You are on page 1of 11

MagicQuadrantforSecurityInformationand

EventManagement
20July2015ID:G00267505
Analyst(s):KellyM.Kavanagh,OliverRochford

VIEWSUMMARY
Theneedforearlydetectionoftargetedattacksanddatabreachesisdrivingtheexpansionofnewand
existingSIEMdeployments.AdvancedusersarelookingtoaugmentSIEMwithadvancedprofilingand
analytics.

MarketDefinition/Description
Thisdocumentwasrevisedon21July2015.Thedocumentyouareviewingisthecorrectedversion.For
moreinformation,seetheCorrectionspageongartner.com.
Thesecurityinformationandeventmanagement(SIEM)marketisdefinedbythecustomer'sneedto
applysecurityanalyticstoeventdatainrealtimefortheearlydetectionoftargetedattacksanddata
breaches,andtocollect,store,analyzeandreportonlogdataforincidentresponse,forensicsand
regulatorycompliance.ThevendorsincludedinourMagicQuadrantanalysishavetechnologiesthathave
beendesignedforthispurpose,andtheyactivelymarketandsellthesetechnologiestothesecurity
buyingcenter.
SIEMtechnologyaggregateseventdataproducedbysecuritydevices,networkinfrastructures,systems
andapplications.Theprimarydatasourceislogdata,butSIEMtechnologycanalsoprocessotherforms
ofdata,suchasNetFlowandnetworkpacket.Eventdataiscombinedwithcontextualinformationabout
users,assets,threatsandvulnerabilities.Thedataisnormalized,sothatevents,dataandcontextual
informationfromdisparatesourcescanbecorrelatedandanalyzedforspecificpurposes,suchasnetwork
securityeventmonitoring,useractivitymonitoringandcompliancereporting.Thetechnologyprovides
realtimecorrelationofeventsforsecuritymonitoring,queryandanalyticsforhistoricalanalysisand
othersupportforincidentinvestigationandcompliancereporting.

MagicQuadrant
Figure1.MagicQuadrantforSecurityInformationandEventManagement

EVALUATIONCRITERIADEFINITIONS
AbilitytoExecute
Product/Service:Coregoodsandservicesofferedby
thevendorforthedefinedmarket.Thisincludes
currentproduct/servicecapabilities,quality,feature
sets,skillsandsoon,whetherofferednativelyor
throughOEMagreements/partnershipsasdefinedin
themarketdefinitionanddetailedinthesubcriteria.
OverallViability:Viabilityincludesanassessmentof
theoverallorganization'sfinancialhealth,thefinancial
andpracticalsuccessofthebusinessunit,andthe
likelihoodthattheindividualbusinessunitwillcontinue
investingintheproduct,willcontinueofferingthe
productandwilladvancethestateoftheartwithinthe
organization'sportfolioofproducts.
SalesExecution/Pricing:Thevendor'scapabilitiesin
allpresalesactivitiesandthestructurethatsupports
them.Thisincludesdealmanagement,pricingand
negotiation,presalessupport,andtheoverall
effectivenessofthesaleschannel.
MarketResponsiveness/Record:Abilitytorespond,
changedirection,beflexibleandachievecompetitive
successasopportunitiesdevelop,competitorsact,
customerneedsevolveandmarketdynamicschange.
Thiscriterionalsoconsidersthevendor'shistoryof
responsiveness.
MarketingExecution:Theclarity,quality,creativity
andefficacyofprogramsdesignedtodeliverthe
organization'smessagetoinfluencethemarket,
promotethebrandandbusiness,increaseawareness
oftheproducts,andestablishapositiveidentification
withtheproduct/brandandorganizationintheminds
ofbuyers.This"mindshare"canbedrivenbya
combinationofpublicity,promotionalinitiatives,
thoughtleadership,wordofmouthandsalesactivities.
CustomerExperience:Relationships,productsand
services/programsthatenableclientstobesuccessful
withtheproductsevaluated.Specifically,thisincludes
thewayscustomersreceivetechnicalsupportor
accountsupport.Thiscanalsoincludeancillarytools,
customersupportprograms(andthequalitythereof),
availabilityofusergroups,servicelevelagreements
andsoon.
Operations:Theabilityoftheorganizationtomeet
itsgoalsandcommitments.Factorsincludethequality
oftheorganizationalstructure,includingskills,
experiences,programs,systemsandothervehicles
thatenabletheorganizationtooperateeffectivelyand
efficientlyonanongoingbasis.
CompletenessofVision
MarketUnderstanding:Abilityofthevendorto
understandbuyers'wantsandneedsandtotranslate
thoseintoproductsandservices.Vendorsthatshow
thehighestdegreeofvisionlistentoandunderstand
buyers'wantsandneeds,andcanshapeorenhance
thosewiththeiraddedvision.
MarketingStrategy:Aclear,differentiatedsetof
messagesconsistentlycommunicatedthroughoutthe
organizationandexternalizedthroughthewebsite,
advertising,customerprogramsandpositioning
statements.
SalesStrategy:Thestrategyforsellingproductsthat
usestheappropriatenetworkofdirectandindirect
sales,marketing,service,andcommunication
affiliatesthatextendthescopeanddepthofmarket
reach,skills,expertise,technologies,servicesandthe
customerbase.
Offering(Product)Strategy:Thevendor'sapproach
toproductdevelopmentanddeliverythatemphasizes
differentiation,functionality,methodologyandfeature
setsastheymaptocurrentandfuturerequirements.
BusinessModel:Thesoundnessandlogicofthe
vendor'sunderlyingbusinessproposition.
Vertical/IndustryStrategy:Thevendor'sstrategy
todirectresources,skillsandofferingstomeetthe
specificneedsofindividualmarketsegments,including
verticalmarkets.

Source:Gartner(July2015)

VendorStrengthsandCautions
AccelOps
AccelOpsprovidesfullyintegratedSIMandsecurityeventmanagement(SEM),fileintegritymonitoring
(FIM),configurationmanagementdatabase(CMDB),andavailabilityandperformancemonitoring(APM)
capabilities.Thevendor'sprimaryfocusisitsSIEMsolutionforsecurityoperationsandmanagedsecurity
serviceproviders(MSSPs),butAccelOpsalsoprovidesatightlyintegratedAPMsolution.
MSSPcustomerstypicallyuseboththeSIEMandAPMcapabilitiestoprovideabroadsecurityanddevice
healthmonitoringservicetotheircustomers.Forendusercustomers,thefocusinmostcasesisSIEM,
butabout25%ofendusercustomershaveaddedtheAPMcomponent.
Updatesinthelastyearhaveincludednewintegrationswithopensourceandcommercialthreat
intelligencefeeds,anewcapabilitytoassociateremediationactivitieswithspecificcorrelationrules,and

Innovation:Direct,related,complementaryand
synergisticlayoutsofresources,expertiseorcapital
forinvestment,consolidation,defensiveorpre
emptivepurposes.
GeographicStrategy:Thevendor'sstrategytodirect
resources,skillsandofferingstomeetthespecific
needsofgeographiesoutsidethe"home"ornative
geography,eitherdirectlyorthroughpartners,
channelsandsubsidiariesasappropriateforthat
geographyandmarket.

theadditionofover200newreporttemplates.AccelOpshasalsoreleasedVisualAnalytics,adding
dynamicallygeneratedandinteractiveHTML5dashboards.AnAPIforworkflowintegrationand
bidirectionalnativesupportforServiceNow,ConnectWise,LandeskandRemedyforcehavealsobeen
added.
AccelOpsisagoodfitforenterprisesandMSSPsthatrequireacombinationofsecuritymonitoringand
APMwithintegratedCMDBcapabilities.ItisalsowellsuitedforIToperationsteamswithacombined
operationsandsecurityfunction.
Strengths
AccelOps'combinationofSIEM,FIMandAPMcapabilitiescanbeusedtounifysecurityand
operationsmonitoringfromlogbasedandNetFloweventsources,
AccelOpshasastrongfocusonintegratingoperationalandsecuritycapabilitiestosupport
remediationandincidentmanagement.
Thevendorprovidesstrongsupportfordeploymentinavirtualizedenvironment,aswellasinpublic,
privateandhybridclouds.
Customersreportthatthetechnologyisrelativelyeasytodeploy,withpositivefeedbackforthe
depthandflexibilityofcustomization.TheaverageofAccelOpsreferencecustomersatisfaction
scoresforscalabilityandperformance,predefinedreports,reportcreationandcustomization,ease
andeffectivenessofadhocqueries,productstability,andsupportexperienceishigherthanthe
averagescoresforallreferencecustomersinthoseareas.
Cautions
Outoftheboxsupportforsomethirdpartysecuritytechnologies,suchasdatalossprevention
(DLP),applicationsecuritytesting,networkforensicsanddeeppacketinspection(DPI),isbasic.
TheaverageofAccelOpsreferencecustomersatisfactionscoresforpredefinedcorrelationrulesand
easeofcustomizingthemislowerthantheaveragescoresforallreferencecustomersinthose
areas.
AccelOpshasrelativelylowvisibilityincompetitiveevaluationsofSIEM.

