCI DSS, OWASP and CWE tracking.

Cautions

Gartner client feedback indicates that the vulnerability clarification and fix recommendation is limited, compared with some of the competitors.
Gartner clients from small and midsize businesses have expressed that, despite interest in the vendor’s solutions, the price is often outside their budgets, especially for nascent programs, leading them to seek less costly alternatives. Synopsys’ sales process is also complicated, and clients have reported trouble navigating it.
Synopsys offers DAST only as a managed service. Synopsys AST managed services are orchestrated through a cloud-based portal that is separate from Polaris; however, managed service testing results can be viewed through the Polaris reporting tool. Emphasis for dynamic testing is concentrated on the Seeker IAST product line.
While Seeker has reports for various regulatory compliance regimes, compliance is often much more complicated than a set of scans. Users should be aware that they are responsible for the full scope of audit and regulatory compliance measures.

Veracode

Headquartered in the U.S., Veracode is an AST provider with a strong presence in the North American market, as well as in the European market. The Veracode offering includes a family of SAST, DAST, IAST and SCA services surrounded by a policy management and analytics hub, as well as e-learning modules. Greenlight is a SAST plug-in for the Eclipse, IntelliJ and Visual Studio IDEs. Veracode also provides mobile AST and an application attestation program called Veracode Verified, which enables companies to provide a third-party attestation of their products’ security level to a prospective buyer.

During the past 12 months, Veracode introduced support for modern application deployments in the cloud and containers. Also, it merged its original SCA offering and the recently acquired SourceClear SCA product into a new SCA offering that can scan both locally and in the cloud. Veracode also further extended its language coverage and introduced continuous alerting on new vulnerabilities. On 1 October 2019, Veracode released its IAST, which can run in the build phase and the QA test environment.

Veracode will meet the requirements of organizations looking for a comprehensive portfolio of AST services along with tailored AST advice, broad language coverage, and ease of implementation and use.

Strengths

Gartner clients rate highly the quick setup, ease of use and scalability of the solution, as well as the vendor’s willingness to work with customer requirements.
Veracode’s services include tailored vulnerability and remediation advice, and reviews of the mitigations where needed, which can be useful to reduce remediation time and in organizations where developers are not application security experts. Veracode results come with “fix first” recommendations that consider how easy an issue is to fix and how much impact it has, and then recommend the best location to fix the issue.
Veracode feeds the intelligence collected from its cloud-based scans back to its engine and database. This is used to improve accuracy through SaaS learning, faster SCA updates, as well as advice for rapid response to known vulnerabilities.
Veracode’s SCA offering allows both agent-based local and cloud-based scanning, and provides a unique database with 50% more vulnerabilities than the National Vulnerability Database. Veracode can also scan test third-party applications or SaaS cloud with their consent, as well as COTS applications such as the ones provided by independent software vendors. To help with the focus on exposed applications, Veracode’s SCA offering can deprioritize vulnerabilities by checking if they are in the execution path of the application.

Cautions

Veracode does not offer AST tools that can be installed on-premises, only AST as a service. It provides Internal Scanning Management that can be located on the client’s network to support the testing of internal applications, with scanning configured and controlled via the cloud service.
Veracode does not offer dynamic scanning of APIs, a capability increasingly available from competitors, relying instead on static and interactive AST. Veracode also does not allow discovery of APIs.
Some Gartner clients have cited first line of support from the vendor as an item to be improved. Additionally, even though Veracode has a worldwide presence, it only provides support in English.

WhiteHat Security

WhiteHat Security’s Sentinel platform continues to stand out in use cases where DAST is a requirement, including web-based applications and APIs, both in production and preproduction. In addition, partly by virtue of a partnership with NowSecure, it ranks well for mobile AST, where it combines behavioral testing with SAST and DAST scans of popular mobile languages such as Java, Objective-C and Swift. Software composition analysis is also provided and is now available as a stand-alone product offering. Customers continue to give the vendor compliments for human and ML-based augmentations to testing, including validation of results and optional penetration testing and business logic assessments. WhiteHat continues to be unique with its Directed Remediation capabilities, where fixes developed by the WhiteHat Threat Research Center are automatically suggested to developers for selected findings. It was the first to offer chat-based assistance to developers for help in understanding specific vulnerabilities, although other vendors have also begun to provide this service. WhiteHat’s offerings are service-based, although the vendor offers a virtual appliance for local scanning, with results sent to the cloud for verification, correlation and inclusion in dashboards and reporting.

WhiteHat was acquired by NTT Security in July 2019 and operates as an independent subsidiary. Sales and support capabilities have traditionally focused heavily on North America. The vendor has also maintained a limited presence in Europe and the Asia/Pacific region. The NTT acquisition opens the possibility of broader sales and support channels.

Strengths

WhiteHat has a strong reputation among Gartner clients as a DAST-as-a-service provider and should be considered by buyers seeking an AST SaaS platform.
WhiteHat continues to execute toward its strategy of addressing the requirements of DevOps organizations with differentiated SAST, SCA and DAST products for the development, build and deployment phases of the life cycle. Generally, options earlier in the process — such as SAST and SCA for developers — are optimized for fast return of results by limiting the scope of testing. Later phases provide more in-depth checks and add options for human verification and testing. The vendor continues to expand ML-based automated verification to help speed the process, and to better align to the needs of rapidly iterating development teams.
WhiteHat’s customers continue to value the vendor’s strong support services. As noted, these include vulnerability verification, manual business logic assessments/penetration testing and the ability to leverage its Threat Research Center engineers to discuss findings.
WhiteHat SAST remediation capabilities extend beyond identifying the optimal point of remediation to automatically provide custom code patches that can be copied and pasted into the code to fix identified vulnerabilities for a portion of findings for Java and C#.
WhiteHat Sentinel Dynamic provides continuous, production-safe DAST of production websites with automatic detection and assessment, and alerts for newly discovered vulnerabilities.
DAST results can be fed to a variety of web application firewall solutions, enabling the creation of rules to mitigate vulnerabilities until they can be remediated in code.

Cautions

WhiteHat does not offer an IAST solution. It does use SAST findings to inform DAST scans for improved accuracy.
Customer feedback indicates some dissatisfaction with the products’ user interfaces. IDE plug-ins, for example, are functional, but supplementary and explanatory information is often poorly formatted. Findings can be fed to defect tracking systems, such as Jira.
WhiteHat’s SAST offering has limited language support, compared with competitive offerings.
WhiteHat does not offer AST as a tool, only as a cloud service. However, it can provide an on-premises virtual appliance that performs scans at a customer’s site, feeding results to the cloud for verification, correlation and inclusion in dashboards for reporting and analysis.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

Onapsis, HCL Software and GitLab were added to this Magic Quadrant.

Dropped

Acunetix, IBM and Qualys were dropped from this Magic Quadrant based on our inclusion and exclusion criteria.

Inclusion and Exclusion Criteria

For Gartner clients, Magic Quadrant and Critical Capabilities research identifies and then analyzes the most relevant providers and their products in a market. Gartner uses, by default, an upper limit of 20 vendors to support the identification of the most relevant providers in a market. On some specific occasions, the upper limit may be extended where the intended research value to our clients might otherwise be diminished. The inclusion criteria represent the specific attributes that analysts believe are necessary for inclusion in this research.

To qualify for inclusion, vendors needed to meet the following criteria as of 1 November 2019:

Market participation: Provide a dedicated AST solution (product, service or both) that covers at least two of the following four AST capabilities: SCA, SAST, DAST or IAST, as described in the Market Definition/Description section.
Market traction:
- During the past four quarters (4Q18 and the first three quarters of 2019):
  - Must have generated at least $22 million of AST revenue, including $17 million in North America and/or Europe, the Middle East and Africa (excluding professional services revenue)
Technical capabilities relevant to Gartner clients:
- Provide a repeatable, consistent subscription-based engagement model (if the vendor provides AST as a service) using mainly its own testing tools to enable its testing capabilities. Specifically, technical capabilities must include:
  - An offering primarily focused on security tests to identify software security vulnerabilities, with templates to report against OWASP top 10 vulnerabilities
  - An offering with the ability to integrate via plug-in, API or command line integration into CI/CD tools (such as Jenkins) and bug-tracking tools (such as Jira)
- For SAST products and/or services:
  - Support for Java, C#, PHP and JavaScript at a minimum
  - Provide a direct plug-in for Eclipse or Visual Studio IDE at a minimum
- For DAST products and/or services:
  - Provide a stand-alone AST solution with dedicated web-application-layer dynamic scanning capabilities.
  - Support for web scripting and automation tools such as Selenium
- For IAST products and/or services:
  - Support for Java and .NET applications
- For SCA products and/or services:
  - Ability to scan for commonly known malware
  - Ability to scan for out-of-date vulnerable libraries
- For containers:
  - Ability to integrate with application registries and container registries
  - Ability to scan open-source OS components for known vulnerabilities and to map to common vulnerabilities and exposures (CVEs)
Business capabilities relevant to Gartner clients: Have phone, email and/or web customer support. They must offer contract, console/portal, technical documentation and customer support in English (either as the product’s/service’s default language or as an optional localization).

We will not include vendors in this research that:

Focus only on mobile platforms or a single platform/language
Provide services, but not on a repeatable, predefined subscription basis — for example, providers of custom consulting application testing services, contract pen testing or professional services
Provide network vulnerability scanning but do not offer a stand-alone AST capability, or offer only limited web application layer dynamic scanning
Offer only protocol testing and fuzzing solutions, debuggers, memory analyzers, and/or attack generators
Primarily focus on runtime protection
Focus on application code quality and integrity testing solutions or basic security testing solutions, which have limited AST capabilities

Open-Source Software Considerations

Magic Quadrants are used to evaluate the commercial offerings, sales execution, vision, marketing and support of products in the market. This excludes the evaluation of open-source software (OSS) or vendor products that rely heavily on or bundle open-source tools.

Other Players

Several vendors that are not evaluated in this Magic Quadrant are present in the AST space or in markets that overlap with AST. These vendors do not currently meet our inclusion criteria; however, they either provide AST features or address specific AST requirements and use cases.

These providers range from consultancies and professional services to related solution categories, including:

Business-critical application security
Application security orchestration and correlation (ASOC)
Application security requirements and threat management (ASRTM)
Crowdsourced security testing platforms (CSSTPs)
API-security-focused solutions
Container security solutions

Evaluation Criteria

Ability to Execute

Product or Service: This criterion assesses the core goods and services that compete in and or serve the defined market. This includes current product and service capabilities, quality, feature sets, skills, etc. These can be offered natively or through OEM agreements/partnerships, as defined in the Market Definition/Description section and detailed in the subcriteria. This criterion specifically evaluates current core AST product/service capabilities, quality and accuracy, and feature sets. Also, the efficacy and quality of ancillary capabilities and integration into the SDLC are valued.

Overall Viability: Viability includes an assessment of the organization’s overall financial health, as well as the financial and practical success of the business unit. It assesses the likelihood of the organization to continue to offer and invest in the product, as well as the product’s position in the current portfolio. Specifically, we look at the vendor’s focus on AST, its growth and estimated AST market share, and its customer base.

Sales Execution/Pricing: This criterion looks at the organization’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support and the overall effectiveness of the sales channel.

We are looking at capabilities such as how the vendor supports proofs of concept or pricing options for both simple and complex use cases. The evaluation also includes feedback received from clients on experiences with vendor sales support, pricing and negotiations.

Market Responsiveness/Record: This criterion assesses the ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. It also considers the vendor’s history of responsiveness to changing market demands. We evaluate how the vendor’s broader application security capabilities match with enterprises’ functional requirements, and the vendor’s track record in delivering innovative features when the market demands them. We also account for vendors’ appeal with security technologies complementary to AST.

Marketing Execution: This criterion assesses the clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message in order to influence the market, promote the brand, increase awareness of products and establish a positive identification in the minds of customers. This mind share can be driven by a combination of publicity, promotional activity, thought leadership, social media, referrals and sales activities. We evaluate elements such as the vendor’s reputation and credibility among security specialists.

Customer Experience: We look at the products and services and/or programs that enable customers to achieve anticipated results. Specifically, this includes quality supplier/buyer interactions, technical support or account support. This may also include ancillary tools, customer support programs, availability of user groups, service-level agreements, etc.

Operations: This criterion assesses the ability of the organization to meet goals and commitments. Factors include quality of the organizational structure, skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently.

Table 1: Ability to Execute Evaluation Criteria

Enlarge Table

Evaluation Criteria	Weighting
Product or Service	High
Overall Viability	High
Sales Execution/Pricing	Medium
Market Responsiveness/Record	High
Marketing Execution	High
Customer Experience	High
Operations	Not Rated

Source: Gartner (April 2020)

Completeness of Vision

Market Understanding: This refers to the ability to understand customer needs and translate them into products and services. Vendors that show a clear vision of their market listen to and understand customer demands, and can shape or enhance market changes with their added vision. It includes the vendor’s ability to understand buyers’ needs and translate them into effective and usable AST (SAST, DAST, IAST and SCA) products and services.

In addition to examining a vendor’s key competencies in this market, we assess its awareness of the importance of:

Integration with the SDLC (including emerging and more flexible approaches)
Assessment of third-party and open-source components
The tool’s ease of use and integration with the enterprise infrastructure and processes
How this awareness translates into its AST products and services

Marketing Strategy: We look for clear, differentiated messaging consistently communicated internally, and externalized through social media, advertising, customer programs and positioning statements. The visibility and credibility of the vendor’s meeting the needs of an evolving market is also a consideration.

Sales Strategy: We look for a sound strategy for selling that uses the appropriate networks, including: direct and indirect sales, marketing, service, and communication. In addition, we look for partners that extend the scope and depth of market reach, expertise, technologies, services, and the vendor’s customer base. Specifically, we look at how a vendor reaches the market with its solution and sells it — for example, leveraging partners and resellers, security reports, or web channels.

Offering (Product) Strategy: We look for an approach to product development and delivery that emphasizes market differentiation, functionality, methodology and features as they map to current and future requirements. Specifically, we are looking at the product and service AST offering, and how its extent and modularity can meet different customer requirements and testing program maturity levels. We evaluate the vendor’s development and delivery of a solution that is differentiated from the competition in a way that uniquely addresses critical customer requirements. We also look at how offerings can integrate relevant non-AST functionality that can enhance the security of applications overall.

Business Model: This criterion assesses the design, logic and execution of the organization’s business proposition to achieve continued success.

Vertical/Industry Strategy: We assess the strategy to direct resources (sales, product, development), skills and products to meet the specific needs of individual market segments, including verticals.

Innovation: We look for direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or preemptive purposes. Specifically, we assess how vendors are innovating to address evolving client requirements to support testing for DevOps initiatives as well as API security testing, serverless and microservices architecture. We also evaluate developing methods to make security testing more accurate. We value innovations in IAST, but also in areas such as containers, training and integration with the developers’ existing software development methodology.

Geographic Strategy: This criterion evaluates the vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries, as appropriate for that geography and market. We evaluate the worldwide availability and support for the offering, including local language support for tools, consoles and customer service..

Table 2: Completeness of Vision Evaluation Criteria

Enlarge Table

Evaluation Criteria	Weighting
Market Understanding	High
Marketing Strategy	High
Sales Strategy	Medium
Offering (Product) Strategy	High
Business Model	Not Rated
Vertical/Industry Strategy	Not Rated
Innovation	High
Geographic Strategy	High

Source: Gartner (April 2020)

Quadrant Descriptions

Leaders

Leaders in the AST market demonstrate breadth and depth of AST products and services. Leaders typically provide mature, reputable SAST and DAST, and demonstrate vison through development of other emerging AST techniques, such as container support, in their solutions. Leaders also should provide organizations with AST-as-a-service delivery models for testing, or with a choice of a tool and AST as a service, as well as an enterprise-class reporting framework supporting multiple users, groups and roles, ideally via a single management console. Leaders should be able to support the testing of mobile applications and should exhibit strong execution in the core AST technologies they offer. While they may excel in specific AST categories, Leaders should offer a complete platform with strong market presence, growth and client retention.

Challengers

Challengers in this Magic Quadrant are vendors that have executed consistently, often with strength in a particular technology (for example, SAST, DAST or IAST) or by focusing on a single delivery model (for example, on AST as a service only). In addition, they have demonstrated substantial competitive capabilities against the Leaders in their particular focus area, and have demonstrated momentum in their customer base in terms of overall size and growth.

Visionaries

Visionaries in this Magic Quadrant are vendors that are in AST with a strong vision that addresses the evolving needs of the market. It includes vendors that provide innovative capabilities to accommodate DevOps, integrate in the SDLC or identify vulnerabilities. Visionaries may not execute as consistently as Leaders or Challengers.

Niche Players

Niche Players offer viable, dependable solutions that meet the needs of specific buyers. Niche Players fare well when considered for buyers looking for “best of breed” or “best fit” to address a particular business or technical use case that matches the vendor’s focus. Niche Players may address subsets of the overall market. Enterprises tend to pick Niche Players when the focus is on a few important functions, or on specific vendor expertise or when they have an established relationship with the vendor. Niche Players typically focus on a specific type of AST technology or delivery model, or a specific geographic region.

Context

The need for application security is ubiquitous across small, midsize and large organizations. With new data privacy requirements, the consequences of a security breach are no longer limited to reputational damage, but also can involve substantial fines and penalties. Vendors have been offering core AST technologies and additional support offerings for well over a decade, and they have matured in speed and efficacy, but common code problems still remain. Most solutions in the market provide some form of code scanning capability, security training services, program development services and remediation support in a growing variety of ways to support developers and security professionals. DevSecOps, agile, and a general demand for greater automation and speed have led to the maturing of the market and the evolution of both full platform solutions offering a wide variety of commonly used testing tools and specialty solutions that offer a deeper dive into a particular technology or combine security testing with other features like code quality.

In general, better accuracy, faster results, easier integrations and enhanced remediation guidance are top of mind for vendors in this market. It has become simpler for end users to find vulnerabilities using AST tools integrated into their workflow or development environment. Solutions that make it easy for developers to be successful at security mesh well with the DevSecOps philosophy (see “Integrating Security Into the DevSecOps Toolchain”) while freeing up some security resources otherwise dedicated to running code scans. In general, anything the developers have to remember to do will be forgotten, but when integrated into their existing workflow, they come naturally. However, Gartner client inquiry feedback still indicates a need to improve remediation guidance, increase testing speed and accuracy, and simplify the operation of AST solutions to support clients adopting, integrating and scaling AST programs.

These challenges are not solved solely by the right technology; they often require changes in organizational culture, better collaboration and sound practices. Still, incompatible security technologies can impede progress, in which case development and security teams risk being driven further apart rather than becoming better collaborators. To cope with these challenges, organizations should:

Require solutions that expose and integrate automated functionality through plug-ins (including IDE, build, repository, QA and preproduction) into the SDLC. This will enable developers to fix issues earlier in the process, and it will improve coordination between development and security.
Favor vendors that specialize in comprehensive testing of APIs, applications deployed in containers and other aspects of modern development (e.g., single-page applications, microservices, serverless, edge computing, etc.) to support those use cases. Clients increasingly are seeking out point solutions with a specific focus on these technologies, particularly with respect to testing their APIs.
Require solutions that provide SCA, which is a critical or mandatory feature of an overall approach to security testing of applications, because open-source and third-party components are proliferating in applications that enterprises build. Vendors in the industry are introducing their own SCA solutions, as well as partnering with specialized SCA vendors. Gartner clients should pay special attention to those SCA solutions that offer OSS governance capabilities to enable the organization to proactively enforce its policy with respect to OSS when components are being onboarded or pulled in from external repositories and package managers. This should be further augmented with production time SCA, such as that available from container security products to alert to new vulnerabilities as they become known.
Favor a risk-based approach to vulnerability management rather than a “fix all the bugs” mentality. Too often, the perfect becomes the enemy of the good, wasting time and resources and demotivating developers and teams. There is often a trade-off to be made between speed and depth, so buyers should ensure that any resulting diminishment in the accuracy of results that often accompanies lower turnaround times remains acceptable.
Press vendors for specifics on their roadmap with respect to false positive reduction and how they will be employed to enhance their solutions. Buyers should look past ML hype and marketing to better understand specifics on how the proposed ML implementations will meaningfully improve areas such as enhancing accuracy, automating remediation efforts or achieving better testing coverage. Gartner clients should weigh vendor plans with respect to ML-based improvements, particularly when considering longer-term engagements, and consider the applicability of the proposed approaches. Artificial intelligence (AI) and ML are overused marketing terms, making it difficult to distinguish between hyperbole and genuine value, and should be evaluated closely.

Market Overview

Current Gartner forecasts place the size of the AST market (sales of SAST, DAST and IAST tools) at $1.33 billion by the end of 2020. Through 2022, the AST market is projected to have a 10% compound annual growth rate (CAGR), indicating that the market is growing slightly faster than the overall security market, which is projected to grow at a CAGR of 9% over the same period. Initial examination of updated vendor results suggests the market is growing at a faster pace than originally projected. This is believed to be a function of both increasing buyer demand for core AST tools, and the growing importance of associated solutions not currently included in the base forecast (such as SCA and mobile AST). Analysis of data continues, and any revisions to the forecast will be published in Gartner’s quarterly Information Security Market Forecast.

2019 continued to be a busy year of buyouts and mergers in the AST market. In June 2019, HCL Technologies completed its acquisition of IBM’s AppScan product suite as part of its $1.8 billion deal for a variety of IBM products. Also, in July 2019, NTT Security closed its buyout of WhiteHat Security. NTT is keeping the WhiteHat brand distinct from NTT Security, but this does significantly expand WhiteHat’s global coverage and partner network. Rapid7 made two purchases, acquiring tCell (runtime application self-protection) in late 2018, and NetFort (network monitoring) in mid-2019. In June, Onapsis completed its acquisition of Virtual Forge and has begun integrating its CodeProfiler suite into the Onapsis product line. Late in 2018, Checkmarx purchased Custodela, an Ontario-based provider of software security program development and consulting services focused on DevSecOps. Finally, in January 2020, Synopsys acquired Tinfoil Security and intends to merge its DAST and API testing product suit with its existing enterprise AST platform (all acquisitions after the Magic Quadrant cut-off date are noted in this research, but their capabilities are not included in the vendors’ evaluations).

In addition to this activity, we’ve seen some interesting moves by infrastructure players like Microsoft and VMware to make inroads into secure development. In 2018, Microsoft bought GitHub, arguably the world’s leading development repository. In 2019, GitHub acquired Semmle, a code analytics platform, and became a CVE Numbering Authority. The CVE system provides references for publicly disclosed information about security vulnerabilities and exposures, putting GitHub in a unique position for finding and disclosing code vulnerabilities. Also, on 30 December 2019, VMware announced that it was acquiring Pivotal Software for $2.7 billion (both Pivotal and VMware are part of Dell). This puts VMware in a strong position to manage, among other things, the container and software defined network security spaces. While it’s still early, Gartner has seen a market increase in inquiries about container security, so both of these moves are interesting.

The market continues to exhibit signs of increasing consolidation and commoditization, at least with respect to SAST, DAST and SCA for traditional web applications. However, as we can see from the placements in the 2020 AST Magic Quadrant, there continues to be a strong demand for specialty solutions that offer in-depth coverage of specific areas or combine traditional AST with other testing (e.g., code quality, enterprise applications, etc.).

In 2019, the number of Gartner end-user client conversations on DevSecOps and AST increased by 50% over 2018. While most clients do not have a full or even majority DevOps team, many techniques out of the DevOps method are easily adapted to existing coding disciplines. This includes a focus on making security an integral part of the developer work cycle and eliminating “security gates” late in the process. Other trends in 2019 included a rise in interest in container security. While containers continue to be a minor part of the market compared to more traditional applications, inquiry was up 65% over 2018. Similarly, inquiry regarding scanning for known vulnerabilities in open-source code (SCA) rose 20% in 2019.

In general, we have seen the following DevSecOps trends emerging in our client inquiries:

Integration of security and compliance testing seamlessly into DevSecOps, so developers never have to leave their CI or CD toolchain environments
Teams embracing a “developers own their code” philosophy, which extends into security (as well as performance, reliability and code quality)
Scanning for known vulnerabilities and misconfigurations in all open-source and third-party components
An emphasis on removing vulnerabilities with the highest severity and risk, rather than trying to remove all known vulnerabilities in custom code
Giving developers more autonomy to use new types of tools and approaches to minimize friction (such as interactive AST) to replace traditional static and dynamic testing
Scaling their information security teams into DevOps by using a security champion/coach model rather than putting them directly on the teams (which has scalability and cultural issues)
Treating all automation scripts, templates, images and blueprints with the same level of assurance they would apply to any source code
Increased interest in containerization

And we see those trends beginning to be reflected in the toolsets, including:

There is increased availability of SCA tools as part of product offerings across the Magic Quadrant participants.
IDE security plug-ins have not only become the normal expectation for buyers, but increasingly they are expecting the IDE to be the main conduit for reporting, fix suggestions, lessons, gamification and other developer-centric security activity. Anything that requires developers to go “out of band” is generally disfavored.
Fix suggestions are becoming more context-aware, not only with specific instructions, but also with options for involving human review and guidance from tool providers. Tool vendors are providing more options for including some human review of results in addition to ML for the elimination of false positives.
Vendors are starting to deliver options for covering some of the container and microservice attack surfaces, although full container scanning is still a bit off.

See “12 Things to Get Right for Successful DevSecOps” for more on best practices for developers.

This year’s Magic Quadrant shows two distinct trends: One broadening, and one deepening. The first trend is a movement toward all-inclusive platforms that do SAST/DAST/IAST/SCA as well as integrated reporting, CI/CD pipeline integration and a robust developer experience in the IDE. While each vendor will have specific strengths and weaknesses in individual tools, the common theme is that they are full, broad-spectrum platforms. The second trend is movement by some vendors to concentrate on doing a few things very well, often combining aspects of deep security testing with other functions such as code quality analysis, business-critical apps or specific types of testing not covered well by the broad-spectrum players. Both trends result in more choices for security leads and heads of development, both of which can be purchase decision makers.

We have four notable market observations:

Clients with experienced security staff are looking more seriously at using IAST solutions. Gartner saw a 40% increase in inquiry volume around IAST in 2019. For organizations with staff that have previously used SAST/DAST, IAST becomes a viable quick-start alternative, especially if they are making their first AST purchase and the staff are experienced in DevSecOps from previous work. It fits well into the DevSecOps workflow and give developers the opportunity to mix and correlate aspects of both dynamic testing and static analysis. While this is still a small percentage of the volume of DevSecOps calls, its growth represents an interesting, if minor, trend.
Container/microservice security is beginning to appear as an important trend in AST. In 2019, Gartner saw a 60% increase in the number of clients asking about container security. While this still represents a small portion of our call volume on AST, we feel it’s significant. Vendors are beginning to address container security concerns by repurposing some of their existing product suites (e.g., SCA for scanning OS components, SAST for payload scanning, etc.). These solutions do not yet cover the full, complex attack surface that containers represent.
Human-assisted DevSecOps is being offered by more vendors to reduce false positives and to assist developers in their IDE and developer environments. While ML continues to do the heavy lifting for false positive reduction, AST vendors are increasingly offering the option to have results reviewed by humans who can help remove false positives. While fast DevOps organizations continue to prefer automated, rapid turnaround times, other organization with less rigid deadlines and less security experience are taking advantage of FP reduction via human review. Similarly, while many organizations are adopting a “developer security coach” model for assisting coders grappling with security tasks, some are opting to use coaches from vendors provided through chat or other dedicated channels. This supports the goal of making security easy for developers to consume and provides rapid response to common questions.
Many clients are still seeking “one-stop shop” vendors that offer multiple technologies as part of a unified platform, a trend we noted in 2019. To support this effort, buyers are prioritizing vendors that provide multiple technologies and deployment options. Feedback from clients suggests that efforts to “glue together” various specialty tools suffer from complexity and reporting problems (i.e., the results of one tool not being consumable by others, resulting in a loss of context). Efforts to correlate these in-house do not yield the same level of rich data and project tracking and reporting as integrated, enterprisewide platform providers. Application vulnerability correlation helps with this.

Evidence

“NTT Security Corporation Acquires WhiteHat Security” WhiteHat Security blog.

“Synopsys Acquires Tinfoil Security, DAST and API Testing Solutions Provider,” Synopsys blog.

“HCL Technologies to Acquire Select IBM Software Products for $1.8B,” IBM.

“Onapsis Completes Acquisition of Virtual Forge,” Onapsis.

“GitHub to Integrate Semmle Code Analysis for Continuous Vulnerability Detection,” InfoQ.

“VMware Completes $2.7 Billion Pivotal Acquisition,” TechCrunch.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability: Viability includes an assessment of the overall organization’s financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization’s portfolio of products.

Sales Execution/Pricing: The vendor’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor’s history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This “mind share” can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers’ wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers’ wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor’s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

Business Model: The soundness and logic of the vendor’s underlying business proposition.

Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

Critical Capabilities for Security Information and Event Management

Published 24 February 2020 – ID G00381141 – 52 min read

Security information and event management solutions keep evolving to address demands across a range of buyers and requirements. Security and risk management leaders responsible for security operations should use this research to evaluate and select the most appropriate solutions.

Overview

Key Findings

SIEM solution capabilities and support, specifically for consumption models, architecture, analytics, user monitoring and operations, are increasingly varying across vendors.
SIEM vendors are trying to solve, with varying degrees of success, the inherent complexities in deploying and operating SIEM tools. However, most SIEM solutions are still too complex for buyers with limited resources and expertise.
Big data technologies as core components of SIEM solutions are starting to become table stakes — for example, Hadoop or Elasticsearch, which are now leveraged by most SIEM solutions.
SIEM vendors have embraced security orchestration, automation and response (SOAR) via native capabilities, OEM and partnerships, or deeper integrations with leading SOAR vendors.
Although most SIEM buyers continue to purchase on-premises software or appliance SIEM solutions, SaaS SIEM is gaining traction, and more SIEM tools are offered as SaaS SIEM only.

Recommendations

IT security and risk management leaders responsible for security monitoring and operations:

Focus your evaluation on the critical capabilities that align to their use cases (e.g., forensics, advanced threat detection and response), requirements, and current and future IT environments (e.g., on-premises versus cloud-based services).
Improve response by leveraging new SOAR-type functionality that the SIEMs are providing natively before purchasing a dedicated SOAR.
Give preference to SIEM solutions that can be consumed as a service to minimize overhead and management if you don’t have complex, on-premises SIEM architecture requirements and are, or plan to be, a heavy user of cloud-based services.

Strategic Planning Assumptions

By 2022, 50% of all SIEM tools will be cloud-native and delivered as a service from the vendor, up from 20% today.

By 2022, 75% of all SIEM vendors in the Gartner Magic Quadrant will offer advanced analytics features, as well as orchestration and automation features, up from 30% today.

What You Need to Know

This document was revised on 2 March 2020. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.

Security and risk management leaders evaluating SIEM solutions must start by clearly understanding and describing their scope as well as their use cases, and then defining specific requirements from these inputs in conjunction with applicable stakeholders. These stakeholders should typically go beyond security and IT, and include such teams as audit, lines of business, legal and human resources. Additional factors to consider when evaluating SIEM solutions include:

The scale and complexity of the deployment — for example, the types and locations of data sources in scope for distributed organizations or hybrid multicloud environments.
Architectural considerations for deployment and consumption — for example, will the solution be deployed on-premises, in the cloud, via a hybrid approach or consumed as software as a service (SaaS)?
Operational roles, such as use of internal resources versus service providers, and managed SIEM services
Applicable compliance regimes and mandates, such as data retention and reporting requirements

Gartner recommends that organizations initiate any SIEM project with a clear understanding of their use cases (see “How to Build Use Cases for Your SIEM”) to achieve long-term value from deploying a SIEM solution.

A phased acquisition and implementation approach, in which the most critical drivers and quick wins are implemented in the first phases and more-complex use cases occur in later phases, is also recommended. This will also allow the organization to rightsize its SIEM resources, both from a licensing and an operational costs perspective. This also requires being particularly careful with the selection and implementation of the foundational pieces.

