This is a GigaOm Research Reprint: Expires Aug 21, 2022

GigaOm Radar for Security Information and Event Management (SIEM) Solutions v1.0

1. Summary

The security information and event management (SIEM) solution space is mature and competitive. Most vendors have had well over a decade to refine their products, and the differentiation among basic SIEM functions is fairly small.

In response, SIEM vendors are developing advanced platforms that ingest more data, provide greater context, and deploy machine learning and automation capabilities to augment security analysts’ efforts. These solutions deliver value by giving security analysts deeper and broader visibility into complex infrastructures, increasing efficiency and decreasing the time to detection and time to respond.

Vendors offer SIEM solutions in a variety of forms, such as on-premises appliances, software installed in the customers’ on-premises or cloud environments, and cloud hosted SIEM-as-a-Service. Many vendors have developed multi-tenant SIEM solutions for large enterprises or for managed security service providers. Customers often find SIEM solutions challenging to deploy, maintain, or even operate, leading to a growing demand for managed SIEM services, whether provided by the SIEM vendor or third-party partners.

SIEM solutions continue to vie for space with other security solutions, such as endpoint detection and response (EDR), security orchestration automation and response (SOAR), and security analytics solutions. All SIEM vendors support integrations with other security solutions. Many vendors also offer tightly integrated solution stacks, allowing customers to choose the solutions they need most, whether just a SIEM, a SIEM and a SOAR, or some other combination. Other vendors are incorporating limited EDR- or SOAR-like capabilities into their SIEM solutions for customers who want the extra features but are not ready to invest in multiple solutions.

With so many options, choosing a SIEM solution is challenging. You will have to consider several key factors, starting with your existing IT infrastructure. Is an on-premises SIEM the right choice for you, or do you want a cloud-based or hybrid solution? Which systems and devices will be sending data to your SIEM, and how much data will it need to collect, correlate, analyze, and store? You should also consider the relative importance of basic capabilities and advanced features, bearing in mind that the basic capabilities may be considerably easier to deploy, maintain, and operate. Will your IT and security teams be able to deploy, maintain, and operate the solution on their own, or should you look for managed services to handle those tasks?

This GigaOm Radar report details the key SIEM solutions on the market, identifies key criteria and evaluation metrics for selecting a SIEM, and identifies vendors and products that excel. It will give you an overview of the key SIEM offerings and help decision-makers evaluate existing solutions and decide where to invest.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.

2. Market Categories and Deployment Types

For a better understanding of the market and vendor positioning, in Table 1 we assess how well SIEM solutions are positioned to serve the following five market segments:

  • Large enterprise: Large enterprises will require high-performance SIEM solutions with the throughput and storage capacity to ingest huge volumes of data. Flexibility in deployment, scalability, and integration with existing infrastructure will be key differentiators.
  • Small-to-medium enterprise: Solutions in this category meet the needs of organizations ranging from small businesses to medium-sized companies. For this segment, advanced features may be less important than compliance and audit reporting and ease of use and deployment. Newer small enterprises may also rely heavily on cloud-based infrastructure, services, and apps, and favor cloud-based SIEM solutions.
  • Managed service provider: Managed service providers will require multi-tenant architectures, flexibility, and scalability. They may also favor solutions with predictable pricing models.
  • Network service provider: Network providers have a large infrastructure footprint to monitor for both consumer and enterprise customers, spanning wide geographical areas.
  • Cloud service provider: Providers of cloud services must be able to monitor the large number of tenants that use the provider’s underlying infrastructure, ensuring visibility across shared devices to prevent lateral movement and lower the risk inherited from each individual tenant.

In addition, in Table 2 we recognize four deployment models for solutions in this report. These are on-premises, cloud-only, hybrid and multi-cloud, and SIEM as a Service (SIEMaaS).

