2010 Gartner MQ for SIEM
May 15, 2010 The 2010 Gartner Magic Quadrant for Security Information and Event Management.
I took some liberties with the MQ in order to segment out the information in the report for my own analysis. Simple geographical/mathematical groupings were applied and a few notes added.
The cluster of providers in the middle was not unexpected, as I have a similar group in my head when I think about this. Having an outlier like RSA tells me that RSA’s vision resonated very well with Gartner. As it should; however, I’d expect that to become meaningful once they get to the execution. I can’t find the rationale for them escaping the “Clump”. I did use RSA’s relative position as a measuring stick to divide the clump and segment out a couple of “Maybes”.
The “Clump”: Symantec, IBM, CA, LogLogic, Novell, SenSage, LogRhythm, Trustwave, NetIQ, TriGeo, NetForensics, eIQnetworks
The “Maybes”: Nitro and Q1 Labs
The “Others”: Quest, Prism, Tenable, LogMatrix
Next Year: AlienVault and several others might add more to the middle of the page. Splunk was left off of SIEM this year for a reason and I applaud Gartner for doing so!

Note: I do believe that the Strengths and Cautions tell a little better story this year than in previous years.
Trends and Subplots:
1. The re-emergence of NetIQ & SenSage as SIEMs (and SenSage’s continued relationship with HP) is interesting.
2. The “Clump” is a great way to illustrate that there are way too many products that are virtually indistinguishable to the market.
3. I’d expected more from Q1 via the Enterasys and Juniper OEM deals. I also expected Tenable to fare a little better, but Security Center 4 was just released, so I understand its standing is based on a review of the older technology.
4. Enterprise players (RSA, IBM, CA, Symantec) are separating out functionality into various products instead of having it all within the SIEM. I think these guys are ranked a bit too high and right. RSA with Archer will be a great improvement, someday. Even more importantly, RSA has a chance with EMC to really do well in virtualization if they focus on it. We’ll see what happens.
5. There exists a vast ocean between ArcSight and the rest of the field. Out of the “Clump” or “Maybes” I’d expect 1 or 2 to rise over the next year and begin to challenge more directly for #2 in the space. This will require innovation in one or more of User Anomaly/Behavior (beyond IAM), System Config (FIM?), Network Content (beyond netflow), and of course ease of use for security use-cases such as Threat Monitoring and Dynamic Updates!
6. The inability to execute in a viable manner with applications, host attributes, or vulnerability information, or even to get data out of the system, still plagues many vendors in this space - whether or not they admit to it. Read between the lines of the report to figure out who this affects.
You should read the report. Each of the vendors will have copies linked off their webpages and with minimal registration you should have it in a matter of seconds. Enjoy!

Reader Comments (15)
Not sure why Splunk not being there is such a good thing while TriGeo being there isn't a bad thing
Having Splunk not tossed into a SIEM bowl is a good thing, since Splunk is not a SIEM. That proves that you can achieve success outside of rigid Gartner-defined standards...IMHO
BTW, awesome analysis.
MQ does have a few mysteries and I am wondering why/how it happened. E.g. SS (not heard of for a while) and SY (almost got EOL'ed)
I'm reading this more as that Gartner sees ArcSight as most useful to a very mature organization with rigid SIEM processes. They see Symantec as secondary to ArcSight, but also applicable along with a mature process.
For companies that do not have mature processes, and perhaps not a lot of money for SIEM -- it appears Gartner is recommending Tenable.
For those somewhere in-between (or perhaps where good pre-existing relationships exist), Gartner is suggesting that RSA, IBM, CA, LogLogic, and SenSage are performing well along the trajectory.
I don't buy into the logic of your "Clump". You appear to be reading this MQ incorrectly. Novell, LogRhythm, Trustwave, NetIQ, TriGeo, NetForensics, and eIQnetworks do not appear well liked by Gartner -- do not fit with natural processes or capital planning, and appear to not understand the market of SIEM -- while the others I mentioned are well liked.
To continue, Q1 Labs appeared to perform extremely well compared to, say, Nitro, Quest, Prism, and LogMatrix -- Quest and LogMatrix the worst among them.