Developing a multiyear, yet fluid, project roadmap for the SIEM solution’s operation and expansion, with input from applicable stakeholders, aligned to the overall business direction as well as information security strategies, will ensure that any solution purchased remains fit for purpose. (For more information on SIEM deployments, see “How to Architect and Deploy a SIEM Solution”). Such a roadmap needs to be revisited regularly, typically after an audit or a significant incident, or as new laws and regulations are adopted. Finally, organizations need to evaluate the SIEM solution vendors’ deployment and ongoing support capabilities, taking into account the resources and expertise available internally to the organization, and through the SIEM vendors and third-party service providers.

Analysis

Critical Capabilities Use-Case Graphics

Figure 1. Vendors’ Product Scores for Basic Searching and Reporting Use Case

Source: Gartner (February 2020)

Figure 2. Vendors’ Product Scores for Compliance and Control Monitoring Use Case

Source: Gartner (February 2020)

Figure 3. Vendors’ Product Scores for Basic Security Monitoring Use Case

Source: Gartner (February 2020)

Figure 4. Vendors’ Product Scores for Complex Security Monitoring Use Case

Source: Gartner (February 2020)

Figure 5. Vendors’ Product Scores for Advanced Threat Detection and Response Use Case

Source: Gartner (February 2020)

Vendors

AT&T Cybersecurity

AT&T Cybersecurity, part of the AT&T Business portfolio, is headquartered in Dallas. AT&T Cybersecurity’s SIEM solution is called Unified Security Management (USM) Anywhere, and is delivered as a SaaS SIEM from the Amazon Web Services (AWS) cloud. The solution includes several built-in capabilities, including asset discovery; vulnerability assessment; intrusion detection system (IDS) for network and cloud; and an endpoint detection and response (EDR) agent. The solution has an app framework that enables integrations with third-party security products for detection, automation and response. USM Anywhere also includes basic user and entity behavior analytics (UEBA) functions. Additional offerings include AT&T Alien Labs, which provides a threat intelligence subscription as part of the core SIEM product via the Open Threat Exchange (OTX) threat intelligence sharing capability. An on-premises software deployment, USM Appliance, is still available and supported. Prospective customers should know that there is no feature parity between to two offerings.

USM Anywhere runs in AWS, and customers deploy data collection sensors as VMware or HyperV images, or templates for 13 supported AWS regions, Microsoft Azure or Google Cloud Platform. Integrations with SaaS solutions are provided via AlienApps. Country-specific data storage is available for the U.S., Ireland, Germany, Japan, Australia, the U.K., Canada, India and Brazil. The solution includes an optional EDR agent for Windows, Linux and Mac. Weekly updates to data collectors are managed by the vendor. EDR agents can autoupdate or be managed by customers.

Detections and alerting in the USM Anywhere platform are largely dependent on the real-time detection rules and analytics methods created and maintained by the vendor based on internally sourced threat research. All rules, response templates, algorithms and associated threat research are included in the solution. Alarms can be viewed in the context of a kill chain or the ATT&CK framework.

USM Anywhere pricing is generally based on data volume (GB per month).

Dell Technologies (RSA)

RSA is a business within Dell Technologies, which is headquartered in Round Rock, Texas. RSA’s NetWitness Platform (RSA NWP) is composed of a variety of components (versions introduced in April 2019 and reviewed for this research):

RSA NetWitness Logs (version 11.3)
RSA NetWitness Endpoint (version 11.3)
RSA NetWitness Network (version 11.3)
RSA NetWitness UEBA (version 11.3), with competencies derived from the acquisition of Fortscale in 2018
RSA NetWitness Orchestrator (version 4.5 introduced in July 2019), an OEM of Demisto’s SOAR solution

RSA NWP can be deployed in a variety of formats, ranging from software to physical and virtual deployments — on-premises and in public cloud services, such as AWS and Azure. It is flexible in how and where those components are installed to support simple deployments through complex, n-tier deployments across on-premises and cloud — infrastructure as a service (IaaS) — environments, as well as geographically distributed environments.

Various on-premises log and data sources, as well as contextual sources, are supported, in addition to common SaaS vendors (Office 365, Salesforce) and cloud service providers (CSPs; such as AWS, Azure and Google Cloud).

Decoders are used to collect logs and data, as well as perform analytics. Concentrators aggregate and index metadata. Smaller environments can use hybrid decoders/concentrators for collection and indexing. Event Stream Analysis is responsible for real-time analysis, correlation and notification. Archivers provide long-term data retention. All of these components are licensed together as part of a single SIEM SKU in the metered pricing model. RSA NWP Endpoint Insights is a free Windows and Linux endpoint agent to capture and forward endpoint logs, whereas the for-pay RSA NWP Endpoint agent has more EDR capabilities. RSA NetWitness Server is the single user interface (UI) into the solution. RSA NetWitness Platform Live is a cloud-based content distribution service. RSA also offers the for-pay NetWitness UEBA for advanced analytics, and NetWitness Orchestrator for SOAR capabilities.

RSA NWP pricing is generally based on data volume (GB per day).

Exabeam

Exabeam is headquartered in San Mateo, California. Its SIEM, branded as Security Management Platform (SMP), is composed of seven products (version 2019.2 was introduced in February 2019 and reviewed for this research):

Data Lake (version i31) for CLM-type functionality
Advanced Analytics (version i48), a user-focused UEBA
Threat Hunter (version i48), for forensics, investigations and searches
Entity Analytics (version i48), an entity-focused UEBA
Incident Responder (version i48), a workflow-automation-focused SOAR
Case Manager (version i48), an incident response/case management platform
Cloud Connectors (SkyFormation v2.4) from the SkyFormation acquisition for cloud coverage

Exabeam takes a module approach to its platform, where different solutions can be purchased individually and run in various combinations. Buyers seeking a SIEM solution will need to purchase Data Lake, Advanced Analytics and/or Entity Analytics (depending on the use cases), and Incident Responder. The platform leverages several big data technologies like Elasticsearch, HDFS, MongoDB, Kafka and Spark.

Exabeam SMP is available as an on-premises deployment or as a SaaS-based solution (Exabeam SaaS Cloud). SMP is offered as physical or virtual appliances. Docker container versions are also available. The solution can be deployed in IaaS, like AWS, Azure and Google Cloud, and hybrid options — through a combination of appliances and software installations — are supported. Exabeam also has partners to deliver managed SIEM on a per-customer basis. Multitenancy is supported via a combination of logical data segmentation and role-based access control (RBAC) controls. Content and integrations can be downloaded by customers and from the Exabeam community portal.

Exabeam SMP pricing is generally based on the number of employees in the organization.

FireEye

FireEye is headquartered in Milpitas, California. FireEye’s SIEM capabilities are delivered by its Helix platform, which integrates with other FireEye security solutions for email, network and endpoint that are sold separately. FireEye Threat Intelligence, supporting detections and threat hunting, and FireEye Security Orchestrator, for workflow automation, are also integrated into the Helix platform. The solution includes (at no added cost) virtual sensors to collect network metadata for monitoring. FireEye also offers services branded Expertise On Demand to provide support for tuning detection rules, investigating alerts and responding to incidents.

FireEye Helix is offered as a SaaS solution, deployed in multiple regions in AWS and managed by FireEye. Data collection is handled via one or more Communications Broker agents running on customer premises or in customer cloud environments. Helix orchestration capabilities are typically deployed on-premises to support integration with vulnerability scanning solutions. Several integrated FireEye security solutions also run in the cloud, but can be optionally operated on-premises, on physical or virtual systems. These solutions also include Communications Broker connectivity to Helix.

FireEye creates and maintains detection rules and analytics algorithms based on internally sourced threat research from Mandiant incident response engagement findings and threat intelligence services. Alerts are created by a combination of real-time rule matching and the postprocessing application of threat intelligence and indicators of compromise against events ingested by the platform. All rules, algorithms and associated threat research is included in the solution, and users can add rules to support additional use cases.

FireEye Helix pricing is generally based on data velocity (events per second [EPS]).

Fortinet

Fortinet is headquartered in Sunnyvale, California. The Fortinet SIEM solution (version 5.2.1 introduced in June 2019 and reviewed for this research) is composed of the following components:

Fortinet FortiSIEM
FortiSIEM Advanced Agent (a for-pay, server-focused endpoint agent for Windows and Linux with some file integrity monitoring [FIM] and EDR capabilities)
FortiGuard IOC (a for-pay threat intelligence subscription feed)
FortiInsight (a for-pay pure-play UEBA tool derived from the ZoneFox acquisition)

Fortinet FortiSIEM is part of Fortinet’s Security Fabric, which allows enhanced collaboration and integration between several of the vendor’s portfolio solutions (e.g., Fortinet FortiSandbox) for additional, multitool use cases.

All FortiSIEM nodes can be deployed as virtual machines, and each component can be deployed on-premises or in a public/private cloud as long as the hypervisor is supported. For small installations, FortiSIEM can be deployed as a single virtual appliance with a local disk or as a hardware appliance (sold by Fortinet). As complexity and performance requirements grow, customers can scale vertically with bigger appliances, and/or can scale horizontally by adding Worker and Collector appliances (virtual or hardware).

FortiSIEM can manage most common on-premises data sources and cloud sources (although Google Cloud Platform, for example, is not supported), and can also ingest network flow data from firewalls and other network devices in the form of NetFlow version 5, version 9, IPFIX, sFlow, JFlow, and Cisco AVC, VPC Flow and Syslog.

FortiSIEM’s distributed architecture consists of three kinds of nodes: Supervisor, Worker and Collector. An additional Report Server node is needed when integrating third-party business intelligence software with FortiSIEM. The Collector node discovers devices in remote locations, gathers events from these devices, parses and then preprocesses the events with enrichment, compresses them, and forwards them to the Supervisor or Worker nodes. Workers process and store events, and perform partial queries sent to the Supervisor. The Supervisor node processes the partial query/rule results from the Worker nodes to produce the final result. FortiSIEM clients can select between a proprietary FortiSIEM NoSQL event database or Elasticsearch for event storage, while the Supervisor node provides a single system database image to the user by unifying the Discovery and Event databases.

FortiSIEM pricing is generally based on the number of assets in scope (number of IP addresses).

HanSight

HanSight is headquartered in Beijing, China. HanSight Enterprise SIEM (version 5.1 introduced in May 2019 and reviewed for this research) is the core product that is part of an ecosystem of solutions that includes HanSight UBA, HanSight NTA, and HanSight TIP (all also at version 5.1). Other solutions available within the HanSight ecosystem include vulnerability management, asset discovery and data loss prevention (DLP). HanSight does not have its own EDR and cloud workload protection platform (CWPP) tools, and instead has partnerships with several Chinese security technology vendors (e.g., 360 Total Security, Magic Shield and Qingteng).

HanSight Enterprise SIEM is available as software, as a hardware appliance (aimed at midsize enterprises) or as a per-customer hosted environment. There are five components that can be deployed in various configurations (all in one, individually, combinations) — Data Collector Clients, NTA, Central Management, Threat/Detection and Incident Management and Elasticsearch. Real-time analytics are performed by the Security Analytics Engine, while batch processing is handled through HanSight Query Language (HQL) search and the UEBA module called HanSight UBA. HQL can implement machine learning algorithms, and the HanSight Notebook allows more-advanced users to create their own machine learning in Python or Java.

HanSight Enterprise SIEM pricing is generally based on data volume (EPS).

IBM

IBM Security is headquartered in Cambridge, Massachusetts. The QRadar Security Intelligence Platform (SIP; version 7..3.2 introduced in May 2019 and reviewed for this research) consists of QRadar SIEM and other separately priced components:

IBM QRadar Vulnerability Manager provides vulnerability assessment.
Network monitoring support in SIP includes IBM QRadar Network Insights for network flows, and the IBM QRadar Network Packet Capture appliance.
QRadar Risk Manager monitors device configurations.
IBM QRadar Incident Forensics provides investigation support.
IBM QRadar Advisor with Watson provides automated research for threats and actors.
IBM QRadar User Behavior Analytics (UBA) is a free add-on module for user-monitoring use cases.
IBM Resilient SOAR, a solution that has supported bidirectional integration between Resilient and the QRadar SIEM solution.

In addition to these IBM QRadar components, IBM offers the Security App Exchange, with integrations developed by IBM and third parties.

QRadar uses a proprietary data store for environmental and event data. Alerts (offenses) are created by a combination of real-time correlation and baselining (vendor-provided and user-created or modified rules) and machine learning analytics to detect anomalous behaviors.

Deployment options include on-premises software, hardware and virtual appliance options (for most components), or deployed as SaaS by IBM via the QRadar on Cloud offering. Smaller deployments can be addressed in an all-in-one appliance, and larger deployments can scale horizontally with additional appliances.

IBM QRadar pricing is generally based on data velocity (EPS).

LogPoint

LogPoint is headquartered in Copenhagen, Denmark. LogPoint SIEM solution is composed of the following modules (generally introduced in June 2019 and reviewed for this research):

LogPoint Core SIEM (version 6.6.1)
LogPoint UEBA (version 2.1.0)
LogPoint Director Console (version 1.5.0)
LogPoint Director Fabric (version 1.5.0)
LogPoint Applied Analytics (version 2.0)

LogPoint can be deployed as an all-in-one virtual or hardware appliance running a hardened version of Ubuntu Linux 16.04 combining the Collector, Backend and Search head. Scalability is achieved via the use of larger appliances and/or additional Collector/Backend modules deployed in key locations. These collection instances parse, normalize, enrich, filter, route, compress and buffer event data. Larger and more complex deployment (e.g., federated model) will introduce LogPoint Director to manage the various components. LogPoint, through the use of NIFI, supports connections to query remote data lakes, including Hadoop and Elastic data stores. LogPoint utilizes Apache Lucene and NoSQL flat-file storage split into several components, raw log data, key/value pair data and enriched data (if available).

The analysis tier in LogPoint is delivered in a hybrid model. Inside LogPoint SIEM, the analysis node of LogPoint, is a component that consumes data from many LogPoint Backends. The Backends stream data in real time toward the analytics node, where data is processed for real-time correlations and alerting. Whenever an analyst requires forensics data or conducts a long-term analysis, queries are executed against the data stores.

The for-pay LogPoint UEBA is delivered through a cloud service that relays insights back to LogPoint SIEM.

LogPoint SIEM pricing is generally based on the number of assets in the organization.

LogRhythm

LogRhythm, headquartered in Boulder, Colorado, brands its SIEM solution as LogRhythm NextGen SIEM Platform (version 7.4 introduced in October 2018 and reviewed for this research). The core SIEM component is the XDR Stack and includes the DetectX, AnalytiX and RespondX components.

Additional modules for user and network monitoring include:

UserXDR (for UEBA capabilities)
NetworkXDR (for NTA capabilities)
LogRhythm System Monitor (aka SysMon version 7.4), a host agent for data collection and EDR capabilities available in Lite and Pro versions
Network Monitor (aka NetMon version 3.9 and NetMon Freemium), the means to collect network data to support NetworkXDR

The platform leverages a mix of Windows and Linux OS, as well as Microsoft SQL and Elasticsearch for data management.

The LogRhythm platform supports large and smaller organizations with two versions — LogRhythm Enterprise and LogRhythm XM (an all-in-one appliance). These can be deployed either on-premises as software, a physical appliance or virtual appliance. IaaS deployments are supported as well, and hybrid models of IaaS and on-premises, and mixing and matching of virtual, physical and software installs, are also supported. LogRhythm’s SaaS SIEM offering is called LogRhythm Cloud. LogRhythm UserXDR is only available as a SaaS offering. Multitenancy is natively supported in the solution. Content is made available to customers via the LogRhythm Knowledge Base and is updated on a weekly basis.

LogRhythm’s core SIEM product pricing is generally based on velocity (messages per second [MPS]).

ManageEngine

ManageEngine has headquarters in India (Chennai), as well as in the U.S. (Austin, Texas). ManageEngine’s core SIEM product is Log360, and there are several modules, individually licensed, that address security and IT operations use cases. These include (versions as of July 2019 and reviewed for this research):

ManageEngine ADAudit Plus (version 6.0; Active Directory change auditing and reporting)
ManageEngine EventLog Analyzer (version 12.0.5; central log management)
ManageEngine Cloud Security Plus (version 4.0; CLM and SIEM for AWS and Azure)
ManageEngine Log360 UEBA (version 4.0; user and entity behavior analysis)
ManageEngine DataSecurity Plus (version 5.0; data discovery and file server auditing)
ManageEngine O365 Manager Plus (version 4.3; Office 365 security and compliance)
ManageEngine Exchange Reporter Plus (version 5.4; Exchange Server change audits and reporting)

Event data is ingested via agent-based and agentless methods, including log import. Alerts are created via real-time correlation rules packed with the solution or developed by users. The UEBA add-on module detects anomalous activities.

ManageEngine Log360 software can be deployed on-premises on physical or virtual systems. The ManageEngine Log360 Cloud solution stores the data collected by the log management module, EventLog Analyzer; however, it is not a SaaS-based SIEM tool. Typical small deployments would make use of the EventLog Analyzer and ADAudit Plus components.

Log360 pricing is generally based on the number of assets in scope (number of IP addresses).

McAfee

McAfee is headquartered in Santa Clara, California. McAfee Enterprise Security Manager (ESM) version 11.2.1 (reviewed for this research) was introduced in July 2019 and is composed of the following modules:

McAfee Event Receiver (ERC), for collection and correlation of data
McAfee Enterprise Log Search (ELS), for Elastic-based log search
McAfee Enterprise Log Manager (ELM), for long-term log storage and management
McAfee Advanced Correlation Engine (ACE), for dedicated correlation including risk and ruleless (behavior-based) correlation, as well as statistical and baseline anomaly detection

Some McAfee ESM modules can be deployed as physical or virtual appliances. Appliances are available in both hardware and virtual (on-premises or cloud) form for ESM, ERC, ELS, ESM, ACE and ADM. Virtual machines can be deployed in AWS, Azure and Oracle cloud environments. They can also be deployed in on-premises virtualized environments running ESX, KVM, Hyper-V and Xen.

The McAfee ERC allows agentless collection of 500-plus data sources. The ERC performs a number of functions, including raw log collection, log parsing and data enrichment. The ERC uses Kafka to publish data to which other components within the environment can subscribe to obtain raw and parsed data. The ERC performs real-time alerting simple analytics. McAfee SIEM Collector is an optional agent, deployable via SCCP, SCCM or McAfee ePO, capable of collecting various logs (e.g., traditional Windows Event logs, flat file logs like DNS or DHCP, or customer defined application logs). The SIEM Collector supports servers acting as a Windows Event Forwarding host. The SIEM Collector can provide a native SQL connector to Microsoft SQL and Oracle RDBMS systems to allow customized queries against database views and tables.

McAfee ESM pricing is generally based on data velocity (EPS).

Micro Focus

Micro Focus, headquartered in Newbury, U.K., offers the ArcSight platform as its SIEM solution. Micro Focus ArcSight’s architecture is now based on big data technologies (e.g., Kafka bus for improved data transfers and horizontal scaling of data ingestion) and is composed of the following components (versions are those reviewed for this research):

ArcSight Enterprise Security Manager (ESM; version 7.0 introduced in May 2019), providing core SIEM functions of real-time analytics and monitoring and incident management
ArcSight Logger (version 6.7.1 introduced in May 2019), providing event and data processing and storage
ArcSight Transformation Hub (version 3.0 introduced in July 2019) as part of the Security Open Data Platform (SODP) for data management and routing
Interset UEBA (version 5.8 as of the July 2019 cutoff date for this research) for user and entity monitoring
ArcSight Investigate (version 2.3 introduced in July 2018) for data searching and visualizations to support incident investigation and threat hunting use cases
ArcSight Management Center (ArcMC; version 2.92 introduced in July 2019) is the stand-alone utility used to manage ArcSight components
SmartConnector (version 7.13 introduced in July 2019), Micro Focus’ content for data parsing and normalization

In addition, there are premium add-ons that cover additional content, and Micro Focus has other products in its portfolio that complement ArcSight. Content and third-party technology integrations are managed through the ArcSight Marketplace.

ArcSight components are provided as stand-alone appliances or software that can be installed on the customer’s own infrastructure (physical and virtual) or installed in IaaS. SaaS is not available, but hosted offerings can be provided by third parties. Multitenant functionality is native to ArcSight ESM for managed security service providers (MSSPs), managed service providers (MSPs) and organizations that need to monitor multiple organizations in a single solution.

ArcSight pricing is generally based on data velocity (EPS).

Rapid7

Rapid7 is headquartered in Boston, Massachusetts. Its SaaS SIEM offering is InsightIDR, and the underlying AWS-based Insight platform includes these other modules:

InsightVM (vulnerability assessment)
InsightAppSec (application security)
InsightConnect (SOAR)
InsightOps (log management for IT operations).

Rapid7 offers Insight Agent as its preferred endpoint agent to enable telemetry gathering and basic bidirectional response integration capabilities with Rapid7 InsightIDR, Rapid7 InsightVM and Rapid7 InsightOps. InsightIDR also offers integration with InsightVM, which enables customers to deploy one agent across the environment to instrument and collect vulnerability assessment data while performing detection and response functions. Insight Collectors provide event ingestion, and an unlimited number of Collectors or Agents are available without additional licenses. Rapid7 also offers a managed service built around the Insight platform, including managed detection and response and vulnerability management.

Data is ingested via Collectors (syslog, plus directories, AWS CloudTrail, Azure Event Hubs, etc.) and Agents (which are optional for event collection, but required for response actions and vulnerability management). Alerts are created by vendor-provided and customer-developed rules, and with statistical and machine learning analytics based on open-source, proprietary and AWS technologies. Basic response capabilities using Agents are available from InsightIDR, with more complete integrations available for InsightConnect.

InsightIDR pricing is generally based on the number of assets in scope (number of IP addresses).

Securonix

Securonix is headquartered in Addison, Texas. The Securonix SNYPR SIEM platform consists of the following components (version 6.2 was introduced in October 2018 and the CU4 was introduced in May 2019; both were reviewed for this research):

Securonix SIEM (v.6.2, CU4)
Securonix Security Data Lake (v.6.2, CU4)
Securonix UEBA (v.6.2, CU4)
Securonix SOAR (v.2.0)
Securonix NTA (v.2.0)
Securonix Threat Intelligence (v.2.0)
Securonix Apps (v.6.2, CU4): Insider Threat, Cyber Threat, Cloud Security Analytics, Identity and Access Analytics, Fraud Analytics, Trade Surveillance, Patient Data Analytics, Application Analytics

Securonix SNYPR is available primarily as cloud-delivered SaaS service, although MSSPs and key customers are known to run SNYPR either on-premises or in their own clouds.

Securonix is capable of managing hybrid multicloud environments, with support for most cloud IaaS and PaaS as well as many SaaS applications, on-premises logs and other contextual data, as well as network traffic and flows.

Securonix SIEM architecture is composed of three tiers — ingestion, compute/storage, and master console tiers. The ingestion and data acquisition tier is composed of remote ingesters (aka RIN), which are deployed on-premises in the customer data center or in the cloud, depending on the source of the log events. The data is compressed, encrypted and forwarded by the RINs to the compute/storage tier, where it gets processed — parsed, normalized, enriched, indexed, stored (for compliance) and analyzed for potential threats. The master console tier provides UI and administration services.

Securonix SNYPR is based on the Hadoop stack, and all data is stored and managed in typical big data components. Kafka, Solr, HDFS, HBase and Spark. Analytics are done via a Lambda architecture with streaming and batch-processing services. Analytics applications such as event correlation utilize Spark streaming services to analyze the data in real time, whereas applications requiring lookup of historical data (e.g., risk scoring) utilize the batch-processing layer. Batch processing is also utilized for alerting on historical data, training machine learning algorithms and running hunting queries on historical data.

Securonix SIEM pricing is generally based on the number of employees in the organization.

SolarWinds

SolarWinds is headquartered in Austin, Texas. SolarWinds’ SIEM solution is Security Event Manager (SEM; version 6.7 introduced in May 2019 and reviewed for this research). SEM includes core SIEM features that provide data management, real-time correlation and log searching to support threat and compliance monitoring, investigations and response.

SEM’s architecture is straightforward, with only two components: a virtual appliance for all SEM features and functions, and a multifunction endpoint agent that provides log collection and forwarding, FIM, EDR (including active response functionality), and lightweight DLP capabilities.

Scalability can be achieved either by increasing resources to a virtual appliance or by splitting the SEM database and appliances across multiple virtual machines. Multitenancy is not native, but through the use of a master console, multiple SEMs can be viewed in a single pane.

SEM is complemented with other products in the SolarWinds portfolio for ticketing and case management, user monitoring, and network and application monitoring, through for-pay solutions such as Access Rights Manager, Identity Monitor, Service Desk, Server & Application Monitor and Papertrail, among others.

SolarWinds pricing is generally based on the number of assets in scope (number of IP addresses).

Splunk

Splunk, headquartered in San Francisco, provides SIEM solutions via a combination of:

Splunk Enterprise for core log management capabilities, delivered either on-premises (Splunk Enterprise version 7.3 introduced in May 2019) or as SaaS SIEM via Splunk CloudSplunk Enterprise Security (ES version 5.3.1 introduced in July 2019), also available on-premises or in the cloud as a service
Additional (on-premises-only and for-pay) premium apps include Splunk User Behavior Analytics (UBA) and Splunk Phantom, as well as Splunk Security Essentials for Ransomware and Splunk App for PCI Compliance for more specific use cases

Splunk ES provides core SIEM features and functionality on top of the Splunk core. Splunk UBA complements Splunk ES’s rule, correlation and basic statistical analytics through the addition of machine learning capabilities focused on user and entity anomaly monitoring. SOAR capabilities in Phantom are an enhancement over the adaptive response framework incident management and automation natively provided in Splunk ES.

Splunk is primarily delivered as software, or via SaaS as Splunk Cloud. Splunk can be installed on customer hardware, in virtual environments or in IaaS. Splunk’s architecture contains only Universal Forwarders, Search Heads and Indexers. Universal Forwarders are agents that provide log collection and forwarding. Indexers and Search Heads are the two main components to collect, analyze and visualize data and outputs. The architecture is scalable both horizontally and vertically using these components. Splunk Stream provides a means for collecting network data off the wire. Buyers looking for an appliance-based approach can find offerings from various third parties.

Splunk Enterprise and Splunk Cloud pricing is generally based on data volume (GB per day).

Context

The SIEM market is evolving to address wide demands across a range of buyers.

SIEM tools’ role as the central threat detection technology in enterprises is confirmed, while they are increasingly natively addressing the response phase after the detection. Gartner continues to see security operations centers (SOCs) built around a SIEM solution to deliver threat detection and response services.

At the same time, SIEM continues penetrating the small and midsize business segment, which does not have, nor does it plan to have, the required expertise to manage a SIEM and pursue advanced use cases. SIEM vendors are addressing this need with:

Easier consumption models, such as SaaS SIEM along with predictable pricing models
Stronger packaging of the content, availability of an app store and overall better user experience around the inherent complexity of these tools
Use of advanced analytics to supplement the lack of this skill set in organizations
Use of automation features to augment the availability of organizations

SIEM solutions are modernizing across the log management, analytics and operations tiers to deal with evolving buyer requirements, which requires enhancing features and adding new functionality. As an example, the ability to ingest and analyze data from cloud environments is now expected from clients looking for a SIEM tool. As described in “Technology Insight for the Modern SIEM,” standard architectures have emerged for SIEM tools to address complexities in data management, analytics and operations, via a well-architected three-layer approach. This is done to address the following issues:

As security teams deal with the challenges of increasing volumes of data from a variety of new sources with growing velocities, SIEM technology vendors are adopting big data technologies, such as Hadoop, NoSQL, Elasticsearch and Kafka to replace legacy data management capabilities oriented around proprietary methods and relational databases.
To cope with an evermore hostile threat environment, both external attackers and insider threats, SIEM vendors are adding more sophisticated analytics methods, such as machine learning, to complement existing analytics capabilities, in addition to custom content focused on specific types of threats, such as ransomware or threat profiles modeled after their tactics, techniques and procedures. UEBA technologies (see “Market Guide for User and Entity Behavior Analytics”) have been quickly embraced by existing SIEM vendors (either via self-developed technology or acquisition, or through white labeling), in addition to UEBA vendors that have pivoted to the SIEM technology market. Machine-readable threat intelligence is increasingly made available, both with the core SIEM solution and as a premium feature. However, the quality of out-of-the-box threat intelligence and support for third-party feeds varies among vendors.
At the operational tier, SIEM solution buyer requirements are driving demand for more sophisticated case and incident management features, as well as ways to measure, track, report on and improve the mean time to detect (MTTD) and mean time to respond (MTTR) to threats. The automation of specific activities done manually by SIEM tool users in both investigating events and alerts, as well as in initiating response actions, strongly aligns to the SOAR tool market and its use cases. As a result, SOAR features (see “Innovation Insight for Security Orchestration, Automation and Response”) are starting to be added to SIEM solutions in a trajectory similar to the adoption of UEBA — via acquisitions, white-label partnerships, third-party integrations and native development.

Some SIEM buyers opt for and prefer vendors providing a full portfolio of security solutions that have (pre)integrated their offering within a platform approach, offering a range of threat management — as well as broader security operations — capabilities that complement the vendor’s core SIEM solution. These threat management solutions typically include multifunction endpoint agents, or sensors, that can provide log collection and forwarding, FIM, EDR, and even DLP functions. Network monitoring technologies provide similar capabilities, such as data collection and forwarding of network flow and metadata, partial and full packet capture, and threat detection (via signatures and network traffic analytics). For buyers who are underinvested in these complementary threat detection solutions, the integration and ease of use with the core SIEM solution are beneficial; however, for those buyers who have already invested in third-party solutions, this approach can be less beneficial and reduces flexibility.

As integration with a vendor’s existing technology portfolio, as well as with third-party technologies, increases in importance, in addition to buyer demands for easier management and use of SIEM tools, SIEM vendors are adding or improving centralized management capabilities. These capabilities may follow the app store or marketplace model, or be provided via a support website, where precanned integrations, packaged content and other SIEM solution updates can be accessed.

Context is key for effective threat detection and response. SIEM solutions are becoming more sophisticated in their ability to consume, but also generate, contextual information. The enrichment of log event data upon ingestion at the data tier is becoming more common. The adoption of APIs for data collection, as well as accessing contextual data held in federated repositories (e.g., CMDBs, IAM tools, vulnerability assessment tools), is expanding and continues to grow across vendors. These integrations are also proving important to support the adoption and expansion of orchestration and automation features.

SIEM technologies consumed in a SaaS model (see “Selecting and Deploying SaaS SIEM for Security Monitoring” and “10 Questions to Answer Before Adopting SaaS SIEM”) are gaining in popularity. In fact, some tools, such as those from AT&T Cybersecurity, FireEye, Rapid7 and Securonix, are now offered only as a service (exceptions are possible for key accounts), while almost all vendors offer SaaS SIEM, either natively or via their ecosystem of partners and service providers.

Additionally, log management-as-a-service vendors are beginning to compete in the SIEM space by adding core SIEM capabilities. (For more information on central log management, see “Use Central Log Management for Security Event Monitoring Use Cases”). The trend toward leveraging cloud services to locate the SIEM solution closer to the data source, as well as enable advanced analytics such as UEBA, is a clear catalyst for the current and short-term/midterm SaaS SIEM adoption.

Product/Service Class Definition

SIEM technologies provide core security information management (SIM) and security event management functions, along with a variety of advanced features and complementary solutions and capabilities. This supports near-real-time security event monitoring, threat detection (both real-time and via historical analysis), incident investigation and response, and compliance requirements. Core functions include:

The collection of security event information from a wide variety of sources in a central repository where it can be processed and stored in various forms (e.g., raw version, enriched, normalized)
Real-time and historical analysis, and alerting of potential threats
Reporting and dashboards
Searching across historical data for forensics and threat hunting
Workflow and case management
Integrations and automation for extending the value proposition and achieving more functionality

SIEM technology is typically deployed to:

Monitor, correlate and analyze activity across multiple systems and applications
Discover external and internal threats
Monitor the activities of users and specific types of users, such as those with privileged access (both internal and third parties), and users with access to critical data assets such as intellectual property, and executives
Monitor server and database resource access, and offer some data exfiltration monitoring capabilities
Provide compliance reporting
Provide analytics and workflow to support incident response, and increasingly the ability to orchestrate and automate actions and workflows, powering SOC types of use cases

SIEM technology aggregates and analyzes the event data produced by networks, devices, systems and applications. The primary data source has been time-series-based log data; however, SIEM technology is evolving to process (e.g., for real-time monitoring) and leverage (e.g., for incident investigation and response) other forms of data to obtain context about users, IT assets, data, applications, threats and vulnerabilities (e.g., Active Directory [AD], configuration management database [CMDB], vulnerability management data, HR information and threat intelligence).