  • On-premises solutions: These are hardware or software solutions installed on the customer’s premises. Customers are responsible for operations and maintenance, though some will purchase support services through the vendor or a third-party service provider.
  • Cloud solutions: Cloud solutions refer to instances of the SIEM platform that can be installed and run from a cloud environment, typically from an infrastructure-as-a-service offering.
  • Hybrid and multi-cloud solutions: These solutions are meant to be installed both on-premises and in the cloud, allowing customers to build hybrid or multi-cloud storage infrastructures.
  • SIEM as a Service (SIEMaaS): This is a user-friendly consumption model, in which the platform is consumed through a web portal and all platform deployment and management is handled by the SIEM vendor.

Table 1. Vendor Positioning: Market Segments

Vendor         Large        Small-to-Medium   Managed Service   Network Service   Cloud Service
               Enterprise   Enterprise        Provider          Provider          Provider
Elastic        3            3                 2                 2                 2
Fortinet       3            2                 3                 2                 0
Huntsman       3            1                 3                 3                 2
IBM            3            1                 3                 3                 3
LogPoint       3            2                 3                 2                 2
ManageEngine   2            2                 2                 0                 0
Micro Focus    3            2                 2                 2                 2
RSA            3            2                 2                 0                 0
Securonix      3            2                 3                 2                 2
Splunk         3            1                 3                 3                 2

3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
1 Limited: Lacking in execution and use cases
0 Not applicable or absent

Table 2. Vendor Positioning: Deployment Models

3. Key Criteria Comparison

Building on the findings from the GigaOm report, “Key Criteria for Evaluating SIEM Solutions,” Table 3 summarizes how each vendor included in this research performs in the areas that we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of different solutions and define the perimeter of the market landscape.

Table 3. Key Criteria Comparison

Vendor         Alarm      Data         Automation   Threat     SIEM       Convergence   Collaboration
               Fidelity   Enrichment                Hunting    Security
Elastic        3          2            1            3          2          2             3
Fortinet       2          3            3            2          2          2             3
Huntsman       3          2            2            3          2          2             2
IBM            3          3            1            3          3          1             2
LogPoint       2          2            2            3          3          2             2
ManageEngine   2          2            2            2          2          2             1
Micro Focus    2          3            3            2          2          3             2
RSA            2          3            3            2          2          3             2
Securonix      3          3            3            3          2          3             2
Splunk         3          3            2            3          2          1             1

3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
1 Limited: Lacking in execution and use cases
0 Not applicable or absent

Finally, Table 4 offers insight into the evaluation metrics for the SIEM category. These are top-line characteristics of solutions that help determine their value and impact on the organization.

Table 4. Evaluation Metrics Comparison

By combining the information provided in the tables above, the reader can develop a clear understanding of the technical solutions available in the market.

4. GigaOm Radar

This report synthesizes the analysis of key criteria and their impact on evaluation metrics to inform the GigaOm Radar graphic in Figure 1. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and feature sets.

Figure 1. GigaOm Radar for SIEM

The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to center judged to be of higher overall value. The chart characterizes each vendor on two axes—Maturity versus Innovation, and Feature Play versus Platform Play—while providing an arrow that projects each solution’s evolution over the coming 12 to 18 months.

Considering the platform-like nature of the SIEM solutions and the long history of vendors in the space, we position vendors in the Radar graphic relative to each other rather than in absolute terms. For example, if a vendor is placed within the Innovation quadrants, that does not mean the vendor lacks a mature SIEM platform, but rather their solution implements innovative features, or has a different strategy for development. Similarly, if a vendor is placed in the Feature Play quadrants, it means the vendor performs well in select use cases or with specific and differentiated features, while still offering a comprehensive feature set.

As you can see in the Radar chart in Figure 1, most vendors have been positioned within the Leaders circle. While there are important differences among the vendors’ capabilities, we do not expect any one solution to considerably outperform others for SIEM-specific capabilities such as alarm fidelity and data enrichment.

The vendors are distributed across the quadrants to reflect their strategies, stand-out features, and developments. Splunk, Huntsman, and IBM offer mature platforms and continue to develop their core capabilities. Micro Focus, Securonix, and RSA are placed in the Innovation quadrants because they all have a well-defined strategy for development; namely, Micro Focus’ tight lateral integration between different platforms, Securonix’ ML-centered platform, and RSA’s evolved SIEM.