AlienVault
TheAlienVaultUnifiedSecurityManagement(USM)solutionprovidesSIEM,vulnerabilityassessment
(VA),assetdiscovery,networkandhostintrusiondetection(NIDS/HIDS),andfileintegritymonitoring
(FIM).AlienVaultUSMprovidescentralizedconfigurationandmanagementofallAlienVaultcomponents.
TheAlienVaultUSMiscomposedofopensourcecomponents,suchasOpenVAS(VA),Snort,Suricata
(IDS)andOSSEC(HIDS/FIM),andcombinesthesewithSIEMtoprovideaunifiedsecuritysolution.
AlienVaultalsooffersopensourceSIM(OSSIM),afree,opensourceversionofitssolutionwithareduced
featureset.AlienVaultUSMextendsOSSIMwithscalingenhancements,logmanagement,consolidated
administrationandreporting,andfederationforMSSPs.ThevendoralsoprovidestheAlienVaultOpen
ThreatExchangeandThreatIntelligence.AlienVault'sOpenThreatExchangecommunityenablessharing
ofInternetProtocol(IP)andURLreputationinformation.AlienVaultLabsprovidesanintegratedthreat
intelligencefeedtoitscommercialproductsthatincludesupdatestosignature,vulnerability,correlation,
reportingandincidentresponsecontent.
AlienVaultUSMisavailableasanappliance,softwareandvirtualimage,aswellasviaAmazonElastic
ComputeCloud(EC2).Thesensor,loggerandservercomponentsofUSMcanbedeployedcombinedin
onesystem(allinonearchitecture),orasseparateserversinhorizontalandverticaltierstoscaleto
diversecustomerenvironments.
Attheendof2014,AlienVaultreleasedUSMforAmazonWebServices(AWS),apurposebuiltnativeEC2
offeringprovidingassetdiscovery,AWSinfrastructureandvulnerabilityassessment,andAmazon
CloudTrailmonitoringcapabilities,amongothers.Thevendor'stargetmarketisenterpriseswithsmaller
securitystaffsandlimitedsecurityprogramsthatneedmultipleintegratedsecuritytechnologiesata
lowercostandwithgreatersimplicity.TheAlienVaultUSMplatformshouldbeconsideredbyorganizations
thatneedabroadsetofintegratedsecuritycapabilitiesatrelativelylowcost,andbyorganizationsthat
willacceptacommerciallysupportedproductthatisbasedonopensource.
Strengths
AlienVaultUSMprovidesavarietyofintegratedsecuritycapabilities,includingSIEM,fileintegrity
monitoring,vulnerabilityassessment,assetdiscovery,andbothhostbasedandnetworkbased
intrusiondetectionsystems.
Customerreferencesindicatethatthesoftwareandapplianceofferingsaremuchlessexpensive
thanthecorrespondingproductsetsfrommostcompetitorsintheSIEMspace.
AlienVaultoffersasimplifiedlicensingmodelbasedonutilizedappliances,ratherthanoneventsper
second(EPS).
TheaverageofAlienVaultreferencecustomersatisfactionscoresforpredefinedcorrelationrulesand
reports,andtheabilitytocreatecustomcorrelationrules,ishigherthantheaveragescoresforall
referencecustomersinthoseareas.
Cautions
Althoughtheintegratedcombinedcapabilitiesprovideagreaterthanthepartssecurityposture,
theyare,inmanycases,opensourceandnotbestofbreed.
Identityandaccessmanagement(IAM)integrationislimitedtoActiveDirectoryandLDAP
monitoring,andapplicationintegrationisprimarilywithopensourceapplications.
AlienVault'sworkflowcapabilitiesdonotincludeintegrationswithexternaldirectoriesforworkflow
assignments.
TheaverageofAlienVaultreferencecustomersatisfactionscoresforeaseofreportcreationand
customization,easeandeffectivenessofadhocqueries,productqualityandstability,andsupport
experienceislowerthantheaveragescoresforallreferencecustomersinthoseareas.

BlackStratus
BlackStratushasthreeofferings:LogStorm,SIEMStormandComplianceStorm.LogStormprovideslog
managementcapabilitiesaimedatMSSPsandsmalltomidsizeenterprises,andisavailableasvirtualand
hardwareappliances.SIEMStormprovidesfeaturessuchasmultitenancyandsecurityevent
management(SEM)capabilities,includinganalytics,historicalcorrelationandthreatintelligence
integration,andisdeployableassoftwareorvirtualimages.SIEMStormcanbedeployedincombination
withLogStorm,utilizingitasthestorageandcollectiontier.ComplianceStorm,introducedin2014,isa
cloudbasedserviceforlogretentionandscheduledreportingformeetingregulatoryandcompliance
mandates.
LogStormandSIEMStormprovideanintegratedincidentmanagementandticketingsystemguidedby
theSANSsevenstepincidentremediationprocess,andSIEMStormalsoallowsthetrackingofSLA
metricstoaccommodateMSSPandservicecentricenvironments.
Inthepast12months,BlackStratushasaddedconsolidatedcrosstenancyreportingandmonitoring.
BlackStratusisagoodfitforserviceprovidersrequiringacustomizableSIEMplatform,andforservice
centricenduserorganizationslookingtorwellformedmultitenancysupport.
Strengths

LogStormandSIEMStormprovideabidirectionalintegrationAPItoenablecustombuiltservice
architectures.
SIEMStormprovidesalargeselectionofoutofthebox,specialpurposedashboardsforrolessuch
assecurityoperationscenter(SOC)support.LogStormandSIEMStormincludeafullyintegrated
incidentandticketmanagementsystembasedontheSANSsevenstepremediationprocess.
BlackStratusoffersasimplifiedlicensingmodelbasedonbackendstorage,ratherthananEPS
basedmodel.
TheaverageofBlackStratusreferencecustomerssatisfactionscoresforproductqualityandstability
andsupportexperiencearehigherthantheaveragescoresforallreferencecustomersinthose
areas.
Cautions
Outoftheboxsupportforthirdpartydatasourcesislimitedandmayfrequentlyrequirecustom
scripting.
BlackStratushasonlyselectivetechnologyintegrationpartnershipsordeepthirdpartyintegrations.
Advancedsecuritycapabilities,suchascommercialthreatintelligencefeeds,networkforensic/DPI
andIAMintegrations,arecurrentlynotsupported.BlackStratushasfocusedonsalestosecurity
serviceproviders,andhasnotbeenveryvisibleincompetitiveevaluationsforenduser
deployments.
TheaverageofBlackStratusreferencecustomerssatisfactionscoresforoverallscalabilityand
performance,effectiveness,customizationofpredefinedcorrelationsandreports,andeaseand
effectivenessofadhocqueriesislowerthantheaveragescoresforallreferencecustomersinthose
areas.

EMC(RSA)
TheSecurityAnalyticsplatformfromRSA,TheSecurityDivisionofEMC,providesvisibilityfromlog,full
networkpacket,NetFlowandendpointdatacapture.Thesystemperformsrealtimemonitoringand
alerting,forensicinvestigation,analytics,andincidentmanagement.Theplatformincludesphysicalor
virtualappliancesfordataacquisition(Decoderscaptureandenrichnetworkandlogdata,Concentrators
indexdata,BrokersaggregatedatafromConcentrators,andtheEventStreamAnalysisserverdoes
complexcorrelation,eventprocessing,alertingandincidentmanagement).Longtermdatastorageis
providedbyArchivers,andtheRSAdatasciencemodelsprovidecomplexanalysisofhistoricaldata.
Elementsofthesolutioncanbecombinedinoneapplianceordistributedtomeetcustomerdeployment
requirements.AcloudbasedfeedcalledRSALiveprovidesautomaticcontentupdates,including
correlationrules,reportsandthreatintelligencefeeds.
Recentfeatureimprovementsincludebuiltinincidentmanagementwithworkflowcapability,supportfor
NetFlowandsupportfortheCEFlogformat.Otherimprovementsincludeoperationalfeaturesforeasier
softwareupgrades,faultmanagementandhealthmonitoringfortheSecurityAnalyticsplatform.
RSASecurityAnalyticsshouldbeconsideredbysecurityconsciousorganizationsthatneedlogbasedand
networklevelmonitoringforthreatdetectionandinvestigation,andhaveanincidentresponseteam(or
SOC)orarelatedserviceproviderforconfiguringandtuningacomplextechnology.
Strengths
RSA'sSecurityAnalyticsplatformcombinesanalyticsandeventmonitoring,investigation,and
threatintelligenceacrossnetworkpackets,NetFlow,endpointsandlogdata.
Modulardeploymentoptionsenablecustomerstoselectnetworkoreventandlogmonitoringand
analysiscapabilitiesasneeded.
IntegrationswithRSAArchertechnologiesprovideadditionalcontextualdata,workflow,incident
management,runbooks,reporting,managementanalyticsandmetricstosupportSOC
requirements.
Cautions
TheaverageofRSAreferencecustomersatisfactionscoresforscalability,predefinedrulesand
reports,ruleandreportcustomizationfeatures,adhocqueries,productqualityandstability,and
supportexperienceislowerthantheaveragescoresforallreferencecustomersinthoseareas.
TheoutoftheboxSecurityAnalyticsuserinterfaceisbasic.Thepredefinedviewsanddashboards
requiregreatercustomizationthanthoseofcompetitors.
SecurityAnalyticsprovidesonlybasicincidentmanagementcapabilities.Richerworkflowcapabilities
requireintegrationswithRSASecurityOperationsManagement.