Critical Capabilities Definition

Here, we evaluate nine capabilities across SIEM technologies. Security and risk management leaders should use this research to understand the differing capabilities across the SIEM technology landscape aligned to their specific use cases.

Architecture/Deployment/Scalability

This capability encompasses the architecture of the solution and its modules, its deployment alternatives, as well as horizontal and vertical scalability.

SIEM solution architectures must support a variety of buyer environments, ranging from smaller enterprises that may only need a single appliance solution to global enterprises and MSSPs with complex environments that require distributed, n-tier architectures, and even enterprises looking for a cloud-delivered, SaaS SIEM. SIEM tool buyers must evaluate the complexity of deployments, such as an all-in-one box approach versus individual or combined modules to support large-scale deployments, or their ability to send potentially massive amounts of logs through their gateway for SaaS SIEMs. They also need to assess how to deploy those components — for example, using physical or virtual appliances or software, provided as a service, or a combination thereof. To deal with the increase in the volume, velocity and variety (and retention) of data across organizations of all sizes, SIEM solutions are adopting and leveraging big data technologies. Buyers in organizations with “cloud first” policies are looking to SIEM solutions that are delivered as a service or that can be installed in IaaS or hybrid deployments. Support for integrating with an array of security and nonsecurity technologies is also increasingly important, with the growing adoption of APIs in security and other IT technologies.

Cloud Readiness

This capability focuses on emerging or more established use cases centered on cloud, as well as the use of cloud as a deployment alternative for the SIEM solution.

As organizations are looking to benefit from the cloud, some adopt a cloud-first approach that prioritizes the use of cloud services, while most organizations have a hybrid environment with a combination of on-premises assets (e.g., firewalls, routers, servers), and cloud workloads in the form of SaaS solutions (e.g., Office 365) or IaaS/PaaS (e.g., AWS, Azure or Google Cloud Platform). This trend has been sustained over the past few years, to the point where a SIEM tool’s ability to operate in cloud and hybrid environments is now key for most, if not all, organizations.

This critical capability will take into account: (1) the tool’s ability to be delivered as a cloud service (and in this case, whether the solution is an on-premises image merely hosted by the vendor, or whether the solution is a genuine cloud-native SaaS service); and (2) the scope of cloud providers and services that the SIEM tool can natively offer use cases for (and in this case, whether the SIEM tool can interact with them in a bidirectional way).

Operations and Support

SIEM solutions are recognized as complex technologies that can be difficult to deploy, and require ongoing maintenance and support to stay fit for purpose.

Combined with a shortage of available SIEM engineering expertise, the ability to deploy and sustain the administration of SIEM tools becomes increasingly challenging. An integrated management console and user experience that enables efficient management of the SIEM solution is important. From this management console, log and data source management, administration of analytics content (e.g., correlation rules, whitelist matching and machine learning algorithms), reporting, and user administration through role-based access control are provided. Likewise, the SIEM tool should provide an easy way to define and manage automated responses via playbooks and workflow integration.

Vendor support is most visible in maintenance contracts purchased by SIEM tool buyers. This includes product support (e.g., patches, hotfixes, version upgrades and content updates), as well as human support to assist SIEM solution owners. Support is typically provided via remote means, but can vary across options such as email, phone and even access to Slack channels. Support may also be provided in tiers to help buyers who may not need, or can’t afford, expensive support plans. Finally, support for implementation is a crucial element for new SIEM implementations and upgrades, and may be provided directly by the vendor or through designated third parties.

Data Management Capabilities

This capability captures the SIEM tool’s ability to properly and easily manage data, from standard logs from security devices, to NetFlow, packet captures, vulnerability scanning data and external context data.

External context data includes machine-readable threat intelligence (MRTI) or user and asset context, such as AD or CMDB.

The ability to support data acquisition of IaaS and SaaS and IoT/OT devices is increasingly important as well, and clients expect this feature to be provided natively by the tools, as outlined in the Cloud Readiness capability.

A SIEM tool needs access to the right data, and these data points can range widely from on-premises sources to cloud compute sources, and encompass security data sources as well as nonsecurity ones, such as IT, organizational and HR data. These data points can be structured or unstructured, and collected via syslog, push or pull, or invoking API calls. In addition to getting the data via connectors, the SIEM needs corresponding parsers in order to make those data points insightful. Once collected, the data can be stored in raw form or normalized, enriched or contextualized form, or a combination thereof. Tools can also offer compression capabilities to minimize storage requirements, often at the expense of performance. Tools that offer an organization the ability to convince a court that the evidence is sound need to look at the full life cycle of data management, from secure transport of the data sources with nonrepudiation to secure storage with guaranteed integrity of each event and event sequence. Capabilities to provide fine-grained access control (usually RBAC) to logs, along with obfuscation and anonymization features and flexibility to provide multiple retention policies, will also be taken into account.

Analytics Capabilities

This capability describes the tool’s ability to offer the right analytics to get the most accurate insights for multiple use cases.

Once the data is collected, it needs to be analyzed in as real time as possible to detect threats as quickly as possible. To achieve a good level of accuracy, several analytics methods can run in parallel, ranging from simple pattern matching to more complex supervised and/or unsupervised machine learning. Some analytics are open, and clients can understand and modify the analytics, whereas some others are not, and behave more like a black box. Some SIEM tool’s analytics are both powerful and flexible enough to extend beyond threat detection and into adjacent use cases (such as some fraud use cases), and can offer a bench to evolve existing machine learning models or create new ones. Likewise, some SIEM tools map the analytics to known approaches such as Lockheed Martin’s Cyber KillChain, or MITRE ATT&CK frameworks to better understand what is happening in the organization.

While the analytics dynamically compute risk scores for users and/or entities based on actions or events taking place, the tool needs to help organizations prioritize their threat landscape by offering an intuitive UI.

Response and Incident Management

An organization’s ability to quickly open cases at any moment (such as directly from the real-time monitoring UI or during a threat hunt) with full context around the case will accelerate case resolution and improve the overall security posture.

For larger organizations dealing with a deluge of alerts, the tool can apply analytics to help triage cases to the right analysts by mapping skill sets to the focus of the case based on each analyst’s load (e.g., endpoint-centric cases assigned to available endpoint experts). For complex cases, the tool can likewise help the collaboration of multiple analysts by providing simple Slack-like features or advanced RBAC, where analysts with different clearance levels can still collaborate on cases.

Incidents or cases should have the ability to change the status (preconfigured and custom), support notes and annotations, and assign to other users. Integrations with enterprise IT help desk and IT service management (ITSM) systems, enabling interaction with business units outside of security (such as IT operations) are commonly required by buyers.

All steps performed during a case need to be logged and kept securely, as an organization should always be ready to go to court and demonstrate court-ready evidence. Attributes such as nonrepudiation, integrity of each event and integrity of the event sequence are important for incident and case management.

Interfaces that offer the ability to drill down on an alert and/or integrate with forensics and threat hunting capabilities allow rapid and contextual reactions to monitoring (e.g., open a case or launch an investigation).

Content Packaging and Management

Content for SIEM includes collectors and parsers for data sources, complete use cases, compliance packages, rules and models for analytics, and response and playbook capabilities.

All this content must be organized, packaged and managed easily to minimize operational costs of accessing, modifying and deploying content.

This content is required for the SIEM tool to function properly, and leveraging extensive and well organized content provided natively by the vendor, integrators, consultants or the community offers significant value to all organizations, especially the smaller ones, or the larger ones initiating their SIEM journey.

SIEM vendors tend to build ecosystems of technology alliances with complementary security and nonsecurity vendors to offer a rich and robust set of connectors, parsers and additional content such as analytics and/or response capabilities. In this case, ecosystem density is key for larger environments that implement nonstandard technologies or applications. Leveraging vendor-provided native content is particularly important for the response and playbook features, as these connections are bidirectional and integrations need to be done on both sides.

In addition to raw content, the tool should offer a management framework for accessing, updating and managing this content, and enabling its functionality. Particularly important for first-time SIEM buyers and those with limited resources, predefined functions and ease of deployment and support are valued over advanced functionality and extensive customization. The use of an app-store-type feature to provide a centralized location for locating and installing new content, integrations and other features is beneficial for all organizations and use cases.

Forensics and Threat Hunting

Investigation capabilities encompass the ability to use a SIEM tool to search for particular evidence to investigate an incident, be used as a forensics tool or to support threat hunting.

Search features and functionality are fundamental in a SIEM tool, and need to accommodate a wide range of organizational maturity. While some may prefer to search using a descriptive taxonomy and drop-down menus, others may prefer free-flowing search queries with either regular expression (regex) or boolean, or simple vendor-specific language. Response times can vary widely across SIEM tools, and preference should be given to quick response time for wide searches across large datasets, and for a user-intuitive visualization that will help analysts uncover interesting events or patterns. The ability to pivot from result to result, using simple clicks rather than copying and pasting into another console, is important, as is the ability to open a case at any point in a hunt. Finally, SIEM tools capable of searching across several data stores in large and mature organizations should be privileged.

User Experience and User Interface

Because of their flexibility and sheer complexity, SIEM tools are complex to operate and manage. Thus, it’s important for the tool to offer a user experience that is appropriate for both the size and maturity of the client organization, as well as the use case to implement.

Some SIEM tools assume that the client will have a high maturity level, and will offer workflows and operational models that are very efficient but require deeper expertise, while others clearly cater to less mature organizations and offer more guidance to the user, usually at the cost of efficiency.

The user experience encompasses the UI and the presentation layer of these tools, including dashboards, reports, alerts, how configurable these are and how well suited they are for the audience that the tools cater to.

Setup and ongoing management of the tool also vary widely, based on the client environment and the size of the deployment. Some tools aim to be used in SOCs with dozens or hundreds of security analysts, implying requirements to facilitate the description of the SOC team to help triage cases. Other tools typically operate in environments with no dedicated SIEM expertise, and forcing clients to describe their SOC expertise would not make sense.

Tools that offer a user experience that can scale with growing environments should be privileged.

Use Cases

Basic Searching and Reporting

This use case focuses on the simplest use case for SIEM, searching and reporting on the pool of logs.

These searches are often used for basic queries such as “Who logged in this weekend to our VPN concentrator?” and sometimes then run as periodic reports. Often the users are less mature organizations that do not have the skill set, availability or appetite to embark on more complex real-time monitoring use cases. However, these organizations also understand the benefit of using SIEM tools for searching and reporting across the enterprise, and want a path to more sophisticated real-time monitoring use cases.

A tool’s ability to rapidly allow nonexpert users to get an answer to their question, benefit from relevant visualizations, and intuitively pivot to more searches or to the creation of reports will be key to this use case.

Compliance and Control Monitoring

This use case is aimed at demonstrating compliance with specific mandates like PCI DSS, HIPAA or SOX, or best practices or control policies like ISO 27001 or CIS Controls.

These use cases tend to demonstrate that a particular event or series of events has indeed happened, or, on the contrary, never happened. Often in the form of checklists that can be hundreds or thousands of lines long that auditors need to validate, these compliance and control monitoring use cases are hard to manage manually. SIEM tools that offer stronger solutions for compliance and control monitoring use cases will facilitate the whole life cycle for this use case — from providing predefined content that caters to specific compliance and controls, to the way this content is organized in packages that are easy to customize based on unique needs, to how the vendor approaches the updates and new content for these packages, to how easily the reports can be generated and shared with auditors in an automatic way.

Basic Security Monitoring

This use case supports basic broad-based threat detection use cases, as well as capabilities that help new and less mature SIEM buyers and users.

These include ease of deployment and operations, real-time monitoring, and analytics. It typically includes first-time SIEM solution buyers, and buyers focused on less sophisticated use cases. These buyers may be more likely to adopt “single box” solutions and as-a-service and hosted offerings. The focus is on solutions that are easier to implement and manage with packaged content (analytics, reports and responses) that solve discrete threat-monitoring use cases (e.g., ransomware) that do not focus on cloud or IoT/OT security.

Complex Security Monitoring

This use case focuses on SIEM solutions with complex architectures (n-tier, hybrid), environments and user populations, as well as big data-type log and event challenges.

N-tier or hybrid architectures are required to support environments with challenges such as distributed geographies and multiple environments (on-premises, IaaS, SaaS) for data collection; high volumes, velocities and varieties of data collection; and multitenancy requirements. The scope for some use cases could include IoT/OT. Event monitoring, both real time and historic, leverages a variety of analytics in varying degrees of complexity. Best-of-breed security technologies may be employed, which requires integrations for both data collection and incident investigation and response activities.

Advanced Threat Detection and Response

This use case focuses on the early discovery and analysis of advanced and targeted attacks, and the ability to rapidly respond to those attacks.

Advanced threat hunting activities enhanced by the tool are also included in this use case.

Organizations operating in high-risk verticals and environments face an ever-increasing hostile external threat landscape, where adversaries target specific organizations and attempt to compromise them with persistence and an arsenal of tools and tactics in order to achieve their goals. SIEM solution buyers facing these advanced and persistent threat actors look to monitor, detect and respond to attacks across the range of the attack chain in near real time, and through advanced analytics and threat hunting across historic log events and data. These buyers usually seek complementary host and network threat detection and forensics tools, as well as other technologies like SOAR, which are directly integrated, or at least well integrated, with their SIEM solution, to facilitate the rapid investigation and response to detected threats.

In this case, there is a requirement to cross the boundaries between on-premises, cloud and IoT/OT scopes in order to offer a unified view of threats across the full threat landscape.

Vendors Added and Dropped

Added

FireEye and HanSight were added to the SIEM Critical Capabilities research this year, based on their meeting the SIEM Magic Quadrant inclusion criteria.

Dropped

BlackStratus, Netsurion-EventTracker and Venustech were dropped this year because they did not meet the Magic Quadrant inclusion criteria for revenue or geographic presence.

Inclusion Criteria

In this research, we’ve included software products for evaluation. The inclusion criteria are the same as for the SIEM Magic Quadrant:

The product must provide SIM and security event management capabilities to end-user customers via software and/or appliance and/or SaaS.
The SIEM features, functionality and add-on solutions must be generally available as of 31 July 2019.
The product must support data capture and analysis from heterogeneous, third-party sources (that is, other than from the SIEM vendors’ products/SaaS), including from market-leading network technologies, endpoints/servers, cloud (IaaS, SaaS) and business applications
The vendor must have SIEM (product/SaaS license and maintenance, excluding managed services) revenue exceeding $32 million for the 12 months prior to 30 June 2019, or have 100 production customers as of the end of that same period. Production customers are defined as those who have licensed the SIEM and are monitoring production environments with the SIEM. Gartner requires that vendors provide a written confirmation of achievement of this requirement and others that stipulate revenue or customer thresholds. The confirmation must be from an appropriate finance executive within the organization.
The vendor must receive 15% of SIEM product/SaaS revenue for 12 months prior to 30 June 2019 from outside the geographical region of the vendor’s headquarters location, and must have at least 10 production customers in each of at least two of the following geographies: North America, EMEA, the Asia/Pacific region or Latin America.
The vendor must have sales and marketing operations (via print/email campaigns and/or local language translations for sales/marketing materials) targeting at least two of the following geographies as of 30 June 2019: North America, EMEA, the Asia/Pacific region or Latin America.

Exclusion Criterion:

Capabilities that are available only through a managed service relationship — that is, SIEM functionality that is available to customers only when they sign up for a vendor’s managed security or managed detection and response or managed SIEM or other managed service offering. By “managed services,” we mean those in which the customer engages the vendor to establish, monitor, escalate and/or respond to alerts/incidents/cases.

Table 1: Weighting for Critical Capabilities in Use Cases

Enlarge Table

Critical Capabilities	Basic Searching and Reporting	Compliance and Control Monitoring	Basic Security Monitoring	Complex Security Monitoring	Advanced Threat Detection and Response
Architecture/Deployment/Scalability	5%	5%	10%	15%	15%
Cloud Readiness	5%	5%	5%	5%	5%
Operations and Support	10%	10%	10%	10%	5%
Data Management Capabilities	15%	15%	15%	15%	15%
Analytics Capabilities	5%	10%	10%	15%	20%
Response and Incident Management	5%	5%	10%	10%	20%
Content Packaging and Management	5%	25%	15%	10%	5%
Forensics and Threat Hunting	20%	5%	5%	10%	10%
User Experience and User Interface	30%	20%	20%	10%	5%
Total	100%	100%	100%	100%	100%

Source: Gartner (February 2020)

This methodology requires analysts to identify the critical capabilities for a class of products/services. Each capability is then weighed in terms of its relative importance for specific product/service use cases.

Critical Capabilities Rating

Table 2: Product/Service Rating on Critical Capabilities

Enlarge Table

Critical Capabilities	AT&T Cybersecurity	Dell Technologies (RSA)	Exabeam	FireEye	Fortinet	HanSight	IBM	LogPoint	LogRhythm	ManageEngine	McAfee	Micro Focus	Rapid7	Securonix	SolarWinds	Splunk
Architecture/Deployment/Scalability	3.0	3.4	3.9	3.2	2.8	2.8	4.1	2.5	3.8	2.3	3.3	2.9	3.5	4.0	2.3	4.0
Cloud Readiness	3.1	3.5	4.1	3.4	2.5	2.7	4.1	2.7	3.6	2.4	3.2	2.9	3.1	4.1	1.8	4.0
Operations and Support	3.2	3.6	4.5	3.5	3.1	3.0	4.7	2.8	4.0	2.5	3.4	3.3	3.7	4.4	2.4	4.2
Data Management Capabilities	2.9	3.4	4.0	2.9	2.8	2.8	4.0	2.5	3.5	2.3	3.1	2.9	3.3	3.9	2.3	4.0
Analytics Capabilities	2.4	3.6	4.3	3.0	2.8	3.1	4.1	2.7	3.5	2.6	3.0	3.3	3.5	4.5	2.1	4.0
Response and Incident Management	2.7	3.3	4.0	3.3	2.7	2.8	3.8	2.7	3.5	2.3	2.9	3.0	3.2	3.9	1.8	3.7
Content Packaging and Management	2.7	3.3	3.9	3.1	2.7	2.7	4.0	2.5	3.5	2.4	3.0	2.9	3.3	3.9	2.2	3.7
Forensics and Threat Hunting	2.8	3.4	4.0	3.3	2.7	2.8	3.7	2.6	3.5	2.3	2.9	2.9	3.2	4.0	1.8	3.6
User Experience and User Interface	2.6	3.3	3.9	3.1	2.7	2.7	3.9	2.5	3.4	2.3	3.0	2.9	3.3	3.9	2.1	3.7

Source: Gartner (February 2020)

Table 3 shows the product/service scores for each use case. The scores, which are generated by multiplying the use-case weightings by the product/service ratings, summarize how well the critical capabilities are met for each use case.

Table 3: Product Score in Use Cases

Enlarge Table

Use Cases	AT&T Cybersecurity	Dell Technologies (RSA)	Exabeam	FireEye	Fortinet	HanSight	IBM			ManageEngine	McAfee	Micro Focus			SolarWinds	Splunk
Basic Searching and Reporting	2.79	3.40	4.03	3.18	2.76	2.80	3.99	2.58	3.54	2.35	3.06	2.97	3.33	4.02	2.09	3.82
Compliance and Control Monitoring	2.77	3.40	4.04	3.14	2.76	2.80	4.05	2.58	3.55	2.38	3.07	2.99	3.35	4.03	2.15	3.85
Basic Security Monitoring	2.79	3.40	4.04	3.16	2.77	2.81	4.04	2.59	3.57	2.37	3.08	2.99	3.36	4.04	2.14	3.87
Complex Security Monitoring	2.80	3.43	4.07	3.17	2.78	2.84	4.05	2.60	3.59	2.38	3.09	3.01	3.37	4.08	2.13	3.89
Advanced Threat Detection and Response	2.77	3.43	4.07	3.16	2.76	2.86	4.00	2.62	3.57	2.38	3.06	3.02	3.35	4.08	2.08	3.88

Source: Gartner (February 2020)

To determine an overall score for each product/service in the use cases, multiply the ratings in Table 2 by the weightings shown in Table 1.

Critical Capabilities Methodology

This methodology requires analysts to identify the critical capabilities for a class of products or services. Each capability is then weighted in terms of its relative importance for specific product or service use cases. Next, products/services are rated in terms of how well they achieve each of the critical capabilities. A score that summarizes how well they meet the critical capabilities for each use case is then calculated for each product/service.

“Critical capabilities” are attributes that differentiate products/services in a class in terms of their quality and performance. Gartner recommends that users consider the set of critical capabilities as some of the most important criteria for acquisition decisions.

In defining the product/service category for evaluation, the analyst first identifies the leading uses for the products/services in this market. What needs are end-users looking to fulfill, when considering products/services in this market? Use cases should match common client deployment scenarios. These distinct client scenarios define the Use Cases.

The analyst then identifies the critical capabilities. These capabilities are generalized groups of features commonly required by this class of products/services. Each capability is assigned a level of importance in fulfilling that particular need; some sets of features are more important than others, depending on the use case being evaluated.

Each vendor’s product or service is evaluated in terms of how well it delivers each capability, on a five-point scale. These ratings are displayed side-by-side for all vendors, allowing easy comparisons between the different sets of features.

Ratings and summary scores range from 1.0 to 5.0:

1 = Poor or Absent: most or all defined requirements for a capability are not achieved

2 = Fair: some requirements are not achieved

3 = Good: meets requirements

4 = Excellent: meets or exceeds some requirements

5 = Outstanding: significantly exceeds requirements

To determine an overall score for each product in the use cases, the product ratings are multiplied by the weightings to come up with the product score in use cases.

The critical capabilities Gartner has selected do not represent all capabilities for any product; therefore, may not represent those most important for a specific use situation or business objective. Clients should use a critical capabilities analysis as one of several sources of input about a product before making a product/service decision.

By Gorka Sadowski, Kelly Kavanagh, Toby Bussa

Magic Quadrant for Security Information and Event Management

Published 18 February 2020 – ID G00381093 – 72 min read

https://www.gartner.com/doc/reprints?id=1-5WG67KN&ct=181205&st=sb

Security and risk management leaders increasingly seek security information and event management solutions with capabilities that support early attack detection, investigation and response. Users should balance advanced SIEM capabilities with the resources needed to run and tune the solution.

Market Definition/Description

The security information and event management (SIEM) market is defined by customers’ need to analyze security event data in real time, which supports the early detection of attacks and breaches. SIEM systems collect, store, investigate, support mitigation and report on security data for incident response, forensics and regulatory compliance. The vendors included in this Magic Quadrant have products designed for this purpose, which they actively market and sell to the security buying center.

SIEM technology aggregates event data produced by security devices, network infrastructure, host and endpoint systems, applications and cloud services. The primary data source is log data, but SIEM technology can also process other forms of data, such as network telemetry (i.e., flows and packets). Event data is combined with contextual information about users, assets, threats and vulnerabilities. The data may be normalized, so that events, data and contextual information from disparate sources can be analyzed for specific purposes, such as network security event monitoring, user activity monitoring and compliance reporting. The technology provides real-time analysis of events for security monitoring, query and long-range analytics for historical analysis, and other support for incident investigation and management, and reporting — e.g., for compliance requirements.

Magic Quadrant

Figure 1. Magic Quadrant for Security Information and Event Management

Source: Gartner (February 2020)

Vendor Strengths and Cautions

AT&T Cybersecurity

AT&T Cybersecurity, part of the AT&T Business portfolio, is headquartered in Dallas, Texas. AT&T Cybersecurity’s SIEM solution is Unified Security Management (USM) Anywhere, which is delivered as a software as a service (SaaS) solution. It packages several other security elements with SIEM, including asset discovery, vulnerability assessment, an intrusion detection system (IDS) for network and cloud, and endpoint detection and response (EDR). An on-premises software deployment, USM Appliance, is available and is still supported; however, the vendor continues to focus more on the USM Anywhere SaaS offering. USM customers can connect to the Alien Labs Open Threat Exchange (OTX) via an API key to gain additional indicators of compromise (IoCs) and threat intelligence sharing capability.

The AlienVault USM Appliance and Anywhere products are licensed on the amount of data analyzed (gigabyte per month) and are offered as subscription-only. There is also licensing for managed security service provider (MSSP) partners who want access to USM’s central management console, USM Central, which provides unified dashboards across multiple USM Anywhere deployments.

Advancements during the past 12 months include the addition of an EDR agent to the USM portfolio to provide threat visibility and automated response actions for the major OSs. USM Anywhere now has threat visibility and response capabilities for Google Cloud, as well as enhanced case management features for analysts performing investigations.

Small and midsize businesses (SMBs) in financial services and healthcare verticals, which need SIEM as a service (SaaS SIEM) delivery models with bundled security controls that don’t require extensive database or application monitoring or advanced analytics, should consider AT&T Cybersecurity’s USM Anywhere.

Strengths

Deployment: The SaaS form factor, combined with predefined content for detections and dashboards, offers relatively quick deployment and initial operation, compared with on-premises SIEM.
Operations: Detection content is updated frequently by the vendor. The USM Anywhere detection rules and dashboards are updated weekly, based on the findings of the AT&T Alien Labs threat intelligence team.
Product: AT&T Cybersecurity offers strong integrations with its own technologies for endpoint agent deployment/management, network intrusion detection, vulnerability scanning/asset discovery and threat intelligence. Native file integrity monitoring (FIM) and EDR capability is above average, although support for third-party solutions is more limited than that of many of its competitors.
Product: Customers that must manage data residency requirements for multiple geographic regions can monitor 13 Amazon Web Services (AWS) regions, with central management available via the USM Central App. Data residency is supported in nine countries: the U.S., Ireland, Germany, Japan, Australia, U.K., Canada, India and Brazil.

Cautions

Market Understanding: AT&T Cybersecurity must manage a complex go-to-market approach for security monitoring. AT&T Cybersecurity offers SaaS SIEM and a managed security offering to end users; however, it competes with a large number of third-party service providers that offer managed services to end users via USM Appliance. AT&T Cybersecurity must create clear messaging regarding its target buyers, and how those buyers can get managed services support for their monitoring solutions. In addition, vendors must balance investments in capabilities relevant to MSE buyers with those relevant to managed services providers, because these target markets typically have differing priorities for features and functions.
Product: Out-of-the-box integrations relevant to enterprise SIEM deployments are missing or limited. USM Anywhere does not integrate with identity repositories for user authentication, nor is there integration with ERP solutions or third-party, big data platforms or security orchestration, automation and response solutions. Other integrations, via the AlienApps ecosystem, are limited. Support for infrastructure as a service (IaaS) monitoring depends on the deployment of USM Anywhere sensors in AWS and Azure, and Google Cloud Platform (GCP). Monitoring of SaaS via AlienApps is limited to Microsoft Office 365, Google G Suite, Box and Okta, and a handful of others.
Product: USM Anywhere support for user monitoring is basic, compared with many of its competitors. The product does not have native user and entity behavior analytics (UEBA) capability, nor does it provide integrations with third-party UEBA solutions.
Product: There is no feature parity between USM Appliance and USM Anywhere, with more development funding being invested in USM Anywhere.
Customer Experience: AT&T Cybersecurity received clearly mixed reviews for service and support, log management/reporting, and for real-time monitoring from customers, based on Gartner customer feedback via inquiry, and Peer Insights and vendor references.

Dell Technologies (RSA)

RSA is a business within Dell Technologies, which is headquartered in Round Rock, Texas. Its main offices are in Bedford, Massachusetts, as well as Bracknell, U.K.; Singapore; Tokyo, Japan; and Brazil.

The RSA NetWitness Platform (RSA NWP) is composed of several components: RSA NetWitness Logs, RSA NetWitness Endpoint, RSA NetWitness Networks, RSA NetWitness UEBA, and RSA NetWitness Orchestrator. UEBA competencies derive from the 2018 acquisition of Fortscale, while the RSA NetWitness Orchestrator security orchestration automation and response (SOAR) is an OEM of Demisto’s SOAR solution.

Licensing is based on the nature of the tool, with pricing for RSA NetWitness Logs, including all components to run the SIEM, based on data volume. (Metered licensing on a perpetual or term basis is the default for all new customers.) Its legacy pricing model can be licensed by appliance capacity (for physical appliances). Clients can add other for-pay components, such as:

RSA NetWitness Endpoint — based on the number of endpoints
RSA NetWitness UEBA — based on the number of users monitored
RSA NetWitness Network — based on metered volume or legacy appliance capacity
RSA NetWitness Orchestrator (Demisto OEM reviewed in this research) — based on the number of security analysts

Customers can mix appliance and metered licensing to enable granular capacity growth across the deployment architecture.

RSA NWP Version 11.3, introduced in April 2019, offers some improvements in the RSA NetWitness Endpoint, the introduction of RSA NetWitness Endpoint-specific UEBA models, and a tighter integration between the SIEM and the UEBA solutions.

Enterprises with a mature security operations capability seeking a single-vendor SIEM platform, with native endpoint, network and UEBA modules, as well SOAR capabilities, and support for analytics, forensics/hunting and reporting/compliance, should consider RSA NetWitness Platform.

Strengths

Deployment: Organizations can mix and match appliances, virtual appliances and software to build functional stacks, enabling flexible deployments and horizontal scalability capabilities.
Product: This is mature technology that’s well-suited to advanced threat defense (ATD) use cases, thanks to multistage analytics encompassing RSA NWP’s wide portfolio of additional, natively integrated solutions for ubiquitous view and analytics across endpoints and networks.
Product: RSA NWP offers a multistage analytics engine with interesting, unsupervised modeling capabilities across endpoints, network and users.
Product: RSA NWP has a strong feature set in support of forensics and threat hunting, with ubiquitous access of forensics artifacts across a wide RSA technology stack — e.g., fetch running process list from endpoints, or packet capture (PCAP) analysis natively inside the NWP user interface (UI).
Deployment/Support: RSA offers RSA Live accessible directly from the NWP console, for access to all RSA NWP content.
Sales Execution: RSA has an extensive worldwide ecosystem of channel partners and service providers offering local support for NWP, for integration, management and/or operations.

Cautions

Product Strategy: RSA’s NWP SOAR strategy is based on OEM relationships in a dynamic market (Demisto before the Palo Alto Networks acquisition, and Threat Connect after. RSA indicated they will support Demisto for several years). Clients should validate that RSA’s SOAR partner fits their requirements.
Product: The UEBA capabilities offer fewer models than some of its competitors. RSA NetWitness’s Network UEBA models are slated for release in 1Q20.
Deployment/Support: RSA NWP is not available from the vendor as a SaaS offering, although some RSA partners offer that capability. Organizations that want a vendor-delivered SaaS SIEM may find limitations in the product and should be comfortable with its cloud security roadmap.
Product: Compared with competitors targeting the midmarket, the RSA NetWitness Platform is more complex to deploy and operate for less-mature buyers.

Exabeam

Exabeam’s Security Management Platform (SMP) is composed of seven products: Exabeam Data Lake, Exabeam Cloud Connectors, Exabeam Advanced Analytics, Exabeam Threat Hunter, Exabeam Entity Analytics, Exabeam Case Manager and Exabeam Incident Responder. The SMP is available as software for on-premises deployments, and is offered as a cloud-based SIEM, hosted and managed by Exabeam. There are several form factors for on-premises deployments: hardened physical appliances, virtual appliances, dockerized containers, and private or public cloud deployments (in Amazon, Google and Azure). Moreover, an on-premises deployment can consist of multiple form-factor (i.e., physical, virtual and cloud) options.

Exabeam’s licensing and pricing models are straightforward. Each of the SMP products is sold as a one- or three-year subscription, and priced by the number of employees in the organization, with the exception of Entity Analytics, which is priced by the number of assets monitored.

During the past 12 months, Exabeam has made several enhancements to SMP:

A single UI for Advanced Analytics, Threat Hunter, Case Manager and Incident Responder
Threat intelligence services delivered via the cloud
Better alignment with the MITRE ATT&CK framework
Improved alert triaging, allowing for richer user and entity context with alerts
Risk-score-based activities related to an alert

Enterprises with security operations teams looking for a modular SIEM capable of delivering on simple through complex security use cases, using a pricing structure not based on volume, with native UEBA and SOAR (both for-pay) capabilities should consider Exabeam SMP.