Fortinet’s NOC and SOC integration and ManageEngine’s modular solution place them in the Innovation and Feature Play quadrant. Lastly, LogPoint’s excellent SIEM security and Elastic’s stand-out collaboration tools and unique endpoint capabilities place these vendors in the Maturity and Feature Play quadrant, with LogPoint’s outperformer arrow reflecting its innovative development roadmap.

Inside the GigaOm Radar

The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.

The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.

The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.

Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.

5. Vendor Insights

Elastic

Elastic Security stands out from other SIEM solutions in that it is built on the open source Elasticsearch, Logstash, and Kibana (ELK) stack, which the company today continues to extend as the “free and open” Elastic Stack. After acquiring Endgame in 2019, Elastic delivered its first version of a unified security solution in August 2020, by combining SIEM and endpoint security within the same platform.

Elastic offers a superior user experience and an intuitive, dynamic, and highly responsive interface. Its seamless design, rapid search, and level of detail combine to rank it high on the key criteria for threat hunting, as well as in the evaluation metrics for capability and usability. Furthermore, the platform features graphical views of events and timelines, which equips security analysts with the right tools to investigate long-term threats in a context-rich environment.

Supported by flexible pricing—including a free version—Elastic is positioned well in both the total cost of ownership and scalability evaluation metrics. The platform is suitable for companies of all shapes and sizes, from small-to-medium businesses to large corporations, including those in highly regulated industries such as finance and public sector.

Elastic’s security solution is a SIEM platform with extended endpoint security capabilities, which will include full-featured EDR in the near future. However, compared to other players in the space, Elastic Security lacks capabilities in security-related areas such as SOAR or UEBA. This positions the platform lower on the automation key criterion.

Elastic is, however, strong on collaboration. The platform supports excellent communication between security analysts by allowing annotations and comments on most functions, accompanied by full audit trails that ensure visibility across all the actions undertaken in the platform.

Strengths: The “free and open” foundation on which the platform is built positions it well across the defined evaluation metrics. The graphical user interface and seamless design are both standout aspects of the tool.

Challenges: Elastic can improve in the convergence and automation criteria, where its capabilities are limited compared to other vendors featured in the report.

Fortinet FortiSIEM

Fortinet is a key player in the security space, and its FortiSIEM product consolidates its position in the market. With a strong portfolio of security products and the research conducted through FortiGuard labs, Fortinet further enhanced its position by strategically acquiring AccelOps in 2016 to set foot in the SIEM space.

FortiSIEM ranks high on the data enrichment and collaboration metrics due to its strategic decision to integrate full configuration management database (CMDB) capabilities in its SIEM. This feature differentiates FortiSIEM from other solutions, giving security analysts full information about affected devices, backed by features such as file integrity and endpoint monitoring. The CMDB integration brings the network and security operations teams closer together, offering analysts a comprehensive view of the network and security infrastructure through a single interface.

FortiSIEM also scores full marks on the automation metric because it has automated many processes that were traditionally carried out by security and network analysts. These include infrastructure discovery, incident mitigation, and detecting network configuration changes. For customers with more advanced automation requirements, Fortinet also offers a SOAR product that can integrate and enhance FortiSIEM.

FortiSIEM’s rapid-scale architecture allows organizations to scale up the platform quickly by deploying additional worker and collector nodes. This scalable system, combined with the platform’s multi-tenancy capability, makes Fortinet’s SIEM suitable for managed security service providers.

Strengths: FortiSIEM is one of the few solutions that works toward true cross-team collaboration and integration, namely between the SOC and NOC. The product also has very good data enrichment capabilities.

Challenges: While a SaaS deployment model is on Fortinet’s roadmap, it is not available at the time of this writing. Similarly, FortiSIEM may lack capabilities for cloud service providers.

Huntsman SIEM Enterprise and SIEM MSSP

Huntsman is an Australian company with a strong presence in the UK market and clients in both the private and public sectors, including defense, intelligence, and law enforcement. It offers SIEM Enterprise and SIEM MSSP solutions, with a strong focus on simplifying and optimizing security operations through automation and workflow support. Huntsman also offers an Analyst Portal SOAR solution as a separate licensed module, and an optional Scorecard module that provides details about a system’s patch status and software versions, in addition to misconfigurations and other vulnerabilities.