EventTracker
EventTrackertargetsitsSIEMsoftwareandserviceofferingprimarilyatmidsizecommercialenterprises
andgovernmentorganizationswithSEMandcompliancereportingrequirements.EventTrackerSecurity
Centerisavailableassoftwareonly,andprovidesSIMandSEMfunctions.TheEventTrackeragent
providessupportforfileintegritymonitoringandUSBcontrol.Therearealsoaddonsavailablefor
vulnerabilityandconfigurationassessment.Basicprofilingcapabilitiesareprovidedviaabehaviormodule
thatcanestablishabaselineofauserconfigurableperiodoftimeandcanissuealertsonanydeviations
fromnormalactivity.RemediationactionscanbeexecutedviaascriptingAPI.
During2014,EventTrackeraddedsupportforThreatIntelligencefeeds,expandeditsAttackSignature
feedsandimprovedsupportforanalyzingapplicationlogs.Aserviceofferingforonpremises,AWSand
Azureinstallationswasalsomadeavailableforenduserbuyersandmanagedservicepartners.
Midsizebusinessesrequiringasoftwarebasedsolutionforlogandeventmanagement,compliance
reporting,andoperationsmonitoringviaonpremisesorcloudhostedSIEM,withoptionalbasic
monitoringservices,shouldconsiderEventTracker.
Strengths
EventTrackeriseasytodeployandmaintain,withcomplianceandusecasespecificknowledge
packsthatprovideprebuiltalertsandcorrelationrulesandreports.
TheaverageofEventTrackerreferencecustomersatisfactionscoresforscalabilityandperformance,
predefinedcorrelationrulesandreports,creatingandmodifyingreporttemplates,adhocqueries,
productqualityandstability,andtechnicalsupportishigherthantheaveragescoresforall
referencecustomersinthoseareas.
EventTrackerincludesabehavioranalysismodulethatprovidesprofilingandanomalydetection
functions.
Servicessuchasperiodiclogreviews,auditassistanceandhealthchecksareavailablefromthe
vendoratalowcost.
Cautions
Thevendortargetsthemidmarket,butisnotasvisibleoncustomershortlistsasotherSIEM
vendorsthatarealsotargetingthissegment.
EventTrackerlacksintegrationswithmanyadvancedtechnologies,suchasuserbehavioranalysis,
advancedthreatdetectionandnetworkforensics.
EventTracker'scapabilitiesforapplicationmonitoringaremorelimitedthanotherSIEMproducts

targetingenterprisedeployments,astheylackintegrationwithmajorpackagedapplications.
Fullincidentmanagement,includingticketing,requiresanexternalsolution.

HP
HP'sArcSightSIEMsolutionincludesEnterpriseSecurityManager(ESM)softwareforlargescale,SEM
focuseddeployments,andArcSightExpress,anappliancebasedofferingforESMforthemidmarketwith
preconfiguredmonitoringandreporting.ArcSightLoggerappliancesandsoftwareprovidelogdata
collectionandmanagementfunctionsthatcanbeimplementedstandaloneorincombinationwithESM.
HPprovidesadditionalmodules,suchasApplicationView,providingruntimeapplicationvisibilitybasedon
HPFortifytechnology,andHPArcSightUserBehaviorAnalytics,providingintegrateduserbehavior
analysis(UBA)capabilitiesbasedonatechnologypartnershipwithSecuronix.ArcSightlicensingis
primarilybasedonconsumptioninGBperday.
HPaddedanumberofimprovementsin2014,notablyfullyintegratedhighavailabilitycapabilitiesfor
ArcSightESM,anupdatedWebUIforArcSightLoggerandenhancementstotheArcSightManagement
Centerthatincludeenhancedhealthmonitoringanddistributedmanagementfeatures.
ArcSightExpressshouldbeconsideredformidsizeSIEMdeployments.ESMisappropriateforlargescale
deploymentsaslongassufficientinhousesupportresourcesareavailable,andfororganizationsseeking
tobuildadedicatedSOC.
Strengths
ArcSightESMprovidesacompletesetofSIEMcapabilitiesthatcanbeusedtosupportanSOC,
includingafullincidentinvestigationandmanagementworkflow.
HPArcSightUserBehaviorAnalyticsprovidestrueandfullUBAcapabilitiesinconjunctionwithSIEM.
HPArcSighthasawidevarietyofoutoftheboxthirdpartytechnologyconnectorsandintegrations.
ArcSightcontinuestobeveryvisibleincompetitiveevaluationsofSIEMtechnologies.
Cautions
UserfeedbackindicatesthatthefatclientconsoleUIforArcSightESMisconsidereddated.HPplans
toreleaseaWebbasedinterfaceinthenearfuture.
HPArcSightdeploymentproposalsroutinelyincludemoreprofessionalservicesthancomparable
offerings.
CustomersstillprovidefeedbackstatingthattheyfindESMtobemorecomplexthanotherleading
solutions.
TheaverageofArcSightreferencecustomersatisfactionscoresforscalabilityandperformance,
effectivenessofpredefinedcorrelationrulesandtheeaseofcustomizingthem,reportcreationand
modification,querycapabilities,andproductqualityandstabilityislowerthantheaveragescoresfor
allreferencecustomersinthoseareas.Customersupporthasbeencitedasafrequentissueby
Gartnerclients.

IBMSecurity
IBMSecurity'sQRadarPlatformincludestheQRadarSIEM,LogManager,VulnerabilityManager,Risk
Manager,QFlowandVFLowCollectors,andIncidentForensics.QRadarcanbedeployedasanappliance,a
virtualapplianceorasSaaS/infrastructureasaservice(IaaS).Componentscanbedeployedinanallin
onesolutionorscaledbyusingseparateappliancesfordifferentfunctions.TheQRadartechnologies
enablecollectionandprocessingoflogdata,NetFlowdata,DPI,fullpacketcaptureandbehavioranalysis
forallsupportedsources.
Recentenhancementsincludeincidentforensicssupport,newdatastorageappliances,improvedquery
supportacrosslogs,flowdata,threatintelligence,andvulnerabilityandassetdata.Thecapabilityto
replayhistoricaleventdatathroughcurrentcorrelationrulesisalsonowavailable.IBMplanstoimprove
incidentresponseworkflowcapabilities,enablesharingofthreatintelligencedata,andintroducemore
advancedanalyticssupportforincidentinvestigationandresponse.
IBMoffersahybriddeliveryoptionforQRadar,withanonpremisesQRadardeployment,aSaaSsolution
hostedonIBMCloudandoptionalremotemonitoringfromIBM'smanagedsecurityserviceoperations
centers.MidsizeandlargeenterpriseswithgeneralSIEMrequirements,andthosewithusecasesthat
requirebehavioranalysis,networkflowandpacketanalysis,shouldconsiderQRadar.
Strengths
QRadarprovidesanintegratedviewoflogandeventdata,withnetworkflowandpackets,
vulnerabilityandassetdata,andthreatintelligence.
Customerfeedbackindicatesthatthetechnologyisrelativelystraightforwardtodeployandmaintain
inbothmodestandlargeenvironments.
QRadarprovidesbehavioranalysiscapabilitiesforNetFlowandlogevents.
TheaverageofIBMreferencecustomerssatisfactionscoresforscalabilityandperformance,
effectivenessofpredefinedcorrelationrules,reportcreation,adhocqueries,productqualityand
stability,andtechnicalsupportishigherthantheaveragescoresforallreferencecustomersinthose
areas.
Cautions
QRadarprovideslessgranularroledefinitionsandintegrationswithenterprisedirectoriesfor
workflowassignment,comparedwithcompetitors'products.
QRadarcustomersreportissueswithearlyversionsofQRadarVulnerabilityManager,including
limitedfunctionality,instability,latefeatureupdatesandsupportdelays.

IntelSecurity
IntelSecurityprovidesMcAfeeEnterpriseSecurityManager,whichcombinesSIMandSEMfunctions,and
isavailableasaphysical,virtualorsoftwareappliance.Thethreeprimarycomponentsthatmakeupthe
SIEMofferingaretheEnterpriseSecurityManager,theEventReceiver(ERC)andtheEnterpriseLog
Manager,whichcanbedeployedtogetherasoneinstance,orseparatelyfordistributedorlargescale
environments.
Capabilitiescanbeextendedandenhancedwitharangeofspecializedaddonproducts,suchasAdvanced
CorrelationEngine(ACE),DatabaseEventMonitor(DEM),ApplicationDataMonitor(ADM),andGlobal
ThreatIntelligence(GTI).
Amongtheenhancementsreleasedinthepast12monthsweresupportforAWSdeploymentandnew
dashboardsforriskanalyticsandcyberthreatmanagement,aswellasimprovedcaseandincident
managementcapabilities.McAfeeEnterpriseSecurityManageralsoreleasedanintegrationwithMcAfee's
AdvancedThreatDefense(ATD)andThreatIntelligenceExchange(TIE)foradvancedthreatmonitoring
anddefense.
McAfeeEnterpriseSecurityManagerisagoodchoicefororganizationsthatutilizeotherIntelSecurity
technologies,aswellasthoseseekinganintegratedsecurityframeworkthatincludesadvancedthreat
defenseormonitoringofindustrialcontrolsystems.
Strengths

Outoftheboxthirdpartydevicesupportiscitedasastrengthbyendusers.TheaverageofIntel
Securityreferencecustomerssatisfactionscoresforscalability,reportcustomization,adhocqueries
andsupportexperienceishigherthantheaveragescoresforallreferencecustomersinthoseareas.
DeepintegrationswithIntelSecurity'sEnterpriseSecurityDatabaseEventMonitorandApplication
DataMonitorprovideindepthdatabaseandapplicationmonitoringforselectedtechnologies.
EnterpriseSecurityManagerhasstrongsupportformonitoringoperationaltechnology(industrial
controlsystems[ICSs]),andsupervisorycontrolanddataacquisition(SCADA)devices.
CustomersreportthatintegratingmultipleMcAfeesecurityproductsoftenyieldsgoodsynergiesand
providesbettersolutionsthanwereotherwiseavailable.
Cautions
IntelSecurity'smanyadvancedSIEMfeaturesandcapabilitiesinareassuchasendpointintelligence
andautomatedresponserequireintegrationswith,orfurtherinvestmentsin,otherIntelportfolio
products.SomerequireePolicyOrchestrator(ePO)toactasmiddleware.
NetFlowcanbeusedtogenerateeventsandalerts,butisnotautomaticallyusedtoenrichlog
basedevents.
Userfeedbackindicatesthatversion9.4.xhasbeentroubledbysomestabilityandperformance
issues.TheaverageofIntelSecurityreferencecustomerssatisfactionscoresforpredefined
correlationruleeffectivenessandcustomization,predefinedreportsandnewreportcreation,and
productqualityandstabilityislowerthantheaveragescoresforallreferencecustomersinthose
areas.