Strengths

Deployment/Support: SMP enables phased adoption of capabilities that can start with a core SIEM (Data Lake, Advanced Analytics, Case Manager), then expand to Incident Responder for SOAR or Cloud Connectors for SaaS and IaaS use cases.
Product: Exabeam SMP provides a strong foundation for monitoring users, entities and identities. This is performed by the core analytics module (Advanced Analytics) via the native UEBA features in the application (e.g., peer group analysis and monitoring for deviations in behavior).
Product: Exabeam’s Smart Timelines supports less-experienced SIEM users by leveraging machine learning (ML) to organize relevant logs and events in a timeline view, which simplifies investigation and response activities.
Sales: Exabeam’s pricing model is simple. It reduces the buying friction, because it’s not based on volume, but rather on the number of employees in the organization per product, except for Entity Analytics, which is licensed by number of assets.
Market Understanding: Exabeam has demonstrated strong growth and increased visibility with Gartner clients, primarily in North America, through its marketing efforts.
Customer Experience: In Gartner customer inquiry, Peer Insights and vendor references, customers give positive evaluations of several elements, such as deployment and support services, evaluation and contract negotiation, and stronger-than-typical marks for behavior analytics.

Cautions

Market Understanding: Although it has sales operations in multiple geographies, Exabeam is still predominantly purchased by buyers in North America. Buyers outside of North America should validate coverage for sales, professional services and support (whether direct or through partners) for their organizations’ locations.
Market Understanding: Exabeam is still building out its partner network, especially for services such as managed SIEM. Buyers looking for an SIEM-plus-services engagement should confirm the companies Exabeam has identified as partners that are trained/certified, and can address operational and use-case development requirements.
Marketing Execution: Exabeam should better define capabilities relevant to buyers in vertical industries in which the challenges may be different from those of the general buying public (e.g., energy and utilities). Buyers looking for vertical-specific capabilities should confirm that there is appropriate coverage with Exabeam SMP — e.g., content specific to their verticals in the form of out-of-the-box detections and compliance report templates.
Customer Experience: Based on Gartner inquiry feedback, Peer Insights and vendor references, Exabeam can improve on its integration and deployment, and ease of customization of existing rules, predefined reports, and product quality and stability in SMP.

FireEye

FireEye is headquartered in Milpitas, California. FireEye Helix is the core component of the FireEye SIEM. Helix integrates with other, separately licensed, solutions from FireEye for email, network, endpoint and cloud security. FireEye also offers Expertise On Demand, services for tuning rules, investigating alerts, complementing security teams and responding to breaches. FireEye Helix is offered as SaaS SIEM, hosted in AWS and managed by FireEye. Integrated FireEye security solutions also run in the cloud, but can be optionally operated on-premises, either on physical or virtual systems in a hybrid environment. FireEye Helix is available as subscription-only, and pricing is based on events per second (EPS) in tiers as low as 100 EPS or as high as 150,000 EPS.

During the past 12 months, FireEye has added several enhancements, such as IoC context enrichment, orchestration capabilities for detection and response, and Expertise On Demand. In addition, the cloud integrations portal for cloud-to-cloud direct API integrations requires no customer-deployed appliances.

Organizations leveraging FireEye email, network, endpoint and/or cloud security products, or looking for end-to-end detection and response capabilities in one security solution, with the option for managed services, should consider FireEye.

Strengths

Product: Helix includes packaged queries, curated by FireEye, to provide next-step guidance for investigations. More-extensive playbooks and response integrations are available with the FireEye Security Orchestrator.
Product: FireEye provides an extensive, open API that enables access to all elements available through the UI, which enables users to develop integrations and programmatically interact with the solution.
Deployment/Support: The Helix platform has an extensive set of threat detection rules managed by FireEye and updated daily based on the vendor’s strong threat intelligence data acquisition capabilities.
Product: Integrations with the FireEye Endpoint (formerly HX), Network (formerly NX) and Email products for endpoint, network and email forensics provide extensive capabilities for investigations based on forensic data. FireEye threat intelligence is fully integrated, and additional FireEye utilities support evidence collection (Evidence Collector) and response actions (FireEye Security Orchestration).
Deployment/Support: FireEye’s Managed Detection and Response service offering enables customers to use the Helix platform to perform their own searches and investigations, with 24/7 monitoring and response support from the vendor.
Product: FireEye references give positive marks for most capabilities of the product. There is limited feedback from Gartner customers via inquiry or Peer Insights.

Cautions

Product: Support for IaaS and SaaS threat detection is less mature than several competitors. Helix provides detection rules for AWS and Microsoft Office 365, but not yet for other popular IaaS and SaaS applications.
Deployment/Support: Helix’s event acquisition features are not as mature as those of many of its competitors. Helix lacks autodiscovery of event sources, and there is no capability for end users to develop new parsers. Log management capabilities depend on the features available from the underlying AWS platform. Customers should validate that the data management available on the AWS platform is sufficient for their requirements.
Product: Compliance reporting capabilities are limited, compared with those of more-established competitors — e.g., there are dashboards only for Payment Card Industry Data Security Standard (PCI DSS) and Health Insurance Portability and Accountability Act (HIPAA) mandates.
Product: FireEye is growing its technology partner ecosystem, but not all integrations are available throughout the FireEye portfolio. Potential customers should validate that the third-party integrations available with FireEye products — through Security Orchestration, the Helix platform, or the FireEye Network, FireEye Endpoint or other products — support the use cases required.

Fortinet

Fortinet is headquartered in Sunnyvale, California, with 58 offices globally and regional headquarters in Sunrise, Florida; Sophia, France; Sydney; Singapore; and Tokyo.

The Fortinet SIEM solution FortiSIEM includes:

FortiSIEM Advanced Agent — an agent for Windows and Linux, with some FIM and EDR capabilities
FortiGuard IoC — a for-pay threat intelligence subscription feed
FortiInsight — a for-pay, pure-play UEBA tool derived from the ZoneFox acquisition

Fortinet FortiSIEM is part of Fortinet’s Security Fabric. This allows enhanced collaboration and integration among several of Fortinet’s portfolio solutions (e.g., Fortinet FortiSandbox) for additional, multitool use cases.

FortiSIEM is licensed on the number of assets in scope (number of IP addresses), as well as total EPS and number of FortiSIEM agents. Licenses can be perpetual or subscription (term)-based. For nonvirtual appliance deployment, the hardware appliance purchase is an additional cost.

Fortinet FortiSIEM Version 5.2.1, introduced in March 2019, presented the concept of Explorer View that helps security analysts pivot from results to searches when doing forensics and threat hunting, support for IPv6, and additional pseudonymization features to help General Data Protection Regulation (GDPR) customers.

Fortinet FortiSIEM has strong support for organizations with existing Fortinet solutions, or managed service providers (MSPs) supporting Fortinet products, and MSSPs looking to offer Fortinet FortiSIEM as a service, using a low-friction/risk approach.

Strengths

Product Strategy: Fortinet FortiSIEM will appeal to Fortinet-centric organizations, because it directly integrates with several of Fortinet’s technologies (e.g., endpoint, sandbox, mail and deception) via the Fortinet Security Fabric for bidirectional automated remediation actions.
Product: Fortinet FortiSIEM offers a solid set of compliance packages natively out of the box (e.g., PCI, COBIT, SOX, ISO, ISO 27001, HIPAA, GLBA, FISMA, NERC, GPG13 and SANS), as well as IT operations and network operations use cases via packaged content.
Product: Fortinet FortiSIEM has powerful asset discovery features and can automatically build an organization’s configuration management database (CMDB) by actively scanning the environment and passively listening to network traffic.
Product: Fortinet FortiSIEM delivers on most nonadvanced security use cases, but can also be used as an IT operations and network operations tool, due to its performance and availability monitoring and CMDB capabilities.
Customer Experience: Overall customer satisfaction with FortiSIEM in Gartner inquiry feedback and Peer Insights is generally positive, and aligned with that of many competitors, with higher marks than several competitors for the product’s threat intelligence capabilities.
Sales Strategy: Fortinet has a partner program for MSSP with pay as you go (PAYG) partnership models that can encourage MSSPs to deliver FortiSIEM as a service.

Cautions

Product Strategy: Fortinet customers planning to support OT/Internet of Things (IoT) monitoring will need to use partner products to parse events and integrate CMDB information.
Product Strategy: Fortinet FortiSIEM’s cloud security functional coverage is not as strong as other competitors — e.g., it lacks support for GCP and IBM Cloud.
Product: Fortinet FortiSIEM’s real-time advanced analytics capabilities lag those of some competitors — for example, it can’t dynamically establish peer groups. FortiInsight offers more UEBA features, but only for endpoints running FortiInsight agent.
Product: Organizations looking to use Fortinet FortiSIEM as a case and incident management platform for forensics or threat hunting will find that the case creation and management is less intuitive than other tools, and there are no native integrations with threat-hunting tools.
Sales Strategy: Fortinet does not offer SaaS SIEM. Clients seeking it will need to use Fortinet’s MSSP partner.
Customer Experience: Customers express lower satisfaction with FortiSIEM sales/support-related areas. This may indicate that Fortinet’s partner-led go-to-market strategy is not as strong for SIEM as for other products.

HanSight

HanSight is a vendor with headquarters in Beijing, China. HanSight primarily sells in China, as well as other areas of the Asia/Pacific (APAC) region (e.g., Japan and Singapore) and Latin America through channel partners. HanSight Enterprise SIEM is the core product. It is part of an ecosystem of solutions that includes UEBA; network traffic analytics (NTA), with IDS capabilities; vulnerability management; asset discovery; data loss prevention (DLP); and threat intelligence management. EDR and cloud workload protection platform (CWPP) capabilities are provided through partnerships with several Chinese security technology vendors.

The platform is available as software, a hardware appliance (for smaller deployments) or as a hosted platform. HanSight’s on-premises solutions are licensed as perpetual plus annual maintenance. Enterprise SIEM is priced by data velocity (EPS), with a tiered discount. Other modules are priced by the number of users (UEBA), the sensors deployed and bandwidth (NTA), and assets (VM and Assets). Hosted Enterprise SIEM is based on the standard pricing, plus an uplift for hosting the application, and is licensed on a subscription model.

During the past 12 months, HanSight added its HanSight Query Language (HQL) for search capabilities, introduced the DLP add-on, and added event aggregation and incident timeline visualizations.

Organizations in China — particularly those in the banking and financial sectors looking for an SIEM with an ecosystem for their security operations focused on supporting technologies in the region — should consider HanSight.

Strengths

Product: HanSight offers a strong ecosystem of technologies that complement its core SIEM solution, which will appeal to organizations looking to instrument a modern security operations center (SOC) from a single vendor.
Product: The platform leverages modern big data technologies and approaches, and also offers a version delivered as a service.
Product: HQL and the search function include features such as an integrated development environment (IDE)-style analysts’ notebook capability, as well as the ability to share saved searches via quick response (QR) code.
Customer Experience: Based on Gartner Peer Insights and vendor customer references, users give above-average scores for service and support, compared with the competition, especially for support.

Cautions

Operations: HanSight primarily competes in the Chinese market and has limited visibility outside that market. Channel partners outside the APAC region are limited to Latin America. There is no direct sales channel in North America or Europe.
Product: Monitoring coverage is still variable. There is good coverage for cloud environments, including AWS and Alibaba; however, support for virtual environments, such as VMware and Hyper-V, is not yet available, nor is data collection from Azure.
Product Strategy: Some features and functionality (e.g., threat intelligence management) are localized to Chinese and are unavailable in other languages.
Customer Experience: Based on feedback from Gartner Peer Insights and vendor references, log management and incident management capabilities are areas for improvement.

IBM

IBM Security provides a range of security technologies and services, and is headquartered in Cambridge, Massachusetts. The QRadar Security Intelligence Platform is primarily built around the QRadar SIEM solution and composed of several other separately priced components:

IBM QRadar Vulnerability Manager — integration of vulnerability assessment data
IBM QRadar Network Insights — QFl application visibility and packet content inspection
QRadar Risk Manager — network device configuration monitoring and threat simulation capabilities
IBM QRadar User Behavior Analytics (UBA) — a free add-on module that addresses some insider threat use cases
IBM QRadar Incident Forensics — forensic investigation support
IBM QRadar Advisor with Watson — advanced-analytics-based root cause identification and attribution engine

IBM also offers the Security App Exchange, which enables QRadar customers to download curated content developed by IBM or third parties to extend IBM QRadar’s coverage or value proposition. Other relevant IBM solutions include the IBM QRadar Network Packet Capture appliance, for stronger network forensics capabilities, and IBM Resilient, a SOAR solution that has supported, bidirectional integration between Resilient and the QRadar SIEM solution. This can help organizations streamline their security incident workflow processes.

IBM QRadar SIEM can be deployed on-premises, via hardware virtual appliances and software packages, or it can be hosted in the cloud via IBM’s cloud-based SIEM solution, QRadar on Cloud (QROC). Core SIEM licensing is based on the customer’s event velocity (number of EPS across the data sources in scope) and flows per minute (FPM). It can be procured via a perpetual license or subscription — the latter is offered only if the customer is purchasing QROC. Pricing for other components in the IBM QRadar Security Intelligence Platform depends on their respective metrics, e.g.:

The number of flows for IBM QRadar Network Insights
The number of assets in scope for IBM QRadar Vulnerability Manager
The number of systems from which configuration data is pulled for IBM QRadar Risk Manager

QRadar Network Insights is available only in hardware appliance format, and QRadar Incident Forensics is only sold as a perpetual license.

During the past 12 months, IBM has improved alert efficiency via its Tuning App, simplified data ingestion from various sources, whereby extracting event properties from a common log format can be accomplished with little or no customization required. IBM has also mapped its QRadar Advisor with Watson to the MITRE ATT&CK framework.

IBM has a wide customer base on the end-user and MSSP side, and tends to appeal to larger organizations, by offering a robust platform to build a threat detection and response function. However, smaller organizations can also benefit from the QRadar SIEM solution, with its relative ease of use and extensive out-of-the-box content for less-advanced security use cases.

Strengths

Sales Strategy: IBM has extensive internal resources and partnerships to support sales, deployment and operational support, including managed services for QRadar, across multiple geographic regions.
Deployment/Support: QRadar offers users extensive options in deployment architecture, with a choice of form factors that can be deployed in various combinations. These include physical and virtual appliances that can be all-in-one and separate components, as well as bring-you-own-license for cloud deployment. The exception is the Network Insights component, which is available as a physical appliance only.
Operations: QRadar has extensive open API to enable customers and partners to develop integrations with the platform. The app marketplace has extensive integrations provided by IBM and by third parties.
Product: QRadar offers strong capabilities for managing the collection of events. Users can configure logging to automatically detect multiple event formats, with options to filter them, forward them to real-time analytics or to bypass the analytics tier and send to the data store. Direct forwarding of events to the data store does not contribute to the EPS licensing metric.
Sales Strategy: QRadar includes UBA in the base licensing for QRadar, so there is no additional cost to acquire UBA.
Product: The QRadar Advisor with Watson offers strong support for incident investigation by providing context enrichment from internal and external sources, suggesting next steps based on attacker actions and prioritizing alerts for further action.

Cautions

Pricing: The several licensing models and pricing schemes for the various components associated with the QRadar platform present a complex set of choices for potential customers. Models include perpetual and term licensing, based on several factors that include data velocity, number of assets, and whether the technology is deployed on-premises or in the IBM cloud. A QRadar solution might include a mix of perpetual and term licensing, depending on the technology and deployment choices.
Product Strategy: QRadar offers limited options for data collection for forensics from endpoints/hosts. IBM’s lack of native EDR capability is in contrast with the fuller capabilities for network monitoring. Customers must deploy third-party products or rely on its WinCollect agent or Sysmon for Windows collection.
Operations: The modernization of the user experience (UX) for QRadar is still a work in progress, and the UI is not consistent across the various components of the platform.
Pricing: IBM is demonstrating increasing reliance on their add-on products, available for additional cost, such as Resilient and QRadar Advisor for incident response capabilities, such as prioritization, investigation, context assembly and other response actions.
Innovation: The components of the QRadar platform are at differing levels of maturity and integration with other components and with new IBM cloud management offerings. Users should confirm that roadmap commitments for capabilities relevant to their own operations are on track.
Customer Experience: Based on Gartner customer feedback via inquiries, Peer Insights reviews and vendor references, QRadar’s analytics and behavior profiling, and the vendor’s sales/contracting processes are areas for improvement.

LogPoint

LogPoint is headquartered in Copenhagen, Denmark, with offices in Europe, The Middle East and Africa (EMEA; e.g., London, Paris and Munich); in the U.S. (Boston); and the APAC region (e.g., Kathmandu). LogPoint SIEM solution is composed of the following modules:

LogPoint Core SIEM
LogPoint UEBA
LogPoint Director (which includes Console and Fabric)
LogPoint Applied Analytics

LogPoint’s core SIEM license is a subscription based on the number of assets (number of IP addresses), and includes all modules, except LogPoint UEBA, which is licensed for additional cost, based on the number of employees and assets.

LogPoint SIEM and all of their components can be deployed on-premises via a physical or software appliance (based on a hardened version of Linux Ubuntu), while the UEBA solution is delivered as a SaaS model. LogPoint Version 6.6.1 introduced in June 2019 offered improvements in incident investigation via data mining and visualizations, while UEBA Version 2.1.0 can detect anomalies across users and entities.

LogPoint will appeal to enterprises and MSSPs looking for a European vendor, and to privacy-conscious organizations looking for an SIEM with predictable, asset-based licensing, and basic incident response capabilities.

Strengths

Pricing: LogPoint will appeal to organizations looking for an SIEM vendor with predictable pricing based on number of assets. LogPoint offers special pricing models for selected verticals. As an example, LogPoint offers hospitals a fixed fee based on the number of beds, municipalities a fixed fee based on the number of inhabitants, and universities a fixed fee based on the number of students.
Product Strategy: LogPoint is an EMEA-based SIEM provider with an acute appreciation of privacy requirements that delivers advanced features in data masking and obfuscation for GDPR and CCPA requirements. LogPoint is the only SIEM that has obtained a Common Criteria EAL 3+ certification.
Product: LogPoint offers two stages of enrichment of data: at ingest time for static data (e.g., IP to MAC) and at time of search, with latest available threat intelligence.
Sales/Partner Strategy: LogPoint has developed a dense ecosystem of channel and MSSP partners in Europe, making LogPoint widely available as a product or a service.
Product: LogPoint is natively multitenant through a federated model in which each tenant is connected to a management fabric, facilitating adoption by MSSPs.
Market Understanding: LogPoint has carved some niche markets with interesting capabilities and security use cases for organizations extensively using SAP, or utilities using specific IoT equipment, such as Siemens wind turbines.

Cautions

Sales Execution: LogPoint’s U.S. expansion remains nascent; LogPoint has less visibility among Gartner’s North American clients, and outside EMEA generally.
Product Strategy: Although LogPoint is natively available as ready-to-run images for AWS and Azure, the SIEM is not available as SaaS from LogPoint, but UEBA is only available as SaaS.
Product Strategy: LogPoint makes extensive use of query languages for rules, dashboards and alerts, which require training and familiarity with the syntax.
Product: Case management and SOC collaboration features are basic and might not support all aspects of SOC operations. Integrations are provided with several SOAR products.
Product: Clients looking to get advanced analytics capabilities for typical UEBA use cases, such as user monitoring need to be ready to purchase the additional UEBA module as the core SIEM’s native ML capabilities are limited.
Product: Collection and parsing for custom-made data sources (e.g., custom business applications) is done via “plug-ins,” which need to be developed by LogPoint or configured by the customer. Cloud monitoring feature set is emerging — for example, there is no support for GCP or IBM Cloud.

LogRhythm

LogRhythm is headquartered in Boulder, Colorado, and brands its SIEM solution as LogRhythm NextGen SIEM Platform. The core SIEM component is the XDR Stack, which is made up of DetectX, AnalytiX and RespondX. Add-on modules include UserXDR, LogRhythm’s rebranded UEBA product, and NetworkXDR, which provides NTA capabilities, as well as System Monitor (SysMon Lite and Pro) and Network Monitor (NetMon and NetMon Freemium). It is available in configurations for large (LogRhythm Enterprise) and midsize (LogRhythm XM) enterprises. It can be deployed on-premises as software, a physical appliance or a virtual appliance, in IaaS or hybrid environments.

LogRhythm’s cloud-based SIEM offering, LogRhythm Cloud, is also available, and hosted and administered by the vendor. The XM solution is an all-in-one appliance; horizontal scalability is possible as the various discrete components that make up the LogRhythm platform can be deployed as stand-alone as required. Multitenancy is also natively supported.

LogRhythm’s core product, the XDR Stack, is licensed based on data velocity (aka messages per second [MPS]). Although UserXDR is licensed based on the number of users being monitored, and NetworkXDR (or NDR) and Network Monitor are licensed based on gigabits per second (Gbps), System Monitor is priced per agent. Licenses are available as perpetual or term, along with enterprisewide agreements. At the beginning of October 2019, LogRhythm announced its Unlimited Data Plan (ULP) offering to help eliminate consumption-based capacity tracking and improve budget predictability.

During the past 12 months, LogRhythm has introduced its cloud-based version, branded as LogRhythm Cloud. It has introduced a software-license model decoupled from their physical hardware (allowing the solution to be installed on customer hardware, in IaaS or a hybrid model across LogRhythm appliances, customer infrastructure and IaaS). It has also added enhanced automation, integrations and case management features, and its Echo and LogWars features leverage its SIEM as a training tool for users.

Organizations that prefer a single-vendor ecosystem to instrument their security operations team for threat monitoring and response, and compliance use cases, along with flexible deployment options, should consider LogRhythm.

Strengths

Product Strategy: LogRhythm offers a single-vendor-ecosystem approach for buyers that want a unified solution that includes core SIEM, network monitoring, endpoint monitoring and UEBA.
Deployment/Operations: The range of professional services, from onboarding to ongoing support, is extensive. LogRhythm customers can take advantage of various co-pilot products to provide additional support for initial implementation, and for ongoing operations and use of the solutions.
Deployment: LogRhythm has a strong set of options for running its core SIEM solution, including physical hardware, software (for installation on-premises or in IaaS, such as AWS, Azure and Google Cloud), and as SaaS.
Product: LogRhythm offers an extensive range of compliance reports across a variety of industries and regulations worldwide.
Customer Experience: LogRhythm customers offer generally positive feedback on product capabilities.

Cautions

Product Strategy: LogRhythm continues to lag competitors in areas such as moving the platform toward a modern SIEM architecture (e.g., it’s still a mix of Windows Server, MS SQL and Linux OS), and the lack of a dedicated SOAR offering.
Market Understanding: Support for monitoring in IaaS is lagging, compared with competitors. It’s unclear whether API, Sysmon or other agents (e.g., Beats) may be the preferred mechanism to collect data out of cloud services provider (CSP) environment.
Marketing Execution: LogRhythm has added new branding on top of its product names, with the XDR Stack branding. However, this adds more complexity into an existing mix of product names and features (Next Gen SIEM, CloudAI [for UEBA], Sysmon, Netmon, LogRhythm Cloud, AI Engine, etc.). Buyers should validate what is being proposed to them and determine whether the products and components meet their use cases and requirements.
Product: Customers that require on-premises-only deployments will need to address the cloud-only delivery of CloudAI capabilities.
Customer Experience: Feedback from Gartner customer inquiries, from Peer Insights review and from vendor references on capabilities, such as the usefulness of predefined reports and the effectiveness of predefined rules represent opportunities for improvement. Customers offer mixed feedback on deployment and support ease.

ManageEngine

ManageEngine has headquarters in India (Chennai), as well as in the U.S. (Austin, Texas). ManageEngine’s core SIEM product is Log360, but also includes several other modules — at an additional cost — that can integrate with Log360 and address security and IT operations use cases. These include:

ManageEngine ADAudit Plus — Active Directory (AD) change auditing and reporting
ManageEngine EventLog Analyzer — central log management
ManageEngine Cloud Security Plus — central log management (CLM) and SIEM for AWS and Azure
ManageEngine Log360 UEBA
ManageEngine DataSecurity Plus — data discovery and file server auditing
ManageEngine O365 Manager Plus — Office 365 security and compliance
ManageEngine Exchange Reporter Plus — Exchange Server change audits and reporting

ManageEngine Log360 is a software SIEM solution that can be deployed on-premises on physical or virtual systems. It is offered as a perpetual or term license, and pricing is based on the number of event sources or assets in scope. Individual components are licensed based on the number of assets (which varies depending on the specific component). A web-based, cloud-hosted log storage platform, ManageEngine Log360 Cloud, is available. It stores the data collected by the log management module, EventLog Analyzer. However, it is not a SaaS-based SIEM tool. Log360 Cloud is available as a subscription, with pricing based on the storage space required. Cloud Security Plus’ pricing is based on the number of cloud accounts in scope, with upsell pricing for additional AWS S3 buckets.

During the past 12 months, ManageEngine has made the following advancements for the Log360 SIEM solution:

The ability to create and manage incident workflows
Integration with ManageEngine Log360 UEBA — providing user activity anomaly detection capabilities, storage optimization and the indexing of performance improvements
The addition of the DataSecurity Plus module — providing data discovery, file storage analysis and Windows file server auditing capabilities

SMBs with Windows-centric and AWS/Azure environments that want to address IT operations, in addition to basic security event monitoring and threat detection use cases, should consider ManageEngine.

Strengths

Product: ManageEngine provides above-average compliance reporting, including PCI DSS, HIPAA, FISMA, SOX, GLBA, GDPR, and several other industry- and region-specific mandates that are included out of the box.
Product: Log360 supports automatic discovery of syslog devices on a customer network, which can be added to the event sources monitored by the solution.
Operations: Several response workflows are included with Log360. Actions associated with these include blocking USBs, disabling users and killing processes. Some actions may require other ManageEngine products.
Customer Experience: ManageEngine customers, based on Gartner Peer Insights data and vendor-supplied reference data, indicate generally strong satisfaction with ManageEngine and the capabilities of Log360. Areas where there is room for improvement include those identified in the Cautions section, such as integrations with other products, and user, data and application monitoring.

Cautions

Product Strategy: Several integrations relevant to enterprise SIEM deployments are missing or limited. There is no support for security orchestration, automation and response solutions, FIM or EDR products, UEBA products, or ERP solutions. Log360 does not have open APIs to support customer integrations.
Product: Data monitoring support is limited to MS SQL and Oracle logs, with no support for DLP or database audit and protection (DAP). Network-based monitoring is only supported via third-party solutions.
Product: Support for management of log data is limited. For example, Log360 does not support multiple log data retention policies.
Product: User monitoring is a work in progress. The ADAudit Plus product provides AD monitoring, and ManageEngine has added basic anomaly detection and risk scoring. However, richer UEBA capabilities are not available.
Product: Support for ATD is limited. Payload detection, network traffic analysis and forensics support require third-party products.

McAfee

McAfee is headquartered in Santa Clara, California, with main offices in Slough, U.K.; Singapore; Tokyo, Japan; and Sao Paulo, Brazil.

McAfee Enterprise Security Manager (ESM) is composed of the Event Receiver (ERC), Enterprise Log Search (ELS), Enterprise Log Manager (ELM), and the Advanced Correlation Engine (ACE). In addition, McAfee ESM can be extended and enhanced with McAfee Direct Attached Storage (DAS) for additional log storage capacity, or McAfee Global Threat Intelligence (GTI) for IP reputation. Other use cases require additional modules such as McAfee Application Data Monitor (ADM) for Layer 7 application monitoring, or McAfee MVISION Cloud (McAfee’s CASB product) for UEBA features on cloud access.

McAfee ESM is sold as perpetual licenses for physical or virtual appliances. Its pricing model is based on velocity (EPS, aka MPS). It is sized according to the expected EPS in the given customer environment. Customers can increase EPS capacity and/or data source volume until the capacity of their appliance is reached, and can cluster appliances for additional horizontal scalability. McAfee Global Threat Intelligence is sold on an annual subscription basis, and priced according to model (hardware) or core count (virtual) of the ESM appliance purchased.

McAfee ESM’s version 11.2.1, which was introduced in July 2019, is the one analyzed in this research. This version leverages McAfee’s Data Streaming Bus (DSB) architecture, which enables resiliency for hierarchical ESMs, and message routing/forwarding to internal or third-party modules.

Organizations with mature, complex environments and significant investment in McAfee technology for data protection and endpoint security should consider McAfee ESM.

Strengths

Product Strategy: McAfee offers integration among its broad portfolio of solutions addressing security operations and can complement McAfee ESM (e.g., McAfee Threat Intelligence Exchange, or McAfee Active Response for advanced orchestration capabilities).
Product: McAfee ESM offers powerful bidirectional integrations for automated responses with McAfee MVISION EDR, Advanced Threat Defense (ATD), Network Security Platform (NSP) and Web Gateway (MWG).
Product Strategy: McAfee’s ecosystem of technology alliances (McAfee SIA) offers more than 115 active partners, of which 44 are direct ESM integrations or content contributors.
Product: McAfee ESM data acquisition and management feature set is particularly strong — for example, implementing McAfee’s Data Streaming Bus scalability, and support for federated organizations with complex governance requirements.
Sales Strategy: McAfee enjoys a strong global presence — for example, in EMEA, with a dense ecosystem of channel and services partners available to organizations requiring consulting, implementation, operations and/or managed services.

Cautions

Product: McAfee ESM lacks UEBA, and its UBA content pack affords a limited set of use cases. There is no dynamic peer grouping done by the tool.
Product: Although McAfee ESM can provide analytics-based risk scores for suspicious events, the product lags competitors in mapping of these events against frameworks such as Cyber Kill Chain or MITRE ATT&CK to create a timeline of an attack.
Product: McAfee’s ESM native SOAR capabilities for response and playbook automation outside McAfee’s portfolio (e.g., MVISION EDR, McAfee Active Response, McAfee Advanced Threat Defense) lag those of competitors.
Product: Clients should validate that ESM will support their data governance requirements. There is no native encryption for the data stored (data at rest) in ESM. Masking/obfuscation capabilities for data at rest are limited to IP addresses for events stored in the event database.

Micro Focus

Micro Focus, headquartered in Newbury, U.K., offers its ArcSight platform as its SIEM solution. The ArcSight solution is composed of the core SIEM solution, data collection and management components, UEBA, and incident investigation and management. Other add-ons include content-specific packages for compliance, application monitoring and other use cases. Other products in the Micro Focus portfolio also support security use cases, including Application Defender and Voltage data protection solutions. Micro Focus also offers ArcSight Marketplace as the source for customers to identify and implement content packages and technology integrations. ArcSight can be deployed via physical appliances or as software. Pricing for the ArcSight platform is primarily based around EPS, except for Interset UEBA, which is priced by the number of employees.

During the past 12 months, Micro Focus acquired Interset for UEBA, and split the ArcSight Data Platform (ADP) solution into two stand-alone components: Logger and Security Open Data Platform (SODP) with the Transformation Hub. It also introduced new pricing models for the ArcSight portfolio, based around only EPS (e.g., removing volume-pricing elements).

Enterprises with mature security monitoring operations that require high data ingestion capabilities and scalable options, along with the flexibility to route data to various sources, should consider ArcSight.

Strengths

Product Strategy: Micro Focus acquired Interset UEBA in February 2019, adding an in-house UEBA capability that may be integrated more tightly with the ArcSight SIEM. The Interset technology replaces the OEM version of Securonix previously sold with ArcSight.
Product Strategy: The ArcSight platform supports large enterprises and service providers with environments that require scalable and distributed architectures that can prefilter, and then ingest data at high velocities, along with flexible data-routing options — e.g., Logger, Investigate or a stand-alone Elasticsearch environment.
Product: ArcSight has a comprehensive set of out-of-the-box compliance use cases and support for mapping events to MITRE ATT&CK.
Customer Experience: Reference customers give above-average marks to ArcSight’s real-time monitoring capabilities and its ease of customizing correlation rules.

