Key Criteria for Evaluating Security Information and Event Management (SIEM) Solutions v3.0

An Evaluation Guide for Technology Decision-Makers

Table of Contents

  1. Summary
  2. SIEM Primer
  3. Report Methodology
  4. Decision Criteria Analysis
  5. Evaluation Metrics
  6. Key Criteria: Impact Analysis
  7. Analyst’s Take
  8. About Andrew Green

1. Summary

Security information and event management (SIEM) solutions consolidate multiple security data streams under one roof. Initially, SIEM solutions supported early detection of cyberattacks and data breaches by collecting and correlating security event logs. Over time, they evolved into sophisticated systems capable of ingesting huge volumes of data from disparate sources, analyzing data in real time, and gathering additional context from threat intelligence feeds and new sources of security-related data.

With more and more digital infrastructure and services becoming mission-critical to every enterprise, SIEM tools must handle higher volumes of data. Therefore, vendors and customers increasingly focus on cloud-based SIEM solutions, whether SaaS or cloud-hosted models, for their scalability and flexibility. A fivefold increase in the number of alerts generated by a SIEM tool can easily be absorbed by scaling in the cloud, while the same change in an on-premises deployment can require manual provisioning of additional infrastructure to support the increase.

As the nerve center of the security operations center (SOC), SIEM solutions are in a prime position to expand their capabilities through native developments, integrations with third-party security tools, or by consuming other tools altogether via mergers and acquisitions. An ongoing trend shows SIEM solutions integrating security orchestration, automation, and response (SOAR) solutions to create a product with deep end-to-end capabilities for managing security operations. This integration has launched a new category of products in the security market—the converged SIEM.

With increasing functions and responsibilities, SIEM solutions are now balancing between a comprehensive portfolio of capabilities on the one hand and usability and user experience (UX) on the other, all while recognizing an overlap with existing security tool deployments. Given more interdependencies, IT buyers must be aware of how deploying a SIEM solution will impact their existing ecosystem of security products, the costs involved, and the analyst experience.

The GigaOm Key Criteria and Radar reports provide an overview of the SIEM market, identify capabilities (table stakes, key criteria, and emerging technologies) and non-functional requirements (evaluation metrics) for selecting a SIEM solution, and detail vendors and products that excel. These reports give prospective buyers an overview of the top vendors in this sector and help decision-makers evaluate solutions and decide where to invest.

How to Read This Report

This GigaOm report is one of a series of documents that help IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.