1 Introduction / Executive Summary
Security Information and Event Management (SIEM) solutions have dominated the enterprise security market for nearly two decades, and even nowadays they are still widely used to power security operations centers (SOCs) in large companies or managed security services for smaller ones.
At the beginning of the Digital Transformation era, when perimeter-focused tools like firewalls were no longer able to protect corporate networks, the scope of cybersecurity was gradually shifting towards threat detection. Back then, SIEM tools were hailed as the ultimate solution to all security challenges.
With centralized collection and management of security-related data across all corporate IT systems and a set of rules to identify known malicious activities in that stream of security events, the only thing that remained was to analyze each finding and respond accordingly. In addition to providing visibility into the overall security posture, SIEMs serve as a convenient tool for compliance reporting.
Unfortunately, it did not take long to realize that SIEM solutions were failing to deliver on their promises, with companies deploying them facing multiple obstacles and challenges. High deployment and operational costs, consistent failures to react to modern cyber threats in time, and, last but not least, the growing skills gap to staff the security teams needed for efficient security operations were the most common problems of legacy SIEM solutions.
Even with fairly simple rule-based detection capabilities, traditional SIEMs tend to generate an overwhelming number of alerts with a high percentage of false positives. Because these alerts lack risk scores or other meaningful metrics for their impact, prioritizing analysis becomes very difficult. When it comes to analyzing a discovered incident, traditional SIEMs offer few automation capabilities and usually do not support two-way integration with security devices like firewalls; thus, they do not make forensic investigations any easier for analysts, whose job remains largely manual and time-consuming.
For years, organizations have been looking for better alternatives to replace their aging SIEMs. Some experts have even proclaimed that SIEM as a concept is no longer relevant and that it should give way to modern alternatives, such as XDR – the emerging "Extended Detection and Response" technology. However, the SIEM market itself has also been constantly evolving in recent years, and modern products bear little resemblance to their ancestors.
Over the last decade or so, the security analytics market has undergone profound changes thanks to several groundbreaking technologies that emerged after the first generation of SIEM tools. These include such fundamental developments as Big Data frameworks, public clouds, and artificial intelligence and machine learning. By incorporating these technologies into their products, as well as augmenting them with further new capabilities (such as user behavior analytics, intelligent decision support for analysts, sophisticated forensic tools, orchestration and automation for incident response, and so on), vendors can offer their customers substantially modernized, scalable and intelligent solutions and ensure that SIEMs remain a core component of modern enterprise security architectures.
The market for these modern security intelligence and automation solutions continues to evolve, with solutions gaining new capabilities, merging previously standalone tools into integrated platforms, and, last but not least, changing names, definitions, and licensing policies. Some vendors continue to offer these capabilities as separate products or platform modules – such as UEBA, SOAR, or even NDR – while others deliver various capabilities under the single overarching "Next-Gen SIEM" banner.
Companies looking for an upgrade for their aging SIEM solution now have to face a tough task – to look behind the alphabet soup of various security technologies, identify the most necessary capabilities that would address their specific requirements, and then choose a solution or a combination of solutions to modernize their security operations centers. Unfortunately, there is no universal recipe that would fit all possible customer sizes, industries, or geographies.
This Leadership Compass should be seen as an additional tool that can help you identify your requirements and map them onto capabilities offered by specific vendors, taking into consideration your scale, available skill set, and, of course, budget constraints.
- SIEM solutions have dominated the enterprise security market for nearly two decades, but unfortunately, due to high operating costs and an increasing shortage of skilled security experts, traditional SIEMs can no longer keep up with the scale and sophistication of modern cybersecurity threats.
- The biggest shortcoming of legacy SIEM tools is their inability to deal with the overwhelming number of generated security alerts and to separate the relevant ones that need to be investigated from the useless statistical noise.
- Currently, the SIEM market is experiencing strong pressure from alternative approaches such as specialized security monitoring solutions for different attack surfaces (endpoints, networks, APIs, databases, etc.) and unified XDR solutions; however, SIEM solutions themselves continue to evolve, expand their coverage and address their historical challenges.
- Modern technologies like machine learning, which powers behavior analytics, threat hunting, and remediation, ensure that the usability and productivity of SIEM tools improve significantly.
- Incorporation of advanced security orchestration, automation, and response (SOAR) capabilities either directly or via two-way API integrations ensures that forensic analysis and incident response can be automated to a high degree, reducing the time needed to react to a breach.
- The ongoing trend of delivering security solutions from the cloud affects SIEM platforms as well – the support for cloud-based and hybrid deployments is available from every relevant vendor in this market.
- The number of fully-managed, cloud-only SIEM solutions offered as-a-Service continues to grow; smaller, agile and innovative startups and even some large veteran vendors like Microsoft opt for this approach.
- The market consolidation trend continues: capabilities like UEBA or SOAR, which just a few years ago were offered as standalone tools from independent vendors, are now increasingly integrated directly into SIEM products through acquisitions.
- Still, the market is far from reaching maturity and stagnation; this can be immediately observed in this Leadership Compass' findings: we have a healthy mix of large veterans and innovative startups among the leading SIEM offerings.
- The overall leaders in the Intelligent SIEM Platforms market are (in alphabetical order): Exabeam, FireEye, Fortinet, Gurucul, IBM, Micro Focus, Microsoft, NetWitness (RSA), and Securonix.