Cautions

Product: Micro Focus must invest in capability upgrades to the ArcSight platform, such as improving the UI/UX and further integrating the Interset product. Buyers and existing ArcSight customers should evaluate the roadmap from Micro Focus to confirm that it will meet their current and planned requirements.
Innovation: Micro Focus is lagging competing vendors offering native SOAR capabilities, a SaaS offering, and deeper support for monitoring IaaS and SaaS and other new environments of concern to customers, such as OT and IoT.
Deployment: Deployment options for the solution vary by component. Connectors, Logger and ESM are available as software and physical appliances. There are images available for ArcSight Management Center, ESM and Logger in AWS and Azure. Investigate and Transformation Hub have completed the containerization process. No SaaS options are available to buyers.
Sales Execution: Based on Gartner customer inquiry, Micro Focus ArcSight rarely appears on shortlists for new SIEM deployments outside the Middle East and India.
Customer Experience: Based on Gartner customer inquiries, Peer Insights reviews and vendor references, Micro Focus needs improvement in sales/contracting and technical support. The same sources indicate that product functions that lag those of competitors include deployment and support simplicity, behavior profiling, analytics, query/investigation capabilities, workflow, and case management.

Rapid7

Rapid7 is based out of Boston, Massachusetts. The company’s Insight platform is composed of InsightIDR (its core SIEM/UEBA offering), InsightVM (vulnerability assessment), InsightAppSec (application security), InsightConnect (SOAR) and InsightOps (log management for IT operations). Rapid7 offers Insight Agent as its preferred endpoint agent to enable telemetry gathering and basic bidirectional response integration capabilities with Rapid7 InsightIDR, Rapid7 InsightVM and Rapid7 InsightOps. InsightIDR also offers integration with InsightVM, which allows customers to deploy one agent across the environment to instrument and collect vulnerability assessment data, while performing detection and response functions.

Rapid7 InsightIDR is a SaaS SIEM solution deployed in AWS, leveraging Insight Collectors or Insight Agents deployed in the customer’s organization to collect, centralize and transmit logs. Rapid7 offers 24/7 threat monitoring and investigation and response functionality via its Managed Detection and Response (MDR) service offering.

Rapid7 InsightIDR’s licensing is subscription-based and is priced by the number of assets in scope (typically servers, desktops and laptops) in a customer’s environment, with tiered pricing for larger numbers of assets.

In April 2019, Rapid7 acquired NetFort, a small NTA company, with the intent to use its network sensor to collect, analyze and send network data to the Insight platform. Other enhancements during the past year include new FIM capabilities, cloud detections and support for AWS and Azure environments, as well as enhanced automation capabilities on an endpoint, and tighter integration with case management tools, such as ServiceNow and JIRA.

SMBs that have limited security operations resources looking for a SaaS-based SIEM solution should consider Rapid7, given the breadth of the Insight platform offerings and option to outsource 24/7 detection and response to the same vendor.

Strengths

Deployment and Support: InsightIDR is a SaaS offering, and requires only the deployment of endpoint agents or collectors on-premises. The architecture provides for relatively easy customer proof of concept (POC) engagements, and fast rollover into production use. Rapid7 manages all patches and platform updates, as well as detection, response and report content updates.
Product Strategy: Rapid7’s portfolio of complementary technologies (e.g., vulnerability management and SOAR) helps organizations address several aspects of security operations, including threat detection and response. For those clients still concerned with 24/7 monitoring of their Rapid7 environment, Rapid7 can offer managed services for threat detection and response based on InsightIDR.
Product: InsightIDR offers strong support for UBA, with out-of-the-box use cases based on anomalous activities. In general, there is a user-centric lens in the incident identification and investigation features of the product, because context and risk scores for users are available to analysts throughout.
Product: Native support for FIM and endpoint is strong, compared with that of competitor vendors. The endpoint agent can also be used to deploy deceptive credentials, a differentiator among SIEM products.
Customer Experience: Based on feedback from Gartner customer inquiry, Peer Insights reviews and vendor references, Rapid7 users give the vendor generally strong marks, and especially strong for simplicity of deployment (and POC engagements).

Cautions

Product Strategy: InsightIDR has integrations among the technology components of the Insight platform, but a relatively small technology alliance ecosystem. Bidirectional integrations with third-party detection, analytics and response technologies are limited, and there are no integrations with big data platforms. The InsightConnect product is required to enable additional integrations with response and bidirectional technologies.
Product Strategy: Reliance on agents for log collection limits support for OT/IoT use cases to InsightIDR’s honeypot deployments. The acquisition of Netfort may bring additional capabilities to these use cases via network monitoring.
Market Understanding: InsightIDR does not support data masking for obfuscation, although logs can be tokenized. Potential customers should validate that the InsightIDR data collection and analysis features support compliance with specific privacy requirements.
Product: InsightIDR runs on top of AWS, and log management, encryption and archiving depend on the capabilities of that platform and are subject to the licensing conditions of the platform. Customers should validate that the log archiving/management capabilities of InsightIDR align with their own requirements.
Customer Experience: Feedback from Gartner customers via inquiry, Peer Insights reviews and vendor references indicate that application monitoring and the availability of third-party resources for services are areas for improvement.

Securonix

Securonix is headquartered in Addison, Texas. Securonix’s SIEM platform consists of the following components: Securonix SIEM, Security Data Lake, UEBA, SOAR, NTA, Threat Intelligence and Apps that provide support and packaged content for addressing specific use cases.

In 2019, Securonix moved to a SaaS SIEM, based in AWS, as the standard deployment model, and most new customers use that model. Customers deploy Remote Ingestor Nodes (RINs) for data collection and transport to the cloud. The solution is offered as a term-based subscription (perpetual licenses are available on an exception basis), and the Securonix pricing model is based on the number of customer employees. There is an additional cost element for hosting, which is based on EPS, plus data storage volume and duration requirements.

Capabilities introduced during the past year include shared multitenant architecture, the SNYPR-EYE deployment and management console, a new OEM, resell and technology-based capabilities for NTA and SOAR, endpoint and database monitoring, and cloud and identity monitoring.

Mature security organizations looking for full-featured, analytics-driven SaaS SIEM, capable of powering an SOC for threat detection and response across complex use cases (e.g., insider threat); hybrid environments (e.g., multiclouds); threat hunting; and compliance, should consider Securonix SIEM.

Strengths

Product Strategy: Securonix has strong cloud support and commitment. Its SIEM is cloud-native and is offered as a service, with three different tenant models (shared, dedicated and isolated).
Product: Securonix offers multilayer analytics, with UEBA capabilities for advanced analytics and behavior modeling across both users and entities, support for complex and advanced use cases (e.g., APT, insider threat and fraud), and mapping of detected attacks to common frameworks, such as the MITRE ATT&CK framework.
Product Strategy: Securonix provides extensive out-of-the-box content, organized in vertical packages (most for an additional cost). It includes complete use cases, analytics, alerts, dashboards and even response playbooks.
Product Strategy: The introduction of SNYPR-EYE provides SIEM managers isolation from the Hadoop technologies, while enabling those with sufficient resources to access underlying Hadoop infrastructures.
Product: Securonix offers advanced obfuscation features, with role-based access control (RBAC) workflows, as well as native encryption features that go beyond those provided natively by AWS.
Customer Experience: Based on Gartner customer inquiry, Peer Insights reviews and vendor reference data, Securonix receives high marks for analytics and user-monitoring capabilities.

Cautions

Deployment/Support: Securonix’s approach to filling functional coverage gaps by OEM, resell and technology partnerships introduces risks, because dependencies are created. Clients should understand both parties’ roadmaps and longer-term commitments, and assess support and maintenance structures.
Marketing Execution: Securonix’s efforts in marketing its brand and tools need continued investment, and should better leverage its technology alliance, partner and OEM relationships (such as those mentioned above).
Product Strategy: Securonix has introduced SNYPR-EYE to improve the platform management experience, and content packages for faster time to value for specific use cases and verticals. However, it will be difficult for Securonix SIEM to continue addressing complex use cases and mature organizations, while remaining simple enough to appeal to nonmature organizations.
Deployment and Operations: The enablement of the full functional coverage of Securonix SIEM, especially features that address advanced use cases, such as multiproduct insider threat, requires effort and expertise.

SolarWinds

SolarWinds is headquartered in Austin, Texas, and offers its SolarWind Security Event Manager (SEM) SIEM solution. SEM includes core SIEM features that provide data management, real-time correlation and log searching to support threat and compliance monitoring, investigations and response. SolarWinds SEM is composed of the Manager and Console, and also includes a multifunction endpoint agent. As a complement to SEM’s core features, SolarWinds portfolio includes products for ticketing and case management, network and application monitoring, and virtual platform monitoring. SolarWinds SEM is priced by number of data sources monitored (aka nodes) and workstations. Licenses are perpetual with annual maintenance. SolarWinds has announced plans to introduce subscription-based pricing in 2020.

SEM is deployed as a self-contained virtual appliance that includes all components (e.g., database and correlation engine). SEM can also be deployed in Microsoft Azure or Amazon AWS.

During the past 12 months, SolarWinds has rebranded Log and Event Manager (LEM) to SEM, along with a new versioning scheme introduced in November 2019. It has also begun to support HTML5-based UIs and UX (migrating away from Flash), and has introduced the ability to deploy SEM into AWS.

SMBs with compliance-focused use cases looking for a simplified overall SIEM experience, as well as existing SolarWinds customers looking to integrate security monitoring into their environments, should consider SolarWinds SEM.

Strengths

Deployment/Operations: SolarWinds emphasizes a do-it-yourself (DIY) approach through a combination of self-service POC (via a 30-day trial version), simplified pricing model, ease of deployment and operation, and a robust peer user community called THWACK. It has received high scores from reference customers.
Product: SolarWinds SEM offers a large, out-of-the-box repository of threat detection rules and compliance content, as well as FIM capabilities included with the solution that support a wide variety of operating systems (e.g., Windows, Linux, macOS and IBM AIX).
Customer Experience: Reference customers give real-time monitoring capabilities high marks, compared with the product’s other capabilities, and ease of deployment, integration and support simplicity are above average, compared with the competition.

Cautions

Marketing Strategy: SolarWinds SEM is predominantly sold in North America and Europe; however, it lacks marketing visibility and channel partners outside these two regions.
Pricing: Licensing models are limited to perpetual only, and deployment options are limited to just virtual appliances for SEM.
Product: SolarWinds lacks features built into many competing SIEMs — for example, native case management/incident management functionality and support for monitoring cloud environments. Customers can leverage other products in the SolarWinds portfolio to complement SEM — for example, Service Desk for case management, and Papertrail and Loggly for log collection and monitoring from cloud environments.

Splunk

Splunk is headquartered in San Francisco, California. The company’s Security Operations Suite includes core products, Splunk Enterprise or Splunk Cloud. There are three security-specific solutions: Splunk Enterprise Security (ES), which Gartner considers mandatory for SIEM; Splunk UBA; and Splunk Phantom. All three are sold as premium, stand-alone products. Splunk Enterprise and Splunk Cloud provide event and data collection, search, and visualizations for various uses in IT operations and some security use cases. ES delivers most of the security content and event-monitoring capabilities, including security-specific queries, visualizations and dashboards, and some case management, workflow and incident response capabilities. UBA adds unsupervised ML-driven, advanced analytics. Phantom provides SOAR capabilities and is designed to provide automated remediation and mitigation of security incidents. Additional apps for security use cases are available through Splunkbase, such as Splunk App for PCI Compliance.

There are multiple deployment options: software on-premises, in IaaS and as a hybrid model. Splunk hosts and operates Splunk Cloud, which is a SaaS solution using AWS infrastructure. Splunk Enterprise and Splunk Cloud components consist of Universal Forwarders, Indexers and Search Heads supporting n-tier architectures.

Splunk Enterprise and Cloud licensing is based on the amount of data ingested into the platform (or gigabytes per day). The only difference is Splunk Cloud includes pricing based on the amount of data retained as storage in Splunk’s AWS environment. Lower pricing is available for data coming from high-volume, low-value log sources, such as Domain Name System (DNS) and NetFlow. ES is also licensed on a consumption basis and is priced as a percentage of Splunk Enterprise. UBA is licensed by the number of user accounts in an organization. However, if customers prefer to coordinate UBA licensing with their other Splunk licenses, they can choose to purchase a consumption-based license for UBA, with pricing as a specified percentage of ES. All of Splunk’s Security Operations Suite products are now only available as term licenses, with various options for enterprisewide pricing and true-ups. Phantom has two different licensing models. One is priced by the number of events on which users take action, and the other is priced by the number of licensed seatholders, or users of the tool.

Splunk’s most important enhancements during the past 12 months include enhanced, real-time monitoring via ES Event Sequencing, the ability to implement security automation with threat intelligence, healthcare-specific vertical content to address prescription theft and patient privacy violations. In late October 2019, Splunk released a cloud-based solution called Mission Control, to more tightly integrate the Enterprise Security, Phantom and UBA products. Mission Control was not GA, and thus not evaluated, during the research phase of the Magic Quadrant.

Organizations seeking an SIEM solution that can grow from basic use cases to more-advanced use cases via add-on capabilities should consider Splunk. Buyers that want a single vendor to support the data and analysis requirements beyond security and across their organizations should also consider Splunk.

Strengths

Deployment: Multiple delivery options for Splunk Enterprise and Enterprise Security include software (which can be deployed on-premises, in IaaS or in a hybrid mode); cloud-hosted; and via appliances (leveraging third parties).
Product Strategy: Splunk’s approach to providing centralized data collection and analysis, with premium solutions on top of the core product, appeals to organizations that want one solution that can support multiple teams (e.g., IT operations, security operations, data and analytics). Buyers can start with one use case or team and then expand into others with limited friction.
Market Understanding: Splunk has fostered a dense ecosystem of partners and technology alliances capable of extending Splunk’s native value via Apps that are use-case- or vendor-specific. Splunkbase is a strong example of how application marketplaces can be used to deliver content and product integrations in a single UX.
Customer Experience: Splunk customers give high marks for ease of integration, quality and availability for end-user training, and the quality of the peer community, compared with their competition.
Marketing Execution: Splunk’s marketing approach and cross-organization selling opportunities have made it highly visible with Gartner clients, ranging from midsize to large, global, multinational enterprises.

Cautions

Customer Experience: Reference customer overall scores for evaluation and contract negotiation, service and support, pricing and contract flexibility, and value for money spent are below most of its competitors. This reflects ongoing concerns raised by Gartner clients about the cost of Splunk. Splunk has introduced several new pricing options, but it’s too soon to evaluate whether those changes will improve Splunk’s lagging perception on pricing, licensing and cost.
Product Strategy: Splunk’s lack of endpoint and network sensors will require buyers to find complementary third-party solutions to fill out the requirements of a modern SOC (e.g., SIEM + UEBA + SOAR + EDR + NTA). Integrations with leading vendors are supported through Splunkbase apps.
Product Strategy: Although Splunk has aligned the pricing model of UBA with that of Splunk Enterprise and Splunk Enterprise Security, Splunk UBA is on a separate technology stack. It is not yet integrated into core Splunk, and remains an on-premises or hosted model, which may affect Splunk Cloud buyers.
Operations: Splunk’s content is available across several platforms, must be licensed separately to access that content, and requires multiple mechanisms for organizing and updating the content — e.g., across premium apps and solutions (such as ES, UBA and Phantom).

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may reflect a change in the market and, therefore, different evaluation criteria, or a change in that vendor’s focus.

Added

FireEye and HanSight were added to the Magic Quadrant this year, based on meeting the inclusion criteria.

Dropped

BlackStratus, Netsurion-EventTracker and Venustech were dropped from the Magic Quadrant this year, because they did not meet the inclusion criteria for revenue or geographic presence.

Inclusion and Exclusion Criteria

To qualify for inclusion, vendors need:

A product that provides SIM and SEM capability to end-user customers via software and/or appliance and/or SaaS.
SIEM features, functionality and add-on solutions that were generally available as of 31 July 2019.
A product that supports data capture and analysis from heterogeneous, third-party sources (that is, other than from the SIEM vendor’s products/SaaS), including market-leading network technologies, endpoints/servers, cloud (IaaS or SaaS), and business applications.
SIEM (product/SaaS license and maintenance, and excluding managed services) revenue exceeding $32 million for the 12 months prior to 30 June 2019, or have 100 production customers as of the end of that same period. Production customers are defined as those that have licensed the SIEM and are monitoring production environments with the SIEM. Gartner will require that you provide a written confirmation of achievement of this requirement and others that stipulate revenue or customer thresholds. The confirmation must be from an appropriate finance executive in your organization.
To have received 15% of SIEM product/SaaS revenue for 12 months prior to 30 June 2019 from outside the geographical region of the vendor’s headquarters location. It should have at least 10 production customers in each of at least two of the following geographies: North America, EMEA, the APAC region and Latin America.
Sales and marketing operations (via print/email campaigns, local language translations for sales/marketing materials) targeting at least two of the following geographies as of 30 June 2019: North America, EMEA, the APAC region and Latin America.

Exclusion criteria includes capabilities that are available only through a managed services relationship. That is, SIEM functionality that is available to customers only when they sign up for a vendor’s managed security or managed detection and response or managed SIEM or other managed services offering. By managed services, we mean those in which the customer engages the vendor to establish, monitor, escalate and/or respond to alerts/incidents/cases.

Evaluation Criteria

Ability to Execute

Product or Service evaluates the vendor’s ability and track record to provide product functions in areas such as real-time security monitoring, security analytics, incident management and response, reporting, and deployment simplicity.

Overall Viability includes an assessment of the technology provider’s financial health, the financial and practical success of the overall company, and the likelihood that the technology provider will continue to invest in SIEM technology.

Sales Execution/Pricing evaluates the technology provider’s success in the SIEM market and its capabilities in presales activities. This includes SIEM revenue and the installed base size, growth rates for SIEM revenue and the installed base, presales support, and the overall effectiveness of the sales channel. The level of interest from Gartner clients is also considered.

Market Responsiveness/Record evaluates the match of the SIEM offering to the functional requirements stated by buyers at acquisition time, and the vendor’s track record in delivering new functions when they are needed by the market. Also considered is how the vendor differentiates its offerings from those of its major competitors.

Marketing Execution evaluates the SIEM marketing message against our understanding of customer needs, and also evaluates any variations by industry vertical or geographic segments.

Customer Experience is an evaluation of product function and service experience in production environments. The evaluation includes ease of deployment, operation, administration, stability, scalability and vendor support capabilities. This criterion is assessed by conducting surveys of vendor-provided reference customers, in combination with feedback via inquiry, Peer Insights and other interactions from Gartner clients that are using or have completed competitive evaluations of the SIEM offering.

Operations is an evaluation of the organization’s service, support and sales capabilities, and includes an evaluation of these capabilities across multiple geographies.

Table 1: Ability to Execute Evaluation Criteria

Enlarge Table

Evaluation Criteria	Weighting
Product or Service	High
Overall Viability	Medium
Sales Execution/Pricing	High
Market Responsiveness/Record	High
Marketing Execution	Medium
Customer Experience	High
Operations	Medium

Source: Gartner (February 2020)

Completeness of Vision

Market Understanding evaluates the ability of the technology provider to understand current and emerging buyer needs, and to translate them into products and services. SIEM vendors that show the highest degree of market understanding are adapting to customer requirements in areas such as early targeted attack and breach detection, as well as simplified implementation and operation, while also meeting compliance reporting requirements.

Marketing Strategy evaluates the vendor’s ability to effectively communicate the value and competitive differentiation of its SIEM offering.

Sales Strategy evaluates the vendor’s use of direct and indirect sales, marketing, service, and communications affiliates to extend the scope and depth of market reach.

Offering (Product) Strategy is an evaluation of the vendor’s approach to product development and delivery that emphasizes functionality and feature sets as they map to current requirements. Development plans during the next 12 to 18 months are also evaluated. The SIEM market is mature. There is little differentiation among most vendors in areas such as support for common network devices, security devices, OSs and consolidated administration capabilities. We weight more strongly coverage for emerging event sources, such as IaaS and SaaS, and environmental context.

Despite the vendor focus on expansion of capabilities, we continue to heavily weight simplicity of deployment and ongoing support. Users, especially those with limited IT and security resources, still value this attribute over breadth of coverage beyond basic use cases. SIEM products are complex and tend to become more so as vendors extend capabilities. Vendors able to provide effective products that users can successfully use as a service, or deploy, configure and manage with limited resources will be the most successful in the market.

We evaluate options for co-managed or hybrid deployments of SIEM technology and supporting services, because a growing number of Gartner clients are anticipating or requesting ongoing service support for monitoring or managing their SIEM technology deployments.

Vertical/Industry Strategy evaluates vendor strategies to support SIEM requirements that are specific to industry verticals.

Innovation evaluates the vendor’s development and delivery of SIEM technology that is differentiated from the competition in a way that uniquely meets critical customer requirements. Product capabilities and customer use in areas such as application layer monitoring, identity-oriented monitoring and incident investigation are evaluated, in addition to other capabilities that are product-specific, and needed and deployed by customers. There is a strong weighting of capabilities that are needed for advanced threat detection (ATD) and incident response: user, data and application monitoring; ad hoc queries; visualization; orchestration and incorporation of context to investigate incidents; and workflow/case management features.

For Geographic Strategy, although the North American and European markets produce the most SIEM revenue, Latin America and the APAC region are growth markets for SIEM and are driven primarily by threat management and secondarily by compliance requirements. Our overall evaluation of vendors in this Magic Quadrant includes an evaluation of vendor sales and support strategies for those geographies, as well as product features to support local and regional compliance requirements regarding data residency and privacy.

Table 2: Completeness of Vision Evaluation Criteria

Enlarge Table

Evaluation Criteria	Weighting
Market Understanding	High
Marketing Strategy	Medium
Sales Strategy	Medium
Offering (Product) Strategy	High
Business Model	Not Rated
Vertical/Industry Strategy	Medium
Innovation	High
Geographic Strategy	Medium

Source: Gartner (February 2020)

Quadrant Descriptions

Leaders

The SIEM Leaders quadrant is composed of vendors that provide products that are a strong functional match with general market requirements, and have been the most successful in building an installed base and revenue stream in the SIEM market. In addition to providing technology that is a good match with current customer requirements, Leaders also show evidence of superior vision and execution for emerging and anticipated requirements. They typically have relatively high market share and/or strong revenue growth, and have demonstrated positive customer feedback for effective SIEM capabilities and related service and support.

Challengers

The Challengers quadrant is composed of vendors that have multiple product and/or service lines, at least a modest-size SIEM customer base, and products that meet a subset of the general market requirements. As the SIEM market continues to mature, the number of Challengers has dwindled. Vendors in this quadrant would typically have strong execution capabilities, as evidenced by financial resources, a significant sales and brand presence garnered from the company as a whole, or from other factors. However, Challengers have not demonstrated a complete set of SIEM capabilities, or they lack the track record for competitive success with their SIEM technologies, compared with vendors in the Leaders quadrant

Visionaries

The Visionaries quadrant is composed of vendors that provide products that are a strong functional match with general SIEM market requirements, but have a lower Ability to Execute rating than the Leaders. This lower rating is typically due to a smaller presence in the SIEM market than the Leaders, as measured by installed base, revenue size or growth, smaller overall company size or general viability.

Niche Players

The Niche Players quadrant is composed primarily of vendors that provide SIEM technology that is a good match with a specific SIEM use case or a subset of SIEM functional requirements. Niche Players focus on a particular segment of the client base (such as the midmarket, service providers, or a specific geographic region or industry vertical) or may provide a more limited set of SIEM capabilities. In addition, vendors in this quadrant may have a small installed base or be limited, according to Gartner’s criteria, by other factors. These factors may include limited investments or capabilities, a geographically limited footprint, or other inhibitors to providing a broader set of capabilities to enterprises now and during the 12-month planning horizon. Inclusion in this quadrant does not reflect negatively on the vendor’s value in more narrowly focused markets or use cases.

Context

SIEM technology provides:

SIM — Log management, analytics and compliance reporting
SEM — Real-time monitoring and incident management for security-related events from networks, security devices, systems and applications

SIEM technology is typically deployed to support three primary use cases:

ATD — Monitoring, alerting in real time, and longer-term analysis and reporting of trends and behaviors regarding user and entity activity, data access, and application activity. Threat detection includes the incorporation of threat intelligence and business context, in combination with effective ad hoc query capabilities.
Basic Security Monitoring — Log management, compliance reporting and basic real-time monitoring of selected security controls.
Investigation and Incident Response — Dashboards and visualization capabilities, as well as workflow and documentation support to enable effective incident identification, investigation and response.

Organizations should define their specific functional and operational requirements, and consider SIEM products from vendors in every quadrant of this Magic Quadrant. Product selection decisions should be driven by organization-specific requirements in areas such as:

The relative importance of basic capabilities versus advanced features
Budget constraints
The scale of the deployment
The complexity of product (deploying, running, using and supporting)
The IT organization’s project deployment and technology support capabilities
Integration with established applications, data monitoring and identity management infrastructure

(See “Toolkit: Security Information and Event Management RFP” for more details.)

Organizations that plan to use external service providers (ESPs) for deployment, configuration or ongoing operations of the SIEM should consider products that have adequate service availability from the SIEM vendor or third-party providers.

Security and risk management leaders considering SIEM deployments should first define the requirements for SEM and reporting. The project will benefit from the input of other groups, including audit/compliance, identity administration, IT operations and application owners. Organizations should also describe their network and system deployment topology, and assess event volume and rates, so that prospective SIEM vendors can propose solutions for company-specific deployment scenarios. The requirements definition effort should also include phased deployments and enhancements — new use cases, which might require new investigation and response capabilities — beyond the initial use cases. This Magic Quadrant evaluates technology providers with respect to the most-common technology selection scenario: an SIEM project that is funded to satisfy a combination of threat monitoring/detection/response and compliance reporting requirements.

Market Overview

Demand for SIEM technology remains strong. The SIEM market grew from $2.319 billion in 2017 to $2.597 billion in 2018 (see “Market Share: All Software Markets, Worldwide, 2018”). Threat management (and specifically threat detection and response) remains the primary driver, and general monitoring and compliance are secondary. In North America, there continue to be many new deployments by organizations with limited security resources that need to improve monitoring and breach detection, often at the insistence of larger customers or business partners. Compliance reporting also continues as a requirement; however, most buyers regard it as “table stakes.”

There continue to be new deployments by larger companies that are conservative adopters of technology. Large, late adopters and smaller organizations place high value on deployment and operational support simplicity. We continue to see organizations of all sizes that are reevaluating SIEM vendors to replace SIEM technology associated with incomplete, marginal or failed deployments.

The SIEM market is mature and competitive. During this broad adoption phase, multiple vendors can meet the basic requirements of typical customers. The greatest area of unmet need is effective detection of and response to targeted attacks and breaches. The effective use of threat intelligence, behavior profiling and analytics can improve detection success. SIEM vendors continue to increase their native support for behavior analysis capabilities as well as integrations with third-party technologies, and Gartner customers are increasingly expressing interest in developing use cases based on behavior.

SIEM deployments tend to grow in scope over a three-year period to include more use cases and more event sources. As the number and complexity of use cases increase, there is typically greater demand for resources to run, tune and operate the SIEM, and to respond to incidents.

SIEM Vendor Landscape

The vendor landscape for SIEM is still evolving, with recent entrants bringing technologies that deliver higher levels of sophistication for analytics use cases and, in several cases, cloud-native SaaS offerings. Vendors with more-mature SIEM technologies are moving swiftly to update their architecture and introduce cloud-based models. Almost all vendors continue to enhance investigation capabilities and introduce integrations for response actions via native capabilities or acquired/third-party SOAR solutions. The SIEM market is characterized by a relatively small number of vendors that have large customer bases, and others with smaller, but rapidly increasing customer bases.

Splunk, Micro Focus, IBM, and LogRhythm command a significant share of market revenue, but several vendors with smaller shares command strong interest among Gartner customers, due to their strength supporting analytics-focused use cases, or their SaaS consumption model, or both. Smaller SIEM vendors are typically focused on specific market segments, such as buyers of their other products, buyers seeking SIEM plus monitoring services, or MSSP or MSP partners.

Notable developments in the market include the announcement of a preview version and, in August, general availability of Microsoft Azure Sentinel, and the availability of Backstory from the Alphabet company Chronicle (which was brought in under Google Cloud). Although these SaaS offerings did not meet the deadline date for inclusion in this research, Gartner customers have expressed interest in how they might affect their existing SIEM deployments and their longer-term SIEM plans.

Elastic, Graylog, Sumo Logic, Devo and other vendors that have previously targeted log collection and analysis for IT operations use cases are adding more support for security use cases. In some cases, they’re marketing them as SIEM. Although they didn’t meet the inclusion criteria for the research, Gartner customers have expressed interest in whether they might be able to satisfy security use cases and enable a single log and event collection architecture for security and for IT operations.

Several SIEM vendors are not included in the Magic Quadrant because of a specific vertical market focus and/or inclusion criteria thresholds and competitive visibility levels:

Odyssey Consultants, based in Cyprus, and several vendors based in China — including DBAPPSecurity, Venustech, Qi An Xin Group — offer SIEMs based on modern, big data and analytics architectures, but have limited visibility among Gartner customers.
Netsurion-EventTracker is focused on MSEs, and offers a central log management solution, as well as more full-featured SIEM, with optional services available for deployment, tuning and security monitoring.
BlackStratus supplies SIEM to MSSP, and offers a cloud-based CyberShark SaaS SIEM focused on midsize buyers.
Huntsman Security (the operating name of Tier-3 Pty Ltd.) is an SIEM vendor with a presence primarily in the U.K. and Australia, focused on governments and critical infrastructure organizations.
Lookwise has a market presence primarily in Spain and South America. The distinguishing characteristic of Lookwise is the threat intelligence feeds from S21Sec, which are focused on the banking and critical infrastructure sectors.
HelpSystems, with its Vityl product suite, provides operational event correlation, business process monitoring and SIEM solutions to customers in Europe and South America.

SIEM Services

Gartner customers increasingly indicate that they are seeking external service support for their SIEM deployment, or are planning to acquire that support in conjunction with an SIEM product (see “How and When to Use Co-managed Security Information and Event Management”). Motivation to seek external services includes lack of internal resources to manage an SIEM deployment, lack of resources to perform real-time alert monitoring or lack of expertise in expanding deployment to include new use cases (e.g., for ATD). We expect demand by SIEM users for such services to continue to grow, driven by more customers adopting 24/7 monitoring requirements and implementing use cases that require deeper SIEM operational and analytics expertise. We also expect increased interest in acquiring use-case content via third-party vendors, such as SOC Prime.

SIEM vendors may support these needs via managed services with their own staff or outsourcing services, or by using partners. SaaS SIEM includes vendor support and maintenance of the platform, often in a public cloud environment. However, customers need to use their own resources (or other service providers) to configure content and monitor and investigate events. MSSPs, which offer real-time monitoring and analysis of events, and collect logs for reporting and investigation, are another option for SIEM users (see “Innovation Insight for SIEM as a Service”). Customer-specific requirements for event collection and storage, alerting, investigation, and reporting may prove problematic for ESPs, and SIEM users exploring services should evaluate the fit of the ESP to meet current and planned use cases.

SIEM Alternatives

The complexity and cost of buying and running SIEM products, as well as the emergence of other security analytics technologies, have driven interest in alternative approaches to collecting and analyzing event data to identify and respond to advanced attacks. The combination of Elasticsearch, Logstash and Kibana (aka the ELK Stack or Elastic Stack) is a leading example. There has also been an emergence of alternatives to broad-based SIEM solutions that are focused primarily on the log collection and security analytics elements. Vendors competing in this space include Elastic.io, Cybraics, Empow, Elysium, Jask (acquired by Sumo Logic), MistNet, PatternEx, Qomplx, Rank Software and Seceon.

Organizations with the resources to deploy and manage these, and develop and maintain analytics to address security use cases, may be able to get a solution that addresses enough of their requirements for lower cost, compared with commercial technologies. Gartner continues to track the development of this approach. There is some feedback from clients that the workload involved in engineering these solutions to scale and the development effort needed to support the required event sources and analysis are significant, despite the software being free. This may affect total cost of ownership (TCO) and negate the objective of being less expensive than a commercial SIEM deployment.

Several providers offer MDR services that differ from those of MSSPs, with the goal of identifying and responding to advanced threats in the customer environment. This is typically achieved through the analysis of selected network and endpoint data (see “Market Guide for Managed Detection and Response Services”). The scope of services and event sources is typically smaller than those available from an MSSP, or covered by an SIEM deployment. They do not typically compete directly against the SIEM vendor or MSSP, where customers have broader use-case requirements. However, the MDR services claim effective ATD capabilities, and may compete for SIEM budgets in organizations with sufficient resources to support those use cases. Gartner will continue to monitor the space to assess how MSS, MDR, logging and SIEM interact and intersect.