LogRhythm
LogRhythmsellsitsapplianceandsoftwarebasedSIEMsolutionstomidsizeandlargeenterprises.
LogRhythm'sSIEMconsistsofseveralunifiedcomponents:theEventManager,LogManager,Advanced
IntelligenceEngine(AIEngine)andConsole.Fordistributedlogcollection,SiteLogForwardersare
available,andanagentisalsoprovidedforLinux,UnixandWindowsforlocallogcollection.Network
forensiccapabilitiessuchasDPI,NetFlowmonitoringandfullpacketcapturearesupportedvia
LogRhythm'sNetworkMonitor.LogRhythm'sSystemMonitorAgentsincludebasichostactivity
monitoringcapabilitiessuchassystemprocessmonitoringfileintegritymonitoringforWindows,Linux
andUnixandWindowsregistrymonitoring.
Inthepastyear,LogRhythmhasaddedanewincidentresponseandcasemanagementworkflow
capabilitythatincludesacentralizedevidencelockerandincidentresponsecollaborationtools.Ithasalso
expandedthescopeofsupporteddevicesforlognormalizationandapplicationsfornetworkmonitoring.
TheAIEnginehasbeenupdatedtoincluderiskbasedprofilingandbehavioralanalyticstoidentify
statisticalanomaliesfornetwork,useranddeviceactivity.
LogRhythmisanespeciallygoodfitfororganizationsthatrequireanintegratedcombinationofSIEM,
endpointandnetworkmonitoringcapabilities,andthoseorganizationsthatvalueeaseofdeploymentand
predefinedfunctionovera"buildyourown"approachtomonitoring.
Strengths
LogRhythmcombinesSIEMcapabilitieswithendpointmonitoring,networkforensicsandincident
managementcapabilitiestosupportsecurityoperationsusecases.
GartnerreceivesconsistentuserfeedbackstatingthatLogRhythm'ssolutionisstraightforwardto
deployandmaintain,andprovideseffectiveoutoftheboxusecasesandreportingtemplates.
TheaverageofLogRhythmreferencecustomerssatisfactionscoresforscalabilityandperformance,
effectivenessofpredefinedrules,usefulnessofpredefinedreports,easeofuseandeffectivenessof
predefinedqueries,productqualityandstability,andsupportexperiencesupportishigherthanthe
averagescoresforallreferencecustomersinthoseareas.
LogRhythmcontinuestobeveryvisibleinthecompetitiveSIEMtechnologyevaluationsofGartner
clients.
Cautions
Userfeedbackindicatesthatcreatingnewreportingtemplatescouldbemoreintuitive.
Usersreportthatoptionsforreportingfocusedonalerttrendingarelimited.

MicroFocus(NetIQ)
InNovember2014,MicroFocusacquiredNetIQ(aspartofAttachmate).InApril2015,MicroFocus
announcedthattheNetIQproductswouldbebroughtintotheMicroFocusportfoliobrandingand
packagingchangesforSIEMandotherproductsmayoccurin2015.NetIQSIEMiscomposedofthree
packages:Sentinel,SentinelLogManagerandChangeGuardian.Optionalhostmonitoringagentsarealso
available.SentinelandChangeGuardianareofferedbothassoftwareandvirtualappliancedeployments.
SentinelintegrateswithothercoreNetIQtechnologies(AppManager,IdentityManager,AccessManager,
DirectoryandResourceAdministrator,andSecureConfigurationManager).NetIQmademodest
enhancementstoSentinelduringthepast12months.Developmentplansincludemoresupportfor
largescaledatastorageandanalytics,enhancementandextensionofcurrentanalytics,better
visualizationanduserinterfaces,andsupportforthreatexchangeformats.
Sentinelisagoodfitfororganizationsthatrequirelargescalesecurityeventprocessinginhighly
distributedenvironments(suchasretail),andisanespeciallygoodchoicefororganizationsthathave
deployedNetIQIAMinfrastructureandneedsecuritymonitoringwithanidentitycontext.
Strengths
SentinelandSentinelLogManagerareappropriateforlargescaledeploymentsthatarefocusedon
SEMandthreatmonitoring.
IntegrationswithotherNetIQtechnologiesprovidecapabilitiestosupportusermonitoring,identity
andendpointmonitoring,andenforcement/responseusecases.
NetIQagenttechnologycanprovideguaranteeddeliverymechanismsoverandabovenative
platformauditfunctionsoragentlessmethodsforusecasesthatrequireuseranddataaccess
monitoringforservers.
NetIQcustomersgiveSentinelaboveaverageoraveragemarksforreportcreationand
customization,andeaseofadhocqueries.
Cautions
NetIQSentinelhaslowvisibilityincompetitiveevaluationsofSIEMamongGartnerclients.
NetIQprovidesgenericcapabilitiestopulldataforcontext,aswellastoimportfrombigdata
repositories.However,itdoesnotprovidespecificintegrationswithsolutionssuchasentitybehavior
analyticsplatforms.
NetIQhasagenericabilitytointegratethreatintelligencefeeds,aswellaspackagedsupportfor
opensourcefeeds(e.g.,malware)andWebroot.However,supportstilllagsbehindcompetitors.
Usabilityandreportingoftheresultswhenreplayinghistoricaleventdataagainstcorrelationrules
arelimitedwhencomparedwithsomecompetitors.
TheaverageofNetIQreferencecustomersatisfactionscoresforscalabilityandperformance,
correlationrulecustomization,usefulnessofpredefinedreports,effectivenessofadhocqueries,

productqualityandstability,andsupportexperienceislowerthantheaveragescoresforall
referencesacrossthoseareas.

SolarWinds
SolarWindsLog&EventManager(LEM)softwareisavirtualappliance.SolarWindspositionsLEMasan
easytodeployanduseSIEMforresourceconstrainedsecurityteamsthathavenorequirementsforbig
dataadvancedanalyticsormalwaredetectionintegration.LEMhasintegrationswithSolarWinds'other
productsforoperationsmonitoringtosupportactivitiessuchaschangedetectionandrootcauseanalysis.
SolarWindsLEMisagoodfitforsmallormidsizecompaniesthatrequireSIEMtechnologythatiseasyto
deploy,andforthosethatuseotherSolarWindsoperationsmonitoringcomponents.
Strengths
SolarWindsLEMiseasytodeployandprovidesextensivecontentintheformofdashboardsand
predefinedcorrelationrulesandreports.
Thetechnologyiswellsuitedfororganizationsthathavealreadyinvestedinthevendor'sother
technologysolutions.
ASIEMautoresponsecapabilityforendpointUSBandquarantinecontrolisavailableviaanagentfor
Windowssystems.
TheaverageofSolarWindsreferencecustomersatisfactionscoresforoverallscalabilityand
performance,effectivenessofpredefinedrules,usefulnessofpredefinedreports,productqualityand
stability,andsupportexperienceishigherthantheaveragescoresforallreferencesacrossthose
areas.
Cautions
SolarWindsLEMprovidesbasicstatisticalandbehavioranalytics,buthasnointegrationwithuser
behavioranalysistoolsorwithdatawarehousetechnologies.LEMcanobtainalertsfromalimited
numberofmalwaredetectionor"sandboxing"technologies.
CustomersrequiringmoreextensiveuserandapplicationorWebmonitoringmustacquireother
SolarWindsproductstoextendthecapabilitiesavailableinLEM.
AlthoughLEMincludesanativeflowcaptureanddisplaycapability,flowdataisnotavailableforreal
timecorrelationinLEM,andpacketcaptureisnotsupported.

Splunk
SplunkEnterpriseandSplunkCloudprovidesearch,alerting,realtimecorrelationandaquerylanguage
thatsupportsvisualizationusingmorethan100statisticalcommands.SplunkiswidelydeployedbyIT
operationsandapplicationsupportteamsforlogmanagement,analytics,monitoring,andadvanced
searchandcorrelation.Inmanycases,thepresenceofSplunkforoperationssupportleadsto
considerationofthetechnologyforSIEM,andGartnercustomersregularlyincludeSplunkonshortlistsfor
SIEM.TheSplunkAppforEnterpriseSecurityprovidespredefinedreports,dashboards,searches,
visualizationandrealtimemonitoringtosupportsecuritymonitoringandcompliancereportingusecases.
SplunkhascontinuedtoenhancetheAppforEnterpriseSecurity,predefinedsecurityindicatorsand
dashboardsandvisualizations,aswellastoimprovesupportforwiredatacaptureandanalysis.New
advancedqueryanddatapivotenableeasieraccesstofunctionspreviouslyavailableonlythroughthe
Splunkquerylanguage.SplunkcanbedeployedforSIEMasonpremisessoftware,inapublicorprivate
cloud,asaSaaSofferingfromSplunk(SplunkCloud),orinanycombination(hybrid).
Splunksupportsabroadrangeofthreatintelligencefeeds,includingSTIX/TAXIIformatsforimportingand
sharingfeeds.OrganizationsthatrequireanSIEMplatformthatcanbecustomizedtosupportextensive
analyticsfunctionsandavarietyoflogformats,andthosewithusecasesthatspansecurityandIT
operationssupport,shouldconsiderSplunk.
Strengths
Splunk'sstrongpresenceinIToperationsgroupscanprovidesecurityorganizationswithearly
handsonexposuretoitsgenerallogmanagementandanalyticscapabilities,"preSIEM"
deploymentbyoperationsforcriticalresources,andinhouseoperationssupportforexpanded
securityfocuseddeployments.
Splunkcustomerscitevisualizationandbehavioral,predictiveandstatisticalanalyticsaseffective
elementsofadvancedmonitoringusecases,suchasdetectinganomaloususeraccesstosensitive
data.
Splunkhasenhancedbuiltinsupportforalargenumberofexternalthreatintelligencefeedsfrom
commercialandopensources.
TheaverageofSplunkreferencecustomersatisfactionscoresforscalabilityandperformance,
effectiveandusefulpredefinedrulesandreports,ruleandreportcustomizationfeatures,report
creation,easeandeffectivenessofadhocqueries,productqualityandstability,andsupport
experienceishigherthantheaveragescoresforallreferencecustomersinthoseareas.
Cautions
TheSplunkAppforEnterpriseSecurityprovidesbasicsupportforpredefinedcorrelationsforuser
monitoring.Potentialbuyersshouldanticipatemodifyingthoseandbuildingtheirowntoimplement
moreadvancedusermonitoringusecases.
Workflowandcasemanagementfunctionslagbehindthoseofcompetitors.Organizationswith
matureSOCprocessesmayrequirecustomizationorintegrationswiththirdpartytechnologiesfor
thesefunctions.
Splunk'slicensemodelisbasedondatavolumeindexedperday.Customersreportthatthesolution
ismorecostlythanotherSIEMproductswherehighdatavolumesareexpected.