Huntsman’s SIEM solution is a single product, delivered as software, deployable on-premises or in public and private cloud environments. Huntsman does not offer a SaaS option. Its SIEM MSSP product supports multi-tenancy to manage business units as separate silos or as federated units managed by a single team able to share threat intelligence across multiple end customers.

Huntsman provides strong security controls for its SIEM solution through fine-grained role-based access control, and a full-access record and audit trail of SIEM/SOC operations. It supports multi-classification networks for government clients, and compliance monitoring and reporting for GDPR, ISO27001, and a number of other standards.

Huntsman is focused currently on improving the productivity and efficiency of the security operations team by streamlining and automating workflows and presenting clear and actionable data visualizations and risk metrics. It recently introduced a highly flexible MITRE ATT&CK heat map and is developing additional visualizations that graphically represent the progress of an attack across an enterprise.

The company is also working to leverage additional data sources, including endpoint telemetry, vulnerability management, and patch deployment solutions, and Huntsman’s own internal threat intelligence technologies to improve its contextual and risk-based alerting.

Huntsman’s pricing is based on events per second (EPS). It offers a number of purchase options, including multi-year licenses that include maintenance and support, annual subscriptions, and utility pricing based on actual end-customer usage per month for MSSPs.

Strengths: Huntsman’s SIEM solutions prioritize ease of use over the advanced features of more complex offerings. They are likely to appeal to organizations that want incident detection and compliance monitoring, but need plenty of support from automated workflows. Huntsman’s flexible purchase options, strong multi-tenancy capabilities, and the availability of Huntsman’s Analyst Portal SOAR solution are additional strengths.

Challenges: Huntsman has been focused primarily on Australian and UK compliance requirements and public sector customers. As it moves into other markets, it may need to develop reporting capabilities for a wider range of compliance regimes.

IBM QRadar

IBM has a strong security portfolio, including the QRadar Security Intelligence platform, which features SIEM at its core. QRadar SIEM is a well-established and mature platform with deep features, which make it rank high on a variety of metrics, including alarm fidelity, data enrichment, threat hunting, and SIEM security. The comprehensive platform has a long learning curve and requires fine tuning, but becomes highly efficient once it has been calibrated to the customer’s requirements.

Compared to other players in the space, QRadar SIEM ranks lower in automation. The platform supports automation of security intelligence, but does not support workflow automation or other features that can simplify analysts’ tasks. While IBM has a SOAR offering, it is not integrated within QRadar SIEM or the QRadar Security Intelligence platform.

While the QRadar Security Intelligence platform comprises multiple security modules including UEBA, Advisor with Watson, and Vulnerability Management, these features are not directly integrated into the SIEM platform. This approach is different from that of other leading competitors, which focus on convergence and often include these additional features within the SIEM platform at no additional cost.

QRadar SIEM is suitable for large organizations, managed security providers, and cloud and network operators. Due to high cost and high complexity, the platform is not a prime choice for small and medium enterprises that only need to satisfy basic use cases. QRadar can be deployed as either a physical or virtual appliance, or even as SaaS, referred to as QRadar on Cloud, or QRoC.

Strengths: QRadar has all-around powerful capabilities and is a good choice for large organizations, managed security providers, and cloud and network operators. Its multiple deployment models and suite of additional security features allow QRadar to meet a wide range of requirements.

Challenges: The main challenge with IBM’s QRadar is its cost, which makes the product unviable for small-to-medium sized organizations. Furthermore, the solution ranks low on convergence, which goes hand in hand with the high TCO, as other security intelligence solutions must be bought separately.

LogPoint SIEM

The LogPoint SIEM is a solid solution with exceptional security and privacy controls. It is the only SIEM that has achieved Common Criteria EAL 3+ certification. LogPoint is a European company, headquartered in Copenhagen. Naturally, it offers GDPR compliance monitoring and reporting capabilities and is well-positioned to provide the same capabilities for the California Consumer Privacy Act (CCPA) and other new privacy regulations.