Evidence

Automated social media listening tools were used to track users’ responses on social media and public discussion forums. The time period for the analysis was from 1 November 2016 through 30 September 2019. “Social media mentions” or “conversations volume” denote the inclusion of a monitored keyword in a textual post on a social media platform. High counts of mentions should not be considered an indication of “positive sentiment” or a measure of “adoption” by default.

Social media sources considered for this analysis included Twitter, Facebook (publicly available information only), Instagram, images (comments only), aggregator websites, blogs, news, mainstream media, forums and videos (comments only). All geographical regions of the world were analyzed for this study, except China. The social media data here is nonrepresentative of China, due to restrictions imposed by the country on foreign-owned social media platforms.

Social media analytics study results are not “market representative,” but largely “indicative.” They reflect the aggregate crowdsourced opinion about a topic on social media.

Additional research contributions were provided by Ritesh Srivastava, from the Gartner Social Media Analytics team.

Evaluation Criteria Definitions

Ability to Execute

Completeness of Vision

Business Model: The soundness and logic of the vendor’s underlying business proposition.

Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Gartner Observations – SIEM, MDR, NTA, MTA, EDR

Image result for gartner SOC Visibility Triad

SOC Visibility

Threat Detection Trinity.png

The Threat Detection Trinity

Hunt via ArcSight Investigate
Real-time correlations via ArcSight ESM (now with distributed correlation)
Detection analytics with ArcSight User Behavior Analytics (UBA)
https://www.microfocus.com/media/white-paper/power_of_the_threat_detection_trinity_wp.pdf

SOC Visibility Triad is actually missing a few details – Structured and Unstructured Monitoring, East-West/North-South Traffic. (User email, web and application traffic.)

Detection technologies such as SIEM, EDR and NTA are effective only when use cases are appropriately defined, implemented and tuned. (Key points by Anton Chuvakin at Gartner on 1/28/2019)
A process to manage security monitoring use cases is a prerequisite for the success of any detection capability.
Most organisation include some third-party providers, such as MSSPs or MDR providers, in their detection and response plans. However, outsourcing functions and responsibilities does not mean outsourcing accountability.
Ensuring the effectiveness of both basic and advanced detection and response capabilities requires not just tools, but also the entire triad of people, processes and technology.
Security operations center (SOC) owners struggle to make the right technology investments, and unfortunately chase the latest and greatest technologies that may dilute, rather than enhance, the efficacy of the SOC. (‘Selecting the Right Tools for your SOC’ by Tony Busa at Gartner on 1/23/2020)
Looking to peers with SOCs or trying to benchmark against others in their vertical is of limited use. Each SOC is constructed to meet its own organization’s nuances, and current and target maturity level.
Artificial intelligence (AI)- and machine learning (ML)-powered technologies, or any that promise to fully automate your SOC, are not going to magically transform an SOC from low maturity to high maturity overnight. Your SOC needs trained staff and fine-tuned workflows to use and operate tools that support its goals and capabilities.
SRM leaders are failing to identify and understand relevant threats and risks to the organization, which increases the chances of devastating security incidents. Lack of initial and continuous threat modeling affects all components of the SOC target operating model, resulting in increased risk and reduced efficacy of SOC operations. (‘Create a SOC Target Operating Model to Drive Success’ by John Collins at Gartner on 1/15/2020.)
Without operational alignment and defined agreements for an SOC, SRM leaders face resistance and avoidance from other business units, increasing the risk of security incidents with direct fiscal impact on the business.
Security and risk management leaders often struggle to convey the business value of their security operations centers to non security leaders, resulting in reduced investment, poor collaboration and eroding support.
‘SOCs are like snowflakes, no two are alike…’
1. Infrastructure, People Process Technology
2. Digital Transformation
3. Digital Workforce
4. Business Innovation
5. Mergers, Acquisitions & Divestitures
6. Geography Expansion
7. Regulations and Laws
8. Cloud, NOC, SOC, Fraud

References;

Create an SOC Target Operating Model to Drive Success
- https://www.gartner.com/doc/3979602
- https://blogs.gartner.com/john-collins/giving-soc-direction-target-operating-model/
Gartner, Tips for Selecting the Right Tools for Your Security Operations Center, Toby Bussa, Jeremy D’Hoinne, 23 January 2020.
- https://swimlane.com/resources/gartner-selecting-right-tools-soc/
- https://www.fireeye.com/offers/rpt-gartner-selecting-the-right-soc-model.html
- https://www.dxc.technology/security/insights/144650-putting_on_the_right_soc_to_fit_your_security_operations
- https://www.huntsmansecurity.com/blog/choosing-soc-service-model-considerations/
- https://www.splunk.com/en_us/blog/security/find-your-matching-soc.html
- https://logrhythm.com/solutions/security/soc-enablement/
Anton Chuvakin
Applying Network-Centric Approaches for Threat Detection and Response
- https://www.gartner.com/doc/3904768

Market Guide for Security Orchestration, Automation and Response Solutions

Published 27 June 2019 – ID G00389446 – 26 min read

SOAR solutions are gaining visibility and real-world use driven by early adoption to improve security operations centers. Security and risk management leaders should start to evaluate how these solutions can support and optimize their broader security operations capabilities.

Overview

Key Findings

The SOAR technology market aims to converge security orchestration and automation (SOA), security incident response (SIR) and threat intelligence platform (TIP) capabilities into single solutions.
Early adopters of SOAR technologies have been organizations and managed security service providers with mature security operations centers (SOCs) that understood the benefits of incorporating SOAR capabilities into their operations. However, use cases implemented by early adopters have not evolved over the last 12 months and are stuck in a rut, limiting the long-term potential for SOAR in security operations.
SOAR solutions are not “plug-and-play.” Even though solutions have a library of out-of-the-box use cases and integrations, buyers are reporting multiweek professional services engagements to implement their initial use cases, as every organization’s processes and technologies deployed are different.
Orchestration and automation are starting to be localized in point security technologies, usually in the form of predefined, automated workflows. This is not the same as a full-featured SOAR solution.

Recommendations

Security and risk management leaders overseeing security operations should:

Prepare for their SOAR implementations by having a starting set of defined processes and workflows that can be implemented. Out-of-the-box plays and integrations are a starting point but can rarely be implemented without some customizations.
Plan for the implementation and the ongoing operation and administration of SOAR tools by using a mix of professional services and internal resources.
Put a contingency plan in place in the event the SOAR tool is acquired by another vendor. Acquisitions are occurring with some frequency as the market evolves. Buyers should be prepared.

Strategic Planning Assumption

By year-end 2022, 30% of organizations with a security team larger than five people will leverage SOAR tools in their security operations, up from less than 5% today.

Market Definition

This document was revised on 3 July 2019. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.

Gartner defines security orchestration, automation and response (SOAR) as technologies that enable organizations to take inputs from a variety of sources (mostly from security information and event management [SIEM] systems) and apply workflows aligned to processes and procedures. These can be orchestrated via integrations with other technologies and automated to achieve a desired outcome and greater visibility. Additional capabilities include case and incident management features; the ability to manage threat intelligence, dashboards and reporting; and analytics that can be applied across various functions. SOAR tools significantly enhance security operations activities like threat detection and response by providing machine-powered assistance to human analysts to improve the efficiency and consistency of people and processes.

Most SOAR tools are still strongest in their original “home offerings,” which are security incident and response platforms (SIRPs), security orchestration and automation (SOA), and threat intelligence platforms (TIPs). Currently, the most common use case for SOAR by an organization is to define incident analysis and response procedures in a digital workflow format — such as plays in a security operations playbook. Additionally, these tools facilitate the use and operationalization of threat intelligence in security operations, which enhances the ability to predict, prevent, detect and respond to the prevailing threat landscape that a company faces.

Market Description

To understand the evolving SOAR market, it is necessary to define the specific terms used — namely, orchestration and automation — in the context of security operations:

Aggregation: The ability to aggregate/ingest data across sources. This may take the form of alerts, signals or other inputs from other technologies such as an alert from a SIEM tool or an email sent to a group mailbox. Other data that is ingested may include user information from an identity and access management (IAM) tool or threat intelligence from multiple sources.
Enrichment: Whether after incident identification or during data collection and processing, SOAR solutions can help integrate external threat intelligence, perform internal contextual look-ups or run processes to gather further data according to defined actions.
Orchestration: The complexity of combining resources involves coordination of workflows with manual and automated steps, involving many components and affecting information systems and often humans as well.
Automation: This concept involves the capability of software and systems to execute functions on their own, typically to affect other information systems and applications.
Response: Manual or automated response provides canned resolution to programmatically defined activities. This includes activities from a basic level — ticket creation in an IT service desk application — to more advanced activities like applying some form of response via another security control, like blocking an IP address by changing a firewall rule. This functionality is the most impactful, but also applies to the most complex use cases.

Buyers are expressing demand for SOAR for several reasons:

Staff shortages: Due to staff shortages in security operations, clients describe a growing need to automate repeatable tasks, streamline workflows and orchestrate security tasks resulting in operational scale. For instance, if you have a team, SOAR can give them more reach — but this is not a tool to get instead of a team. Also, organizations need the ability to demonstrate to management the organization’s ability to reduce the impact of inevitable incidents.
Continued evolution of threats and increases in volume: As organizations consider threats that destroy data and can result in disclosure of intellectual property and monetary extortion, they require rapid, consistent, continuous and more frequent responses with fewer manual steps.
Improving alert triage quality and speed: Security monitoring systems (such as SIEMs) are known to cost a significant amount to run and generate a high number of alerts, including many found to be “false positives” or simply not relevant after additional investigation. Security and risk management leaders then treat alert triage in a very manual way, which is subject to mistakes by the analysts. This leaves real incidents ignored. SOAR helps improve the signal-to-noise ratio by automating the repeatable, mundane aspects of incident investigation. This creates a positive situation where analysts can spend more time investigating and responding to an event instead of spending most of their time collecting all the data required to perform the investigation.
Need for a centralized view of threat intelligence: A large number of security controls on the market today benefit from threat intelligence. SOAR tools allow for the centralized collection, aggregation, deduplication, enrichment of existing data with threat intelligence and, importantly, conversion of intelligence into action.
Reducing time to respond, contain and remediate: Organizations are dealing with increasingly aggressive threats, such as ransomware, where rapid response of only minutes at best is required in order to stand a chance of containing the threat that is spread laterally in your environment. This scenario forces organizations to reduce the time they take to respond to those incidents, typically by delegating more tasks to machines. Reducing the response time, including incident containment and remediation, is one of the most effective ways to control the impact of security incidents. Like a brush fire, the sooner you can get to it, the smaller it is, and therefore the easier it is to put out.
Reducing unnecessary, routine work for the analysts: SOC analysts are often working with multiple tools. They are looking at a stream of row and column SIEM console alerts, threat intelligence (TI) service portals for information about the entities involved, and endpoint detection and response (EDR) for context on what is happening on the affected endpoint. They may even be using workflow tools to control the triage and investigation processes.

SOAR supports multiple activities for security operations decision making such as, but not limited to, the following:

Prioritizing security operations activities: Use of a SOAR solution requires organizations to consider questions about their processes. Which are most critical? Which ones consume the most staff time and resources? Which ones would benefit from automation? Where do we have gaps in our documented procedures? The preparation and planning for SOAR, and its ongoing use, help organizations prioritize and manage where orchestration and automation should be applied and where it can help improve response. This response can then lead to improvements in security operations and showing a demonstrable impact on business operations (e.g., faster time to detect and respond to threats that could impact business operations and optimization of security operations staff and budget).
Formalizing triage and incident response: Security operations teams must be consistent in their responses to incident and threats. They must also follow best practices, provide an audit trail and be measurable against business objectives.
Automating response: Speed is of the essence in today’s threat landscape. Attacks are increasing in speed (e.g., ransomware is now being automated to spread with worm functionality), but security operations are not automated. Having the ability to automate response action offers SOC teams the ability to quickly isolate/contain security incidents. Some responses can be fully automated, but at this time many SOAR users still inject a human to make the final decision. However, even this reduces the mean time to respond for the organization compared to being fully dependent on “human power.”

Market Direction

In 2015, Gartner described SOAR (which was then considered “security operations, analytics and reporting”) as resources that utilized machine-readable and stateful security data to provide reporting, analysis and management capabilities to support operational security teams. In 2017, as this market matures, Gartner observes three previously distinct technologies: security orchestration and automation (SOA), security incident response platforms (SIRPs), and threat intelligence platforms (TIPs), as depicted in Figure 1.

Figure 1. SOAR Types

This convergence is still valid in 2019, with vendors increasingly adding features from areas of SOAR other than the area from which they first started. The acquisitions that happened in the last two years, however, may expand the use of such solutions to a broader scope. For example, after the acquisition of Phantom by Splunk, SOAR may become embedded into its SIEM and also used for IT operations use cases such as infrastructure monitoring, application performance monitoring and troubleshooting. SOAR selection in 2019 and beyond is being driven by use cases such as:

SOC optimization
Threat monitoring and response
Threat investigation and response
Threat intelligence management

Several major acquisitions have occurred in the last several years, as shown in Table 1.

Table 1: SOAR Acquisitions

Enlarge Table

Month/Year	Acquisitions
February/2016	FireEye (Helix) acquired Invotas
April/2016	IBM acquired Resilient Systems
June/2016	ServiceNow acquired Brightpoint Security
June/2017	Microsoft acquired Hexadite
July/2017	Rapid7 acquired Komand
February/2018	Splunk acquired Phantom Cyber
February/2019	Palo Alto Networks acquired Demisto

Source: Gartner (June 2019)

The Future of SOAR

Numerous acquisitions have been occurring consistently for three years. Vendors are looking to build a “security platform” to add SOAR to, either natively or via acquisition, suggesting that more acquisitions are a real possibility. This scenario requires buyers’ attention to create a contingency plan in case their SOAR tool is acquired by another vendor. At the same time, SOAR products must be vendor-agnostic to maintain value due to integration. The reality will more likely be that for some time independent solutions will continue to do a better job with their singular focus on roadmap execution and better treatment of being “vendor neutral” with available integrations.

SOAR can be the central hub for an organization to achieve several goals: monitoring the event from SIEM or other security controls; orchestrating different security products to construct the context; helping prioritize multiple concurrent items and incidents; and then driving response.

It’s still early days for SOAR (see “Innovation Insight for Security Orchestration, Automation and Response” and “Preparing Your Security Operations for Orchestration and Automation Tools”). However, the promise of improving the efficiencies and consistencies of SOC activities, as well as being able to offer more customized processes to managed security service (MSS) customers, is compelling. Some managed security service providers (MSSPs) have adopted SOAR technologies in earnest and have embedded them at the core of their delivery platforms. Based on conversations with SOAR technology vendors and MSSPs, we expect most MSSPs to adopt and embed SOAR capabilities over the next three years.

Other vendors are exploring the ability to work with not just traditional technologies but also cloud security and even nonsecurity use cases. For instance, during the creation of a new workload in the cloud without proper authorization, the playbook would notify operations and security and isolate (or delete) the workload until it is properly approved. Gartner recognizes the potential of using the orchestration and automation capabilities outside of security use cases, but this is not a really among the reasons that Gartner clients are implementing SOAR.

Use cases will continue to determine the capabilities that are important for each organization. For example, in the case of incident response, case management is highly valued by Gartner clients, but there are organizations that consider themselves ticket-driven companies. In that case, the organization is not willing to give up its ticket system, making case management irrelevant for that specific enterprise.

SOAR solutions with a broader scope of use cases will require role-based access control (RBAC) capabilities to allow segregation of duties as well as views of information.

Market Analysis

The SOAR market is still an emerging market, as examined in “Emerging Technology Analysis: SOAR Solutions,” and it is forecast to grow up to $550 million in the five-year (2018-2023) time frame (see “Forecast Analysis: SOAR, Worldwide”). Gartner clients are still lagging in their incident response (IR) capabilities and are asking for other solutions that would help them to improve their IR. Many organizations implement SOAR tools with use cases primarily focused on making their SOC analysts more efficient such that they can process more incidents while having more time to apply human analysis and drive response actions much quicker. Historically, they were not aware of the existence of these types of solutions. There are now more clients aware of SOAR solutions, which is fueling further adoption. This awareness is broadening; even SOAR vendors claim to have less work evangelizing about the technology and more conversations about their capabilities and differentiators. However, improving detection and response activities is just one of several opportunities for the use of SOAR tools to support security operations activities.

Since SOAR is often used as an umbrella term that covers security operations, security incident response and threat intelligence, many vendors are driving their existing solutions in the fight for market leadership.

Clients should recall that the selection of the right product will depend on the use cases.

For example, some vendors can ingest security events from a SIEM and apply enrichment to promote better triage capabilities, which include threat intelligence correlation but lag in case management. In such cases, an integration with an external case management system would be imperative to fulfill the incident response needs.

For the security operations use case — often the main purpose of a SOAR solution (see Figure 2) — an organization must have mature processes to be successful (see “Make Sure Your Organization Is Mature Enough for SOAR”). Security and risk management leaders should have an SOC with well-established processes and verify the level of API integration that would be possible with their current security toolset.

Figure 2 reflects the use of the continuous adaptive risk and trust assessment (CARTA) strategy for continuous monitoring and visibility, which includes a continuous set of activities that can be performed by an SOC team by using SOAR technology. CARTA’s value is that it is continuous, and one element helps and inform other elements, allowing for continuous improvement in your organization’s ability to improve both security posture and digital resilience.

Figure 2. SOAR Overview

Another aspect of the SOAR market is the pricing models that exist. The most common models are based on number of analysts (named), number of events and three tiers (each tier will determine which capabilities are available). For more information, see “Negotiate a Favorable Contract for Security Event Monitoring Technologies by Analyzing Licensing Models.”

The most common models are based on:

The number of (named) analysts using the tool
The number of events coming to the SOAR
The number of playbooks or actions the SOAR will perform
A tiered approach with higher tiers unlocking additional functionality and value

Gartner clients have systematically expressed frustration with pricing models that are hard to predict. It is very hard on 1 January to know how many events will hit the SOAR, or how many actions/playbooks the SOAR will do for the whole year.

Representative Vendors

The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

Market Introduction

A list of vendors is provided below. It is not, nor is it intended to be, a list of all vendors or offerings on the market or a competitive analysis of the vendors’ features and functions (see Note 1). This is also not a definitive list of each provider’s services.

Table 2: Representative Vendors in the Security Orchestration, Automation and Response Market

Enlarge Table

Vendor	Product, Service or Solution Name
ATAR Labs	ATAR
Ayehu	Ayehu NG Platform
Cyberbit	SOC 3D
CyberSponse	CyOPs
D3 Security	D3 SOAR
Demisto	Demisto Enterprise
DFLabs	IncMan
EclecticIQ	EclecticIQ Platform
IBM	Resilient
Splunk	Phantom
Rapid7	InsightConnect
Resolve	Resolve
ServiceNow	Security Operations
Siemplify	Siemplify
Swimlane	Swimlane
Syncurity	IR Flow
ThreatConnect	ThreatConnect
ThreatQuotient	ThreatQ

Source: Gartner (June 2019)

Vendor Profiles

ATAR Labs

Founded in 2017 in Turkey, ATAR helps manage SOC activities by offering three main capabilities: playbooks and automation, incident management, and SOC analytics. ATAR provides comprehensive automation and tight SIEM integrations. ATAR also has capabilities to monitor key performance indicators (KPIs) via customizable dashboards.

Ayehu

Founded in 2007, the Ayehu NG platform is a web-based IT automation and orchestration solution for security and IT operations. Its key features are playbook scheduling, enabling selective alerts to support remote control of incidents, audit trail generation, rollback of changes to workflows and role-based access to workflows in order to maintain access segregation for both teams (IT and security). Also, Ayehu NG uses machine learning to suggest playbooks and creation of rules. In addition, Ayehu NG bridges the gap between IT and security operations (network operations center [NOC] and SOC), streamlining automated workflow processes and tasks, and resolving IT and security alerts and incidents to improve SLAs.

Cyberbit

Founded in 2015 as a spinoff of Elbit Systems, Cyberbit delivers SOAR through its SOC 3D platform. SOC 3D is based on three major capabilities: orchestration, automation and big data investigation, and includes a playbook builder for playbook creation and editing. Cyberbit also offers Cyberbit Range for training and simulation, SCADAShield and SCADAShield Mobile for OT visibility and detection of threats, and Cyberbit Endpoint Detection and Response (EDR) for endpoint detection and response. These products can optionally integrate with the SOAR platform for IT/OT detection and response.

CyberSponse

Founded in 2011, CyberSponse is one of the few cybersecurity companies that is bootstrapped, with no outside investor or investment firm. Their current CyOps SOAR tool focuses mainly on incident response orchestration and automation, vulnerability management, fraud automation, and case management. Included within its playbook automation are some TIP features. CyOps has more than 275 out-of-the-box connectors and 200 out-of-the-box playbooks utilizing all major vendors and technologies.

D3 Security

Founded in 2002 to support incident/case management for security and privacy, D3 Security emerged in 2004 with a focus on incident response. D3 Security is self-funded by its founders with no outside investment. Today, D3 Security offers a SOAR tool designed to respond to adversarial intent with automated kill chain playbooks based on the MITRE ATT&CK framework or other tactics, techniques and procedures (TTP) resources. The tool has powerful RBAC and chain-of-custody features, TIP capabilities, and more than 200 connectors to date. The tool is sold as a modular platform with specific modules sold separately. For each module, pricing is based on the number of users (e.g., SOC analysts, not the number of employees in the organization).

Demisto

Founded in 2015, Demisto raised $69 million and was acquired by Palo Alto Networks in February 2019 for $560 million — emphatic proof of the perceived value of these tools. Demisto’s focus has been to optimize the efficiency of security operations by offering a single platform for SOC analysts to manage incidents, automate and standardize incident response processes, and collaborate on incident investigations. Demisto makes use of machine learning (ML) to support functions such as incident triage or to offer SOC analysts some suggestions for next steps. Demisto offers a War Room for analysts to collaborate on investigating incidents, with action being autodocumented for post-incident reporting. Demisto offers robust incident/case management and playbook automation features, and more than 300 product integrations out-of-the-box. Pricing is based on the number of users (e.g., SOC analysts, not the number of employees in the organization).

DFLabs

As a technology company since 2013, DFLabs is a SOAR provider focusing on incident response and threat intelligence that can be used on the SOC, computer security incident response team (CSIRT) and MSSP. The SOAR solution promotes the security incident life cycle using R3 Rapid Response Runbooks (referred to as playbooks by other vendors) that execute workflows and data enrichment, notification, containment, and custom actions. DFLabs uses machine learning in two situations: for recommendation of actions based on steps for similar or related threats and for triage to prefilter security events. DFLabs’ incident management support enables the documentation of physical and logical evidence and audit logs, document policies, procedures, and best practices in the knowledge base.

EclecticIQ

Founded in 2014, EclecticIQ is a provider of technology and services for the aggregation, analysis and sharing of threat intelligence and its operationalization through downstream integrations. A key feature of EclecticIQ is the ability to enable analysts to leverage intelligence-led techniques for threat hunting, incident response, threat and threat actor enumeration, and tracking. Another capability, called Fusion Center, eases selection of upstream intelligence sources by offering single and fused bundles of intelligence at fixed prices. Clients can select from a wide range of commercial and open-source threat intelligence feeds that are fused according to the themes most relevant to the customer.

IBM Resilient

IBM Resilient, founded in 2010 as Co3 Systems and acquired by IBM in 2016, provides workflow, case management, and orchestration and automation capabilities for security and privacy teams at hundreds of customers. The three features that Resilient focuses on are case management, orchestration and automation, and human- and machine-based intelligence. The solution is delivered via software for on-premises deployments or via SaaS model; it is also available as an MSSP offering for managed service providers and forms part of IBM’s X-Force Threat Management Service offering. Resilient also leverages the IBM X-Force Exchange where IBM, technology partner and user-created apps can be shared.

Rapid7

Founded in 2000, Rapid7 acquired Komand — a SOAR vendor — in July 2017 and is now offering a SOAR called InsightConnect. InsightConnect’s security orchestration and automation helps security analysts optimize SOC operations through a library of more than 270 plug-ins and a visual workflow builder that requires little to no code. The automation capabilities in Rapid7’s vulnerability management (InsightVM) and cloud SIEM solutions with embedded UEBA solutions (InsightIDR) mean that customers can automate processes for automation-assisted patching and threat containment. InsightConnect is only available as a cloud-based solution, and is part of Insight, Rapid7’s broader security management platform.

Resolve

Founded in 2014, Resolve’s orchestration and automation platform aims to bridge security and IT processes with prebuilt connectors for both security and IT infrastructure systems. The Resolve platform focuses mainly on incident response and case management but has expanded preventive measure capabilities such as secure provisioning, patch management and audit trails. The platform provides playbooks on NISTSP 800-61 Revision 2 (the Computer Security Incident Handling Guide | CSRC). Also, its case management capability stores all artifacts and actions that relate to the incident and provides a contextual recommendation for each step to accelerate response.

ServiceNow

Security Operations is the product from ServiceNow that provides a security orchestration and automation solution that is used by hundreds of customers. Security Operations is delivered from the Now Platform as SaaS and provides workflow, case management, orchestration and automation, and threat intelligence management. Additional capabilities also address vulnerability management and security operations metrics, reporting and dashboards, and configuration compliance, as well as governance risk and compliance. Three service packages (Standard [security incident response or vulnerability response], Professional and Enterprise) are available with Enterprise being required to get the fullest set of SOAR capabilities, including orchestration.

Siemplify

Founded in 2015 in Tel Aviv, Israel, Siemplify is used mainly for SOC activities with an easy-to-use user interface. Siemplify provides context-driven investigation capabilities that visually correlate incidents and group alerts to help the analyst reduce time to respond. Along with case management, it helps control the flow of incidents across the SOC analysts. Also, Siemplify uses machine learning capabilities to prioritize and suggest which analyst would be best for a specific incident. Multitenancy capabilities are also promoted for managed service users. Siemplify also provides dashboards and reporting for tracking and SOC metrics, and recently added crisis management and analyst collaboration modules as part of version 5.0.

Splunk

Phantom Cyber, founded in 2014, was acquired by Splunk in 2018. The Splunk Phantom solution provides orchestration and automation capabilities along with case management functionality. Splunk Phantom is deployed on-premises as software. Additional functionality includes its central view, called Phantom Mission Control, as well as its recommendation capability, called Mission Guidance. Logical data separation is available to provide multitenancy capabilities for managed services users. The licensing model is based on events per day (EPD). An event is only considered a notable event if it was acted upon. In other words, not everything ingested into the Phantom solution is actioned; thus, not all the events will be charged for. Once an event is actioned, the customer has unlimited actions within that specific event. They can do whatever they need to, for example, run playbooks multiple times.

Swimlane

Founded in 2014, Swimlane focuses on the orchestration and automation of existing security controls interacting with over 850 APIs for an organization’s existing technology stack and can let an organization reuse existing scripts. A key capability is for clients to develop playbooks that visually represent complicated security operations workflows using a drag-and-drop-type of paradigm where analytics and automation can be brought to bear on operations. This allows for security teams to achieve better accuracy, consistency and time efficiency for analysts.

Syncurity

Syncurity was founded in 2014. The Syncurity IR Flow solution focuses on orchestration, automation, dashboards and reporting, with alert triage, incident management and collaboration capabilities. The solution is positioned as end-to-end case management. Validated incidents that can be programmatically defined are handled through automation to allow for focusing on unvalidated events requiring analyst involvement. Dynamic risk scoring is a feature, and an analyst workbench is provided for investigation and cross-analyst collaboration. The solution is delivered as software, and support is provided as on-premises or private cloud deployment for enterprises and managed security service providers, including multitenancy and granular role-based access control (RBAC) features.

ThreatConnect

Founded in 2011, ThreatConnect has an architecture delivering both threat intelligence platform (TIP) and security orchestration and automation (SOA) features from the same product. ThreatConnect’s large ecosystem of integrations (built internally and by third parties) allows for the application of intelligence from both internal and external sources to security processes and workflows. In recent years, ThreatConnect has expanded on its TIP heritage to also deliver further orchestration and automation capabilities that aid in a wide range of SOAR use cases.

ThreatQuotient

Founded in 2013, ThreatQuotient delivers the ThreatQ platform that relies on threat intelligence and contextual information to drive a score-driven triage process to help prioritize actions across a variety of security operations use cases. Also, ThreatQ delivers a user interface that supports investigation to: improve the understanding of threats, promote collaboration across different teams and enable the execution of playbooks to perform data enrichment and other response actions. Also, the offering uses a learning system that captures other systems feedback to collaborate with other incident triage, taking into consideration results of previous events using a self-tuning capability that makes the system more and more customer-specific over time.

Market Recommendations

Security and risk management leaders should consider SOAR tools in their security operations to meet the following goal: improve security operations efficiency and efficacy.

SOAR tools offer a way to orchestrate and automate response. A common use case would be consuming events from a SIEM to enrich the context of an alert. The events most amenable to automation are the ones with the lowest risk of being false positive. For example, with a user credential lockout, SOAR can be used to execute a playbook to validate if this event is based on human error (e.g., user forgot the password) or verify if this event might be a brute-force attack. For both options, the analyst would have to execute a series of steps that would force the account to change the password, which could be automated through consistent workflow execution. This is beneficial for many reasons, including:

Performing the task faster equals better time to resolution. The longer an issue is left unaddressed, the worse it can become, leaving the organization in a potentially risky situation for longer periods of time. Ransomware, for example, is a threat that can get exponentially worse with time.
Staff shortages are a critical issue for many organizations. The ability to handle processes more efficiently means that security analysts can spend less time with each incident and will thus be able to handle and respond to more incidents, allowing response to more incidents despite fewer resources being available.

SOAR Tool Advice

In terms of product selection, security and risk management leaders should favor SOAR solutions that:

Deliver the use cases needed to complement their set of security products to manage their SOC. For instance, some clients prefer to use the company ticket system instead of a dedicated case management solution; but, instead, they value the threat investigation capabilities more. Buying a SOAR solution today must be driven by the use case: SOC optimization, threat monitoring and response, threat investigation and hunting, and threat intelligence management.
Offer the capability to easily code an organization’s existing playbooks that the tool can then automate, either via an intuitive UI and/or via a simple script.
Optimize the collaboration of analysts in the SOC, for example, with a chat or IM framework that makes analysts’ communication more efficient, or with the ability to work together on complex cases.
Have a pricing cost that is aligned with the needs of the organization and that is predictable. Avoid pricing structures based on the volume of data managed by the tool or based on the number of playbooks run per month, as these metrics carry an automatic penalty for more frequent use of the solution.
Offer flexibility in the deployment and hosting of the solution — either in the cloud, on-premises or a hybrid of these — to accommodate organizations’ security policies and privacy considerations, or organizations’ cloud-first initiatives.

Note 1Representative Vendor Selection

Gartner is tracking 28 vendors in the SOAR market. The vendor list below, capped at 18, includes only sample representative vendors that appear most frequently in analyst interactions with Gartner clients.

Note 2Gartner’s Initial Market Coverage

This Market Guide provides Gartner’s initial coverage of the market and focuses on the market definition, rationale for the market and market dynamics.

Magic Quadrant for WAN Edge Infrastructure

Published 26 November 2019 – ID G00376745 – 67 min read

WAN edge infrastructures are undergoing major changes as infrastructure and operations leaders responsible for networking face dynamic and expanding business demands. I&O leaders must identify vendors that address the requirement to support applications with on-premises and cloud-based deployments.

Strategic Planning Assumptions

Through 2021, more than 80% of SD-WAN solutions will continue to be delivered on dedicated hardware, rather than universal customer premises equipment (uCPE), due to performance, price and simplicity.

By 2023, to deliver cost-effective scalable bandwidth, 30% of enterprise locations will only have internet WAN connectivity, compared with fewer than 10% in 2019.

By 2024, to enhance agility and support for cloud applications, 60% of enterprises will have implemented SD-WAN, compared with fewer than 20% in 2019.

Market Definition/Description

Wide-area network (WAN) edge infrastructure provides network connectivity from distributed enterprise locations to access resources in both private and public data centers, as well as the cloud, via infrastructure as a service (IaaS) and software as a service (SaaS). It is typically procured by senior networking leaders in the infrastructure and operations (I&O) organization. This market is evolving from traditional branch routers (often called “customer edge routers” in a Multiprotocol Label Switching [MPLS] implementation). It is undergoing dramatic change, driven by the needs of digital business transformation and the demands of line of business (LOB) managers.