Trustwave
InApril2015,TheSingtelGroup(Singtel)announceditsintenttoacquireTrustwave,andthatTrustwave
willcontinuetooperateasastandalonebusiness.Atthetimeofthiswriting,thedealispending
regulatoryapproval.Trustwave'sprimarybusinessismanagedsecurityservices,vulnerabilityassessment
andcomplianceservices.Trustwavealsooffersabroadportfolioofsecurityproducts,includingsecureWeb
andemailgateways,DLP,aWebapplicationfirewall,networkaccesscontrol,unifiedthreatmanagement
(UTM),securityscanning,andencryptiontechnologies.ThecoreofthisportfolioisanSIEMdeliverablein
severalconfigurationstomeetdiverserequirements,fromlargeenterprise,SEMorienteddeploymentsto
midsizedeploymentswithmoremodestSEMneeds.
TrustwavehasthreeSIEMproductoptions:LogManagementAppliances,SIEMEnterpriseandSIEM
OperationsEdition(OE).SIEMEnterpriseandLogManagementAppliancesareavailableasphysicalor
virtualappliances.In2014,TrustwavedeployedUIanddashboardimprovementsandupgradedhardware
offerings,aswellasfurtherintegrationofitsThreatCorrelationServiceintotheLogandSIEMproducts.
TrustwaveisagoodfitformidsizeorganizationsseekingSIEMasafullportfoliooftechnologiesand
serviceoptionsformeetingthreatmanagementandcompliancerequirements.
Strengths
TheacquisitionbySingtelshouldresultinbetteraccesstosalesandsupportfunctionsinthe
Asia/PacificregionandothermarketswhereSingtelhasapresenceandbrandrecognition.

TheTrustwaveSIEMproductsincludeabroadrangeofdeploymentformatsandserviceoptions,
includinghybridoptionsthatsupportcustomerswithlimitedinternalresourcesfortechnology
managementorsecurityanalysis.
SIEMEnterpriseofferscorrelation,capacityandcustomizationcapabilitiesappropriateforcustomers
withlargescaleeventmonitoringrequirements.
Trustwave'sselfhealingnetworkofferingleveragesTrustwave'sSIEMproductstoprovide
autoresponsecapabilitiessuchasquarantiningandblacklisting.
TheaverageofTrustwavereferencecustomersatisfactionscoresforeaseofcustomizingcorrelation
rulesandreporttemplatesishigherthantheaveragescoresforallreferencecustomersinthose
areas.
Cautions
TrustwaveisnotveryvisibleincompetitiveevaluationsofSIEMofferingsamongGartnerclients.
Supportforexternaldatawarehouseorbigdatatechnologiesisunderdevelopment,butnotyet
availableforTrustwave'sSIEMofferings.Thevendorlagsbehindcompetitorsinsupportingthe
monitoringofcloudenvironments.Trustwave'sSIEMproductsdonotsupportAmazonCloudTrailor
platformasaserviceenvironments.
TheaverageofTrustwavereferencecustomersatisfactionscoresforscalabilityandperformance,
effectivenessofpredefinedrules,usefulnessofpredefinedreports,creatingnewreports,easeand
effectivenessofadhocqueries,productqualityandstability,andoverallsupportexperienceislower
thantheaveragescoresforallreferencecustomersinthoseareas.
CustomersshouldmonitorTrustwave'sSIEMroadmaptoensurethatdevelopmentprioritiesremain
alignedwithcustomerexpectationsinthewakeoftheplannedacquisitionbySingtel.

VendorsAddedandDropped
WereviewandadjustourinclusioncriteriaforMagicQuadrantsandMarketScopesasmarketschange.As
aresultoftheseadjustments,themixofvendorsinanyMagicQuadrantorMarketScopemaychange
overtime.Avendor'sappearanceinaMagicQuadrantorMarketScopeoneyearandnotthenextdoes
notnecessarilyindicatethatwehavechangedouropinionofthatvendor.Itmaybeareflectionofa
changeinthemarketand,therefore,changedevaluationcriteria,orofachangeoffocusbythatvendor.

Added
NovendorswereaddedtotheMagicQuadrant.

Dropped
TIBCOSoftwareisnolongerpositioningitsLogLogicproductasanSIEM.
TenableNetworkSecurity'sSecurityCenterandLogCorrelationEnginearenowpositionedas
complementarytechnologiestoSIEM.TheseproductscansupportsomeSIEMusecases,butare
notsoldormarketedasSIEMs.

InclusionandExclusionCriteria
Thefollowingcriteriahadtobemetforvendorstobeincludedinthe2015SIEMMagicQuadrant:
TheproductmustprovideSIMandSEMcapabilities.
Theproductmustsupportdatacapturefromheterogeneousdatasources,includingnetwork
devices,securitydevices,securityprogramsandservers.
ThevendormustappearontheSIEMproductevaluationlistsofenduserorganizations.
Thesolutionmustbedeliveredtothecustomerenvironmentasasoftwareorappliancebased
product(notaservice).
Vendorswereexcludedif:
TheyprovideSIEMfunctionsthatareorientedprimarilytodatafromtheirownproducts.
TheypositiontheirproductsasanSIEMoffering,buttheproductsdonotappearonthecompetitive
shortlistsofenduserorganizations.
Theyhadlessthan$13.5millioninSIEMproductrevenueduring2014.
Thesolutionisdeliveredexclusivelyasamanagedservice.
SIEMisa$1.69billionmarketthatgrew12.5%during2014,withanexpectedgrowthrateof10.9%
during2015.Forexclusion,Gartnerconsidersrevenueandrelativevisibilityofvendorsinthemarket.
Therevenuethresholdis$13.5millionperyearfor2014(netnewlicenserevenueplusmaintenance).
Visibilityiscalculatedfromthefollowingfactors:presenceonGartnerclientshortlistsviaclientinquiries,
searchreferencesongartner.com,presenceonvendorsuppliedcustomerreferenceshortlistsand
mentionsasacompetitorbyotherSIEMvendors.

EvaluationCriteria
AbilitytoExecute
Productorserviceevaluatesthevendor'sabilityandtrackrecordtoprovideproductfunctionsin
areassuchasrealtimesecuritymonitoring,securityanalyticscompliancereportinganddeployment
simplicity.
Overallviabilityincludesanassessmentofthetechnologyprovider'sfinancialhealth,thefinancial
andpracticalsuccessoftheoverallcompany,andthelikelihoodthatthetechnologyproviderwill
continuetoinvestintheSIEMtechnologysegment.
Salesexecution/pricingevaluatesthetechnologyprovider'ssuccessintheSIEMmarketandits
capabilitiesinpresalesactivities.ThisincludesSIEMrevenueandtheinstalledbasesize,growth
ratesforSIEMrevenueandtheinstalledbase,presalessupport,andtheoveralleffectivenessofthe
saleschannel.ThelevelofinterestfromGartnerclientsisalsoconsidered.
Marketresponsiveness/recordevaluatesthematchoftheSIEMofferingtothefunctional
requirementsstatedbybuyersatacquisitiontime,andthevendor'strackrecordindeliveringnew
functionswhentheyareneededbythemarket.Alsoconsideredishowthevendordifferentiatesits
offeringsfromthoseofitsmajorcompetitors.
MarketingexecutionevaluatestheSIEMmarketingmessageagainstourunderstandingof
customerneeds,andalsoevaluatesanyvariationsbyindustryverticalorgeographicsegments.
Customerexperienceisanevaluationofproductfunctionandserviceexperiencewithin
productionenvironments.Theevaluationincludeseaseofdeployment,operation,administration,
stability,scalabilityandvendorsupportcapabilities.Thiscriterionisassessedbyconducting
qualitativeinterviewsofvendorprovidedreferencecustomers,incombinationwithfeedbackfrom
GartnerclientsthatareusingorhavecompletedcompetitiveevaluationsoftheSIEMoffering.
Operationsisanevaluationoftheorganization'sservice,supportandsalescapabilities,and
includesanevaluationofthesecapabilitiesacrossmultiplegeographies.