I don't like or appreciate your analysis. Maybe you should get with Gartner before you make advanced judgments like these. It would also help to compare these products to the literature i.e. "Statistical Techniques for Network Security: Modern Statistically-Based Intrusion Detection and Protection" -- http://isbn.nu/159904708X
Good points across the board.
RE: Splunk/TriGeo. Splunk is a great tool, but simply stated Splunk is not a SIEM. Does it have a place in the enterprise? Maybe, but that depends on the goals of the organization. As a SIEM? Not yet, or at least not without certain applications being written for it and applied to your environment. That is in no way intended to be a "hit" against the technology or the company. Every tool has its purpose and Splunk does a great job in Log Management (Collection and Search at least) and IT Search.
TriGeo is interesting because of their focus on the SMB and not the enterprise, but yet they made the MQ. To me to see TriGeo and not see AlertLogic is interesting as well.
RE: Surprises. Anton points out some interesting things about certain companies on the list that I'm hoping he'll explore in his analysis of the market soon!
RE: @Andre
I appreciate the time you took to comment. I agree with you that a larger analysis is required and I'm working on it! I've spent many years working on these technologies and methods to differentiate between them and have attempted to provide methods for organizations to do it for themselves. I've always pushed to define requirements before choosing a solution. I don't care who the leaders are, just that the technologies continue to evolve and allow security teams to focus on harder problems.
This year's SIEM MQ independently crystallized for me that there exists a "Clump" (horrible word I know, it was 0200) or if you prefer 2 and maybe even 3 tiers of tech in the SIEM space. That seems to be true for both the actual technology and the business perspective. I thought I'd take the opportunity to expand on some recent (and planned) blog posts talking about that separation and even suggesting some steps forward. It was less about the actual Gartner MQ and more about what I'd like to do to help move the market forward.
Rightly or wrongly there is what Gartner intends, what analysts see, what marketing teams will use and what customers will comprehend from these MQ's. Which is right? None of them and all of them.
To me a major point of this post was that I've actually done a pretty in-depth analysis of tech/biz of most of the players and I've come to the conclusion that there is a group of nearly indistinguishable players in the middle (tech, revenue, market share). The definition and focus on the "Clump" is an opportunity for me to express why these vendors need to differentiate themselves further, by tech and/or business model. Hopefully, my next few posts will better articulate where my thoughts are around this topic. In short, there is a ton of opportunity that I don't think has been exploited yet, but I also think that these companies had better figure it out quickly because the tech/biz gap is widening between them and the overall leader(s) and 20+ players won't survive the long term.
I'd love to continue the conversation with you if you have the time, perhaps on an upcoming podcast or via email/skype/phone. I'd love to learn more about how you see this space and from what perspective you approach it.
-Rocky
Interesting analysis - this segment is very crowded, for sure. I think there is a change coming, though.
Based on some research from CSO Mag showing that more than 2/3 of enterprises are looking to swap out their existing log/SIEM solution for something better, a sea change is due. You can see the results of this in the data on how long it takes for companies to discover breaches:
* Verizon study: "weeks or months" in 75% of cases
* Helpnet Security study: 156 days
* Trustwave study: averaged 686 days of exposure
That is way too long! It gets much easier if you vet potentially malicious activities against the results of those activities -- in real time -- to reduce noise, false positives, etc.
@DM
I don't disagree at all that there is both change and consolidation coming. I think it might be a stretch to point incident identification time as a failure of a technology specifically. There are failed teams, technologies and processes in equal parts there. A swap of tech when the other two are flawed only further compounds the issue and delays any idea of incident identification.
I look forward to seeing what you guys (tripwire) are bringing to the market over the next few months.
@Rocky - I fully agree. Technology can help cut through the noise if it's deployed properly, but it is useless unless people have clear processes & policies, good discipline, and a solid understanding of risk to the organization.
I see a lot of enterprises with a collection of 'failed' products because "they didn't work" - and other enterprises that use the same products but achieve awesome results. It's definitely not just a technology problem!
Keep up the great work - love your site.
Thanks for a great post, Rocky. As one of the vendors mentioned, it wouldn't be fair for me to comment on the other vendors, clumpy or otherwise. However, we at ArcSight do agree with your "vastly superior" rating and believe it is borne out in our happy customers and increasing market share :)
Hey Rocky!