LogPoint is developing some innovative features that could differentiate it from its competitors in the near future. These include edge security analytics, in which data preprocessing happens at the edge, reducing the amount of data sent and decreasing the cloud SIEM workload, as well as a bring-your-own-ML feature and AI-based conversion of unstructured threat intelligence.

LogPoint has taken a modular approach to security monitoring and analytics. The LogPoint SIEM, which can be deployed as a single physical appliance or as software spread across multiple physical or virtual servers, provides basic log management and incident detection and investigation capabilities. LogPoint’s Director for SIEM module provides multi-tenancy capabilities for MSSPs or for large enterprise deployments. The company also offers a threat intelligence application as a free plugin, a LogPoint for SAP module to integrate SAP applications with the SIEM, and a UEBA SaaS application available as an add-on service.

LogPoint provides strict role-based, four-eyes access controls to protect the integrity of log data and user privacy. Its UEBA app does not receive plaintext log data; instead, the SIEM hashes data before sending it via an encrypted tunnel, and the UEBA app analyzes the hashed data and sends the results back to the SIEM. LogPoint’s data privacy module can encrypt data fields that contain personal information (PI) for additional privacy protection, and LogPoint can be configured to route sensitive log data to secured repositories. And of course, LogPoint will track cross-border flows for compliance purposes.

LogPoint’s SIEM provides a good balance of capability and ease of use. It has developed a strong library of supported log sources and will provide solutions to support other commercial off-the-shelf applications required by customers at no additional cost. Although it may not have the level of automation and case management offered by some of its competitors, it integrates tightly with many third-party SOAR systems that do provide those features.

LogPoint also ranks high on threat hunting, offering security analysts a wide range of features to search through vast amounts of information and create macros. It also leverages ML-enabled UEBA capabilities and integrates the MITRE ATT&CK framework as visualizations and predefined alerts mapped to the techniques.

LogPoint offers predictable pricing based on the number of devices sending logs to the SIEM rather than data volume or EPS. It also uses a tiered storage model to provide more economical storage for compliance data while maintaining ready access to data needed for analytics.

Strengths: LogPoint is a good choice for companies looking for a solid SIEM solution with excellent support for privacy compliance at a predictable price. With an emphasis on basic SIEM capabilities, the solution is easier to deploy and operate than many of its competitors with broader feature sets.

Challenges: LogPoint does support log collection from some cloud services, but does not have as much cloud coverage as some of its competitors. Its current reliance on SOAR integration also leaves it somewhat lacking in automation and case management for incident response. LogPoint’s roadmap is oriented to address these challenges.

ManageEngine Log360

ManageEngine’s suite of products is the Swiss Army knife of network management, enhanced with security features. Its main SIEM platform, Log360, takes a modular approach to information and event management, integrating several products into a single console. Users can mix and match multiple products to create a bespoke solution, or choose the whole suite for a comprehensive SIEM.

A feature worth noting within the Log360 platform is the machine-learning-powered UEBA facility. It can detect anomalies by recognizing shifts in user or entity activity. It helps identify, qualify, and investigate threats that may otherwise go unnoticed by extracting more information from logs to give better context.

While Log360 is suitable for a range of small and large organizations, its capabilities are limited from a network or cloud service provider’s perspective. In addition, its cloud visibility is currently limited, supporting only log collection for cloud environments. However, these developments are part of ManageEngine’s roadmap, so we expect these capabilities to improve over the next few years.

Log360 has good automation capabilities, and supports the creation of workflows that automate common procedures carried out by security analysts. The solution also features an analytics system, which classifies events into trend reports and system-event views that help security practitioners with analysis and response. It features out-of-the-box correlation rules, including rules for common ransomware attacks. The custom correlation rule builder allows analysts to correlate seemingly unrelated events from across the network to detect attacks.

Strengths: ManageEngine’s modular approach to SIEM allows customers to build a solution that fits their needs. The platform supports a robust range of features and capabilities, and has ongoing ML-related developments at a competitive price.