Table1.AbilitytoExecuteEvaluation

Criteria
EvaluationCriteria

Weighting

ProductorService

High

OverallViability

High

SalesExecution/Pricing

High

MarketResponsiveness/Record

High

MarketingExecution

Medium

CustomerExperience

High

Operations

High

Source:Gartner(July2015)

CompletenessofVision
Marketunderstandingevaluatestheabilityofthetechnologyprovidertounderstandbuyerneeds
andtotranslatethoseneedsintoproductsandservices.SIEMvendorsthatshowthehighest
degreeofmarketunderstandingareadaptingtocustomerrequirementsinareassuchasearly
targetedattackandbreachdetection,andsimplifiedimplementationandoperation,whilealso
meetingcompliancereportingrequirements.
Marketingstrategyevaluatesthevendor'sabilitytoeffectivelycommunicatethevalueand
competitivedifferentiationofitsSIEMoffering.
Salesstrategyevaluatesthevendor'suseofdirectandindirectsales,marketing,service,and
communicationsaffiliatestoextendthescopeanddepthofmarketreach.
Offering(product)strategyisanevaluationofthevendor'sapproachtoproductdevelopment
anddeliverythatemphasizesfunctionalityandfeaturesetsastheymaptocurrentrequirementsfor
SIMandSEM.Developmentplansduringthenext12to18monthsarealsoevaluated.Becausethe
SIEMmarketismature,thereislittledifferentiationbetweenmostvendorsinareassuchassupport
forcommonnetworkdevices,securitydevices,OSsandconsolidatedadministrationcapabilities.In
thisevaluation,weneutralizedtherelativeratingsofvendorswithcapabilitiesintheseareas,but
therewouldbeaseverevisionpenaltyforavendorthathasshortcomingsinthisarea.Wecontinue
toplacegreaterweightoncurrentcapabilitiesthataidintargetedattackdetection,including:
Vendorcapabilitiesforprofilingandanomalydetectiontocomplementexistingrulebased
correlation.
Threatintelligenceintegration,whichincludesautomatedupdate,filtering,andusagewithin
rules,alertsandreports.
Useractivitymonitoringcapabilities,whichincludemonitoringofadministrativepolicychanges
andintegrationwithIAMtechnologies,forautomatedimportofaccesspolicy(usercontext)for
useinmonitoring.Wealsoevaluatepredefinedanalyticsforuserbehavioranalysis.
Dataaccessmonitoringcapabilities,whichincludedirectmonitoringofdatabaselogsand
integrationwithdatabaseauditandprotectionproducts,DLPintegration,andfileintegrity
monitoringthroughnativecapabilityandintegrationwiththirdpartyproducts.
Applicationlayermonitoringcapabilities,includingintegrationwiththirdpartyapplications(for
example,ERPfinancialandHRapplications,andindustryverticalapplications),forthepurpose
ofuseractivityandtransactionmonitoringatthatlayertheexternaleventsourceintegration
interfacethatisusedtodefinethelogformatofanorganization'sinhousedeveloped
applicationsandtheabilitytoderiveapplicationcontextfromexternalsources.
Analytics,animportantcapabilitytosupporttheearlydetectionoftargetedattacksand
breaches.SIEMvendorshavelongprovidedquerycapabilitiesagainsttheprimarystoragetiers
ofSIEMtechnology.Inordertobeeffectiveforearlybreachdetection,theanalyticscapability
mustincorporatecontextaboutusers,assets,threatsandnetworkactivity,andmustalso
providequeryperformancethatsupportsaniterativeapproachtoinvestigation.SomeSIEM
vendorshaveintroducedseparate"backstores"designedtoholdverylargeamountsof
securityevent,contentandcontextualdata,optimizedforanalysis.AnumberofSIEMvendors
havealsobuiltconnectorsfromtheSIEMtechnologytogeneralpurposebigdatarepositories.
Initialdeploymentsofthe"separateanalyticsbackstore"approachhavebeenimplementedby
asmallnumberofTypeAcompanies.
Inclusionofadvancedthreatdetection,networkmonitoringandpacketcapturecapabilities,
andintegrationswiththirdpartytechnologiesthatprovidethesefunctionsformoreeffective
earlybreachdetection.
Despitethevendorfocusonexpansionofcapability,wecontinuetoheavilyweightdeployment
simplicity.Users,especiallythosewithlimitedITandsecurityresources,stillvaluethisattributeover
breadthofcoveragebeyondthecoreusecases.SIEMproductsarecomplexandtendtobecomemore
soasvendorsextendcapabilities.Vendorsthatareabletoprovideeffectiveproductsthatuserscan
successfullydeploy,configureandmanagewithlimitedresourceswillbethemostsuccessfulinthe
market.
WeevaluateoptionsforcomanagedorhybriddeploymentsofSIEMtechnologyandsupporting
servicesbecauseagrowingnumberofGartnerclientsareanticipatingorrequestingongoingservice
supportformonitoringormanagingtheirSIEMtechnologydeployments.
Vertical/industrystrategyevaluatesvendorstrategiestosupportSIEMrequirementsthatare
specifictoindustryverticals.
Innovationevaluatesthevendor'sdevelopmentanddeliveryofSIEMtechnologythatis
differentiatedfromthecompetitioninawaythatuniquelymeetscriticalcustomerrequirements.
Productcapabilitiesandcustomeruseinareassuchasapplicationlayermonitoring,frauddetection
andidentityorientedmonitoringareevaluated,inadditiontoothercapabilitiesthatareproduct
specificandareneededanddeployedbycustomers.Thereisastrongweightingofcapabilitiesthat
areneededforsecuritymonitoringandtargetedattackdiscoveryuseranddataaccess
monitoring,applicationactivitymonitoring,adhocqueriesandanalytics,capabilities/plansfor
profilingandanomalydetection,andthreatintelligence.Thereisalsoanevaluationoftechnology
capabilitiesformonitoringcloudworkloads.
ForGeographicstrategy,althoughtheNorthAmericanandEuropeanSIEMmarketsproducethe
mostrevenue,LatinAmericaandtheAsia/PacificregionaregrowthmarketsforSIEMandare
drivenprimarilybythreatmanagementandsecondarilybycompliancerequirements.Ouroverall
evaluationofvendorsinthisMagicQuadrantincludesanevaluationofvendorsalesandsupport
strategiesforthosegeographies.

Table2.CompletenessofVision
EvaluationCriteria
EvaluationCriteria

Weighting

MarketUnderstanding

High

MarketingStrategy

Medium

SalesStrategy

Medium

Offering(Product)Strategy

High

BusinessModel

NotRated

Vertical/IndustryStrategy

Medium

Innovation

High

GeographicStrategy

Medium

Source:Gartner(July2015)

QuadrantDescriptions
Leaders
TheSIEMLeadersquadrantiscomposedofvendorsthatprovideproductsthatareastrongfunctional
matchtogeneralmarketrequirements,havebeenthemostsuccessfulinbuildinganinstalledbaseand
revenuestreamwithintheSIEMmarket,andhavearelativelyhighviabilityrating(duetoSIEMrevenue
orSIEMrevenueincombinationwithrevenuefromothersources).Inadditiontoprovidingtechnology
thatisagoodmatchtocurrentcustomerrequirements,Leadersalsoshowevidenceofsuperiorvision
andexecutionforemergingandanticipatedrequirements.Theytypicallyhaverelativelyhighmarket
shareand/orstrongrevenuegrowth,andhavedemonstratedpositivecustomerfeedbackforeffective
SIEMcapabilitiesandrelatedserviceandsupport.

Challengers
TheChallengersquadrantiscomposedofvendorsthathavemultipleproductand/orservicelines,atleast
amodestsizeSIEMcustomerbase,andproductsthatmeetasubsetofthegeneralmarket
requirements.AstheSIEMmarketcontinuestomature,thenumberofChallengershasdwindled.
Vendorsinthisquadrantwouldtypicallyhavestrongexecutioncapabilities,asevidencedbyfinancial
resources,asignificantsalesandbrandpresencegarneredfromthecompanyasawhole,orfromother
factors.However,ChallengershavenotdemonstratedacompletesetofSIEMcapabilitiesortheylackthe
trackrecordforcompetitivesuccesswiththeirSIEMtechnologies,comparedwithvendorsintheLeaders
quadrant.

Visionaries
TheVisionariesquadrantiscomposedofvendorsthatprovideproductsthatareastrongfunctionalmatch
togeneralSIEMmarketrequirements,buthavealowerAbilitytoExecuteratingthantheLeaders.This
lowerratingistypicallyduetoasmallerpresenceintheSIEMmarketthantheLeaders,asmeasuredby
installedbaseorrevenuesizeorgrowth,orbysmalleroverallcompanysizeorgeneralviability.

NichePlayers
TheNichePlayersquadrantiscomposedprimarilyofvendorsthatprovideSIEMtechnologythatisagood
matchtoaspecificSIEMusecaseorasubsetofSIEMfunctionalrequirements.NichePlayersfocusona
particularsegmentoftheclientbase(suchassmallbusinesses,serviceproviders,oraspecificgeographic
regionorindustryvertical)ormayprovideamorelimitedsetofSIEMcapabilities.Inaddition,vendorsin
thisquadrantmayhaveasmallinstalledbaseorbelimited,accordingtoGartner'scriteria,byanumber
offactors.Thesefactorsmayincludelimitedinvestmentsorcapabilities,ageographicallylimitedfootprint,
orotherinhibitorstoprovidingabroadersetofcapabilitiestoenterprisesnowandduringthe12month
planninghorizon.Inclusioninthisquadrantdoesnotreflectnegativelyonthevendor'svalueinmore
narrowlyfocusedmarketsorusecases.