Not a bad analysis. Having watched and been part of the SIM market for many years I find the current state of both the vendor and the customer space indicative of a crux in this particular apostrophe. This year's MQ gives a reasonably good view if you have been following the progression.
Of the four fools behind Protego (RIP MARS, we loved you well) I was the most resistant to the SIM idea a decade ago. Prior to that, as the PIX guy, I had killed off management efforts (fyi - from 1998-2001 the PIX Firewall Manager did not actually work, and only a single customer in the entire world noticed ;~). In those days people did not manage security, they deployed devices. Actually integrating security management of a large number of devices was at the time a much larger issue in my opinion than people were aware of (you have to be able to say "billions of events" with a straight face or don't bother coming out), and earlier attempts were mere eye-candy without the scope to actually do the job.
Since then things have progressed in both the vendor and user space, to interesting extents.
o The SANS 2009 Log Management Survey shows a strong shift from a previous desire for folks to simply have their logs stored somewhere to much more focus on actually using them for something (a certain logging vendor's recent pants-drop in pricing is an indication of the validity of that view, imho).
o The SIM (sigh, "SIEM") user community has become much broader and much more sophisticated. Even five years ago, it was rare to find an audience who came into the room with an existing understanding of what it meant. Today it is normal to find folks attending meetings or seminars who not only understand the ideas but have existing hands-on experience with a SIEM of some description.
o The size of the SIM user base is crossing over from being a niche group meeting in a broom closet off the main event to being one of the main topics. The early-mid Naughties (what the heck did we ever agree to call that decade?) was a battle for tens - nay, hundreds! - of customers. Today there seems to be about 20,000 (maybe 30,000 if you squint real hard) SIEM deployments out there, about half commercial and half open source (we at AlienVault thank the second half who love us and are busy sending greeting cards to the first half ;~). The adoption curve is perhaps analogous to firewalls circa 1994 or thereabouts, and the slope is still similarly steep. Inasmuch as those of us in the vendor space can continue to make our offerings more accessible to this broadening base the positive feedback of a large market will continue to accelerate the maturity of both the offerings themselves and the users looking to acquire them.
o Not unlike the early firewall market, the vendor landscape is beginning to morph. ANS Interlock, DEC Seal and Gauntlet could have been forecast to rule the firewall market in 2010, but that would have been an overly simplistic view. Whether our friends wearing the 800-lb gorilla suit in the SIEM space can avoid following the Check Point path in that analogy remains to be seen, but like CP they are driving awareness as only a large single-product specializing vendor can do, and that is good for the entire market.
We will see whether your comment about us pans out, but from my heavily-biased glasses I think you are dead on (we'd like to be upper-right from Rick in 2011, but we may have to wait one more year for that... ;~). The difference between the OSSIM I first noticed in 2006 and the AlienVault I joined forces with this year is instructive of the path that is ours to follow if we do the right things. Time will tell how we do with that, but if I didn't think we'd fulfill your prediction for next year I wouldn't be here this year.
I'll cross-post this comment on the new AlienVault blog and link back to your blog diary here. Good discussion, good comments and always good to share thoughts with you, Rocky!
-cheers!
-chris
AlienVault Blog Diary
@Chris,
Thank you for the insightful comments. I wish AlienVault the best of luck with the new blog and more importantly with business over the coming years! At some point I'll have to get a VM up and running with real data and do an in-depth review on the current technology.
@Rick
That'll teach me to write at 2AM and throw softballs like "clump" :) The separation is vast and the MQ clearly indicated it as does the CC. I'm encouraged at the level of detail they went to in order to indicate the differences.
@Chris... Love the Zappa Reference. Now I have to check out OSSIM;)
Rocky...nice blog entry. Was perusing the net for some SIEM related content and landed up on your blog. I thought it would be prudent to leave a comment after reading #5 about the addition of user behavior/anomaly detection. Couldn't be better timing. At Securonix, we have developed a very cool technology to do just that and are integrating with a number of SIEM vendors (can't leak out any names yet :)...look forward to getting you to try our stuff some time...cheers
Is it possible to watch any demo or webcast?
You should also include those SaaS log management providers.