Challenges: While the modular approach is aligned with ManageEngine’s wider product portfolio, Log360 may lack more comprehensive SIEM-specific capabilities compared to other security-focused or SIEM-focused vendors featured in this report.

Micro Focus ArcSight

ArcSight is a well-known name within the security space, having been developed over more than 20 years. After ArcSight became part of the Micro Focus portfolio, the SIEM platform became a central piece of Micro Focus’ security strategy. This gives ArcSight a high rating in the convergence metric, as it offers a complete end-to-end SecOps solution that consists of SIEM, UEBA, SOAR, and big data threat hunting. These features all reside on a unified platform that includes common storage, a shared data platform, and a unified interface.

Similarly, ArcSight also scores maximum marks for the automation metrics because it offers a full-blown SOAR solution built into the SIEM platform at no additional cost. However, it is worth considering that while Micro Focus is tightly integrating these capabilities within its SIEM platform, development is still ongoing. A truly seamless experience might be available in the near future as the consolidation reaches maturity.

In creating a fully integrated solution that can scale, Micro Focus faces a number of challenges that buyers should investigate. These include the learning curve and a user experience that can become unsustainable quickly when many capabilities are added in a single platform. Scaling and technical support also need a significant portion of the vendor’s resources to ensure that any change management issues can be addressed quickly.

ArcSight’s approach to layered analytics is a distinguishing aspect that simplifies threat detection. It can provide security operations centers with an end-to-end enterprise security operations platform powered by an advanced correlation engine that can detect known threats in real time. Furthermore, ArcSight leverages unsupervised machine learning to detect unknown threats using behavioral analysis, as well as big data threat hunting.

ArcSight ranks high on data enrichment, due to its SmartConnectors feature, which enriches security data collected from 480 data source types. This comprehensive list can support further flexible integration with non-standard sources such as legacy or proprietary systems.

Strengths: Micro Focus has a well-defined strategy that combines multiple security products, including ArcSight SIEM, into a unified platform. The vendor ranks high on enrichment, automation, and convergence, and we expect the integrated platform to mature quickly in the near future.

Challenges: The main drawback of the ArcSight SIEM is its incomplete SaaS deployment, currently limited to only its UEBA and threat-hunting features. In addition, it’s worth considering the integration among these multiple features and evaluating how seamless the analysts’ experience can be with the platform. It’s also important to look at the learning curve that comes with a multitude of features contained in a single platform.

RSA NetWitness

Having developed its SIEM platform over the past 15 years, RSA fully embraces the concept of an evolved SIEM, which makes the platform rank high on the convergence and automation metrics. NetWitness goes beyond the traditional capabilities of a SIEM, including extended detection and response (XDR), user behavior analytics (UBA), and automation and orchestration.

A distinguishing feature of NetWitness is its integration of a fully featured network capture and analytics solution (NTA/NDR). This combination of packet and metadata capture, static file analysis, threat intelligence, and orchestration workflows enables analysts to perform thorough investigations and identify threats that are not detectable with logs alone.

These capabilities are further backed up by RSA NetWitness Detect AI, which leverages a continuously tuned machine learning algorithm that can identify anomalous behaviors and detect unknown threats.

As with other vendors that rank high on convergence, buyers considering RSA NetWitness need to be mindful of user experience and learning curves. It is also worth looking at existing documentation and technical support, especially with respect to change management and scalability, such that all the extended features consolidated in the SIEM platform can work as intended.

NetWitness supports a variety of deployment models, including on-premises, private cloud, and public cloud deployments, as well as hybrid deployments where required. However, NetWitness does not currently offer a complete software-as-a-service model, although the platform does offer several SaaS-based components, including a cloud-based SIEM for logs. While RSA NetWitness is suitable for managed security service providers, as well as small and large organizations, its capabilities for network and cloud service providers require improvement.

NetWitness ranks high on automation due to its integrated orchestrator, which uses a playbook mechanism for automated response actions, automatic detection, and machine learning-powered insights.