The market for branch office WAN edge functionality continues to shift from dedicated routing, security and WAN optimization appliances to feature-rich software-defined WAN (SD-WAN) and, to a lesser extent, uCPE platforms. SD-WAN is replacing routing and adding application aware path selection among multiple links, centralized orchestration and native security, as well as other functions. Consequently, it includes incumbent and emerging vendors from multiple markets (namely routing, security, WAN optimization and SD-WAN), each bringing its own differentiators and limitations.

WAN edge functionality can exist on or off the enterprise premises via physical or virtual appliances, and is typically sourced from network equipment providers (and their channels), network service providers (NSPs) or managed network service (MNS) providers. WAN edge infrastructure must be agnostic to the underlying network transport provider and services.

In the North American market, more than 60% of deployments are historically do-it-yourself (DIY). In much of the rest of the world, a managed service approach is favored. In general, we see a trend toward more managed services, even though SD-WAN makes managing the WAN easier. At the same time, this introduces new challenges, with the greater use of internet transport. Large global organizations usually prefer a DIY approach, whereas midsize organizations are more likely to favor a managed services approach. Many companies are now comparing DIY and managed service options as part of the evaluation process.

Increasingly, vendors are differentiating their SD-WAN solutions in the following categories:

Ease of use
Application performance — including WAN optimization, voice optimization and ensuring quality of experience (QoE)
Security
Pricing and pricing models
Support for cloud workloads

Magic Quadrant

Figure 1. Magic Quadrant for WAN Edge Infrastructure

Source: Gartner (November 2019)

Vendor Strengths and Cautions

Aryaka

Aryaka is a privately held company, based in San Mateo, California. Gartner estimates that Aryaka’s SmartCONNECT managed SD-WAN service has more than 800 customers. SmartCONNECT combines the Aryaka Network Access Point (ANAP) CPE with the Aryaka Global Core backbone, which the edge devices connect. The service includes SD-WAN, WAN optimization and visibility, as well as options for remote access, integrated perimeter security from third-party vendors, and the procurement and management of internet access. In addition, the Aryaka backbone supports the controlled routing of traffic, not only to applications in enterprise data centers, but also to cloud-hosted applications via both direct cloud gateways and internet gateways.

The solution is sold as a managed service, so it is not aligned for DIY customers. Gartner expects the vendor to focus on enhancing cloud connectivity integration, security vendor service chaining and advanced analytics going forward. Aryaka is well-suited for organizations that are geographically widely distributed and/or want SD-WAN with WAN optimization, delivered as a service.

Strengths

Aryaka provides an all-in-one SD-WAN, private backbone and managed service solution, making procurement easier for customers interested in that model.
The private global backbone, with direct cloud gateways offered by Aryaka, provides a solution to optimize application performance.
Aryaka’s SD-WAN includes WAN optimization, to boost application performance, especially over long distances.

Cautions

Aryaka supports only internet and Ethernet connections to its services, limiting hybrid SD-WAN configurations and making migrations from MPLS more complex.
SmartCONNECT is a managed service that will not appeal to those enterprises that prefer to manage their own SD-WAN networks (DIY clients).
Enterprises with footprints limited to a single country/smaller area or are too far from an Aryaka point of presence (POP), will not benefit as much from the Aryaka backbone and WAN optimization features.

Barracuda

Barracuda is a privately held company based out of Campbell, California. Gartner estimates that Barracuda has more than 20,000 WAN edge — mainly next-generation firewall (NGFW) — customers. Barracuda leverages its prior experience in selling security products as a basis for delivering SD-WAN functionality to its flagship CloudGen Firewall offering. CloudGen Firewall is available as a physical appliance and as a virtual network function (VNF), in addition to being available as a virtual appliance on Azure, Amazon Web Services (AWS) and Google Marketplaces. Beyond basic and advanced firewall functionality, CloudGen Firewall also includes features such as WAN optimization and real-time traffic remediation, using packet duplication.

Despite offering a broad mix of WAN edge functionality, CloudGen Firewall is not offered as a cloud management solution (but can be hosted in the public cloud) and offers limited path selection criteria. Gartner expects Barracuda to focus on delivering a cloud-based management platform to provide scale, easier deployment and configuration. Barracuda should be considered by enterprises for SD-WAN opportunities with the primary focus on security.

Strengths

Barracuda includes comprehensive security capabilities including NGFW, antivirus, botnet and spyware protection, Domain Name System (DNS) security, and a built-in secure web gateway (SWG).
The solution has broad capabilities, including SD-WAN with enterprise-grade features, such as WAN optimization and real-time traffic remediation.
The vendor offers wide support for deployment as a VNF via most major virtualization platforms, including VMware, Xen, Kernel-based Virtual Machine (KVM) and Hyper-V.

Cautions

Gartner has had few SD-WAN inquiries in which Barracuda has been mentioned, which suggests the vendor has limited visibility and awareness in the SD-WAN market.
The path selection mechanism uses less-sophisticated techniques for failover. For example, for real-time traffic, packet loss and jitter are not used in the failover algorithm.
At the time of this research, traffic analytics is overly technical and managing the data is cumbersome. This is in conflict with the otherwise simple operation of the solution.

Cisco

Cisco is a publicly traded company based in San Jose, California, with more 100,000 WAN edge customers (primarily Integrated Services Routers [ISR] customers). Gartner estimates that more than 800 customers use Cisco’s flagship SD-WAN, powered by Viptela. More than 13,000 use Cisco’s SD-WAN powered by Meraki MX, which is deployed mainly as a security appliance. The Viptela offering can be delivered on dedicated vEdge appliances, recent models of ISR 1000 and ISR 4000; and Aggregation Service Routers (ASR) 1000 routers. It is also delivered as virtual software in cloud services or on Cisco’s Enterprise Network Compute Platform (ENCS) 5000 Series. Gartner has observed Cisco leading with the Viptela on IOS XE solution (deployed on the ISR) in the market with its rich set of features. However, many Gartner clients and Cisco channel partners have reported reliability and scalability issues with the product. As an alternative, Cisco does offer the vEdge solution. The Viptela offering supports complex architectures with sophisticated routing, application performance capabilities and a broad set of advanced security functionality.

The Cisco SD-WAN powered by Meraki solution is primarily marketed to lean IT organizations with basic requirements, promoting ease of use and simplicity, but it lacks native application performance capabilities. However, the Viptela and Meraki offerings do not share common hardware or management frameworks, limiting investment protection should the customer want the features of the other solution. Gartner expects the vendor to focus on application performance capabilities, advancing multidomain policy enforcement, as well as multicloud integration going forward. Cisco is relevant in all vertical industries, company sizes and geographic locations, and should be considered for all WAN edge opportunities globally when the preferred platform supports the required features and scale.

Strengths

Cisco has a broad range of SD-WAN offers and platforms, together with complementary features, such as security, LAN/WLAN and application performance.
Cisco has strong enterprise network channels, brand awareness, and existing customer base, and it offers support for both DIY and MNS deployment.
Cisco’s cloud security platform, Umbrella, integration is supported on both the Viptela and Meraki platforms.

Cautions

Cisco’s SD-WAN, powered by Viptela on the IOS XE platform, has stability and scaling issues, as reported by Gartner clients and Cisco channels. Also, some customers who’ve purchased Cisco ISR hardware during the past few years have informed Gartner that they had to upgrade their hardware platforms to support Viptela due to throughput limitations.
Cisco has broad, separate and overlapping SD-WAN offerings that don’t share a common management platform, hardware platform or sales teams. Consequently, clients and channel partners have a hard time choosing the most appropriate solution, which increases the likelihood of a suboptimal selection.
The Cisco licensing structure is complex and can be confusing to end clients.

Citrix

Citrix is a publicly traded company based in Fort Lauderdale, Florida. Gartner estimates that Citrix has more than 1,200 WAN edge customers deployed globally. Citrix’s flagship WAN edge products are its Citrix SD-WAN appliances (physical, virtual and cloud), which are managed via the Citrix SD-WAN Center. The solution is cloud-managed and includes optional, fully featured WAN optimization, as well as an optional cloud gateway service for cloud onramp capabilities. The product scales from small sites to large headquarters and is increasingly demonstrating success with larger deployments. In addition, the vendor has some native security functionality, but it is not as advanced as some of the other vendors in this research.

Gartner expects this vendor to focus on delivering a lower-cost, smaller-footprint branch device, adding more-advanced native security features, as well as artificial intelligence/machine learning (AI/ML) performance diagnostics and remediation capabilities going forward. Citrix SD-WAN should be considered for organizations with existing Citrix software, as well as organizations of all sizes, geographic locations and vertical industries looking for SD-WAN solutions, especially when sourcing on a DIY basis.

Strengths

Citrix SD-WAN includes an optional, fully featured WAN optimization capability, as well as cloud gateways for cloud onramp access to cloud workloads.
Citrix SD-WAN is managed via the same user interface (UI) as other Citrix products, which can simplify operations for existing Citrix customers.
Citrix can sell its SD-WAN solution in combination with its digital workspace solutions providing added performance and convenience for end customers.

Cautions

Citrix only has a small number of service provider partners offering managed SD-WAN services using its platform; hence, this may limit the vendors’ ability to grow in the market.
Citrix SD-WAN lacks a full, native, advanced security suite beyond its native application layer firewall; instead, it relies on partners for unified threat management (UTM) or cloud security services.
Some enterprises don’t see Citrix as a network vendor, which may limit its growth in the market.

CloudGenix

CloudGenix is a privately held company based in San Jose, California. Gartner estimates that CloudGenix has more than 800 WAN edge customers, primarily delivered as SD-WAN. Its flagship offering includes Instant-On Network (ION) devices, which support SD-WAN functionality, as well as basic firewalling capability. ION appliances are available in both hardware and software form factors and also exist in the AWS and Azure marketplaces. The vendor’s management portal is delivered as a cloud service, with intuitive workflow and strong analytics functionality.

CloudGenix supports a wide range of routing and network topologies, but no WAN optimization or native advanced security. We expect CloudGenix to continue focusing on autonomous networking and the cloud-delivered branch with its CloudBlades platform. CloudGenix should be considered by enterprises primarily in North America looking to deploy SD-WAN with a focus on application and network visibility as well as cloud-delivered solutions.

Strengths

CloudGenix’s CloudBlades provides turnkey service chaining that allows users to integrate their SD-WAN with various cloud services that are part of the vendor’s ecosystem.
The vendor’s Clarity solution offers visibility into network health and application performance.
The vendor’s graphical user interface (GUI) is straightforward and intuitive for organizations to operate.

Cautions

The vendor has a limited geographic installed base and channel coverage outside North America, which may limit the vendor’s growth in the market or support for customers in other regions.
CloudGenix has had limited adoption by carriers offering managed services as it tends to be adopted by more DIY-focused clients, so this may limit the vendor’s ability to grow.
The vendor lacks several capabilities offered by competitors, including support for WAN optimization and native advanced security features.

Cradlepoint

Cradlepoint is a privately held company headquartered in Boise, Idaho. Gartner estimates Cradlepoint has more than 5,000 WAN edge customers. Cradlepoint has been focused on enabling connectivity to small branch and retail locations, with a specific emphasis on 4G/Long Term Evolution (LTE) connectivity. It addresses the SD-WAN market with its NetCloud, AER series of routers and Cloud Virtual Router (CVR) products. The NetCloud suite includes an NGFW, with advanced features, such as intrusion prevention system/intrusion detection system (IDS/IPS) and URL filtering, which is in keeping with Cradlepoint’s historic focus of providing small form factor functionality.

Although Cradlepoint solutions focus on 4G/LTE-driven use cases, their support for wired transport analytics is not as sophisticated as other solutions included in this research. Its GUI is not as easy to use as other vendors in this research. Gartner expects that Cradlepoint will make investments on 5G integration, expanded cloud functionality via Azure, as well as expand the functionality and compatibility of its portfolio to address midsize and large enterprises. Cradlepoint should be considered by organizations in North America, Europe, and the Asia/Pacific (APAC) region, especially when 4G/LTE connectivity is a primary requirement.

Strengths

Cradlepoint’s expertise in providing cost-effective small branch solutions makes it attractive for deployments in which integrated security, WAN edge and Wi-Fi functionality is required.
The vendor offers advanced built-in security including a NGFW, SWG, IPS and IDS, micro-segmentation capabilities, network access control (NAC), and content filtering.
Cradlepoint has proven experience with successful deployments larger than 1,000 sites with small footprint environments.

Cautions

Although Cradlepoint offers traditional quality of service (QoS), it does not support real-time traffic remediation, such as forward error correction (FEC) or Packet Duplication, which may be a requirement for challenging WAN circuit environments such as broadband and LTE.
Lack of cloud provider support beyond AWS, as well as the lack of availability on cloud marketplaces, makes Cradlepoint a less attractive solution for enterprises that are expanding their cloud presence.
Cradlepoint’s solution lacks the ability to failover to another transport, due to elevated packet loss, and provides limited wireline performance metrics data.

FatPipe Networks

FatPipe Networks is a privately held company based in Salt Lake City, Utah. Gartner estimates that FatPipe has more than 1,600 WAN edge customers, primarily midmarket-focused and in North America. FatPipe offers a broad array of WAN products including secure routers, link aggregators/load balancers and WAN optimization appliances. Its flagship WAN edge offering is the FatPipe SD-WAN, which includes the company’s MPVPN CPE (physical and virtual) and its Symphony orchestrator.

FatPipe has deployed its SD-WAN products across multiple industries. The solution has broad capabilities with SD-WAN, application performance and security; however, the GUI is complex and not as easy to navigate, when compared with other products in this research. Gartner expects the vendor to focus on visibility and analytics, as well as supporting the Internet of Things (IoT) use cases going forward. FatPipe should be considered for WAN edge opportunities, primarily in the North American midmarket, particularly when mission-critical application performance is required.

Strengths

FatPipe has a broad set of capabilities, including SD-WAN, application performance, and some security that have been deployed across customers, mainly in the midmarket.
FatPipe was a pioneer in path selection, which is now a key SD-WAN capability; thus, it has expertise supporting hybrid WAN use cases.
FatPipe has been operating for approximately 18 years, so it has proved itself over a long period of time.

Cautions

FatPipe has limited market presence outside North America, which restricts the pool of networking personnel familiar with its products. This limits FatPipe’s ability to sell and support its products in geographic locations outside North America.
FatPipe has limited experience in complex deployments beyond 100 sites, which limits applicability for many larger organizations.
FatPipe has limited visibility in the market, as evidenced by Gartner taking few inquiry calls regarding its solution.

Fortinet

Fortinet is a public company headquartered in Sunnyvale, California. Gartner estimates that Fortinet has more than 21,000 WAN edge customers primarily used as UTM/NGFW for the midmarket. Fortinet addresses the SD-WAN market with its flagship product, FortiGate Secure SD-WAN, which leverages Fortinet’s strong position in delivering networks built around pervasive security. FortiGate is available in appliance, network function virtualization (NFV), and via all major cloud marketplaces, including Alibaba. FortiGate delivers a strong, built-in security stack to its WAN edge architecture and includes NGFW, IPS/IDS, Secure Sockets Layer (SSL) decryption/encryption, DNS filtering and antivirus. However, the vendor has been slow to develop cloud-based security solutions, as well as hosted cloud gateways.

Fortinet enables management of the FortiGate platform via FortiManager or via FortiGate Cloud. Both management platforms extend management capabilities across Fortinet’s network ecosystem, providing a single plane of glass for wired LAN/WLAN, SD-WAN and security (sometimes referred to as SD-Branch). Gartner expects Fortinet to make investments in increasing its cloud-based capabilities in access and security, as well as further investments in its SD-Branch portfolio. Fortinet should be considered by organizations of all sizes and verticals for SD-WAN projects globally, especially when strong, built-in security capabilities are a key requirement.

Strengths

Fortinet’s direction of delivering a highly integrated solution consisting of SD-WAN, routing, advanced security and application performance gives them broad market and use case appeal, regardless of organizational size.
Fortinet’s investments in new custom SD-WAN-specific application-specific integrated circuits (ASICs) yield throughput and performance at a competitive price point when leveraging the full suite of SD-WAN features.
Fortinet’s global channel, managed services and partner ecosystem ensure that it can support both DIY and managed services adopters.

Cautions

Fortinet has minimal presence with carrier-based SD-WAN service portfolios, which will limit its ability to be sourced globally.
Despite their enterprise-class features, Fortinet’s products have been used mainly as security appliances and less as networking solutions; this limits its experience in this market.
Fortinet has limited experience in highly complex networking solutions and cloud-first deployments.

HPE (Aruba)

Aruba operates as a subsidiary of Hewlett Packard Enterprise (HPE), which is a publicly traded company based in San Jose, California. Aruba is a long-established networking Wi-Fi and LAN switching vendor. Gartner estimates that Aruba has more than 250 WAN edge customers. This is low, compared with other vendors in this research, mainly due to Aruba’s recent entrance into the market. Its flagship WAN edge solution includes branch gateways, physical and virtual (for AWS and Azure) headend gateways, and the Aruba Central Cloud Platform. Aruba is repositioning itself from a predominantly leading wired LAN and WLAN vendor to a WAN edge vendor by developing its SD-Branch solution. This combines switching, WLAN, WAN and security in a simplified fully orchestrated solution.

On the WAN side, Aruba has scalable orchestration, some native advanced security capabilities (Layer 7 firewall and content filtering), but limited application performance capabilities in the areas of WAN optimization and voice optimization. We expect Aruba to focus on enhancing its UTM capabilities, expanding support for cellular wireless/LTE, and using AI/ML to drive WAN decision making. Aruba is relevant to Gartner clients in nearly all vertical industries, sizes and geographic locations, especially for users looking to simplify and consolidate their WAN/LAN management.

Strengths

Aruba Central Cloud Platform is a solid, scalable orchestration platform that simplifies deployment, management and service assurance of wireless, wired and SD-WAN environments.
Aruba has experience supporting enterprise network clients with its existing WLAN and wired LAN customer base.
Aruba has seen some recent success in winning large WAN edge enterprise accounts.

Cautions

Aruba is better known in the wired LAN and WLAN market segment and less known in the WAN edge segment, which may limit its ability to compete.
Aruba has limited application performance capabilities for real-time traffic, such as forward error FEC and packet duplication, and WAN optimization for non-real-time traffic.
Aruba has been late to this market, so many of the channel partners have already selected other SD-WAN solutions, which may limit its ability to compete.

Huawei

Huawei is a privately held company headquartered in Shenzhen, China. Gartner estimates that Huawei has more than 50,000 WAN edge customers, many located in the APAC region. Huawei provides a full suite of networking infrastructure hardware, software, servers, cloud and consumer devices. Huawei addresses the WAN edge market with its CloudWAN, NetEngine AR series of routers, and the AR series uCPE devices. The NetEngine AR routers are available as an appliance, the AR1000 NFV, and as virtual appliances on AWS, Azure and Huawei Public Cloud.

Huawei offers a full-network-stack SD-WAN product, which includes a comprehensive security suite. This includes an NGFW, IDS/IPS, URL and content filtering. Although Huawei’s solution delivers broad functionality, the GUI seems more complicated and less user-friendly than others included in this research. Gartner expects Huawei to make investments in expanding automation in its WAN edge portfolio through the use of AI and ML, as well as intent-based networking and analytics. Huawei should be considered by organizations outside the U.S. and Canada of all sizes and verticals for all WAN edge solutions, when a turnkey solution from a single supplier is desired.

Strength

Huawei’s broad portfolio checks most of the WAN edge feature boxes, including full SD-WAN, flexible deployment form factors, a capable integrated security stack and basic WAN optimization.
Huawei is a dominant vendor in China, and it is also a major presence in the APAC region, as well as in South America, and Europe, the Middle East and Africa (EMEA).
Huawei has experience and proven scale, with extremely large deployments — more than 5,000 branch locations.

Cautions

Geopolitical upheaval and security concerns by North American and, to a lesser extent, some EU governments have severely limited adoption and availability in these geographies. Potential adopters in these locations should verify government restrictions, which may preclude adoption.
Huawei SD-WAN cloud service, which is useful when deploying SD-WAN over public internet, is available only in China.
Huawei’s GUI is more complicated and less-user-friendly than other vendors included in this research.

Juniper Networks

Juniper Networks is a publicly traded company based in Sunnyvale, California. Gartner estimates that Juniper has more than 23,000 primarily security-focused WAN edge customers and is a long-established networking and security vendor. Its flagship WAN edge solution is its Contrail SD-WAN, comprising its SRX Series Services Gateways (physical, virtual and cloud) and Contrail Service Orchestration. The vendor provides a full portfolio of WAN edge platforms, including its MX routers and NFX secure uCPE network function virtualization appliances, which can host WAN edge functions.

Juniper supports many routing protocols and architectures for complex networks, SD-WAN and advanced security capabilities; however, it lacks WAN optimization functionality. Furthermore, the vendor primarily relies on managed service providers (MSPs) as a go to market. Gartner expects Juniper to focus on expanding the interfaces supported (both WAN and Wi-Fi), simplify LAN/WAN orchestration, and enhance application performance metrics. Juniper is relevant to Gartner clients in nearly all vertical industries and geographies and should be considered for all security-led WAN edge opportunities globally, particularly those that will be consumed as a service.

Strengths

Juniper has a broad set of WAN edge network capabilities, including a variety of form factors, interfaces, a cloud-managed solution, routing and security, along with a service orchestrator (Contrail Service Orchestration), which simplifies deployment and management.
Juniper has longstanding relationships with communications service providers (CSPs), and a large and loyal installed base. This means there is a large pool of networking personnel familiar with Juniper’s products who can aid with implementation and operation.
Juniper is focused on leveraging its recent Mist Systems acquisition to incorporate more LAN/WLAN/WAN integration, which will simplify orchestration and management for end users.

Cautions

Many of Juniper’s target service providers have already aligned with Juniper’s competitors for SD-WAN. As a result, it may be difficult for customers to obtain Juniper-based managed services from their preferred service providers.
Juniper lacks native WAN optimization and doesn’t support FEC for voice optimization.
Juniper lacks visibility and awareness in the market as evidenced by the vendor being mentioned in few SD-WAN inquiries, compared with the larger competitors in this market.

Nuage Networks

Nuage Networks is based in Mountain View, California, and is a division of publicly traded Nokia, based in Espoo, Finland. Gartner estimates that 1,400 enterprises are using Nuage’s Virtualized Network Service SD-WAN products, predominantly via its approximately 70 NSP partners. Nuage’s Virtualized Network Services (VNS) include its Virtualized Services Directory (VSD), the Virtualized Services Controller (VSC), and the Network Services Gateway (NSG) CPE (physical, virtual and cloud). The vendor has developed a scalable SD-WAN solution with comprehensive routing capabilities. It leverages well-established relations with NSPs worldwide to deploy SD-WAN as a service, although it has only limited experience dealing directly to support DIY enterprise accounts.

The solution does not include any WAN optimization functionality to support non-real-time traffic, but does support some optimization for real-time traffic. Gartner expects the vendor to focus on developing more ruggedized form factors for supporting IOT, enhancing support for voice applications and expanding its path selection capabilities. Nuage is a good fit for enterprises that require SD-WAN with scalability or that prefer to consume WAN Edge solutions as a managed service.

Strengths

Nuage’s SD-WAN products are available through a large number of service provider partners.
The Nuage SD-WAN products are architected for software deployment on NFV platforms, allowing them to integrate easily with other virtual network software.
Nuage’s VNS SD-WAN offer integrates with its Virtualized Cloud Services (VCS) data center network overlay offering a more simplified solution.

Cautions

Because Nuage predominantly delivers its products via service providers, it has a limited number of direct enterprise customers and channels, limiting its brand recognition and experience with customers who prefer a DIY approach to sourcing their SD-WAN products.
Nuage has limited native advanced security and WAN optimization functionality, preferring to rely on third-party software on NFV platforms to support these capabilities.
Nuage’s path selection capability is limited to supporting two underlay connections, thereby restricting its applicability to some enterprises.

Oracle (Talari Networks)

Headquartered in Redwood City, California, Oracle is a publicly traded company known primarily for its database, cloud and business applications. Gartner estimates that it has more than 500 WAN edge customers. Oracle acquired Talari Networks in late 2018 and rebranded its fail-safe SD-WAN to Oracle SD-WAN. Oracle SD-WAN offers comprehensive support for application analytics, path selection, and active real-time traffic mitigation. Although the solution is focused on delivering WAN edge connectivity for mission-critical applications including E911 networks, there is limited native advanced security. Consequently, Oracle relies on partnerships with Zscaler or Palo Alto to address NGFW requirements.

Oracle has a suboptimal small-platform solution with no integrated Wi-Fi or LTE and also lacks an Oracle-hosted, cloud-based management platform. Gartner expects Oracle to focus on delivering Oracle-hosted cloud management, in addition to increasing Oracle SD-WAN’s capability for supporting high-density, cloud-based architectures. We expect Oracle SD-WAN technology to enable greater WAN edge functionality in its session border controller (SBC) products. Oracle SD-WAN should be considered for regional and global deployments in which latency-sensitive and/or mission-critical traffic survivability (such as a contact center) and application performance is a primary requirement.

Strength

Oracle has experience supporting mission-critical traffic requirements, such as call centers, government agencies and emergency responders.
Oracle offers strong path selection, application analytics and application performance capabilities.
Oracle’s enterprise voice experience — with its widely deployed SBC and global sales, support, and partner network complement its SD-WAN offering, thereby increasing capabilities, as well as reach.

Cautions

Oracle has limited experience deploying SD-WAN with networks greater than 250 branches.
Although Oracle has some native security features, it lacks a native advanced security stack (such as NGFW), which may limit the appeal of its SD-WAN product for companies requiring a turnkey WAN edge solution. Instead, it relies on partners to deliver this functionality.
Oracle’s SD-WAN solution has limited adoption into MSPs and carrier SD-WAN portfolios, reducing its appeal to organizations that prefer to consume from those providers.

Peplink

Peplink is a public company listed on the Hong Kong Stock Exchange as Plover Bay Technologies. Peplink is headquartered in Hong Kong, and Gartner estimates that it has more than 8,500 WAN edge customers. Peplink addresses the WAN edge market with two SD-WAN products: Balance and Max, which deliver wired and wireless SD-WAN, respectively. Peplink SD-WAN platforms are administered via the InControl 2 cloud-based management platform. Peplink also addresses the need to remediate real-time application and voice traffic with its SpeedFusion WAN smoothing, which uses FEC as its active remediation mechanism. However, it offers no WAN optimization for non-real time traffic. The platform can be secured via its limited advanced native security suite, which includes IDS/IPS and web filtering.

Peplink has experience providing LTE-based connectivity as part of its SD-WAN functionality, but has limited application analytics. Gartner expects Peplink to invest in expanding virtual support for its products and integration of 5G support. Organizations in any geography should consider Peplink when LTE connectivity is a primary consideration for a WAN edge deployment.

Strengths

Peplink’s SpeedFusion technology enables link bonding flexibility, which can enable capabilities to use multiple links to be combined to meet increased bandwidth needs, while keeping costs low.
Peplink has experience with WAN edge deployments in challenging environmental conditions, such as those found in the oil and gas, maritime, and transportation markets.
Peplink has proven scalability in large, distributed deployments with more than 5,000 sites.

Cautions

Peplink’s application analytics capabilities are not as granular as the other solutions described in this research.
Although most of Peplink’s customers are in North America and Europe, it has limited sales and support resources of its own in these areas. The company relies heavily on its limited channel partnerships at all levels of the sales and support cycle.
Peplink’s security capabilities are not as comprehensive as some other solutions described in this research.

Riverbed

Riverbed is privately owned and is based in San Francisco, California. Gartner estimates that Riverbed has more than 30,000 customers, with 3,000 SD-WAN customers. Riverbed’s flagship WAN edge offerings are SteelConnect and SteelHead SD, which supports SD-WAN with WAN optimization in a single integrated appliance. Riverbed devices are available as physical and virtual form factors and are centrally administered by SteelConnect Manager (cloud-based or on-premises). Riverbed does not offer vendor-hosted cloud gateways as a service. However, virtual appliances are available on AWS, Azure, Google Cloud, IBM Cloud and Oracle Cloud, and global SaaS acceleration is offered as a vendor-hosted managed service.

The vendor doesn’t have native advanced security or FEC/packet duplication functionality for real time traffic optimization. After the cut-off date for this research, Riverbed announced an OEM agreement with Versa to deliver scalable routing, SD-WAN and advanced security to address large-enterprise use cases. Gartner expects this OEM relationship to be a core focus going forward. Riverbed is suitable for midsize and large organizations worldwide across verticals, particularly those that want SD-WAN and WAN optimization in a single, integrated device.

Strengths

The vendor has substantial experience in large global enterprises with WAN optimization and has incumbency in many accounts. Leveraging this capability, Riverbed provides an integrated appliance that includes WAN optimization and SD-WAN.
Riverbed recently announced an OEM partnership with Versa in an attempt to address the large-enterprise market more effectively.
Riverbed offers a vendor-hosted SaaS acceleration solution offered as a cloud-managed service.

Cautions

The Versa deal attempts to offer an SD-WAN solution for large-enterprise organizations; however, Riverbed is the only vendor in this research that will be sourcing core SD-WAN functionality via an OEM agreement. Consequently, there is increased risk going forward, as opposed to Riverbed having full organic control.
Riverbed has limited native advanced security capabilities and needs to rely on partners for this functionality; this complicates sourcing and management for enterprise clients.
Gartner has received reports of code instability from clients, which has limited Riverbed’s ability to grow in the market.

Silver Peak

Silver Peak is a privately held company headquartered in Santa Clara, California. Gartner estimates that it has approximately 3,000 customers, with more than 1,500 on its flagship WAN edge platform. Silver Peak’s WAN edge product is Unity EdgeConnect SD-WAN appliances (e.g., physical, virtual and cloud), with optional Unity Boost WAN optimization and Unity Orchestrator (on-premises or cloud). Silver Peak’s SD-WAN products are available from a wide range of partners, including multiple NSPs.

Silver Peak has strong application performance with WAN optimization and real-time optimization, as well as strong analytics. However, the vendor has limited native advanced security capabilities. Gartner expects Silver Peak to focus on orchestration, extending orchestration for ecosystem services and cloud analytics. Silver Peak should be considered by organizations in all verticals and sizes for WAN edge opportunities in North America, EMEA and the APAC region, especially when WAN optimization functionality and path conditioning are required.

Strengths

Silver Peak’s SD-WAN product has strong application performance capabilities, including WAN optimization and real-time traffic optimization (e.g., FEC). Its WAN optimization solution also can be priced as a subscription and shared across a domain.
Gartner sees more channels and MSPs selling the Silver Peak solution, which shows the vendor’s channel expansion and relevance to various client consumption models.
Silver Peak’s roadmap is aligned with future client needs, with a focus on automation and ease of use.

Cautions

The Silver Peak SD-WAN products lack a native full advanced security suite, instead relying on third-party firewalls or cloud security services.
Silver Peak’s WAN edge offering lacks cloud gateways, requiring enterprises or MSPs to create these, if required.
Silver Peak has limitations with their small footprint devices (such as not having integrated Wi-Fi) typically required for small, remote branch offices.

Teldat

Teldat is an established, privately held communications company based in Madrid, Spain, and Nuremberg, Germany. Gartner estimates that Teldat has more than 1,000 WAN edge customers. Teldat offers a broad range of voice and data products, including LAN, WAN, WLAN and voice. Its flagship WAN edge offering is the Teldat M8 Smart, an SD-WAN edge gateway and the Cloud Network Manager (CNM) controller. The vendor provides routing, SD-WAN, some native advanced security functionality including IDS, A/V, and cloud content filtering. However, the vendor offers no WAN optimization or real-time optimization capabilities.

Teldat operates globally, but focuses primarily in Western Europe and Latin America, and delivers products primarily through carriers and MSPs. Gartner expects Teldat to focus on offering automatic customization for service providers, as well as AI/ML for improved network operations. Teldat should be considered by customers in Western Europe and Latin America who prefer a managed service for their WAN edge devices.