Context
SIEMtechnologyprovides:
SIMLogmanagement,analyticsandcompliancereporting
SEMRealtimemonitoringandincidentmanagementforsecurityrelatedeventsfromnetworks,
securitydevices,systemsandapplications
SIEMtechnologyistypicallydeployedtosupportthreeprimaryusecases:
ThreatmanagementRealtimemonitoringandreportingofuseractivity,dataaccess,and
applicationactivity,incombinationwitheffectiveadhocquerycapabilities
ComplianceLogmanagementandcompliancereporting
AnSIEMdeploymentthatprovidesamixofthreatmanagementandcompliancecapabilities
AlthoughmanySIEMdeploymentshavebeenfundedtoaddressregulatorycompliancereporting
requirements,theriseinsuccessfultargetedattackshascausedagrowingnumberoforganizationsto
useSIEMforthreatmanagementtoimprovesecuritymonitoringandearlybreachdetection.TheSIEM
marketiscomposedoftechnologyprovidersthatsupportallthreeusecaseshowever,thereare
variationsintherelativelevelofcapabilityforeachusecaseindeploymentandsupportcomplexity,in
thescopeofrelatedfunctionsthatarealsoprovided,andinproductsupportforcapabilitiesrelatedto
targetedattackdetection(suchasuseractivitymonitoring,dataaccessmonitoring,applicationactivity
monitoring,theuseofthreatintelligenceandanomalydetection).Thisyear'sevaluationcontinuesto
moreheavilyweightcapabilitiesthatsupporttargetedattackdetection.Asacompaniontothisresearch,
weevaluatetheSIEMtechnologiesofthevendorsinthisMagicQuadrantwithrespecttothethreemajor
usecasesnotedabove(see"CriticalCapabilitiesforSecurityInformationandEventManagement").
OrganizationsshouldconsiderSIEMproductsfromvendorsineveryquadrantofthisMagicQuadrant,
basedontheirspecificfunctionalandoperationalrequirements.Productselectiondecisionsshouldbe
drivenbyorganizationspecificrequirementsinareassuchastherelativeimportanceofcomplianceand
threatmanagementthescaleofthedeploymentSIEMproductdeploymentandsupportcomplexitythe
ITorganization'sprojectdeploymentandtechnologysupportcapabilitiesidentity,dataandapplication
monitoringrequirementsandintegrationwithestablishedapplications,datamonitoringandidentity
managementinfrastructure(see"Toolkit:SecurityInformationandEventManagementRFP").
SecuritymanagersconsideringSIEMdeploymentsshouldfirstdefinetherequirementsforSEMand
reporting.Therequirementsdefinitioneffortshouldincludecapabilitiesthatwillbeneededforsubsequent
deploymentphases.Theprojectwillbenefitfromtheinputofothergroups,includingaudit/compliance,
identityadministration,IToperationsandapplicationowners(see"HowtoDeploySIEMTechnology").
Organizationsshouldalsodescribetheirnetworkandsystemdeploymenttopology,andassessevent
rates,sothatprospectiveSIEMvendorscanproposesolutionsforcompanyspecificdeploymentscenarios.
Therequirementsdefinitioneffortshouldalsoincludephasedeploymentsbeyondtheinitialusecase.This
MagicQuadrantevaluatestechnologyproviderswithrespecttothemostcommontechnologyselection
scenarioanSIEMprojectthatisfundedtosatisfyacombinationofthreatmonitoring/responseand
compliancereportingrequirements.

MarketOverview
Duringthepastyear,demandforSIEMtechnologyhasremainedstrong.Duringthisperiod,thenumber
ofGartnerinquirycallsfromenduserclientswithfundedSIEMprojectsincreasedby24%overthe
previous12months,andmostvendorshavereportedincreasesincustomersandrevenue.During2014,
theSIEMmarketgrewfrom$1.5billiontoapproximately$1.69billion,achievingagrowthrateofabout

14%.Theprimarydriversthatwereinplaceatthestartof2014remainineffect.Threatmanagementis
theprimarydriver,andcomplianceremainsasecondarydriver.InNorthAmerica,therecontinuestobe
manynewdeploymentsbysmallercompaniesthatneedtoimprovemonitoringandbreachdetection.
Compliancereportingalsocontinuesasarequirement,butmostdiscussionswithGartnerclientsare
securityfocused.Therecontinuetobenewdeploymentsbylargercompaniesthatareconservative
adoptersoftechnology.Bothofthesecustomersegmentsplacehighvalueondeploymentand
operationalsupportsimplicity.
WecontinuetoseelargecompaniesthatarereevaluatingSIEMvendorstoreplaceSIEMtechnology
associatedwithpartial,marginalorfaileddeployments.Duringthisperiod,wehavecontinuedtoseea
strongerfocusonsecuritydrivenusecasesfromnewandexistingcustomers.DemandforSIEM
technologyinEuropeandtheAsia/Pacificregionremainssteady,drivenbyacombinationofthreat
managementandcompliancerequirements.GrowthratesinAsiaandLatinAmericaaremuchhigher
thanthoseintheU.S.andEurope.Asaconsequence,ouroverallevaluationofvendorsinthisMagic
Quadrantincludesanevaluationofvendorsalesandsupportstrategiesforthosegeographies.
TheSIEMmarketismatureandverycompetitive.Weareinabroadadoptionphase,inwhichmultiple
vendorscanmeetthebasiclogmanagement,complianceandeventmonitoringrequirementsofatypical
customer.Thegreatestareaofunmetneediseffectivetargetedattackandbreachdetection.
Organizationsarefailingatearlybreachdetection,withmorethan92%ofbreachesundetectedbythe
breachedorganization.Thesituationcanbeimprovedwithstrongerthreatintelligence,theadditionof
behaviorprofilingandbetteranalytics.Wearemonitoringtheemergingentitybehavioranalysis(also
calledentitybehavioranalysis,andsometimescalledUBA)market,asearlyadoptersreporteffective
detectionoftargetedattackswithlimiteddeploymentefforts.WeexpectSIEMvendorstoincreasetheir
supportforbehavioranalysiscapabilitiesandpredefinedcontentoverthenext18months.Most
companiesexpandtheirinitialSIEMdeploymentsoverathreeyearperiodtoincludemoreeventsources,
greateruseofrealtimemonitoringandinvestigationtosupportincidentresponse.ThelargeSIEM
vendorshavesignificantexistingcustomerbases,andtherecontinuestobeafocusontheexpansionof
SIEMtechnologydeploymentswithinexistingaccounts.Ingeneral,SIEMvendorsarecontinuingto
incrementallyimproveproductcapabilitiesinareasrelatedtobreachdetectionthreatintelligence,
anomalydetectionandactivitymonitoringfromthenetworkaswellasinvestigationworkflowandcase
management.

SIEMVendorLandscape
FourteenvendorsmetGartner'sinclusionrequirementsforthe2015SIEMMagicQuadrant.Sixarepoint
solutionvendors,andeightarevendorsthatselladditionalsecurityoroperationsproductsandservices.
TherewerenonotableacquisitionsintheSIEMmarketduring2014.TheSIEMmarketcontinuestobe
dominatedbyrelativelyfewlargevendorsHP,IBM,IntelSecurityandSplunkthatcommandmore
than60%ofmarketrevenue.LogRhythmisanexampleofapointsolutionvendorthatcontinuestodo
verywell,butthereisincreasingstressonmanyoftheremainingsmallvendors.
Therehasbeensomeadditionalmarketconsolidationoverthepast18months.Symantecannounced
theendofsaleofitsSIEMtechnologyasof2September2014,andtheendofsupportasofNovember
2017.TenableNetworkSecurityandTIBCOSoftwarejointhelistofvendorsthatnolongerpositiontheir
technologycompetitivelyintheSIEMmarket,butareappropriateforselectusecasesandasproviding
adjunctcapabilitytoSIEM.Wemaintainrevenuethresholdsandrelativevisibilityrequirementsfor
inclusionofvendorsinthemarket.Therevenuethresholdis$13.5millionperyearfor2014(netnew
licenserevenueplusmaintenance).Visibilityiscalculatedfromthefollowingfactors:presenceonGartner
clientshortlists,presenceonvendorsuppliedcustomerreferenceshortlists,mentionsasacompetitorby
otherSIEMvendorsandsearchreferencesongartner.com.
SIEMtechnologyisnowdeployedbyabroadsetofenterprises.SIEMvendorsareincreasinglyfocusedon
coveringadditionalusecases,sotheycancontinuetoselladditionalcapabilitiestotheircustomerbases.
SomeSIEMtechnologypurchasedecisionsdonotincludeacompetitiveevaluation,becausethe
technologyissoldbyalargevendorincombinationwithrelatedsecurity,networkoroperations
managementtechnologies,butmostSIEMpurchasesaremadeonthemeritsofSIEMcapabilities.Many
SIEMvendorscontinuetodevelopsaleschannelsthatcanreachthemidsizemarketinNorthAmerica.
SaleseffectivenessinLatinAmericaandtheAsia/Pacificregionisalsoafocus.
SIEMvendorshaverespondedtothecustomerfocusontargetedattackandbreachdetectionthrough
incrementaldevelopmentofSIEMcapabilitiesinareassuchasthreatintelligence,analytics,profilingand
anomalydetection,andnetworkactivitymonitoring(bothNetFlowanalysisandfullpacketcapture).
However,wehaveobservedtheemergenceofuserbehavioranalyticspointsolutionvendorsthatare
providingadvancedcapabilitiesintheareaofearlybreachdetection,with"signaltonoiseratios"thatare
muchbetterthanwhathasbeenachievedbySIEMvendors.
Somevendors(IBM,HPandRSA)arealsodevelopingorhavedeployedintegrationswiththeirownbig
datatechnologies,whileothers(IntelSecurityandSplunk)haveintegratedwiththirdpartytechnologies.
Anumberofvendorswithinhousesecurityresearchcapabilities(IBM,HP,IntelSecurity,RSAand
Trustwave)provideintegrationwithproprietarythreatintelligencecontent.VendorsthathavebothSIEM
andMSSPbusinesses(HP,IBM,TrustwaveandEventTracker)aremarketingcomanagedSIEM
technologydeploymentsthatincludearangeofmonitoringservices.RSAprovidesacommonplatformfor
logmanagementandnetworkpacketcapture,andalsointegratesitsSIEMwithitsITgovernancerisk
andcompliancemanagement(GRCM)technology.IntelSecurity'sstrategyisincreasinglyfocusedon
technologyintegrationwithinitsownsecurityportfolioandsellingSIEMtolargeenterprisesthatuseits
endpointsecurityproducts.SeveralvendorsarenotincludedintheMagicQuadrantbecauseofaspecific
verticalmarketfocusand/orSIEMrevenueandcompetitivevisibilitylevels:
FairWarningprovidesprivacybreachdetectionandpreventionsolutionsforthehealthcaremarket
thatentailuseractivityandresourceaccessmonitoringattheapplicationlayer,andhasexpanded
toincludesecuritymonitoringforSalesforce.
LookwiseisanSIEMvendorthatwasspunoutofS21secandhasamarketpresenceprimarilyin
SpainandSouthAmerica.ThedistinguishingcharacteristicofLookwiseisthethreatintelligence
feedsfromS21sec,whicharefocusedonthebankingandcriticalinfrastructuresectors.Lookwise
doesnotmeetourmorestringentrevenueandvisibilitythresholds.
Tripwire'sLogCenterisfocusedonaugmentingTripwirecapabilitiestoprovidegreatersystemstate
intelligence.
Tango/04providesoperationaleventcorrelation,businessprocessmonitoringandSIEMsolutionsto
customersinEuropeandSouthAmerica.Thevendornolongermeetsourmorestringentrevenue
andvisibilitythresholds.
HuntsmanSecurity(partofTier3)isanSIEMvendorwithapresenceprimarilyintheU.K.and
Australia.Thedistinguishingcharacteristicofthetechnologyisitsprofilingandanomalydetection
capabilities.Thevendordoesnotmeetourmorestringentrevenueandvisibilitythresholds.
AfewvendorssellsolutionsthatarebasedonlicensedSIEMtechnology.IBMlicensesitstechnologytoa
fewvendorsthatimplementitstechnologyontheirownappliances,andaddspecificintegrationswith
theirrespectivemanagementinfrastructures.

