Magic Quadrant for Security Information and Event Management

Published 29 June 2021 – ID G00467384 – By Kelly Kavanagh, Toby Bussa, and 1 more

Security and risk management leaders increasingly want SIEM solutions with attack detection, investigation, response and compliance capabilities, but must balance this desire with an understanding of the resources needed to run such solutions. This report will help them identify a suitable vendor.

Market Definition/Description

Gartner’s view of the market for security information and event management (SIEM) solutions focuses on transformational technologies and approaches to meeting the future needs of end users. It does not focus on the market as it is today.

Gartner defines this market as catering to customers’ need to:

  • Collect security event logs and telemetry in real time for threat detection and compliance use cases.
  • Analyze telemetry in real time and over time to detect attacks and other activities of interest.
  • Investigate incidents to determine their potential severity and impact on a business.
  • Report on these activities.
  • Store relevant events and logs.

The vendors included in this Magic Quadrant have products designed for this purpose, which they market and sell to the security buying center.

SIEM technology aggregates event data produced by security devices, network infrastructure, systems and applications. The primary data source is log data, but SIEM technology can also process other forms of data, such as network telemetry data (flows and packets). Event data can be combined with contextual information about users, assets, threats, and vulnerabilities for the purposes of scoring, prioritization and expediting investigations. The data should ideally be normalized, so that events, data and contextual information from disparate sources can be analyzed more efficiently for specific purposes, such as network security event monitoring, user activity monitoring and compliance reporting. The technology offers real-time analysis of events for security monitoring, advanced analysis of user and entity behaviors, querying and long-range analytics for historical analysis, other support for incident investigation and management, and reporting (for compliance requirements, for example).

Magic Quadrant

Figure 1: Magic Quadrant for Security Information and Event Management

Source: Gartner (June 2021)

Vendor Strengths and Cautions

Elastic

Elastic is a Niche Player in this Magic Quadrant. Elastic is based in Mountain View, California, U.S., the Netherlands and Singapore. It has customers worldwide. Its SIEM platform is Elastic Security, which offers endpoint security, following Elastic’s acquisition of Endgame in 2019. Its customers include midsize organizations but mainly large enterprises. Elastic’s SIEM platform became generally available in February 2020. Elastic Security can be deployed on-premises or consumed as SaaS via Elastic Cloud. Elastic has a subscription model featuring Standard (formerly Basic) and Premium tiers (Gold, Platinum and Enterprise), available as self-managed software and via Elastic Cloud. The company’s resource-based pricing model is based on the memory resources used to store, search and analyze data.

Strengths

  • Opportunity to start for free and grow into advanced offerings: Elastic has a history of being used for SIEM use cases through the Elasticsearch, Logstash and Kibana (ELK) Stack. Buyers considering Elastic Security can use the free version under the Standard subscription tier, which includes core SIEM functions. Buyers looking for advanced SIEM features and functionality can subscribe to the Gold, Platinum or Enterprise tiers.
  • Variety of sources for detection content: Elastic provides Elastic Security buyers with its own out-of-the-box detection content, but content is also available from other sources, such as the Elastic user community and SOC Prime.
  • Support for threat-hunting activities: Elastic’s Kibana Lens feature enables a business intelligence type of approach to threat-hunting use cases. It combines drag-and-drop visualization capability with the native search capabilities of Elastic’s platform.

Cautions

  • Learning curve to understand pricing model: Elastic’s pricing model does not correspond to the market norm of volume-, velocity-, user- or asset-based pricing. A resource-based pricing model may prove complex for some buyers when planning for their initial deployment and future growth. Prospective buyers must ensure they understand the implications of resource-based pricing and how to calculate the required capacity, especially when comparing Elastic’s SIEM solution with competing solutions.
  • Lack of out-of-the-box compliance support: Elastic’s platform offers no packaged compliance dashboards and reports. Detection rules relevant to compliance are available, but not tagged or easily identified and deployed. Users must rely on community or partner development, or create their own dashboards.
  • Variable platform management user experience: The user experience is not fully consistent across Elastic’s product when it comes to managing and operating the solution. For example, some functions can be managed only via developer tools within Kibana, while others are managed via a task-specific GUI.

Exabeam

Exabeam is a Leader in this Magic Quadrant. Its headquarters are in Foster City, California, U.S., and it has offices worldwide. The majority of its customers are in North America, with the next-largest concentrations being in Europe, Asia/Pacific and Latin America. Most customers are large enterprises, but there are also some midsize clients. Exabeam’s SIEM solution is available on-premises, as SaaS (Exabeam Fusion SIEM [formerly SaaS Cloud]) and for hybrid, federated deployment. It includes Exabeam Data Lake, Advanced Analytics, Threat Hunter, Entity Analytics, Case Manager and Incident Responder. These components can be bundled or acquired separately to augment an existing SIEM product. Add-ons include Exabeam Cloud Connectors and Cloud Archive. Licensing is term-based. Pricing is normally based on the number of users or entities monitored, but there is also optional data volume pricing for SaaS.

Strengths

  • Long-term, searchable log storage: The combination of Exabeam Cloud Archive (for up to 10-year data retention), search across normalized events, anomalies, indicators of compromise, and a timeline of log events with automated enrichment enables hunting and investigation supported by rich context over long time frames.
  • Modular architecture for tailored deployment: Exabeam’s modular architecture enables customers to select only the capabilities they need for data storage, analytics and response, for example, across multiple hardware, software and cloud form factors. This also enables customers to deploy Exabeam modules to augment a competitor’s SIEM deployment.
  • Mature and extensive behavioral analytics: Exabeam’s heritage of machine learning (ML)-driven user and entity behavior detections enables it to cover a broad range of use cases. It offers risk scoring and automated context enrichment for users and entities, along with a timeline for investigation and workflow.

Cautions

  • Regional availability of SaaS: Exabeam Fusion SIEM, and the Cloud Archive add-on module, which runs on the Google Cloud Platform, are not available uniformly across all regions. Customers in unsupported regions may, however, be able to run Exabeam software in the cloud using bring your own license (BYOL) options in local cloud infrastructure.
  • Sigma support: In contrast to several competing SIEM vendors, Exabeam offers limited support for Sigma community content. Although some Sigma-generated detections are included in out-of-the-box correlations, other detections and analytics are unique to Exabeam’s proprietary data models.
  • Product ecosystem: Exabeam has no add-on products for advanced endpoint or network detection, but relies on integrations with leading third-party products or open-source solutions. Several competing SIEM vendors offer their own technology, in addition to supporting third-party products.

FireEye

FireEye is a Niche Player in this Magic Quadrant. Its headquarters are in Milpitas, California, U.S. Most of its customers are in North America, with the next-largest concentrations being in Europe, the Middle East and Asia. FireEye provides a number of security detection offerings to complement its FireEye Helix extended detection and response (XDR) platform, including network, email, file analysis, packet capture, endpoint, threat intelligence and managed service offerings. FireEye Security Orchestrator provides security orchestration, automation and response (SOAR) capability, for no additional license cost. Helix is a cloud-based SaaS-only SIEM solution, for which pricing is based on events per second (EPS) for data ingestion.

Strengths

  • Ecosystem of threat-centric solutions: FireEye’s ecosystem offers threat-centric solutions for hosts, networks and the cloud that are integrated with, and complementary to, Helix. There is also an option to overlay 24/7 security operations center (SOC) services from Mandiant Managed Defense. This single ecosystem approach will appeal to buyers looking for a single-vendor sourcing option.
  • Provision of network sensors with Helix: This augments other data and event collection sources with network metadata telemetry for incident investigation and response.
  • 13-month default data retention period: This is a competitive length, as other cloud SIEM products might offer only 30 or 90 days of default storage.

Cautions

  • SaaS-only delivery: For buyers that require an on-premises option, or that have data sovereignty issues that cannot be addressed by Amazon Web Services (AWS) regions, FireEye Helix may not be a feasible option.
  • Helix analytics: FireEye lags behind other SIEM vendors in several areas, such as heuristic and behavioral analytics, incident risk scoring, and integration with third-party SOAR solutions. The Helix roadmap indicates plans to address these missing or lacking capabilities, but prospective buyers must monitor the delivery of roadmap items, to ensure FireEye will meet their requirements.
  • No user modification of analytics: Negating or modifying FireEye analytics can require complex rule creation to achieve the desired outcome.

Fortinet

Fortinet is a Visionary in this Magic Quadrant. Fortinet is headquartered in Sunnyvale, California, U.S. It has a global footprint and customers in all major world regions, but especially North America and Europe. Its SIEM solution is FortiSIEM. This product includes Advanced Agents (for Windows-based user and entity behavior analytics [UEBA] capabilities). FortiSIEM integrates with FortiSOAR, FortiAnalyzer and other elements of Fortinet’s security product suite. Pricing is based on devices, EPS and number of agents. FortiSIEM is available as a virtual or physical appliance. Perpetual and subscription licenses are available.

Strengths

  • Support for service providers and complex organizations: Fortinet FortiSIEM offers built-in multitenancy support for complex organizations and service providers, as well as a variety of features specific to them. It also offers a consumption-based model for managed security service providers (MSSPs) with unlimited EPS.
  • Native asset visibility capabilities: Fortinet FortiSIEM has powerful asset discovery capabilities and a built-in configuration management database (CMDB). The CMDB provides centralized visibility of assets discovered via active scanning and passive log inspection.
  • Integration of FortiSIEM with the wider Fortinet ecosystem: Fortinet offers a diverse ecosystem of security and network products integrated via the Fortinet Security Fabric. Prospective customers and existing Fortinet clients looking for a single vendor to provide them with threat-monitoring, detection and response solutions should consider Fortinet.

Cautions

  • Lack of a cloud-delivered option: FortiSIEM is not available as a SaaS solution. Fortinet relies on partners that offer hosting services for FortiSIEM as a means of delivering a SaaS-like experience to buyers. End users can deploy the solution in their own public or private cloud, or in a hybrid cloud model.
  • Limited coverage for monitoring cloud environments: FortiSIEM’s cloud security coverage is not as strong as that of other competitors. It lacks support for several public cloud infrastructure and platform services (CIPS), and the only cloud access security broker (CASB) supported is Fortinet’s own FortiCASB product.
  • User and entity behavior analytics options: UEBA is available in two flavors: a premium offering and a more limited version native to FortiSIEM. Both require agent deployment, and lack capabilities that are available from competitors, such as the ability to create dynamic peer groups. However, Fortinet’s roadmap indicates that these gaps will be addressed.

Gurucul

Gurucul is a Visionary in this Magic Quadrant. Gurucul is headquartered in Los Angeles, California, U.S. Its largest concentration of customers is in North America, with the next-largest concentrations being in Europe, Asia, the Middle East and Latin America. Its SIEM solution, Gurucul SIEM, is part of the Gurucul Risk Analytics platform. It is available as SaaS, and for on-premises or hybrid deployment. Components include Log Aggregator, Threat Hunting, Security Data Lake, a Network Traffic Analysis engine, SOAR, as well as Identity Analytics and User & Entity Behavior Analytics. Gurucul offers perpetual and subscription licenses, which can be monthly, annual or multiyear. Pricing is based on the number of users and entities monitored.

Strengths

  • User and identity monitoring capabilities: When the premium Identity Analytics module is licensed, this extends the applicability of Gurucul’s solution from SecOps to identity and access management (IAM) and privileged access management (PAM) teams.
  • Variety of deployment options: Gurucul offers cloud-based, on-premises and “do it yourself” CIPS options, hybrid (cloud and on-premises) deployment, and integration with a customer’s existing Hadoop-powered data lake. Supported formats include software, containerized, physical appliance, virtual appliance and cloud-based single/shared-tenant. Gurucul supports parent-child deployment options.
  • Gurucul STUDIO: This component provides a comprehensive analytics builder and rule customization interface for beginners and advanced security analysts alike. Any of the provided data-science-based analytics tools can be customized. Alternatively, users can build their own analytics.

Cautions

  • Potentially confusing modularity: Prospective buyers may struggle to determine what capabilities, features and functionality Gurucul includes in its different packaging options: Unified Security Analytics, SIEM and XDR. For example, although Gurucul’s solution grew out of the UEBA market, the base SIEM license does not include the full range of UEBA capabilities available in the market; an add-on module is required to obtain them.
  • Limited support for cloud service providers: Prospective buyers that require cloud deployments in non-Western regions must check whether Gurucul can, or will, support them in monitoring non-Western infrastructure as a service (IaaS) platforms.
  • Limited visibility for SIEM: Although Gurucul has taken steps to reorient its sales operations and increase its visibility to SIEM buyers, its mind share for SIEM among Gartner clients remains low.

Huawei

Huawei is a Niche Player in this Magic Quadrant. Huawei has headquarters in Shenzhen, China. Its SIEM customers are largely concentrated in China; others are in the Middle East, Africa and Latin America. Its SIEM solution is called HiSec Insight, and there are numerous additional modules and companion technologies for feature- or architecture-specific requirements. Its customer base is split almost evenly between large and midsize enterprises, but there are also some smaller clients. Pricing for on-premises deployments is based on data velocity (EPS) and volume (gigabytes per day), plus log retention and add-on modules. SaaS deployments are based on the number of Elastic Container Services (ECSs) purchased.

Strengths

  • Behavioral analytics: Analytics has been an area of investment by Huawei. Its user behavior analytics provide dynamic peer-group-based detections. Its ML-based risk ranking for entities reflects factors such as asset value, associated rule-based detections and vulnerability data.
  • Extensive product ecosystem: Huawei offers a number of integrated capabilities, including network detection and response, sandboxing, deception, user behavior analysis, orchestration and response, and threat intelligence.
  • Flexibility in relation to form factors: Huawei’s product is available in multiple form factors that can be mixed as needed. These include software, physical and virtual appliances. There are also options for hosting on Huawei’s public or private cloud infrastructure.

Cautions

  • Limited support for cloud infrastructure monitoring: Monitoring of cloud infrastructures is limited to Huawei’s own cloud. None of the other cloud services are supported out of the box.
  • Lack of support for SaaS monitoring: Out-of-the-box monitoring of popular SaaS applications is not provided. Huawei’s platform lacks integrations with Microsoft Office 365, Google Workspace, and applications from Workday, Salesforce and Box.
  • Limited availability: Huawei’s focus on China, emerging markets in Asia/Pacific, and the Middle East and Africa means its product has little exposure to SIEM buyers elsewhere. Nor does Huawei plan immediate expansion to North America and Europe.

IBM

IBM is a Leader in this Magic Quadrant. It is based in Armonk, New York, U.S. IBM’s operations focus on North America, Europe, Asia/Pacific, Latin America and the Middle East. IBM Security provides numerous security solutions, in addition to its QRadar SIEM solution, such as Guardium, Trusteer, X-Force Threat Intelligence, Cloud Pak for Security, Verify Access, Privileged Identity Manager, QRadar Network Insights (QNI; for network detection and response [NDR]), WinCollect and QRadar Vulnerability Manager (QVRM; for vulnerability assessment). Licensing is available for server-based, unlimited capacity for on-premises deployments only (perpetual or subscription license). Capacity-based (EPS) licensing is available for on-premises and SaaS deployments (QRadar on Cloud [QROC]).

Strengths

  • Ability to event filter at the collection layer: IBM QRadar can remove undesired data before it is forwarded for correlation and storage. This gives users the ability to fine tune their security-relevant data sources to reduce EPS costs, and use lower-cost native log management for data that is less relevant to security use cases.
  • Simplified deployment and management of analytics: IBM’s QRadar Use Case Manager (UCM) enables a user to search and filter for any analytic condition, and turn on or off, edit, copy and visualize analytic dependencies. UCM also extends to MITRE ATT&CK coverage and presents required data source types for tactics, techniques and procedures (TTP) detection.
  • Support for Purdue Model Levels 2 (and above) in operational technology and industrial control system environments: IBM QRadar offers this using the Disconnected Log Collector (DLC) as a data diode that prevents bidirectional access. Flow collectors can monitor network traffic in passive mode.

Cautions

  • Transition of product lines: IBM is in the process of integrating QRadar functionality into its Cloud Pak for Security platform in order to modernize its capabilities and end-user experiences. Big shifts in products are often incremental and may take longer than anticipated to complete.
  • Lack of native collaboration and chat features: For these, IBM QRadar users have to use third-party solutions or a SOAR add-on. Prospective buyers should check whether their chosen collaboration tools will integrate with QRadar.
  • Potential for complex contracts: Scoping parameters, deployment models and add-on solutions may result in complex contracts. Pricing can be based on EPS, flows, number of users, number of servers, and number of automated actions, with perpetual and subscription licenses possible in a single proposal. IBM Security customers on Gartner’s Peer Insights platform tend to give IBM lower scores for pricing and contract flexibility than those received by many competitors.

LogPoint

LogPoint is a Niche Player in this Magic Quadrant. LogPoint is headquartered in Copenhagen, Denmark. It has customers worldwide, but with a concentration in Europe. Its SIEM solution offers UEBA and the LogPoint Director (including Director Console and Director Fabric). Complementary solutions include LogPoint for SAP and Applied Analytics. Licensing is by subscription, with pricing based on the number of assets monitored. UEBA is licensed separately, and priced by number of employees and assets. SIEM form factors include physical appliance and software appliance. UEBA is available only as SaaS. LogPoint acquired agileSI in August 2020 to bolster its SAP security capabilities.

Strengths

  • Marketing and products aligned with specific use cases: LogPoint markets product-specific capabilities, such as SAP security monitoring and Evaluation Assurance Level (EAL) 3+ certification, to relevant organizations (such as those using SAP ERP) and sectors like government and manufacturing.
  • Support for service providers and complex organizations: LogPoint has native multitenant capabilities. Additionally, the LogPoint Director solution add-on supports central management of multi-instance deployments, which will appeal to service providers and organizations looking for a SIEM solution that can support a parent-child deployment model (for example, those with a headquarters that supports various lines of business).
  • Native data privacy and protection features: Capabilities such as data masking and obfuscation help address privacy and data protection requirements related to the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Cautions

  • Footprint outside Europe: Europe is both LogPoint’s home market and its largest market. LogPoint lags behind many competitors in terms of direct sales in other regions. LogPoint indicates, however, that it is addressing this issue by investing in, and maturing, its sales operations, as well as by expanding into other regions to complement the activities of its channel partners.
  • Limited form factors: LogPoint’s SIEM solution is available only as an appliance (physical or virtual) — there is no SaaS offering. UEBA is delivered as SaaS, but not available on-premises. Buyers looking for a hosted option need to install LogPoint’s solution in their own public or private cloud environment, or use partners that can offer a hosted option. Prospective UEBA buyers should confirm how any data protection and residency requirements can be met.
  • Basic capabilities for incident management and response: Incident response capabilities, such as case management and support for response actions, are basic. LogPoint lacks a native SOAR option, unlike many competitors, to appeal to buyers that want an integrated SIEM and SOAR solution from the same vendor. LogPoint relies on API integrations with several popular IT service management (ITSM) and SOAR solutions.

LogRhythm

LogRhythm is a Leader in this Magic Quadrant. Its headquarters are in Boulder, Colorado, U.S. Its SIEM platform includes several add-on components to deliver endpoint, network and user behavior analytics capabilities. A large majority of its SIEM customers are in North America and Europe, with the rest in Asia/Pacific, the Middle East and Africa, and Latin America. Its customer base is skewed toward midsize enterprises and smaller organizations, though large enterprises have also purchased its platform. There is a cloud-hosted deployment option, but most customers deploy its platform on-premises. Licensing is available on a perpetual basis (priced by average number of messages per second per day) or a subscription basis (priced by number of employees).

Strengths

  • Extensive resellers: LogRhythm has a strong team of reseller partners in every major world region. This strength is mirrored by broad support from managed service providers to help modestly resourced buyers manage and monitor its SIEM platform.
  • Pilot and proof of concept (POC) options: Buyers can take advantage of several types of pilot and POC program, ranging from prepilot workshops to hosted, scenario-based test-drive exercises and “try and buy” options.
  • Investigation and case management workflow: LogRhythm provides mature and refined investigation and case management capabilities that assemble context and enable users to create an evidence base for case disposition.

Cautions

  • Limited cloud-based options: LogRhythm’s recent acquisitions and product roadmap demonstrate progress in preparing to offer cloud-native SIEM capabilities, but the vendor lags behind many competitors in this regard. Some competitors introduced cloud-based SIEM offerings two years ago, and have since adopted a cloud-first approach for new customers. Recent entrants into the SIEM market are cloud-native providers.
  • Branding: LogRhythm takes a confusing approach to the naming of its product’s components and capabilities. A more straightforward naming scheme would provide greater clarity to prospective buyers.
  • Move to the cloud: LogRhythm faces the challenge of developing a new cloud-based platform and introducing its capabilities to buyers, while at the same time maintaining its legacy platform and executing its plans to migrate customers to the new platform.

ManageEngine

ManageEngine is a Niche Player in this Magic Quadrant. Based in Pleasanton, California, U.S., ManageEngine provides a number of security products, among which Log360 is its SIEM solution. Related solutions (or available modules) include Advanced Behavioral Analytics, Advanced Threat Analytics, Cloud Security Plus and DataSecurity Plus. Log360 is available as SaaS or on-premises, but does not support both in a hybrid model. Licensing is available on an annual subscription or a perpetual basis. Pricing for SaaS deployment is based on the amount of data stored in the cloud over a specific period, whereas on-premises pricing is based on the number of event sources or assets.

Strengths

  • Out-of-the-box incident response playbooks and workflows: ManageEngine’s Log360 solution provides many of these, with features that allow for custom content creation. For organizations with an existing incident or case management system, Log360 integrates with popular ticketing and incident management platforms.
  • Reporting engine: ManageEngine’s reporting engine is comprehensive, with support for numerous compliance-framework-focused outputs and alerting based on compliance violations.
  • Product support: Reviewers on Gartner’s Peer Insights platform have praised ManageEngine’s support for the Log360 product.

Cautions

  • Use-case support: There is a noticeable lack of support in ManageEngine’s Log360 solution for, among other things, cloud services, applications and operational technology, industrial control systems, and Internet of Things (IoT) asset monitoring.
  • Support for third-party solutions: Third-party collaboration products, external SOAR, UEBA, endpoint security and NDR technologies are notably absent from the list of technologies supported by ManageEngine Log360.
  • Limited deployment options: ManageEngine Log360 supports either on-premises or cloud deployment in its Zoho cloud environment, not a hybrid mix.

McAfee

McAfee is a Niche Player in this Magic Quadrant. McAfee is headquartered in San Jose, California, U.S. Its customer base spans the world, but most of its clients are in North America. McAfee’s Enterprise Security Manager (ESM) includes several components for logging and analytics. McAfee also has a large ecosystem of other security solutions that integrate with ESM, including Application Data Monitor, MVISION Cloud and MVISION EDR. There are perpetual licenses for physical or virtual appliances, and pricing is based on the appliance size (measured in cores) that can support a defined amount of data (measured in EPS). McAfee ESM Cloud, introduced in July 2020, is available on an annual subscription, priced by expected EPS.

Strengths

  • Hosted cloud offering: McAfee ESM Cloud was released in 2020 to offer buyers another deployment option. It is a hosted version of ESM that uses Oracle Cloud, which has good coverage of most regions, including the Middle East.
  • Support for compliance use cases and requirements: Buyers that need coverage for a range of compliance regulations and standards around the world will be well supported by McAfee ESM.
  • Ability to consolidate SIEM and other solutions: Buyers who want a SIEM product and to standardize on a single vendor’s product ecosystem should consider McAfee. It offers a range of complementary solutions, such as an endpoint detection and response (EDR) solution, a CASB, an intrusion prevention system and a secure web gateway.

Cautions

  • Limited advanced features and add-ons: McAfee lags behind competing SIEM vendors that offer cloud-native SIEM options, ML-powered UEBA and SOAR add-on solutions.
  • Requirement for add-ons for a range of cloud environments: Native monitoring of popular SaaS solutions and CIPS by McAfee ESM is limited to Microsoft Office 365, AWS and Microsoft Azure. Other SaaS apps and CIPS require use of MVISION Cloud or an integration with a third-party CASB.
  • Potential impact from sale of enterprise business: In March 2021, McAfee announced the sale of its enterprise business to Symphony Technology Group. This sale may introduce uncertainty for existing customers and potential buyers. Those considering McAfee for SIEM should check its roadmap and future support for McAfee ESM.

Micro Focus

Micro Focus is a Niche Player in this Magic Quadrant. It is headquartered in Newbury, U.K., and has offices and customers across the world. Its ArcSight SIEM platform consists of several components for event collection/logging, alerting, investigation, analytics and response. ArcSight customers are mostly large enterprises, with the remainder split evenly between small and midsize organizations. Customers are relatively evenly distributed across North America, Europe and Asia/Pacific, with smaller numbers in the Middle East and Africa and Latin America. Licensing is primarily perpetual. Pricing is based on EPS. ArcSight Intelligence (UEBA) is available on a subscription basis, priced by number of users. Additional subscription options are planned.

Strengths

  • Modernization: Micro Focus has reworked and modernized several components of its ArcSight architecture to support greater scalability and performance for data ingestion and management, improved reporting and a better UI. There is a roadmap for additional modernization.
  • UEBA and SOAR: Micro Focus has improved ArcSight’s integration with the Interset UEBA technology it acquired in 2019. In 2020, it acquired SOAR capability, which is already integrated into the platform.
  • MITRE ATT&CK mapping: Micro Focus’ platform offers extensive mapping of detection content to the MITRE ATT&CK framework.

Cautions

  • Lack of consistency in deployment options: Work on Micro Focus’ ArcSight architecture is in progress, and this may complicate selection, deployment and management of its solution. Although components are available as software images, support for deployment in other formats differs. Some components are available as physical appliances. Some are available in a containerized framework. Some are available with support for cloud-native services in select clouds.
  • Limited cloud and SaaS coverage: Micro Focus’ out-of-the-box monitoring capabilities for SaaS and cloud infrastructure are more limited than those of many competitors. Although Microsoft Office 365 applications are supported, several other popular SaaS business applications, including those of Salesforce and Workday, require connector customization. AWS CloudTrail and other services are supported, as are several Microsoft Azure services, but other cloud platforms require connector customization.
  • POC and pilot support: Micro Focus has no formalized and generally available POC or pilot program. POC requests are addressed on a case-by-case basis, with the exception that CrowdStrike customers can request a POC for the SaaS UEBA capability via the CrowdStrike market. By contrast, several SIEM competitors have extensive and easy-to-access POC and pilot programs.

Microsoft

Microsoft is a Visionary in this Magic Quadrant. Based in Redmond, Washington, U.S., Microsoft has a global base of customers. Its SIEM product, Azure Sentinel, became generally available in September 2019. It is delivered only as SaaS via Microsoft’s Azure cloud services. Azure Sentinel is available in all Azure regions except China. Licensing is via subscription. Pricing is primarily based on the volume of data ingested, via reserved capacity or pay as you go. Use of services for extra data storage, automation and “build your own machine learning” incurs additional cost. Microsoft has a large ecosystem of security solutions, such as endpoint protection platforms, EDR solutions and CASBs, that integrate with Azure Sentinel.

Strengths

  • Cloud-native SIEM product: Since Azure Sentinel is cloud-native and built on Azure, it scales up and down elastically as needed. Buyers do not have to manage capacity and, with the pay-as-you-go option, do not need to adjust licenses as volumes change; the license model can be switched monthly. The pricing aligns with a true SaaS approach: customers either pay as they go or buy a set amount of reserved capacity.
  • Breadth and scope of product portfolio: Microsoft offers a rich ecosystem of security and other IT solutions (Microsoft 365 Defender, Azure Defender, Office 365 and Azure) that are natively integrated with Azure Sentinel. This will appeal to customers who have invested in these Microsoft solutions.
  • Integration capabilities: Azure Sentinel exposes a robust API, so organizations can integrate with it in the way that fits their needs rather than working only through the Azure Sentinel workspace interface. This will appeal to organizations such as MSSPs that interact with the product through their own tooling.

Cautions

  • Lack of SIEM functionality in some areas: Azure Sentinel customers will find that functions that are native to many vendors’ SIEM offerings, such as connectivity to ITSM solutions, require the use of Azure Logic Apps, another piece of the Azure ecosystem. Additionally, out-of-the-box compliance reporting for common requirements and standards is limited. Azure Security Center provides coverage for CIPS-related compliance with ISO 27001, PCI Data Security Standard (DSS) and Azure CIS. Watchlists are a preview feature at the time of writing.
  • Need for familiarity with Azure ecosystem: Users need some familiarity with the Azure ecosystem, as Azure Sentinel is an app that runs within Azure and relies on other Azure services to complement it (such as Log Analytics and Logic Apps). It is also important to understand how the different components of Azure Sentinel are priced and to manage their consumption, especially in a pay-as-you-go model.
  • Suitability of SaaS model for some buyers: Some customers may be unable to take advantage of Azure Sentinel — for example, those seeking an on-premises solution because they have data residency requirements, or those that want a traditional licensing model (for example, a perpetual license bought as a capital expense, with maintenance included). It might actually be possible to fulfill data residency requirements with Azure Sentinel, but prospective customers need to examine the currently available Azure regions and investigate those that are planned.

NetWitness

NetWitness, an RSA business, is a Niche Player in this Magic Quadrant. NetWitness is headquartered in Bedford, Massachusetts, U.S. It has a global customer base of mostly large enterprises. The NetWitness Platform (NWP) includes NetWitness Logs, Network, Endpoint, IoT, UEBA and SOAR. Perpetual and term licenses are offered. Pricing of components is based on data volume (Logs and Network), number of endpoints (Endpoint), active accounts (UEBA), and users and playbooks (SOAR). During the past 12 months, NetWitness was sold and spun out of Dell Technologies as a stand-alone business within RSA.

Strengths

  • Support for security operations centers (SOCs) wanting a single-vendor ecosystem: NetWitness’ NWP is a comprehensive platform that will appeal to SOCs that want a single vendor for modern SOC instrumentation, including integrated SIEM, UEBA, SOAR, EDR, network threat analytics (NTA, including packet capture), and IoT monitoring technologies.
  • Hybrid deployment options: For organizations looking for an on-premises or hybrid model with their private clouds or public CIPS, the NWP is highly flexible in terms of where and how components can be deployed. Licensing of NetWitness Logs is based on data consumption, not product components (such as decoders, log collectors, concentrators and brokers), so as many components as are required can be utilized without increasing the license cost.
  • Support options: NetWitness offers a variety of training options through the RSA University — remote, self-paced and in-person. An on-demand subscription is also available for access to training when needed.

Cautions

  • Limited SaaS option: NetWitness’ options for cloud SIEM are limited to Orchestrator (SOAR), IoT monitoring and the Detect AI product. Buyers have to handle their own deployments of other NetWitness components in their own private clouds or CIPS. Alternatively, they can choose a partner from the NetWitness ecosystem to provide a cloud option. NetWitness indicates that a hosted option is a near-term roadmap item.
  • Complexity: NetWitness Logs and Network can be complex, depending on the architectural requirements, and may therefore prove challenging for organizations that are less mature and lacking resources. Buyers considering NWP should consider drawing on NetWitness’ partner ecosystem for deployment and ongoing operational management support.
  • Cloud service monitoring: NWP’s support for CASB solutions is limited to Netskope and Proofpoint. Some popular SaaS apps, like those of Workday and Box, do not have native API integration support. CIPS like AWS, Azure and Google Cloud are supported, however. Other cloud services — from IBM and Oracle, among others — are supported, but not via API integrations. Nonintegrated SaaS and CIPS require the Universal Rest API Plugin, NetWitness’ Log Collector or Log Decoder, a Python-based plug-in or a Logstash instance.

Odyssey

Odyssey is a Niche Player in this Magic Quadrant. Odyssey is based in Cyprus, and its operations are heavily focused on Europe and the Middle East. Odyssey provides a number of security solutions, including EDR and security services. Its SIEM product is ClearSkies SaaS NG SIEM. Related solutions (or available modules) include the Identity and Access Service module, ClearSkies NG Endpoint Detection & Response (EDR), and ClearSkies NG Active Defense. ClearSkies is available as SaaS only, and the licensing model is subscription-based. Pricing is based on data volume (gigabytes) per day.

Strengths

  • Simplicity of product licensing: Odyssey’s SIEM product is licensed by volume (gigabytes per day) as a subscription, which is simple. Options for three-, six- and 12-month licenses are available. Each period offers a fixed amount of data, an analysis window (in weeks), support for a certain number of users and storage. Additional options are available in the same subscription windows and are priced accordingly (for example, per EDR agent, portal user, deception decoy or beacon trap).
  • Potential for integration with EDR solution: Odyssey has its own EDR solution, which can be integrated with its ClearSkies SIEM solution.
  • Optional deception add-on: Odyssey offers Active Defense as an optional deception add-on, which is unusual in the SIEM sector.

Cautions

  • Concentration on southern Europe and the Middle East and Africa: Odyssey has only a very small number of clients in the Americas and Asia/Pacific.
  • Lack of some modern SIEM capabilities: Odyssey is lacking in capabilities such as incident response, integration with service desk tools (although ServiceNow is supported), and support for common SaaS solutions and CIPS.
  • Extremely limited support for cloud services and application monitoring: Odyssey supports only the Microsoft Graph API and Office 365 Management Activity API for monitoring Office 365, and deployment is limited to its own private cloud and Sahara Net.

Rapid7

Rapid7 is a Leader in this Magic Quadrant. Rapid7 is headquartered in Boston, Massachusetts, U.S. Its SIEM solution, InsightIDR, runs on the cloud-based Insight platform. Other products available include InsightVM (vulnerability management), InsightAppSec, InsightConnect (SOAR), DivvyCloud (cloud security posture management) and Enhanced Network Traffic Analysis. Customers of the InsightIDR platform are concentrated most heavily in the U.S., followed by Europe and Latin America. InsightIDR is offered on a term license, with a straightforward pricing model based on the number of assets monitored.

Strengths

  • One platform with multiple security products: Rapid7’s core SIEM platform offers logging and threat detection, including UEBA, via endpoint agents, and deception technology, along with incident management and reporting. Optional add-ons from Rapid7 offer vulnerability management, network monitoring, orchestration and response, and cloud security posture management.
  • Curated experience for modestly resourced customers: Rapid7 manages detection content and threat intelligence feeds on the Insight platform, thus minimizing the need for customers to do so.
  • Managed detection and response service: This is available from Rapid7, at additional cost. It represents a single source for customers that want access to the SIEM product and need service support for monitoring and investigation.

Cautions

  • Compliance: Rapid7’s out-of-the-box support for regulatory compliance reporting formats is limited to PCI DSS and the U.S. Health Insurance Portability and Accountability Act (HIPAA). Customers with other requirements need to create dashboards and reports.
  • Geographic availability: InsightIDR is hosted on AWS. Buyers who need their data to reside in specific geographies should confirm that Rapid7 enables this. At the time of writing, InsightIDR is not available in South America or the Middle East.
  • Customization: Buyers with requirements for extensive development of detections and analytics specific to their environments and use cases should carefully assess whether Rapid7’s out-of-the-box content and rule customization facilities meet their needs.

Securonix

Securonix is a Leader in this Magic Quadrant. Securonix is headquartered in Addison, Texas, U.S., and has offices elsewhere in the U.S., the U.K., Singapore and India. Its SIEM solution includes Next-Gen SIEM, Security Data Lake, UEBA, SOAR, NDR, threat intelligence, adversary behavior analytics and several use-case specific apps (such as for healthcare and SAP). Most Securonix customers are in North America, followed by Europe, Asia/Pacific, the Middle East and Africa, and Latin America. Customers are mostly large enterprises, but there are also some midsize customers. Smaller customers are served by managed service partners. Most buyers opt for term licenses, but perpetual licenses are available.

Strengths

  • Data privacy controls: Securonix provides extensive controls to support data privacy, including granular role-based access control, extensive data masking flexibility and a workflow for unmasking.
  • Managed service partner support: Securonix has secured partnerships with numerous large managed service partners over the past 18 months. These enable midsize and smaller organizations to use its product with the support of expert services.
  • Threat intelligence support: Securonix provides extensive threat intelligence platform (TIP) capabilities natively. It also provides out-of-the-box integrations with a broad range of third-party TIP products.

Cautions

  • Platform management on-premises: Customers running Securonix’s SIEM solution on-premises have reported that deploying and managing it is complex and challenging. They recommend seeking training and assistance from professional services.
  • Product support: Users have reported lower levels of satisfaction in several product support areas than is the case for many of Securonix’s competitors for on-premises deployments. Securonix has hired senior leaders in engineering, customer success and operations to drive service improvement.
  • On-premises scalability: Prospective buyers should check Securonix’s ability to meet workload requirements for large-scale on-premises deployments.

Splunk

Splunk is a Leader in this Magic Quadrant. Headquartered in San Francisco, California, U.S., Splunk has a global but U.S.-centric customer base. Splunk’s SIEM offering comprises the core product (Splunk Enterprise, or Splunk Cloud), Enterprise Security and Mission Control. Premium, but not natively integrated, offerings exist for UEBA and SOAR. Splunk’s offering can be deployed as software or via Splunk Cloud. Splunk Enterprise and Enterprise Security are licensed on subscription, with pricing models that include volume ingested per day, infrastructure/workload, tiered pricing and enterprise license agreements. In October 2020, Splunk released Mission Control as a SaaS-based solution for central visibility of Splunk Enterprise Security, User Behavior Analytics (UBA) and Phantom.

Strengths

  • Support for buyers wanting core SOC tools to support existing technology investments: Splunk’s approach will appeal to buyers who want a core platform that provides SIEM, UEBA and SOAR solutions, along with integration with a variety of third-party technologies. Splunk is flexible for buyers who require out-of-the-box integrations and support, which Splunk provides via its Splunkbase apps, APIs, Mission Control Plug-in Frameworks, and Phantom integrations.
  • New pricing models to address different usage patterns: Splunk has expanded its license models over the past several years to offer buyers options beyond data-ingestion-based pricing. New options include workload-based pricing (using virtual CPUs on-premises and virtual compute units for Splunk Cloud), in addition to tiered pricing models available to non-public-sector buyers (Predictable Pricing). Buyers can therefore choose the pricing model that best matches how they actually use Splunk.
  • Visibility with buyers: Splunk maintains a high level of visibility to SIEM buyers in North America and Europe. It is less visible to buyers in Asia/Pacific, Latin America and the Middle East.

Cautions

  • Price and contract flexibility: Feedback from Gartner clients indicates concerns about the cost of Splunk. Reviewers on Gartner’s Peer Insights platform have tended to give Splunk lower scores for pricing and contract flexibility than those received by many competitors.
  • Lack of fully cloud-native security operations suite: Splunk Enterprise Security is offered in Splunk Cloud, but buyers wanting an entirely cloud-delivered option that includes Splunk UBA and Phantom must deploy those solutions in their own CIPS, or ask Splunk whether hosted options are available in their geographies. Mission Control can help minimize the impact by providing a single UI for all three solutions, regardless of where they are deployed.
  • Geographic support for Splunk Cloud: Buyers in North America, Europe and Asia/Pacific are supported by appropriate points of presence for Splunk Cloud. But buyers in the Middle East, Africa and Latin America will need to check whether they can be supported, if they have concerns about, or requirements for, data residency.

Sumo Logic

Sumo Logic is a Visionary in this Magic Quadrant. Headquartered in Redwood City, California, U.S., Sumo Logic also has offices in Europe (including the U.K.) and Asia/Pacific. Most of Sumo Logic’s SIEM customers are in North America, with the next-largest concentrations being in Asia/Pacific and Europe. Its SIEM product is called Cloud SIEM Enterprise, which is available only as an AWS-based SaaS offering. Licensing is subscription-based (with pricing based on data ingestion) or credit-based (with credits being used to enable specific resource usage, such as for occasional search or continuous analytics), with tiering options.

Strengths

  • Pricing model flexibility: Sumo Logic offers a pricing model with three elements: credit-based pricing, data tiering and solution packaging. This gives customers the flexibility to select the pricing scheme that best matches their planned data ingestion and investigation workloads, independent of the event rate and numbers of data sources or users.
  • Cross-customer visibility and insights: Sumo Logic’s multitenant architecture enables anonymized analytics across the customer base to improve the tuning of detections and workflows. Some of these capabilities may not be immediately visible to buyers, but can result in improved performance of the solution over time. Other user-facing solutions provide threat analytics and recommendations based on cross-customer analysis of specific data sources and threat feeds.
  • Robust event filtering, masking and routing: Sumo Logic’s event collector supports extensive filtering to manage ingestion, masking and hashing in order to help meet data privacy needs. It also supports flexible routing and bandwidth management for low-bandwidth environments.

Cautions

  • Analytics coverage: Sumo Logic’s out-of-the-box security detection capabilities are not as extensive as those available in other vendors’ SIEM products. Advanced analytics for user behavior are not as mature as those of several SIEM competitors.
  • Resource estimation: Sumo Logic’s credit-based model may challenge buyers who lack experience with estimating the ingestion volume and investigation resources needed to meet their requirements. Buyers should establish processes to monitor credit usage and budgets to avoid license capacity issues.
  • Uneven support for integrations: Although users can install and run most apps from Sumo Logic’s application library, an app for PCI compliance and another for security analytics require enterprise licensing and a paid professional services contract to install and configure.

Venustech

Venustech is a Niche Player in this Magic Quadrant. Venustech is based in Beijing, China. Most of its customers are in Asia/Pacific, with smaller numbers in the Middle East and Africa. Its SIEM product is Venusense Unified Security Management. Related solutions (or available modules) include Cybersecurity Situation Awareness, Security Analytics, NTA, Configuration Verification, Business Supporting Security Management, and Asset Exploration and Management. The SIEM product is available as SaaS and on-premises. Licensing is perpetual or subscription-based, with special licensing for MSSPs and for organizations in the education sector. Pricing is based on the number of log sources, but pricing by number of employees is an option for SaaS models.

Strengths

  • Differentiated access to regions and countries: Venustech offers this by working with Chinese state-owned enterprises, which many Western SIEM vendors have little or no access to.
  • Advanced batch and stream processing technologies: Venustech uses these to enable advanced security analytics, such as UEBA features (offered as an add-on), and to provide functionality so that users can create their own analytics.
  • Comprehensive custom rule creation features (including condition trees and graphical views): Rules can be nested for complex correlation, and include thresholds, counts and actions to take. Intelligence enrichment can be configured in a similar way to a TIP solution.
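The kind of count/threshold rule with a nested condition tree and an action that the bullet above describes, run over a constructed log, as an added example. This is illustration code written for this page, not Venustech’s or any other vendor’s rule engine or rule syntax; the log line format, field names, thresholds, window sizes and action names are all assumptions of the example.

```python
"""Count/threshold correlation with a nested condition tree and an action.
Added illustration, not any vendor's rule engine; the log format, rule
names and action names are constructed for the example."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    user: str
    action: str
    result: str


def parse(line: str) -> Event:
    """Constructed format: '<iso-ts> src=<ip> user=<name> action=<a> result=<r>'."""
    ts_str, rest = line.split(" ", 1)
    kv = dict(tok.split("=", 1) for tok in rest.split())
    ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return Event(ts, kv["src"], kv["user"], kv["action"], kv["result"])


# A condition tree: leaves test one field, inner nodes combine their children.
Condition = Callable[[Event], bool]


def field_is(name: str, value: str) -> Condition:
    return lambda e: getattr(e, name) == value


def all_of(*conds: Condition) -> Condition:
    return lambda e: all(c(e) for c in conds)


def any_of(*conds: Condition) -> Condition:
    return lambda e: any(c(e) for c in conds)


class ThresholdRule:
    """Fire when `match` is seen `count` times within `window` for one value of
    `group_by`. If `then` is set, fire only when a `then` event follows inside
    the window (the nested, sequence-style form)."""

    def __init__(self, name: str, match: Condition, group_by: str, count: int,
                 window: timedelta, action: str, then: Optional[Condition] = None):
        self.name, self.match, self.group_by = name, match, group_by
        self.count, self.window, self.action, self.then = count, window, action, then
        self._seen: Dict[str, Deque[datetime]] = defaultdict(deque)
        self._armed: Dict[str, datetime] = {}

    def feed(self, e: Event) -> Optional[dict]:
        key = getattr(e, self.group_by)
        if self.match(e):
            q = self._seen[key]
            q.append(e.ts)
            while q and e.ts - q[0] > self.window:  # slide the window forward
                q.popleft()
            if len(q) < self.count:
                return None
            if self.then is None:
                q.clear()  # one burst produces one alert, not one per extra event
                return self._alert(key, e)
            self._armed[key] = e.ts  # threshold met; now wait for the `then` event
            return None
        armed = self._armed.get(key)
        if self.then is not None and armed is not None and self.then(e) \
                and e.ts - armed <= self.window:
            del self._armed[key]
            self._seen[key].clear()
            return self._alert(key, e)
        return None

    def _alert(self, key: str, e: Event) -> dict:
        return {"rule": self.name, self.group_by: key,
                "at": e.ts.isoformat(), "action": self.action}


def brute_force_rule() -> ThresholdRule:
    """5 failed logins from one source in 60 s, followed by a success: isolate it."""
    failed = all_of(field_is("action", "login"), field_is("result", "failure"))
    success = all_of(field_is("action", "login"), field_is("result", "success"))
    return ThresholdRule("brute-force-then-success", failed, "src", 5,
                         timedelta(seconds=60), action="isolate_source", then=success)


def failure_burst_rule() -> ThresholdRule:
    """3 failures or denials from one source in 60 s: notify the SOC."""
    failed = any_of(field_is("result", "failure"), field_is("result", "denied"))
    return ThresholdRule("login-failure-burst", failed, "src", 3,
                         timedelta(seconds=60), action="notify_soc")


def run_rules(log: str, rules: List[ThresholdRule]) -> List[dict]:
    alerts: List[dict] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        for r in rules:
            a = r.feed(e)
            if a:
                alerts.append(a)
    return alerts


# Constructed sample log: one source brute-forces 'admin' and gets in; another
# source has a single failure and a later success.
SAMPLE_LOG = """\
2021-06-01T10:00:00Z src=203.0.113.5 user=admin action=login result=failure
2021-06-01T10:00:05Z src=203.0.113.5 user=admin action=login result=failure
2021-06-01T10:00:09Z src=198.51.100.7 user=carol action=login result=failure
2021-06-01T10:00:12Z src=203.0.113.5 user=admin action=login result=failure
2021-06-01T10:00:20Z src=203.0.113.5 user=admin action=login result=failure
2021-06-01T10:00:31Z src=203.0.113.5 user=admin action=login result=failure
2021-06-01T10:00:40Z src=203.0.113.5 user=admin action=login result=success
2021-06-01T10:05:00Z src=198.51.100.7 user=carol action=login result=success
"""

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG, [brute_force_rule(), failure_burst_rule()]):
        print(alert)
```

On the sample log the burst rule fires once for 203.0.113.5 at the third failure, and the nested rule fires once when the success follows the fifth failure; 198.51.100.7 never reaches either threshold, so its success is silent. A production rule set would add state eviction for idle keys and persist `_armed` across restarts.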

Cautions

  • Support for customers outside China with compliance requirements: Venustech’s SIEM product provides a compliance package for Chinese customers, but at extra licensing cost. Prospective buyers elsewhere should check whether Venustech can support their regulatory compliance requirements.
  • Support for SaaS apps outside China: Venustech does not support SaaS apps beyond China, and its CIPS support is limited to Alibaba, Tencent, Huawei and Inspur.
  • Support for third-party solution investments: Venustech’s product may not support, for example, machine-readable threat intelligence solutions. SOAR integration is limited to its own solutions.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

  • Elastic
  • Gurucul
  • Huawei
  • Microsoft
  • Odyssey
  • Sumo Logic
  • Venustech

Note also that NetWitness, a stand-alone business within RSA, replaces Dell Technologies (RSA).

Dropped

  • AT&T Cybersecurity, which now positions its SIEM offering as a service delivery platform.
  • HanSight, which did not meet the commercial requirements for inclusion in this Magic Quadrant.
  • SolarWinds, which did not meet the analytics-related requirements for inclusion in this Magic Quadrant.

Inclusion and Exclusion Criteria

The inclusion criteria represent the specific attributes that Gartner analysts considered necessary for a vendor to be included in this Magic Quadrant.

To qualify for inclusion, a vendor needed to fulfill the following criteria:

  • The vendor’s product had to provide security information management (SIM) and security event management (SEM) capabilities to end-user customers via software and/or appliance and/or SaaS.
  • The vendor’s SIEM product had to provide a range of detection analytics, from basic correlation through advanced analytics (such as machine learning for UEBA), via native capabilities or via tight integration with an add-on product sold by the SIEM vendor.
  • SIEM features, functionality and add-on solutions had to be generally available as of 1 November 2020.
  • The vendor’s product had to support data capture and analysis from heterogeneous, third-party sources (that is, sources other than the SIEM vendor’s own products and SaaS), including market-leading network technologies, endpoints, servers, and cloud (IaaS or SaaS) and business applications.
  • The vendor had to have SIEM revenue (product/SaaS license and maintenance revenue, excluding revenue from training, professional and managed services) exceeding $50 million for the 12 months prior to 30 September 2020, or have 250 end-user production customers, or have added 50 new logo end-user production customers as of the end of the same period. Production customers were defined as those who had licensed the SIEM offering and were monitoring production environments with it.
  • The vendor had to receive 15% of its SIEM product/SaaS revenue for the period 1 October 2019 through 30 September 2020 from outside the region in which it had headquarters, and have at least 15 end-user production customers in each of at least two of the following regions: North America, Europe, the Middle East and Africa (EMEA), Asia/Pacific, Latin America.
  • The vendor had to have sales and marketing operations (via in-region sales offices or named in-region resellers) targeting at least two of the following regions as of 30 September 2020: North America, EMEA, Asia/Pacific, Latin America.

Excluded from consideration were:

  • Capabilities available only through a managed services relationship — that is, SIEM functionality available to customers only when they sign up for a vendor’s managed security, or managed detection and response, or managed SIEM, or other managed services offering. By managed services, we mean those in which the customer engages the vendor to establish, monitor, escalate and/or respond to alerts, incidents and cases.

Honorable Mentions

  • AT&T Cybersecurity: This vendor’s USM Anywhere offering is being repositioned as a service delivery platform, rather than a SIEM offering.
  • Devo: This vendor did not meet the functional or commercial requirements for inclusion in this Magic Quadrant.
  • Graylog: This vendor did not meet the functional requirements for inclusion in this Magic Quadrant.
  • HanSight: This vendor did not meet the commercial requirements for inclusion in this Magic Quadrant. It was acquired by Qihoo 360 Technology in June 2020.
  • Logsign: This vendor did not meet the commercial requirements for inclusion in this Magic Quadrant.
  • Netsu

Questions to Answer Before Adopting Cloud SIEM Solutions

ARCHIVED

Published 27 July 2020 – ID G00722245 – 13 min readBy Kelly Kavanagh, Gorka Sadowski, and 1 more


Cloud-based options for SIEM are becoming more commonplace. Security and risk management leaders should use this research to help determine if cloud SIEM is an appropriate solution to meet their SIEM requirements and use cases.

Overview

Key Findings

  • Security information and event management (SIEM) technology delivered as a service can simplify and reduce the time to implement, administer, maintain and scale SIEM solutions, compared with on-premises versions.
  • Perceptions of cloud SIEM that dissuade buyers from considering it as an option include concerns about the security of providers’ environments (whether cloud or data center), the impact on internet bandwidth, service availability, regulatory compliance and vendor lock-in.
  • Especially for midsize enterprise and smaller organizations, the benefits of offloading platform and software management to the SIEM vendors, and getting access to features like advanced analytics and more frequent content update, increasingly offset the perceived challenges in using a SaaS version.
  • Traditional SIEM products are incorporating features that leverage cloud infrastructure, such as advanced analytics.

Recommendations

Security and risk management leaders responsible for security operations should:

  • Use cloud SIEM to mitigate resource constraints to deploy and manage SIEM on-premises or to enable redeployment of resources from SIEM platform management to security investigation and response activities.
  • Prioritize vendors offering cloud SIEM delivered in the primary public cloud service used by their organization.
  • Plan for a cloud SIEM implementation as if deploying on-premises SIEM. Activities such as establishing use cases, identifying log sources and understanding how to get data to the vendor’s SIEM (for example, appliance to aggregate logs, host agents) are still mandatory for success.

Strategic Planning Assumption

By 2023, 90% of SIEM solutions will have capabilities that are only delivered via the cloud (for example, log storage, analytics, incident management), up from 20% currently.

Analysis

Cloud SIEM, specifically cloud-native and cloud-hosted, is an increasingly appropriate option for organizations evaluating SIEM technologies for security monitoring and operations (see Figure 1). Interest in cloud SIEM is increasing among Gartner clients, but adoption remains lower relative to on-premises SIEM (15% to 20% of all new SIEM deployments, based on feedback from Gartner clients and SIEM technology vendors). Barriers to cloud SIEM adoption include lack of experience with cloud SIEM, lack of response from vendors regarding buyer concerns about cloud SIEM, buyer misconceptions about risks of cloud SIEM, concerns about the costs of moving data to and from the cloud, and restrictive implementations by vendors that can offset SaaS benefits. This research poses a series of questions that SIEM buyers should ask vendors regarding their cloud SIEM offerings.

Figure 1. Types of Cloud SIEM Offerings

Different models of cloud SIEM: cloud-native, cloud-hosted, and customer-deployed

Cloud SIEM will be the future of how many organizations consume SIEM technology. There is already a variety of vendors with offerings. The benefits of a cloud SIEM model can outweigh the risks for many organizations. For example, approximately 55% of Gartner Peer Insights respondents since March 2017 reported that it took up to three months to deploy their SIEM solution. That means that about 45% of SIEM solution deployments take more than three months to complete, with 20% taking six months or longer. Cloud SIEM deployment can be substantially faster than on-premises deployments.

Customers can realize benefits from cloud SIEM in deployment, maintenance, ongoing operations and scalability. Cloud SIEM deployment greatly reduces the need for shipping, receiving, installing and configuring SIEM appliances (whether physical or virtual) before the first log sources can even be consumed by the SIEM solution. Buyers can realize faster time to value as a result. Maintenance activities are similarly reduced. The vendor handles platform maintenance for availability, performance, bug fixes and feature/function updates. Customers can redeploy engineering resources that would otherwise handle those tasks to higher-value work. The SIEM vendor typically also provides content updates for rules, analytic models, dashboards and reports. The elasticity to expand (and contract) the capacity of the SIEM solution as required may be extremely beneficial for short-term bursts of compute-intensive analytics, for accommodating seasonal changes in requirements, or when business activities like a merger or divestiture occur. A process to expand capacity may take minutes to hours to implement for a customer, compared to the typical one-way elasticity for on-premises SIEM solutions. For example, where physical appliances are involved, it could take weeks to months to implement additional capacity (procuring the equipment, planning and approvals, and then the physical installation and configuration).

However, buyer perceptions of using cloud SIEM can still present an impediment to buying. Feedback from Gartner clients as to why they will not, or cannot, use a cloud SIEM approach includes:

  • Organizational policies that do not support the use of SaaS, which is rare these days outside of specific verticals. For example, there may be organizational policies that dictate that all data, or even a subset that may include sensitive personally identifiable information or customer/partner identifiable information, cannot leave the organization’s premises.
  • Misunderstandings about the shared responsibility relationship between customer and vendor, including concerns about the security controls of the delivery environment used by the vendor (whether their own premises, private cloud services or public cloud services; see the Strategic Planning Assumptions in “Clouds Are Secure: Are You Using Them Securely?”).
  • Corporate policy requiring the SIEM technology to be purchased as a capital expense (capex), which does not fit the operational expense (opex) model employed by most SaaS vendors. This concern is increasingly expressed for on-premises deployments as more vendors adopt subscription pricing models.
  • Worry about the impact on the internet network links, leading to increased traffic and additional costs.
  • Concerns about the availability of the services because control of the technology is out of the customers’ hands (for example, the portal or management interface is unavailable due to a distributed denial of service [DDoS] attack or technical issue).
  • Cloud SIEM customers being locked into the solution, with recovery of their data difficult or impossible if the agreement with the vendor is terminated or expires.

Some of these concerns are entirely legitimate. For example, Gartner clients that are government agencies and bureaus, nongovernmental organizations (NGOs), and companies that are part of government supply chains all report having policies that stipulate that data cannot leave their premises. However, concerns about the vendor’s hosting environment and the impact on network bandwidth are concerns appropriate to any SaaS consumption, but have not stopped organizations from embracing SaaS. Global growth in 2018 was 20.7% (see “Market Share: Enterprise Application Software as a Service, Worldwide, 2019”).The following list of questions and related commentary are not meant to be exhaustive. They represent the most common questions to be addressed by the buyer and/or the SIEM solution vendors being considered to make a determination whether cloud SIEM is appropriate. The questions are also designed to address the sources of most concern by customers considering cloud SIEM. Prospective buyers should heavily weight vendors who can respond affirmatively to these questions. Where vendors respond “no” or with a qualified affirmative, buyers should assess whether other means, such as additional technical controls and contractual requirements, will compensate. These questions can be leveraged to supplement “Toolkit: RFP for Security Information and Event Management.”Can the vendor meet my technical and budget requirements for data transport to/from and storage in the cloud SIEM environment?There are several elements to this question. The first is the use of resources, such as network bandwidth, to move data in the scope of monitoring from the environment where the data is generated into the cloud SIEM. There may be costs associated with the movement of data as well. For example, data generated in an IaaS environment may be subject to costs as it is moved out of the environment. Another element is how the data will be treated to meet your policy or regulatory requirements. 
Must the data be filtered, obfuscated and/or encrypted for transport? Must data reside in specific geographic regions? Must it be encrypted for long-term storage? Are there costs associated with moving the data when the relationship with the cloud SIEM vendor ends? The cloud SIEM vendor should demonstrate that these requirements can be met and that the life cycle costs for doing so are disclosed.Does the vendor’s license model and provisioning practice allow for granular, on-demand elasticity for data ingestion, compute and storage requirements?Many SIEM solution vendors claim their solutions are SaaS when they may be just a cloud-hosted version. For example, the vendor manually installs an instance of its software in its data center or in IaaS, managed as a stand-alone instance, where upward or downward elasticity is manually handled by the vendor. Also, pricing is similar to its on-premises models, where you have to buy a set amount of capacity, and it can only grow and never contract. A hosting model may be acceptable, but details of how close to SaaS the solution is should be provided by the vendor. Prospective customers should understand the costs and constraints regarding scaling the underlying infrastructure to accommodate growth in event sources or data volume, new use cases, or seasonal business fluctuations. For example, does that happen dynamically or does the SIEM vendor need to manually provision/deprovision capacity? If manually, how long does it take?Can the vendor provide third-party security evaluations of the cloud platform and vendor operations for delivering the SIEM solution?It is important to gain an appropriate level of assurance that your data will be securely accessed and managed in the provider’s platform (for example, protected from inappropriate access or disclosure). Vendors should be able to demonstrate and provide evidence of formal third-party security evaluation, such as ISO/IEC 27001, AICPA SOC 2 Type 2 or FedRAMP (if applicable). 
If the vendor is based in a public cloud, do not rely entirely on the cloud provider’s evidence. It’s vitally important that you assess how the cloud SIEM vendor is leveraging the cloud provider’s security and configuration capabilities.Does the vendor offer sufficient data collection, transport and storage options to support the volume, velocity of data and variety of event sources needed to support my use cases?The optimal method for data collection and storage may differ based on the type of data, the source, the volume or velocity, the use cases the data supports and the retention requirements. Vendors should be able to support a variety of methods, including on-premises collector appliances, agents, API access, batch ingestion, and on-demand acquisition from on-premises and cloud-based sources. Ensure the vendor supports options for compression to reduce transport and storage costs. Make sure the vendor offers data retention options that allow you to avoid paying for extended retention of data with limited long-term value for detection and response and not subject to regulatory or policy requirements.Is the SIEM solution cloud-native?Cloud SIEM may be cloud-native SaaS or cloud-hosted. For many users, the answer to this may have no effect on their day-to-day experience with the SIEM. However, Gartner expects that SIEM vendors with cloud-native solutions will, over the midterm, be more effective in maintenance and operations activities for their SIEMs, in introducing functional updates and applying corrections for bugs or vulnerabilities, and in accommodating short-term, bursty or seasonal changes in capacity requirements. 
This outcome may be important to buyers placing a premium on availability, response stability and cost of the SIEM.Can the vendor offer service-level agreements (SLAs) and evidence of process maturity in delivering rapid feature, function and content updates while maintaining product availability and functionality?One of the benefits of a SaaS model is that updates, both functional and performance-related, can be released much faster compared with the traditional approach of maintaining on-premises software deployments that rely on content updates, minor and major release updates, hotfixes, and patches. This can be beneficial for cloud SIEM users since new features and fixes are made available more quickly and frequently. However, this can introduce risks, such as features being pushed out before they are truly ready for production use, product instability, and new vulnerabilities in the solution if the vendor does not have robust DevOps and DevSecOps practices in place. Conversely, this agility also means that performance and security issues can be resolved more rapidly.Does the vendor have mature processes for deployment, management and break-fix for SIEM components such as agents, appliances and network sensors that will reside in my environment?Some SIEM vendors are taking a platform approach to their solutions that offers add-on technologies beyond just the core SIEM tool, such as network traffic analysis, file integrity monitoring (FIM), endpoint detection and response (EDR), and vulnerability assessment. Many of these add-on technologies are deployed within a customer’s environment close to the sources being monitored. Alternatively, they are add-on modules to the core SIEM environment that traditionally would have been installed alongside the SIEM solution or on a separate appliance or server. 
If planning to use these add-on solutions, it’s important to know if they are: supported by the vendor in its cloud SIEM version and what, if any, impacts this creates either from an architecture or operations perspective.Will the vendor commit for SIEM availability of at least 99.5% (insert your own requirements here) for its cloud SIEM and provide resilience options to address IaaS and connectivity issues?Availability can be affected by outages in the underlying cloud platform, issues with the vendor’s application, connectivity between vendor and customer, and issues with on-premises elements of the SIEM solution. Another consideration is how any outages or losses of connectivity (whether on the buyer’s or vendor’s side) might affect security operations. It is important to understand what plans the vendor has in place to deal with these issues, both planned and unplanned. How will the vendor communicate to you when there are planned or unexpected outages? What happens if there is an extended outage? Are SLAs for availability offered? It also requires buyers to have appropriate contingency plans when outages are experienced. Will you have sufficient capacity to store logs until logs can be forwarded? How will security monitoring and operations continue to function without access to the SIEM?Will the vendor agree to service transition arrangements to enable the transfer of log data and other content as needed at the end of the service period or prior to that?You need to ensure that your data is returned at contract termination and that the vendor will provide sufficient attestation that it has removed/returned your data that was in its possession. You must also ensure you have access to your data for sufficient time to move it off the vendor’s systems if the vendor is unable to continue providing SIEM. 
Retaining ownership of and guaranteed access to, for example, the log and event data, alerting rules, analytics, reports, playbooks, and threat intelligence that are created and modified when using a cloud SIEM are important considerations when ending use of the solution. This question is not exclusive to cloud SIEM. However, due to the nature of SaaS, there can be challenges with extracting the logs, data and context back on-premises or to a different cloud platform. Having a good understanding and documented agreements for what happens once the use of the cloud SIEM solution expires is critical, especially for those organizations that must hold logs for extended periods of time (for example, 365 days for Payment Card Industry Data Security Standard [PCI DSS])

  • rion: This vendor’s EventTracker solution is positioned more as a service delivery platform than as an end-user SIEM solution.
  • SolarWinds: This vendor did not meet the requirement for analytics capabilities.

Questions to Answer Before Adopting Cloud SIEM Solutions

Archived. Published 27 July 2020 – ID G00722245 – 13 min read. By Kelly Kavanagh, Gorka Sadowski, and 1 more

Cloud-based options for SIEM are becoming more commonplace. Security and risk management leaders should use this research to help determine if cloud SIEM is an appropriate solution to meet their SIEM requirements and use cases.

Overview

Key Findings

  • Security information and event management (SIEM) technology delivered as a service can simplify and reduce the time to implement, administer, maintain and scale SIEM solutions, compared with on-premises versions.
  • Perceptions of cloud SIEM that dissuade buyers from considering it as an option include concerns about the security of providers’ environments (whether cloud or data center), the impact on internet bandwidth, service availability, regulatory compliance and vendor lock-in.
  • Especially for midsize enterprise and smaller organizations, the benefits of offloading platform and software management to the SIEM vendor, and of getting access to features like advanced analytics and more frequent content updates, increasingly offset the perceived challenges of using a SaaS version.
  • Traditional SIEM products are incorporating features that leverage cloud infrastructure, such as advanced analytics.

Recommendations

Security and risk management leaders responsible for security operations should:

  • Use cloud SIEM to mitigate resource constraints to deploy and manage SIEM on-premises or to enable redeployment of resources from SIEM platform management to security investigation and response activities.
  • Prioritize vendors offering cloud SIEM delivered in the primary public cloud service used by their organization.
  • Plan for a cloud SIEM implementation as if deploying on-premises SIEM. Activities such as establishing use cases, identifying log sources and understanding how to get data to the vendor’s SIEM (for example, appliance to aggregate logs, host agents) are still mandatory for success.

Strategic Planning Assumption

By 2023, 90% of SIEM solutions will have capabilities that are only delivered via the cloud (for example, log storage, analytics, incident management), up from 20% currently.

Analysis

Cloud SIEM, specifically cloud-native and cloud-hosted, is an increasingly appropriate option for organizations evaluating SIEM technologies for security monitoring and operations (see Figure 1). Interest in cloud SIEM is increasing among Gartner clients, but adoption remains lower relative to on-premises SIEM (15% to 20% of all new SIEM deployments, based on feedback from Gartner clients and SIEM technology vendors). Barriers to cloud SIEM adoption include lack of experience with cloud SIEM, lack of response from vendors regarding buyer concerns about cloud SIEM, buyer misconceptions about risks of cloud SIEM, concerns about the costs of moving data to and from the cloud, and restrictive implementations by vendors that can offset SaaS benefits. This research poses a series of questions that SIEM buyers should ask vendors regarding their cloud SIEM offerings.

Figure 1. Types of Cloud SIEM Offerings

Different models of cloud SIEM: cloud-native, cloud-hosted, and customer-deployed

Cloud SIEM will be the future of how many organizations consume SIEM technology. There is already a variety of vendors with offerings. The benefits of a cloud SIEM model can outweigh the risks for many organizations. For example, approximately 55% of Gartner Peer Insights respondents since March 2017 reported that it took up to three months to deploy their SIEM solution. That means that about 45% of SIEM solution deployments take more than three months to complete, with 20% taking six months or longer. Cloud SIEM deployment can be substantially faster than on-premises deployment.

Customers can realize benefits from cloud SIEM in deployment, maintenance, ongoing operations and scalability. Cloud SIEM deployment greatly reduces the need for shipping, receiving, installing and configuring SIEM appliances (whether physical or virtual) before the first log sources can even be consumed by the SIEM solution. Buyers can realize faster time to value as a result. Maintenance activities are similarly reduced: the vendor handles platform maintenance for availability, performance, bug fixes and feature/function updates.

Customers can redeploy engineering resources that would otherwise handle those tasks to higher-value work. The SIEM vendor typically also provides content updates for rules, analytic models, dashboards and reports. The elasticity to expand (and contract) the capacity of the SIEM solution as required may be extremely beneficial for short-term bursts of compute-intensive analytics, for accommodating seasonal changes in requirements, or when business activities like a merger or divestiture occur. A process to expand capacity may take minutes to hours to implement for a customer, compared with the typical one-way elasticity of on-premises SIEM solutions. Where physical appliances are involved, it could take weeks to months to implement additional capacity: procuring the equipment, obtaining planning approvals, and then physically installing and configuring it.

However, buyer perceptions of cloud SIEM can still present an impediment to buying. Feedback from Gartner clients as to why they will not, or cannot, use a cloud SIEM approach includes:

  • Organizational policies that do not support the use of SaaS, which is rare these days outside of specific verticals. For example, there may be organizational policies that dictate that all data, or even a subset that may include sensitive personally identifiable information or customer/partner identifiable information, cannot leave the organization’s premises.
  • Misunderstandings about the shared responsibility relationship between customer and vendor, including concerns about the security controls of the delivery environment used by the vendor (whether their own premises, private cloud services or public cloud services; see the Strategic Planning Assumptions in “Clouds Are Secure: Are You Using Them Securely?”).
  • Corporate policy requiring the SIEM technology to be purchased as a capital expense (capex), which does not fit the operational expense (opex) model employed by most SaaS vendors. This concern is increasingly expressed for on-premises deployments as more vendors adopt subscription pricing models.
  • Worry about the impact on the internet network links, leading to increased traffic and additional costs.
  • Concerns about the availability of the services because control of the technology is out of the customers’ hands (for example, the portal or management interface is unavailable due to a distributed denial of service [DDoS] attack or technical issue).
  • Cloud SIEM customers being locked into the solution, with recovery of their data difficult or impossible if the agreement with the vendor is terminated or expires.

Some of these concerns are entirely legitimate. For example, Gartner clients that are government agencies and bureaus, nongovernmental organizations (NGOs), and companies that are part of government supply chains all report having policies that stipulate that data cannot leave their premises. However, concerns about the vendor’s hosting environment and the impact on network bandwidth apply to any SaaS consumption, and they have not stopped organizations from embracing SaaS. Global growth in 2018 was 20.7% (see “Market Share: Enterprise Application Software as a Service, Worldwide, 2019”).

The following list of questions and related commentary is not meant to be exhaustive. The questions represent the most common ones to be addressed by the buyer and/or the SIEM solution vendors being considered in order to determine whether cloud SIEM is appropriate. They are also designed to address the sources of most concern for customers considering cloud SIEM. Prospective buyers should heavily weight vendors who can respond affirmatively to these questions. Where vendors respond “no” or with a qualified affirmative, buyers should assess whether other means, such as additional technical controls and contractual requirements, will compensate. These questions can be used to supplement “Toolkit: RFP for Security Information and Event Management.”

Can the vendor meet my technical and budget requirements for data transport to/from and storage in the cloud SIEM environment?

There are several elements to this question. The first is the use of resources, such as network bandwidth, to move data in the scope of monitoring from the environment where the data is generated into the cloud SIEM. There may be costs associated with the movement of data as well. For example, data generated in an IaaS environment may be subject to costs as it is moved out of the environment. Another element is how the data will be treated to meet your policy or regulatory requirements. Must the data be filtered, obfuscated and/or encrypted for transport? Must data reside in specific geographic regions? Must it be encrypted for long-term storage? Are there costs associated with moving the data when the relationship with the cloud SIEM vendor ends? The cloud SIEM vendor should demonstrate that these requirements can be met and disclose the life cycle costs of doing so.

Does the vendor’s license model and provisioning practice allow for granular, on-demand elasticity for data ingestion, compute and storage requirements?

Many SIEM solution vendors claim their solutions are SaaS when they may be just a cloud-hosted version. For example, the vendor manually installs an instance of its software in its data center or in IaaS, managed as a stand-alone instance, where upward or downward elasticity is handled manually by the vendor. Also, pricing is similar to its on-premises models, where you have to buy a set amount of capacity that can only grow and never contract. A hosting model may be acceptable, but the vendor should provide details of how close to SaaS the solution is. Prospective customers should understand the costs and constraints of scaling the underlying infrastructure to accommodate growth in event sources or data volume, new use cases, or seasonal business fluctuations. For example, does that happen dynamically, or does the SIEM vendor need to manually provision/deprovision capacity? If manually, how long does it take?

Can the vendor provide third-party security evaluations of the cloud platform and vendor operations for delivering the SIEM solution?

It is important to gain an appropriate level of assurance that your data will be securely accessed and managed in the provider’s platform (for example, protected from inappropriate access or disclosure). Vendors should be able to demonstrate and provide evidence of formal third-party security evaluation, such as ISO/IEC 27001, AICPA SOC 2 Type 2 or FedRAMP (if applicable). If the vendor is based in a public cloud, do not rely entirely on the cloud provider’s evidence. It is vitally important that you assess how the cloud SIEM vendor is leveraging the cloud provider’s security and configuration capabilities.

Does the vendor offer sufficient data collection, transport and storage options to support the volume and velocity of data and the variety of event sources needed for my use cases?

The optimal method for data collection and storage may differ based on the type of data, the source, the volume or velocity, the use cases the data supports and the retention requirements. Vendors should be able to support a variety of methods, including on-premises collector appliances, agents, API access, batch ingestion, and on-demand acquisition from on-premises and cloud-based sources. Ensure the vendor supports options for compression to reduce transport and storage costs. Make sure the vendor offers data retention options that allow you to avoid paying for extended retention of data that has limited long-term value for detection and response and is not subject to regulatory or policy requirements.

Is the SIEM solution cloud-native?

Cloud SIEM may be cloud-native SaaS or cloud-hosted. For many users, the answer to this may have no effect on their day-to-day experience with the SIEM. However, Gartner expects that SIEM vendors with cloud-native solutions will, over the midterm, be more effective in maintenance and operations activities for their SIEMs, in introducing functional updates and applying corrections for bugs or vulnerabilities, and in accommodating short-term, bursty or seasonal changes in capacity requirements. This outcome may be important to buyers placing a premium on availability, response stability and cost of the SIEM.

Can the vendor offer service-level agreements (SLAs) and evidence of process maturity in delivering rapid feature, function and content updates while maintaining product availability and functionality?

One of the benefits of a SaaS model is that updates, both functional and performance-related, can be released much faster compared with the traditional approach of maintaining on-premises software deployments that rely on content updates, minor and major release updates, hotfixes, and patches. This can be beneficial for cloud SIEM users, since new features and fixes are made available more quickly and frequently. However, it can introduce risks, such as features being pushed out before they are truly ready for production use, product instability, and new vulnerabilities in the solution if the vendor does not have robust DevOps and DevSecOps practices in place. Conversely, this agility also means that performance and security issues can be resolved more rapidly.

Does the vendor have mature processes for deployment, management and break-fix for SIEM components such as agents, appliances and network sensors that will reside in my environment?

Some SIEM vendors are taking a platform approach to their solutions that offers add-on technologies beyond just the core SIEM tool, such as network traffic analysis, file integrity monitoring (FIM), endpoint detection and response (EDR), and vulnerability assessment. Many of these add-on technologies are deployed within a customer’s environment, close to the sources being monitored. Alternatively, they are add-on modules to the core SIEM environment that traditionally would have been installed alongside the SIEM solution or on a separate appliance or server. If planning to use these add-on solutions, it is important to know whether they are supported by the vendor in its cloud SIEM version and what, if any, impacts this creates from an architecture or operations perspective.

Will the vendor commit to SIEM availability of at least 99.5% (insert your own requirements here) for its cloud SIEM and provide resilience options to address IaaS and connectivity issues?

Availability can be affected by outages in the underlying cloud platform, issues with the vendor’s application, connectivity between vendor and customer, and issues with on-premises elements of the SIEM solution. Another consideration is how any outages or losses of connectivity (whether on the buyer’s or vendor’s side) might affect security operations. It is important to understand what plans the vendor has in place to deal with these issues, both planned and unplanned. How will the vendor communicate to you when there are planned or unexpected outages? What happens if there is an extended outage? Are SLAs for availability offered? Buyers also need appropriate contingency plans for when outages are experienced. Will you have sufficient capacity to store logs locally until they can be forwarded? How will security monitoring and operations continue to function without access to the SIEM?

Will the vendor agree to service transition arrangements to enable the transfer of log data and other content as needed at the end of the service period or prior to that?

You need to ensure that your data is returned at contract termination and that the vendor will provide sufficient attestation that it has removed/returned the data that was in its possession. You must also ensure you have access to your data for sufficient time to move it off the vendor’s systems if the vendor is unable to continue providing SIEM. Retaining ownership of and guaranteed access to, for example, the log and event data, alerting rules, analytics, reports, playbooks, and threat intelligence that are created and modified when using a cloud SIEM are important considerations when ending use of the solution. This question is not exclusive to cloud SIEM. However, due to the nature of SaaS, there can be challenges with extracting the logs, data and context back on-premises or to a different cloud platform. Having a good understanding of, and documented agreements for, what happens once use of the cloud SIEM solution expires is critical, especially for organizations that must hold logs for extended periods of time (for example, 365 days for the Payment Card Industry Data Security Standard [PCI DSS]).
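As an added example (not part of the Gartner note or any vendor's product), the following Python sketch shows what a collector on the customer's side can do about two of the questions above: treating data before it leaves the premises (filtering out-of-scope events, keyed pseudonymization of PII fields, gzip compression to cut transport volume) and keeping a bounded local spool so that logs survive a loss of connectivity to the cloud SIEM and are forwarded in their original order once it returns. The sample events, field names, the HMAC key, the 16-character token length and the sizing figures are all constructed for illustration; the spool is in memory here, where a real collector would back it with disk.

```python
"""Added example: collector-side handling of logs bound for a cloud SIEM.
(1) filter and pseudonymize PII before transport, (2) compress batches,
(3) spool-and-forward across an outage, (4) size the spool.
All names, sample events and numbers below are constructed."""
import gzip
import hashlib
import hmac
import json
from collections import deque
from typing import Callable, Deque, Dict, List, Optional

# Constructed sample events; IP addresses come from documentation ranges.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2020-07-27T10:00:00Z", "src": "fw-edge-1", "action": "deny",
     "user": "alice@example.test", "client_ip": "203.0.113.10"},
    {"ts": "2020-07-27T10:00:01Z", "src": "app-web-2", "action": "login_ok",
     "user": "bob@example.test", "client_ip": "198.51.100.7"},
    {"ts": "2020-07-27T10:00:02Z", "src": "app-web-2", "action": "debug",
     "msg": "cache warmed"},
    {"ts": "2020-07-27T10:00:03Z", "src": "fw-edge-1", "action": "deny",
     "user": "alice@example.test", "client_ip": "203.0.113.10"},
]

PII_FIELDS = ("user", "client_ip")  # must not leave the premises in clear text
DROP_ACTIONS = {"debug"}            # no detection or compliance value; do not ship


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym: equal inputs give equal tokens, so the
    SIEM can still correlate events, but the token cannot be reversed
    without the key, which stays with the customer (never sent to the SIEM)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def prepare(event: Dict, key: bytes) -> Optional[Dict]:
    """Drop out-of-scope events; replace PII fields with pseudonyms."""
    if event.get("action") in DROP_ACTIONS:
        return None
    out = dict(event)
    for field in PII_FIELDS:
        if field in out:
            out[field] = pseudonymize(str(out[field]), key)
    return out


def pack_batch(events: List[Dict]) -> bytes:
    """Serialize as newline-delimited JSON and gzip it for transport."""
    raw = "\n".join(json.dumps(e, sort_keys=True) for e in events).encode("utf-8")
    return gzip.compress(raw)


def unpack_batch(blob: bytes) -> List[Dict]:
    """Inverse of pack_batch, i.e. what the receiving side does."""
    text = gzip.decompress(blob).decode("utf-8")
    return [json.loads(line) for line in text.split("\n") if line]


class Spool:
    """Bounded local buffer for batches that could not be delivered."""

    def __init__(self, capacity_bytes: int) -> None:
        self.capacity = capacity_bytes
        self.queue: Deque[bytes] = deque()
        self.used = 0
        self.dropped = 0  # batches refused because the spool was full

    def enqueue(self, batch: bytes) -> bool:
        """Store a batch, or refuse it (and count the loss) if full."""
        if self.used + len(batch) > self.capacity:
            self.dropped += 1
            return False
        self.queue.append(batch)
        self.used += len(batch)
        return True

    def flush(self, send: Callable[[bytes], bool]) -> int:
        """Replay oldest first; stop at the first failed send to keep order."""
        sent = 0
        while self.queue:
            if not send(self.queue[0]):
                break
            self.used -= len(self.queue.popleft())
            sent += 1
        return sent


def forward(batch: bytes, spool: Spool, send: Callable[[bytes], bool]) -> str:
    """Deliver now if the SIEM is reachable, otherwise spool locally."""
    if send(batch):
        return "sent"
    return "spooled" if spool.enqueue(batch) else "dropped"


def spool_capacity_needed(eps: float, avg_event_bytes: int,
                          outage_hours: float, compression_ratio: float) -> int:
    """Bytes of local storage needed to ride out an outage without loss."""
    return int(eps * avg_event_bytes * outage_hours * 3600 / compression_ratio)


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-on-prem"
    prepared = [e for e in (prepare(ev, key) for ev in SAMPLE_EVENTS) if e]
    batch = pack_batch(prepared)
    spool = Spool(capacity_bytes=spool_capacity_needed(1000, 500, 8, 5.0))
    siem_down: Callable[[bytes], bool] = lambda _b: False
    siem_up: Callable[[bytes], bool] = lambda _b: True
    print(forward(batch, spool, siem_down), "- bytes spooled:", spool.used)
    print("replayed", spool.flush(siem_up), "batch(es); spool now", spool.used)
```

With the constructed sizing inputs (1,000 events per second, 500 bytes per event, an eight-hour outage, 5:1 compression) `spool_capacity_needed` returns 2.88 GB, which is the kind of figure to compare against the local disk actually available on a collector appliance. The `dropped` counter is the number that should feed a health alert: once the spool refuses batches, the contingency plan, not the code, has to take over.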