Gartner has just published its annual Magic Quadrant report for Security Information and Event Management (SIEM) Technology. In its report, the industry research firm rates 15 vendors on how their products address customers' needs for security intelligence and analytics, ranking them on their ability to execute and completeness of vision.
Gartner graphs the rankings, with completeness of vision on the X-axis and the ability to execute on the Y-axis. The graph is sectioned into four quadrants, with the upper-right quadrant the "Leaders," the upper-left the "Challengers" (strong execution but weaker on vision), the lower-right the "Visionaries" (strong on vision but weaker on execution), and the lower-left the "Niche Players."
IBM Security QRadar rated highest in the Leaders quadrant, followed by Hewlett-Packard, McAfee, Splunk and LogRhythm.
The report gave IBM's QRadar high marks for its "integrated view of the threat environment using NetFlow DPI and full packet capture in combination with log data, configuration data and vulnerability data from monitored sources." Additionally, feedback from IBM customers indicates that the technology is "relatively straightforward to deploy and maintain in both medium-size and large environments."
Gartner deemed QRadar to be a good fit for mid-size and large enterprises that need general SIEM capabilities, and also for use cases that require behavior analysis, NetFlow analysis and full packet capture.
HP's ArcSight Express should be considered for midsize SIEM deployments, according to Gartner. ArcSight's Enterprise Security Manager (ESM) is appropriate for larger deployments, as long as sufficient in-house support resources are available, according to Gartner. ESM provides a complete set of SEM capabilities that can be used to support a security operations center. ArcSight Express provides a simplified option for midsize SIEM deployments.
Splunk is a good fit for security organizations that require customizable security monitoring and analytics, and is an especially good fit for use cases that span security and operations, and for deployments with a focus on application monitoring, according to the report.
"Splunk's strong presence in IT operations groups can provide the security organization with early hands-on exposure to its general log management and analytics capabilities, "pre-SIEM" deployment by operations for critical resources, and in-house operations support for an expanded security-focused deployment," Gartner said.
Two vendors occupy this quadrant: EMC (RSA) and NetIQ.
The report concluded that RSA Security Analytics is best suited for organizations that have high-security environments and the staff to support a complex technology that requires extensive customization, along with a need for log-based monitoring and network-level monitoring.
NetIQ's Sentinel was deemed a good fit for organizations that require "large-scale security event processing in highly distributed environments (such as retail)," and Gartner noted it is an "especially good choice for organizations that have deployed NetIQ IAM infrastructure and need security monitoring with an identity context."
AlienVault is the only vendor in this quadrant. "The AlienVault USM platform should be considered by organizations that need a broad set of integrated security capabilities at relatively low cost compared with other commercial offerings, and by organizations that want a commercially supported product that is based on open source," Gartner's report said.
The Niche Players
Topping the list of niche players are SolarWinds and TrustWave. Other vendors in this quadrant are Tibco Software, Tenable Network Security, Event Tracker, AccelOps and BlackStratus.
SolarWinds LEM is a good fit for small- or mid-size companies that require SIEM technology that is easy to deploy as well as companies that use other SolarWinds' operations monitoring components, Gartner said. Trustwave is a good fit for mid-size organizations that require a combination of compliance-oriented services and SIEM technology.
Gartner said in its report that the SIEM market is dominated by just a few large vendors -- HP, IBM, McAfee, EMC (RSA) and Splunk -- that command about 60 percent of market revenue. Other large vendors such as Tibco are also in the mix. There are still a few small vendors that are doing well, but Gartner said there would be "increasing stress on many of the small remaining vendors."
The number one reason businesses are adopting security information and event management technology is to detect data breaches, while compliance remains the secondary motive, Gartner said.
While the SIEM market is mature and competitive, the greatest area of unmet need is effective targeted attack and breach detection, Gartner said. But the situation can be improved with stronger threat intelligence, the addition of behavior profiling and better analytics.
"SIEM is a $1.5 billion market that grew 16 percent during 2013 -- with an expected growth rate of 12.4 percent during 2014," the report said. "During this period, the number of Gartner inquiry calls from end-user clients with funded SIEM projects increased by 12 percent over the previous 12 months."