Strengths: With the concept of “evolved SIEM” at the core of RSA’s strategy, NetWitness is a powerful solution that ranks high on automation, convergence, and data enrichment. The platform distinguishes itself with a network capture feature that can offer low-level information that may not be available with other platforms.

Challenges: Compared to other vendors, NetWitness currently does not offer a complete SaaS deployment model, although its Detect AI and Orchestrator products are available as SaaS. A common challenge NetWitness users may experience is the learning curve and the overall experience of managing a large number of features within a single platform.

Securonix

Securonix ranks high on a variety of metrics, which is a testament to the company’s strategy for creating a next-generation SIEM that is well-integrated, comprehensive, and aspires to provide a true end-to-end security analytics and operations platform. What also differentiates Securonix from other vendors of similar capabilities is its approach to the cloud. It is one of the few vendors that provides a native and robust SaaS deployment model, and it has even implemented a bring-your-own-cloud model.

Another feature that makes Securonix’s SIEM platform distinctive is the vendor’s Threat Research Lab, which continuously monitors emerging threats and develops detection content that can be applied by customers in production. In addition, Securonix offers prepackaged content that can be deployed using its automated content dispenser. The content includes use cases such as Insider Threat Detection, Fraud Analytics, Threat Hunting, Compliance Reporting, and Identity and Access Analytics.

While other SIEM vendors implement machine learning capabilities to enhance existing features, Securonix took a different approach, putting ML at the core of the platform. It leverages both supervised and unsupervised machine learning to achieve capabilities such as behavior pattern and rare event detection, as well as automated phishing and spam identification.

The vendor scores high on a number of metrics, including alarm fidelity, data enrichment, automation, and threat hunting. For convergence, the Securonix platform includes capabilities relating to UEBA, Security Data Lake, and SOAR. As part of the recent Jupiter release, Securonix offers Autonomous Threat Sweep, which enables automated threat hunting through which customers receive reports with threat hunting outcomes, at no extra cost.

Buyers interested in Securonix’s SIEM need to consider user experience, learning curve, and available documentation. These will be essential to ensuring that the platform’s capabilities can be used as intended, and that the platform’s complexity will not be a hindrance for security analysts.

Strengths: Securonix ranks high across a wide range of metrics and supports most use cases, deployment models, and verticals. It is a well-developed platform that distinguishes itself by putting machine learning at the core of the solution, which may secure Securonix’s position as a leader in the SIEM space.

Challenges: To support security analysts in using Securonix’s comprehensive SIEM, it’s important to consider the learning curve and overall user experience. Addressing these could reduce challenges related to the platform’s time-to-value and the disruptions caused by security analyst churn.

Splunk Enterprise Security

Splunk Enterprise Security (ES) is a mature and powerful platform that equips security analysts with all the information they need to conduct investigations and respond to threats. It ranks high on alarm fidelity, data enrichment, and threat hunting because the platform uses a multitude of data points, such as network, endpoint, and access data, to offer organization-wide visibility and security intelligence.

Besides Enterprise Security, Splunk’s security portfolio also includes UBA—which works closely with ES for advanced analytics and threat detection—and Phantom, its SOAR offering. While these platforms complement each other very well, their level of integration is not as deep as other vendors’, which makes Splunk score lower on the convergence metric.

When integrating with Splunk UBA, Enterprise Security ingests behavioral anomalies to gain additional context around known and unknown threats, and leverages a two-layer machine learning system to surface only the most important threats.

Splunk Enterprise Security supports multiple deployment models, including on-premises appliances, virtual instances in public or private clouds, SaaS, or a combination of these.

Enterprise Security’s out-of-the-box content makes the platform easy to use and lowers the analyst’s learning curve. This content helps create and tune alerts, perform contextual searches, and increase the speed of detection and analysis. Furthermore, the Use Case Library enables faster detection of and incident response to both new and known threats.

Enterprise Security can help analysts investigate compromised systems using Event Sequencing, Investigation Timelines, and Investigation Workbenches. These features are designed to tackle common challenges security analysts face, making the platform rank high on the threat hunting key criterion, as well as on the usability and capability evaluation metrics.