CustomerRequirementsSecurityMonitoringandComplianceReportingfor
Systems,Users,DataandApplications
Duringthepastyear,GartnerclientsdeployingSIEMtechnologyhavecontinuedtobeprimarilyfocused
onsecurityusecases,eventhoughcompliancecontinuestobeanimportantdriver.Theprimaryfocus

continuestobetargetedattackandbreachdetection.Thesecurityorganizationoftenwantstoemploy
SIEMtoimprovecapabilitiesforexternalandinternalthreatdiscoveryandincidentmanagement(see
"UsingSIEMforTargetedAttackDetection").Asaconsequence,therearerequirementsforuseractivity
andresourceaccessmonitoringforhostsystemsandapplications(see"EffectiveSecurityMonitoring
RequiresContext").Inthisyear'sSIEMvendorMagicQuadrantevaluation,wecontinuetoplacegreater
weightoncapabilitiesthataidintargetedattackdetection,includingsupportforuseractivitymonitoring,
applicationactivitymonitoring,profilingandanomalydetection,threatintelligence,andeffective
analytics.
DemandfromNorthAmericanandEuropeanclientshasincreased,whilethenumberofAsia/PacificSIEM
inquirieshasremainedsteadyasapercentageoftotalSIEMinquiryactivity.Thecontinuedadoptionof
SIEMtechnologybycompanieswithlimitedsecurityprogramshasfosteredademandforproductsthat
providepredefinedsecuritymonitoringandcompliancereportingfunctions,aswellaseaseofdeployment
andsupport.
SIEMsolutionsshould:
Supporttherealtimecollectionandanalysisofeventsfromhostsystems,securitydevicesand
networkdevices,combinedwithcontextualinformationforthreats,users,assetsanddata.
Providelongtermeventandcontextdatastorageandanalytics.
Providepredefinedfunctionsthatcanbelightlycustomizedtomeetcompanyspecificrequirements.
Beaseasyaspossibletodeployandmaintain.

Scalability
ScalabilityisamajorconsiderationinSIEMdeployments.ForanSIEMtechnologytomeetthe
requirementsforagivendeployment,itmustbeabletocollect,process,storeandanalyzeallsecurity
relevantevents.Eventsthatneedtobemonitoredinrealtimehavetobecollectedandprocessedinreal
time.Eventprocessingincludesparsing,filtering,aggregation,correlation,alerting,display,indexingand
writingtothebackstore.Scalabilityalsoincludesaccesstothedataforanalyticsandreportingeven
duringpeakeventperiodswithadhocqueryresponsetimesthatdonotprecludetheuseofan
iterativeapproachforincidentinvestigation.Queryperformanceneedstoholdup,evenastheevent
storegrowsovertime.Wecharacterizethesizeofadeploymentbasedonthreeprincipalfactors:
Thenumberofeventsources
Thesustainedeventspersecond(collectedafterfiltering,ifany)
Thesizeoftheeventbackstore
Weassumeamixofeventsourcesthataredominatedbyservers,butalsoincludefirewalls,intrusion
detectionsensorsandnetworkdevices.SomedeploymentsalsoincludealargenumberofPCendpoints,
butthesearenottypical,andPCendpointcountsarenotincludedinourtotals.Theboundariesforsmall,
midsizeandlargedeploymentsarenotabsolute,becausesomedeploymentsmayhavealargenumberof
relativelyquieteventsources,whileotherswillhaveasmallernumberofverybusyeventsources.For
example,adeploymentwithseveralbusylogsourcesmayexceedtheEPSlimitssetbelowforasmall
deployment,butwillstillbesmallarchitecturally.
Gartnerdefinesasmalldeploymentasonewith300orfewereventsources,asustainedEPSrateof
1,500eventspersecondorless,andabackstoresizedat800GBorless.Gartnerdefinesamidsize
deploymentasonewith400to800eventsources,asustainedeventrateof2,000to7,000eventsper
secondandabackstoreof4TBto8TB.Alargedeploymentisdefinedasonewithmorethan900event
sources,asustainedeventrateofmorethan15,000eventspersecond,andabackstoreof10TBor
more.Someverylargedeploymentshavemanythousandsofeventsources,sustainedeventratesof
morethan25,000EPSandabackstoreofmorethan50TB.Wemayindicatethatavendor'sSIEM
technologyisideallysuitedforasmall,midsizeorlargedeployment,whichmeansthatthesizeisatypical
ormostcommonsuccessfuldeploymentforthatvendor.Everyvendorwillhaveoutliers.

SIEMServices
GartnercustomersincreasinglyindicatethattheyareseekingexternalservicesupportfortheirSIEM
deployment,orareplanningtoacquirethatsupportinconjunctionwithanSIEMproduct.Driversfor
externalservicesincludelackofinternalresourcestomanageanSIEMdeployment,lackofresourcesto
effectivelymonitorthealertsordoso24/7,orlackofexpertisetoexpandthedeploymenttoincludenew
usecases(suchasuseractivitymonitoring).WeexpectdemandbySIEMusersforsuchserviceswill
grow,asmorecustomersadopt24/7monitoringandimplementusecasesthatrequiredeeperSIEM
operationalandanalyticsexpertise.
SIEMvendorsmaysupporttheseneedswithmanagedservices,withstaffaugmentationoroutsourcing
services,orviapartners.Managedsecurityserviceproviders,whichofferrealtimemonitoringand
analysisofevents,andcollectlogsforreportingandinvestigation,areanotheroptionforSIEMusers.The
numberofhostedSIEM,orSIEMasaserviceofferings(suchasSplunkCloudandAlertLogic,andlog
servicesfromSumoLogic),isincreasingtosupportcustomersoptingtoforgoSIEMtechnology
management,butabletouseinternalresourcesformonitoringandinvestigation.Customerspecific
requirementsforeventcollectionandstorage,alerting,investigation,andreportingmayprove
problematicforexternalserviceproviders,andSIEMusersexploringservicesshouldevaluatethefitofthe
serviceprovidertomeetcurrentandplannedusecases.

2015Gartner,Inc.and/oritsaffiliates.Allrightsreserved.GartnerisaregisteredtrademarkofGartner,Inc.oritsaffiliates.Thispublicationmaynotbe
reproducedordistributedinanyformwithoutGartnerspriorwrittenpermission.Ifyouareauthorizedtoaccessthispublication,youruseofitissubjecttothe
UsageGuidelinesforGartnerServicespostedongartner.com.Theinformationcontainedinthispublicationhasbeenobtainedfromsourcesbelievedtobereliable.
Gartnerdisclaimsallwarrantiesastotheaccuracy,completenessoradequacyofsuchinformationandshallhavenoliabilityforerrors,omissionsorinadequacies
insuchinformation.ThispublicationconsistsoftheopinionsofGartnersresearchorganizationandshouldnotbeconstruedasstatementsoffact.Theopinions
expressedhereinaresubjecttochangewithoutnotice.AlthoughGartnerresearchmayincludeadiscussionofrelatedlegalissues,Gartnerdoesnotprovidelegal
adviceorservicesanditsresearchshouldnotbeconstruedorusedassuch.Gartnerisapubliccompany,anditsshareholdersmayincludefirmsandfundsthat
havefinancialinterestsinentitiescoveredinGartnerresearch.GartnersBoardofDirectorsmayincludeseniormanagersofthesefirmsorfunds.Gartnerresearch
isproducedindependentlybyitsresearchorganizationwithoutinputorinfluencefromthesefirms,fundsortheirmanagers.Forfurtherinformationonthe
independenceandintegrityofGartnerresearch,seeGuidingPrinciplesonIndependenceandObjectivity.

AboutGartner|Careers|Newsroom|Policies|SiteIndex|ITGlossary|ContactGartner