Strengths

Teldat has a strong presence in Europe and Latin America, where more than 95% of its customers are headquartered.
Teldat has successfully deployed large-scale WANs of more than 1,000 locations.
Teldat offers a management console that is available as an over-the-top service, which many customers prefer to simplify operations.

Cautions

Teldat has limited expertise with DIY enterprises, because it focuses heavily on selling through carrier and MSP partnerships in Europe and Latin America.
Teldat doesn’t support WAN optimization capabilities, nor does it support any voice optimization capabilities.
Although hard down failover is immediate, performance-based path selection rerouting can take up to 30 seconds.

Versa

Versa is a privately held company based in San Jose, California. Gartner estimates that Versa has more than 1,000 WAN edge customers. Versa focuses on branch and WAN functions, including routing, SD-WAN and security. Its flagship WAN edge offering is Versa FlexVNF software, and the requisite management and orchestration. FlexVNF supports scalable and advanced routing, comprehensive SD-WAN, multiple advanced security functions (such as NGFW, A/V, and content filtering), as well as the hosting of third-party VNFs. Although Versa supports FEC and packet duplication for real-time traffic, there are no native WAN optimization features. Instead, Versa supports hosting third-party WAN optimizations solutions as a VNF.

FlexVNF can be delivered on a branded appliance, on a whitebox hardware appliance or as a virtual instance in AWS. Azure, Google, Alibaba and Tencent clouds and as a software appliance delivered on white boxes Versa has been more successful selling through managed services providers versus do it yourself (DIY) customers. Gartner expects Versa to focus on its midmarket solution and small or midsize business (SMB) clients through its Versa Titan secure cloud service, which delivers an SD-Branch solution integrating routing, SD-WAN and security for LAN and WAN connectivity. Versa should be considered primarily by all enterprises in North America, the APAC region and EMEA, particularly when enhanced security functions, flexible deployments options and a managed service are desired.

Strengths

Versa offers advanced feature depth and breadth, with enhanced security, SD-WAN and voice optimization in an integrated solution.
Versa has strong relationships with CSPs and managed service partners as its primary go to market.
Versa has expanded its partner base with a strategic OEM partnership with Riverbed (integrating Versa VNFs on Riverbed platforms). This will give it access to large global enterprises in which Riverbed is the incumbent and increase its ability to grow and sustain in the market.

Cautions

Versa lacks native WAN optimization, relying instead on hosting third-party virtual appliances.
Versa has less experience with direct enterprise DIY, because most of its customers are sold through MSPs.
Current production network deployments are limited beyond 800 branches.

VMware

VMware is a publicly traded company based in Palo Alto, California. Gartner estimates that VMware has more than 5,500 WAN edge customers deployed globally. VMware’s SD-WAN offering is VMware SD-WAN by VeloCloud, which includes physical and virtual edge appliances, cloud gateways and orchestration, which can be on-premises, or hosted by an MSP or VMware. The solution includes strong SD-WAN functionality that, when combined with its gateways (some of which are hosted by carriers and some by the vendor), offers enterprises a scalable platform for accessing cloud workloads. VMware has proved itself able to scale for large global deployments. VMware offers three subscription levels to align with different use cases and price points primarily based on network scale and cloud connectivity.

The vendor’s solution doesn’t have native advanced security capabilities or traditional WAN optimization functionality, but it does have optimization for real-time traffic and cloud based applications. Gartner expects VMware to focus on multicloud integration, performance analytics and self-healing networks going forward. VMware should be considered by organizations of all sizes and verticals for all SD-WAN opportunities globally.

Strengths

The VMware SD-WAN solution offers a wide range of deployment options for the edge devices. They can be physical or virtual with optional cloud gateways and orchestration, which can be cloud-based, MSP-hosted or cloud-hosted.
VMware SD-WAN has a proven track record of being able to fulfill large, complex global networks of greater than 1,000 sites. In fact, it has some of the largest SD-WAN deployments.
VMware has a wide range of go-to-market partners, including multiple global NSPs, as well as VMware and Dell channels; this provides enterprises with many ways to consume the solution.

Cautions

The VMware product lacks native advanced security functionality; instead, it relies on partner firewalls instantiated on its platform or cloud security services.
VMware lacks traditional WAN optimization capabilities.
VMware lacks native support for IPv6, which may limit the vendor’s ability to support certain types of deployments.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may reflect a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

HPE (Aruba) was added due to a new product offering that meets the inclusion criteria.

Dropped

Cato Networks was dropped, because it failed to meet inclusion criteria based on our assessment and data provided by the vendor.

Forcepoint was dropped because it failed to meet inclusion criteria based on our assessment and data provided by the vendor.

Inclusion and Exclusion Criteria

To qualify for inclusion, vendors need to show relevance to Gartner clients by:

Providing hardware and/or software that addresses the enterprise WAN edge requirements outlined in the Market Definition/Description section. Alternatively, they may address this need by delivering a managed service that uses in-house developed hardware/software to deliver the service.
Producing and releasing enterprise WAN edge networking products for general availability as of 1 June 2019. All components must be publicly available, be shipping and be included on the vendors’ published price list as of this date. Products shipping after this date, and any publicly available marketing information may only have an influence on the Completeness of Vision axis.
Provide commercial support and maintenance for their enterprise WAN edge products (24/7) to support deployments on multiple continents. This includes hardware/software support, access to software upgrades, and troubleshooting and technical assistance.

Product Capabilities

Vendors must have generally available products that support all of the following capabilities. These capabilities must be supported natively on branch CPE:

The ability to function as/replace the branch office router/CPE (including BGP, OSPF, support hub and spoke, mesh, and partial mesh topologies for a minimum of a 100-site network) with traffic shaping and/or QoS
Centralized management for devices (with GUI), including reporting and configuration changes, and software upgrades
Zero-touch configuration for branch devices
VPN (Advanced Encryption Standard [AES] 256-bit encryption) and NGFW or firewall with the ability to redirect to an SWG
Dynamic traffic steering based on business or application policy (not limited to only DiffServ Code Point [DSCP]/ports, IPs/circuits or 5tuple) that responds to network conditions (changes in packet loss, latency, jitter, etc.) in an active/active configuration
At least 100 well-known application profiles included (auto discovered)
Application visibility identifying specific traffic that traverses the WAN
At least two of the following WAN interfaces: Ethernet, xDSL, Tx/Ex, fiber and 4G/LTE
Software (ability to operate as a VNF at the branch or in the network and to be hosted in at least one cloud provider, such as AWS) and hardware form factors

Financial Performance

Vendors must show relevance to Gartner’s enterprise clients by meeting at least one of the following with their WAN edge infrastructure solutions that meet the product inclusion criteria:

Demonstrate scalability by servicing at least three customers with active support contracts that have at least 100 sites each.
Show relevance to Gartner’s enterprise clients on a global basis with at least one of the two below criteria:
- At least 25 customers with active support contracts and 10 sites each headquartered in two or more geographic regions (NA, SA, EMEA or APAC). This means 25 customers in one region and another 25 customers in a different region.
- At least 10 customers with active support contracts and 10 sites each headquartered in three or more geographic regions (North America, South America, EMEA or APAC). This means 10 customers each in three different regions, for a total of more than 20 customers.
Meet at least one of the four criteria below:
- Total WAN edge infrastructure revenue of at least $20 million in the 12 months ending December 2018
- Total WAN edge infrastructure revenue of $13 million in the 12 months ending December 2018, with at least a 100% growth rate during the previous 12 months
- At least 20,000 WAN edge infrastructure sites deployed and under active support contracts
- At least 300 WAN edge infrastructure customers under active support contracts with 10 or more sites deployed each

Exclusion Criteria

We exclude NSPs, non-NSPs or other providers/vendors that do not own their WAN edge technologies because they deliver their offerings with commercial vendor products as the underpinning technology.

Vendors of Note

Gartner estimates that more than 70 vendors compete in the WAN edge market; many with specialized offerings. The vendors listed below, along with several others, did not meet the inclusion criteria, but are notable for their offerings and may be of interest to readers of this research:

128 Technology is a privately held company based in Burlington, MA. Although 128 Technology didn’t meet the inclusion criteria, it is relevant to enterprises looking for a software-driven solution.
Bigleaf Networks is a privately held company based in Beaverton, Oregon. Although Bigleaf didn’t meet the inclusion criteria, they are relevant to some midmarket customers.
Cybera is a privately held company based in Franklin, Tennessee. Although Cybera didn’t meet the inclusion criteria, it is relevant to large, distributed retail enterprises that are primarily U.S.-based.
Infovista is a privately held company based in Massy, France. Although Infovista didn’t meet the inclusion criteria, it is relevant to enterprises with a specific focus on application performance.
Forcepoint is a privately held company based in Austin, Texas. Although Forcepoint didn’t meet the inclusion criteria, it is relevant to enterprises with a specific focus on security.
Cato Networks is a privately held company based in Israel. Although Cato didn’t meet the inclusion criteria, it is relevant to the midmarket, with security and cloud access requirements.
Sangfor Technologies is a public company based in China. Although Sangfor didn’t meet the inclusion criteria, it is relevant to enterprises that have a specific focus on security and are based in the APAC region.
Lavelle Networks is a private company based in India. Although Lavelle didn’t meet the inclusion criteria, it is relevant for enterprises located in India.
Multapplied is a private company based in North Vancouver, BC, Canada. Although Multapplied didn’t meet the inclusion criteria, it is relevant to organizations that purchase from selected service providers.
Lancom Systems is a private company based in Munich, Germany. Although Lancom didn’t meet the inclusion criteria, it is relevant to distributed organizations that are based primarily in Europe.

Evaluation Criteria

Ability to Execute

Product/Service: Core goods and services that compete in and/or serve the defined market. This includes current product and service capabilities, quality, feature sets, skills, etc. This can be offered natively or through OEM agreements/partnerships, as defined in the Market Definition and detailed in the subcriteria.

Evaluates vendors by looking at their overall WAN edge networking portfolios, including all hardware and software aspects of WAN edge networking. This includes physical and virtual CPE, controllers, gateways, and the relevant automation, management and orchestration of those components. We consider the breadth and depth of WAN Edge functions that the vendor offers, as well as automation and integration within broader networking workflows and orchestration. Particular attention will be paid to management that is application/business-outcome-focused. We consider product and architectural migration strategies, and the ability to address customers’ multicloud deployment requirements, application performance, security, traffic steering, scalability and resiliency needs. We focus on the vendor’s flagship enterprise offering and/or the products they lead with for enterprise accounts.

Overall Viability: Viability includes an assessment of the organization’s overall financial health, as well as the financial and practical success of the business unit. This evaluates the likelihood of the organization to continue to offer and invest in the product, as well as the product position in the current portfolio.

Sales Execution/Pricing: The organization’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support and the overall effectiveness of the sales channel. We also include the vendor’s estimated market share and growth.

Evaluates presales and go-to-market sales activities of both the vendor and its channels, and includes analysis of how the vendor interacts with its customers and prospects. The second aspect of this criterion includes our evaluation of the cost-effectiveness of the solutions for purchase and support over their useful life, and the ability to recognize and position the most appropriate solution in specific sales situations.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor’s history of responsiveness to changing market demands. This includes how well the vendors’ offerings match buyer’s requirements at the time of purchase.

We assess the vendor’s track record in delivering new capabilities when the market needs them in terms of timing and scope. This criterion also considers the vendor’s history of responsiveness in terms of changing market demands. This evaluation is not limited to products, it involves pricing/licensing as well.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message in order to influence the market, promote the brand, increase awareness of products and establish a positive identification in the minds of customers. This “mind share” can be driven by a combination of publicity, promotional, thought leadership, social media, referrals and sales activities.

Focuses on how the vendor is perceived in the market, and how well its marketing programs are recognized in generating awareness. For WAN edge infrastructure, the evaluation focuses on how well the vendor is able to influence and shape perception in the market through marketing activities and thought leadership. An additional indicator for this criterion is how often Gartner clients inquire about a specific vendor in terms of its capabilities and reputation or in a shortlist evaluation process.

Customer Experience: Products and services and/or programs that enable customers to achieve anticipated results with the products evaluated. Specifically, this includes quality supplier/buyer interactions technical support, or account support. This may also include ancillary tools, customer support programs, availability of user groups, service-level agreements (SLAs), etc.

Looks at all aspects of the customer experience (including pricing, setup, day-to-day production, as well as support), with a heavier weighting on postsales service and support activities. This includes customer’s experience with the vendor’s WAN edge products and services used in their production environments. This also includes initial provisioning, as well as the day-to-day operation and management of WANs. It includes the ability to upgrade software and work with technical support to solve problems. Hardware and software quality and how customers describe their experience with the vendors’ products are evaluated.

Table 1: Ability to Execute Evaluation Criteria

Enlarge Table

Evaluation Criteria	Weighting
Product or Service	High
Overall Viability	High
Sales Execution/Pricing	Medium
Market Responsiveness/Record	High
Marketing Execution	Medium
Customer Experience	High
Operations	Not Rated

Source: Gartner (November 2019)

Completeness of Vision

Market Understanding: Ability to understand customer needs and translate them into products and services. Vendors with a clear vision of their market listen, understand customer demands, and can shape or enhance market changes with their added vision.

Assesses the vendor’s ability to look into the future needs and drive new ideas into product roadmaps and offerings. This includes the vendor’s understanding of the core WAN edge infrastructure buyers as described in the Market Definition, as well as understanding the competitive nature of the market. In this market, we look at the vendor’s ability to address the challenges associated with distributed branch office locations. This may include simplified central management, large-scale deployments, latency/bandwidth challenges, automation, multicloud networking, changing application deployment scenarios (including on-premises), IaaS/PaaS, and SaaS architectures, openness, choice and investment protection.

Marketing Strategy: Clear, differentiated messaging consistently communicated internally, externalized through social media, advertising, customer programs and positioning statements.

Evaluates the ability of the vendor to influence the market through its messaging and marketing campaigns. Furthermore, this includes the extent to which the vendor articulates a clear, consistent and differentiated message that is aligned with end-user needs. We look for consistent communication throughout the organization and through its website, advertising, customer programs and positioning statements, as well as statements of direction and product roadmaps.

Sales Strategy: A sound strategy for selling that uses the appropriate networks, including direct and indirect sales, marketing, service, and communication. This also includes partners that extend the scope and depth of market reach, expertise, technologies, services and their customer base.

Evaluates the vendor’s use of direct and indirect sales to extend the scope and depth of its market reach. Furthermore, this includes the extent to which the vendor articulates a clear, consistent and differentiated sales strategy that engages with buyers. It involves the development of effective go-to-market strategies, alliances and partnerships leveraging value-added resellers (VARs), SIs, Master Agents, NSPs, MSPs and OEM resellers as appropriate. In addition, this includes how the vendor exploits new business models that are emerging due to market and technology transitions.

Offering (Product) Strategy: An approach to product development and delivery that emphasizes market differentiation, functionality, methodology and features as they map to current and future requirements.

Evaluates how the vendor plans and invests in R&D to continue to innovate in the key market transitions identified in the Market Definition/Description and Extended Market Definition sections. This includes product roadmaps around existing and future WAN edge functions. This also includes not just the raw functions, but also the vendor’s overall architecture across the portfolio.

Business Model: The design, logic and execution of the organization’s business proposition to achieve continued success.

Assesses the soundness and logic of a technology provider’s underlying business proposition and how revenue/profitability is derived.

Vertical/Industry Strategy: The strategy to direct resources (e.g., sales and product development), skills, and products to meet the specific needs of individual market segments, including verticals.

Measures the vendor’s ability to address the unique requirements of particular vertical industries and to employ the associated sales channels to build a sustainable business advantage.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or preemptive purposes.

Measures the vendor’s ability to address emerging WAN edge requirements, and/or increasing value to enterprise customers. We look at how the vendor invests in new technologies to move its business and the market forward, with a focus on technologies that are differentiated, unique and offer high value to the enterprise buyer. Specific examples include application centricity, intent-driven networking, security, improved management and automation, and even nonproduct innovations, such as consumption-based pricing and new models (e.g., hybrid offerings that bundle product and managed services).

A key attribute in the WAN edge market is for the vendor to innovate in technology areas that meet emerging enterprise market requirements around simplified management of hybrid WAN architectures, including increasing levels of automation. Innovation is not a checkbox of current and proposed product features. It is not limited to product; it can cover multiple aspects of the vendor’s strategy that delivers new capabilities that differentiates it in the marketplace, including new pricing and operational models.

It measures the vendor’s ability to address any unique product requirements of particular geographies and to use the associated messaging, partnerships, as well as sales channels, to build a sustainable business advantage.

Table 2: Completeness of Vision Evaluation Criteria

Enlarge Table

Evaluation Criteria	Weighting
Market Understanding	High
Marketing Strategy	Medium
Sales Strategy	Medium
Offering (Product) Strategy	High
Business Model	Medium
Vertical/Industry Strategy	Low
Innovation	High
Geographic Strategy	Low

Source: Gartner (November 2019)

Quadrant Descriptions

Leaders

A Leader has demonstrated a sustained ability to address changing requirements for enterprise WAN edge. A Leader also can drive, shape and transform the market, as well as maintain strong relationships with its channels and customers.

Challengers

A Challenger has demonstrated sustained execution in the marketplace, and has clear, long-term viability in the market. However, a Challenger has not shown the ability to drive, shape and transform the market.

Visionaries

A Visionary has innovated in some key areas of WAN edge, such as path selection, link remediation, automation, operational efficiency and cost reductions. Visionaries often help to transform the market, from driving new ideas, including new business models, to solving enterprise challenges.

Niche Players

A Niche Player has a complete or near-complete product offering, but has limitations, such as geographic reach or vertical market focus. A Niche Player has a viable product offering, but has not shown the ability to transform the market or maintain sustained execution.

Context

Market Forecast

The WAN edge market (which comprises SD-WAN plus traditional branch routers) is forecast to generate a compound annual growth rate (CAGR) of −6.5% in end-user spending from 2018 through 2023. However, this is the result of the robust growth of SD-WAN (+23.4% CAGR) and the decline of traditional branch office routers (—23.9% CAGR). The decline is due to the lower average selling price of SD-WAN hardware and software.

Gartner expects a functional consolidation of WAN edge functions into a single device to cause declines in the number of devices shipped and the total market size. This is evidenced by dedicated WAN optimization appliances, which are increasingly delivered as an added feature as part of SD-WAN. This bodes well for buyers, as multifunction devices typically sell for less than several dedicated devices.

The increase in WAN speeds from 1.5/2.0 Mbps legacy interfaces and 10 Mbps Ethernet interfaces to speeds and throughputs of 1 Gbps and beyond will drive up the prices of WAN edge equipment, although at a slower rate than the corresponding increase in link speeds, because there isn’t a linear relationship. In other words, the price per bit will go down.

Market Overview

Gartner’s view of the market is focused on transformational technologies or approaches delivering on the future needs of end users. It is not exclusively focused on the market as it is today.

This dynamic market, with emerging client needs, has created a deeply fragmented vendor landscape, with both large established vendors and smaller providers from multiple segments competing for market share. Differentiation can be feature-based (e.g., ease of cloud connectivity, embedded NGFW or application performance), business-model-based (e.g., pure subscription or WAN as a service using proprietary technologies) or go-to-market (e.g., direct, master agents, product-focused VARs or system integrators [SIs] as MSPs). Some vendors focus on feature depth on a specific use case or two, while others choose an “all-in-one offering” approach. Scale of deployment and the ability to support complex environments remain differentiators at the high end of the market, where some customers require deployments of several thousand branches across multiple geographies.

Market Drivers

The WAN edge market is primarily driven by seven factors:

Refresh of existing branch office router equipment that is at end of support or lacks the desired capabilities
Renewal of NSP or managed service contracts, where a new service provider also means new equipment
The changing traffic patterns resulting from the increasing use of cloud and multicloud resources, which renders the traditional hub-and-spoke from remote branch to on-premises data center WAN architecture obsolete
By distributing internet access to the branch, the security perimeter changes, which typically drives new solutions
The expansion of capacity (i.e., physical build-outs) within existing locations
The desire to increase agility and automation to address the needs of digital business transformation and lower opex
The desire to consolidate more than one branch function, such as routing, security and WAN optimization

Moving forward, Gartner views SD-WAN and NFV as key technologies to help enterprises transform their networks from fragile to agile. NFV can be in the cloud or on-premises, and Gartner expects to see more functions supported in the cloud. The resulting deployments will increasingly become a choice between a thick branch with more functions operated locally, versus a thin branch with more functions operated in the cloud. Increasingly, we see the consolidation and integration of network and security functions to be a driver in this decision.

Vendor Landscape Changes

Just a few years ago, the WAN edge market was dominated by a few suppliers with long histories of providing routing. Security and WAN optimization was often provided by separate dedicated appliances, and even when device consolidation was available, cost savings were small.

With the acceptance of SD-WAN and the demonstration that routing was increasingly becoming commoditized, companies that often offered adjacent solutions are now aggressively competing.

This Magic Quadrant covers well-known incumbent vendors, as well as a number of smaller suppliers. In total, the WAN edge market is estimated to have more than 70 suppliers that Gartner is aware of, and more are likely to enter the market. We expect this market to remain extremely fragmented during the next few years, with little sign of significant consolidation. It is likely that more than 10 mainstream suppliers will remain, as we look out five years.

WAN refresh opportunities often now involve several trusted existing suppliers and one or two new providers. In many cases, vendors from adjacent markets are competing by bundling multiple functions (e.g., security plus routing) in a single offering that is priced only slightly higher than a single-function offering. Additionally, some of these incumbent solutions can be upgraded to offer SD-WAN by just updating the software on-site and retaining the hardware already deployed.

Market Recommendations

I&O leaders responsible for building and operating WANs should:

Build a hybrid WAN architecture with SD-WAN products, if you have a mix of public and private applications.
Shortlist at least two vendors (for example, pure play or pivoting vendor) in addition to your incumbent WAN Edge vendor for any significant WAN expansion or router refresh.
Quantify the total cost of ownership (TCO) for any SD-WAN deployment. Savings may fund an early refresh, but a detailed end-to-end, life cycle analysis is required (see “Fact or Fiction: Does SD-WAN Really Save You Money?,” “Technology Insight for SD-WAN” and “Toolkit: Calculate the Before-and-After SD-WAN Expenses”). It is more common that WAN edge solutions have more opex-friendly business models, with a strong shift from upfront capital expenditures (capex) to annual license subscriptions, which may dramatically increase your TCO. Quotes should include all platform, license and support costs for a three-year baseline to perform a proper evaluation.
Choose WAN as a service for your next refresh if you are looking for a managed network service, prefer opex to capex, or prefer to rent, rather than own your equipment (see “DIY vs. MNS: Enterprises Must Reassess Their Network Sourcing Model to Prepare for SD-WAN” and “Debunk the Misperceptions About Network as a Service”).
If choosing managed SD-WAN, then evaluate both NSP and non-NSP (such as MSPs, independent software provider (ISP) aggregators and SIs) options (see “Market Guide for Managed SD-WAN Services”).
Favor WAN edge vendors that can facilitate automation. As a key part of vendor evaluation, include an evaluation of the operational model of any new WAN edge solution to determine potential savings and differentiation among competing vendors.
In highly distributed organizations, leverage ISP aggregators who can ease the procurement and management of internet access circuits (see “4 Steps in Selecting ISP Aggregation Services”).

Extended Market Definition

Characteristics of the Market

Typical business outcomes: The fundamental business outcome is connectivity between enterprise users, applications and services that reside in distributed locations. Locations include headquarters, branches, corporate data centers, colocation/hosting facilities, SaaS providers and cloud service providers. Increasingly, buyers require improved agility, automation, flexibility and application control.

Market: WAN edge infrastructure provides network functions that support connectivity for distributed locations (typically branches). This market includes functionality that Gartner defines as traditional routers, security appliances, WAN optimization controllers (WOCs), WAN path controllers and SD-WAN.

Typical buyers: Within the enterprise, CIOs, CTOs, the vice president of I&O, the director of networking, and network and telecom managers are typically the buyers of WAN edge infrastructure. Branch managers, as well as enterprise architects, are strong influencers in larger enterprises as well.

How buyers shape their buying decisions: When selecting WAN edge infrastructure, buyers typically focus on several factors including vendor incumbency and familiarity, feature/functionality, pricing options, performance, form factor, deployment options, ease of management, visibility/analytics, customer support/experience, overall product architecture, vertical focus and geographical strength. The solution set is strongly influenced by changing traffic patterns affecting the enterprise WAN.

Deliverables: The primary deliverables include network functions that enable connectivity for users at branches. Typical network functions include edge routing, security and VPN, WAN optimization, WAN path control and SD-WAN. These functions can be delivered to the enterprise as integrated, dedicated hardware appliances (such as routers, WOCs, security or SD-WAN edge-devices) or as a software instance of these functions (e.g., a VNF). These may reside at the customer premises, in provider points of presence (POPs) or as a network-based/cloud service.

How providers package, market and deliver: Buyers typically source their WAN edge infrastructure products directly from network equipment suppliers, or via a network or MSP (that is, as a managed service). WAN edge infrastructure can be procured via purchase, leasing, subscription or consumption-based pricing models. Furthermore, there is a diverse set of deployment options for these networking functions, including via hardware appliances, software (e.g., VNF) or cloud-based services.

Characteristics of WAN Edge Solutions

WAN edge solutions are characterized by the following elements:

Physical interfaces: This refers to physical interfaces to plug into the service providers’ circuits. Ethernet is rapidly becoming the default connection and link speeds are increasing to multigigabit speeds. Flexible options beyond just Ethernet offer more value to customers.

Physical topology: Traditional hub-and-spoke WAN architectures are no longer suitable for most enterprises. Enterprises are altering their WAN architectures in support of new digital business initiatives and the adoption of public cloud services (e.g., SaaS, IaaS and PaaS). The rationale behind this is that migration of applications to the public cloud can lead to distinct challenges, including:

Network performance problems as traffic is backhauled, which typically increases latency and congestion
WAN expenses increase due to backhauled internet traffic with cost of paying for bandwidth twice (MPLS to the data center and from the data center to the internet).

Routing, WAN Optimization and Security

With part of the first phase of SD-WAN, we saw some SD-WAN deployments deployed behind traditional routers. However, as SD-WAN routing functionality has improved, vendor products have largely been proved, and traditional routers are reaching end of life, we see SD-WAN operating as the main WAN edge function in customer networks.

Increasingly we are seeing two approaches from vendors where they are natively incorporating multiple functions into their solution (e.g., SD-WAN, WAN optimization and security) or partnering with other point solution vendors.

Deployment Options

We see several deployment methods available for the enterprise to consume network functions:

Dedicated hardware appliance — This is the traditional style of deployment, in which a single network function is delivered as a turnkey integrated hardware appliance. Although still common, the trend is to move aware from this option as on-site technology becomes obsolete or inefficient. If retained, we do see the trend of at least the on-site router migrating to an SD-WAN solution.
Multifunctional integrated platform — This platform combines proprietary hardware and software to deliver multiple functions, such as WAN optimization, routing and security. This can be deployed in two ways:
- Native functionality by the vendor
- Partnership by the vendor with another best-of-breed solution that is tightly integrated
Examples include FortiGate appliances, Silver Peak Unity EdgeConnect with Unity Boost, VMware SD-WAN by VeloCloud, and Versa’s FlexVNF.
Virtualized network function — This is a software-based instance of a network function that can be delivered on an x86-based computing platform. Nearly all routing, WAN optimization and SD-WAN vendors deliver a VNF version of their software.
uCPE platform — This multifunctional platform supports an NFV architecture, designed around industry standards to run multiple virtual functions, with possibly different vendors’ functions in the same device. The platform allows multiple VNFs to be installed, and typically makes use of industry-standard x86 devices, rather than function-specific appliances. Juniper Networks’ NFX and Cisco ENCS are examples of a hardware uCPE platform. Universal CPE is one delivery method for an NFV deployment with the functions residing on-premises. With the goal to increase the agility of enterprise networks, enabling them to respond to changing needs more rapidly in a more on-demand manner and avoid vendor lock-in. Today, uCPE is primarily a carrier-driven technology, and has near-term adoption challenges with pricing, performance, standard orchestration and networking integration. However, we expect these challenges to subside in the next couple of years.
Cloud-based OTT — Network function is delivered via a cloud platform, and the enterprise subscribes to the functionality. An example is Aryaka, which provides WAN optimization and other application performance functionality. Additionally, we are seeing security delivered in this model, which will drive adoption of the thin CPE model.

Consumption Models for WAN Edge Infrastructure

Enterprises consume WAN edge infrastructure functionality in multiple ways, including:

DIY — Enterprise owns and manages WAN edge functionality itself.
NSP — NSP manages the WAN transport and, optionally, the WAN edge equipment.
MNS — Managed NSPs include SIs, MSPs, and ISP aggregators that managed the WAN edge equipment and may resell third-party access or, in some cases, allow organizations to bring your own access (BYOA)
Hybrid — This is a combination of at least two of the above.

On a global basis, most WAN edge infrastructure is provided as a managed service, either via a NSP, SI, MSP or ISP aggregator. Conversely, in North America, the predominant way of managing WAN edge infrastructure for a large enterprise is DIY. Overall, Gartner sees the trend for more MNSs and the growth is expected to come from non-NSP providers. Additionally, we see an increasing trend of co-management where the client retains control over business policies and the MSP controls how those policies are enforced.

In this research, we focus primarily on WAN edge functionality that can address multiple consumption models.

Evidence

Gartner analysts conducted more than 3000 Gartner client inquiries on the topic of WAN between 1 July 2018 and 30 June 2019.

Gartner analysts conducted more than 700 Gartner client inquiries on the topic of SD-WAN between 1 July 2018 and 30 June 2019.

Market size forecast sources are from “Forecast: Enterprise Network Equipment by Market Segment, Worldwide, 2016-2023, 1Q19 Update.”

All vendors in this research responded to an extensive questionnaire regarding their current/future data center networking solutions.

We surveyed reference customers provided by vendors in this research. All vendors in this research provided reference customers, although not all reference customers completed the survey (n = 125).

Analysts reviewed Gartner Peer Insights data for this market.

Social Media Conversation Analysis: Gartner analyzed social media activity regarding WAN edge topics and applicable vendors. Automated social media listening tools were used to track user responses on social media and public discussion forums as leading indicators for consumer sentiment, preferences and activities.

The data tracked is specific to quantifiable keywords and phrases, as well as qualitative assessments and evaluations of results and use cases.
Definition of social media mentions: “Mentions” are the text inclusion of a monitored keyword in a post on a social media platform. High mention count should NOT be interpreted as “positive sentiment” by default.

Duration of the Research: The time period for the analysis of the overall mention count was considered to be between 1 August 2016 and 23 July 2019. Considering a different time interval may change the most-talked-about conversations.

Evaluation Criteria Definitions

Ability to Execute

Completeness of Vision

Business Model: The soundness and logic of the vendor’s underlying business proposition.

Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

The Forrester Wave: Global Managed Security Services Providers, Q3 2020

Market Guide for Network Detection and Response

Overview

Key Findings

Recommendations

Market Definition

Market Description

Market Direction

Market Analysis

Representative Vendors

Market Introduction

Table 1: Representative Vendors in Network Detection and Response

Vendor Profiles

Awake Security

Blue Hexagon

Bricata

Cisco

Corelight

Darktrace

ExtraHop

Fidelis

FireEye

Flowmon

Gigamon

GREYCORTEX

Hillstone Networks

IronNet

Lastline

Plixer

Vectra

Market Recommendations

Note 1Representative Vendor Selection

Note 2Other Vendors That We Are Tracking

Note 3: Kaspersky

Selecting the Right SOC Model for Your Organization

Overview

Key Findings

Recommendations

Strategic Planning Assumption

Analysis

Definition

Description

SOC Models

Table 1: Five Primary Operational SOC Models for Typical Organizations

Virtual SOC

Multifunction SOC

Hybrid SOC

Dedicated SOC

Command SOC

Benefits and Uses

Adoption Rate

Risks

Recommendations

Note 1ITIL 4 Incident and Incident Management Definitions

Magic Quadrant for Application Security Testing

Strategic Planning Assumptions

Market Definition/Description

Magic Quadrant

Vendor Strengths and Cautions

CAST

Strengths

Cautions

Checkmarx

Strengths

Cautions

Contrast Security

Strengths

Cautions

GitLab

Strengths

Cautions

HCL Software

Strengths

Cautions

Micro Focus

Strengths

Cautions

Onapsis

Strengths

Cautions