Splunk recently moved away from ingestion-based pricing, and now uses simpler, more predictable pricing based on the number of protected devices. Additionally, Security Cloud, which is Splunk’s new, cloud-native solution, was released recently. We look forward to evaluating it comprehensively in the future.

Strengths: Splunk Enterprise Security is a powerful, analyst-focused SIEM that ranks high in alarm fidelity, data enrichment, and threat hunting. Its feature set and capabilities also make the platform rank very well across most evaluation metrics.

Challenges: Compared to other vendors featured in the report, Splunk Enterprise Security ranks lower on convergence and collaboration. While the platform is tightly integrated with Splunk’s UEBA capabilities, the SIEM platform does not act as the central platform that aggregates SOAR and XDR features under one roof. Similarly, cross-team collaboration, such as between the NOC and SOC, is not a focal point of Enterprise Security.

6. Analyst’s Take

Security information and event management technology is a mature space. In fact, it is reaching a tipping point, and soon a simple SIEM solution will no longer be competitive in the market. Due to the nature of its design—SIEM as the central repository of information for security analysts—the technology is in prime position to swallow the capabilities of other security solutions such as SOAR, UEBA, and EDR. Whether the result will be called simply a next-gen SIEM, or an entirely different name, we expect that SOCs will need only one main platform for collection, filtering, investigation, response, and reporting.

We have captured this trend at a high level under the convergence metric, so we can see how vendors approach this consolidation at different rates or from different angles. Whether they have already started to implement additional capabilities in SIEM, create a tight integration between two different products, or simply bundle multiple products together into an end-to-end solution, a traditional and standalone SIEM likely will be unfit for the SOC of the future.

The caveat regarding this trend is the complexity of the solution. SIEMs were already hard to use effectively, which is the main reason why the SOAR market came into being: to handle the unrelenting volume of SIEM alarms that security analysts had to deal with. The SIEM vendors of the future will be those that have found a way to navigate the user experience and onboarding for the next-gen SIEM.

For today’s buyer, we recommend choosing a vendor whose roadmap matches your expected requirements over the next few years. Consider your use cases, and weigh user experience heavily, especially in cases when vendors already have the capability to deliver multiple functionalities under the same platform.

7. About Chris Grundemann

Chris Grundemann is a passionate, creative technologist and a strong believer in technology’s power to aid in the betterment of humankind. He is currently expressing that passion by helping technology businesses grow and by helping any business grow with technology.

Chris has well over a decade of experience as both a network engineer and solution architect designing, building, securing, and operating large IP, Ethernet, and Wireless Ethernet networks. He has direct experience with service provider and enterprise environments, design and implementation projects, for-profit and not-for-profit organizations, big picture strategic thinking and detailed tactical execution, and standards and public policy development bodies. Chris frequently works with C-level executives and senior engineering staff at internet and cloud service providers, media and entertainment companies, financials, healthcare providers, retail businesses, and technology start-ups.

Chris holds eight patents in network technology and is the author of two books, an IETF RFC, a personal weblog, and a multitude of industry papers, articles, and posts. In addition to being the lead research analyst for all networking and security topics at GigaOm, he is the co-host of Utilizing AI, the Enterprise AI podcast. He is also a cofounder and Vice President of IX-Denver and Chair of the Open-IX Marketing committee. Chris has given presentations in 34 countries on 5 continents and is often sought out to speak at conferences, NOGs, and NOFs the world over.

Currently based in West Texas, Chris can be reached via Twitter.

8. About Logan Andrew Green

Logan Andrew Green is an experienced technologist, whose areas of expertise include enterprise IT, fintech, Internet of Things, artificial intelligence, and fixed and mobile connectivity. His engineering experience as an operational support system designer and radio networks optimization engineer helps him assess new technologies from both a technical and commercial perspective. Currently, Logan oversees Vodafone’s portfolio of managed IT products targeted at large enterprises. He has also been working as a technical writer and business strategist across the technology industry, helping mid-sized organizations define their propositions, offerings, and market positioning.

9. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

10. Copyright

© Knowingly, Inc. 2021. "GigaOm Radar for Security Information and Event Management (SIEM) Solutions" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.