The security information and event management (SIEM) market, according to Gartner, is "defined by the customer's need to analyze event data in real time for the early detection of targeted attacks and data breaches, and to collect, store, analyze, investigate and report on event data for incident response, forensics and regulatory compliance."
But which SIEM offerings are most helpful for customers -- and which SIEM platforms are designed for MSSP adoption? MSSP Alert took a look at the Gartner Magic Quadrant for SIEM 2017. We've summarized the Gartner findings below, while also adding some of our own spin on the partner and MSSP front. Vendors mentioned in the article below are sorted alphabetically below and not by ranking. The Magic Quadrant grid is on the final page, showing companies in their actual grid (leaders, challenges, visionaries and niche players).
Got feedback on our MSSP-related perspectives, or SIEM-focused MSSP partner programs? Send me email ([email protected]).
1. AlienVault
Gartner quadrant: Niche player Gartner says: AlienVault competes in the SIEM market with two offerings: AlienVault Unified Security Management (USM) Appliance (physical or virtual) for on-premises deployment and AlienVault USM Anywhere, a cloud-based SaaS solution. USM Appliance includes file integrity monitoring (FIM) via the host intrusion detection system (IDS), NetFlow analysis and full-packet capture. USM Anywhere is designed to monitor cloud and on-premises environments from the AlienVault Secure Cloud. AlienVault also offers Open Threat Exchange (OTX), a free, community-supported threat intelligence sharing forum that integrates threat intelligence into USM. MSSP Alert says: AlienVault solutions often are too complex for smaller MSPs to deploy and manage. But a November 2017 relationship with ConnectWise simplifies how AlienVault's offerings are consumed, deployed and managed by MSPs and emerging MSSPs. Moreover, AlienVault is very, very serious about MSSP engagements.2. BlackStratus
Gartner quadrant: Niche player Gartner says: BlackStratus is a SIEM technology and service-focused vendor with solutions aimed at large enterprises, small or midsize businesses (SMBs), managed security service providers (MSSPs), and managed service providers (MSPs). The portfolio is composed of LOGStorm, SIEMStorm and CYBERShark. MSSP Alert says: CYBERShark has a very strong brand among MSPs in the SMB sector, but some partners have been trying to figure out if there are lower cost alternatives.3. Dell Technologies (RSA)
Gartner quadrant: Challenger Gartner says: RSA (a Dell Technologies business since the acquisition of EMC by Dell in September 2016) competes in the SIEM market via its RSA NetWitness Suite. The suite is composed of RSA NetWitness Logs and Packets, RSA NetWitness Endpoint, and RSA NetWitness Security Operations (SecOps) Manager. MSSP Alert says: The RSA brand has struggled a bit to remain relevant. Rumors about Dell or EMC potentially selling the business popped up multiple times during the Dell-EMC merger discussions. And RSA, overall, is now better known for its annual industry conference that its actual products.4. EventTracker
Gartner quadrant: Niche player Gartner says: In October 2016, EventTracker merged with Netsurion, a provider of managed security services, and EventTracker continues as a subsidiary with its own brand. EventTracker targets its SIEM software and service offerings primarily at midsize and government organizations with security event management and compliance reporting requirements. MSSP Alert says: EventTracker is serious about MSSP engagements.5. Exabeam
Gartner quadrant: Visionary Gartner says: Exabeam Security Intelligence Platform is a collection of components that collectively deliver the Exabeam SIEM solution that was introduced in February 2017. The platform is built on a variety of big data technologies, including Elastic, Hadoop, Kafka and Spark. Data management (collection, parsing, indexing and storage) is provided by Log Manager, which also includes agent-based collectors that can collect logs from local resources or from cloud-based applications using RESTful APIs. MSSP Alert says: Exabeam briefly mentioned MSSPs in their 3.0 release launch statement back in 2016. We'd like to hear that MSSP emphasis far more regularly.6. FireEye
Gartner quadrant: Niche player Gartner says: FireEye is a new entrant in the SIEM Magic Quadrant. FireEye's SIEM offering is Threat Analytics Platform (TAP), which is delivered as a service leveraging AWS. TAP provides real-time security analytics, investigative threat hunting, monitoring and data management, and storage, with data segregated on a per-customer basis. Integrated threat intelligence is provided by in-house iSIGHT security researchers and Mandiant incident responders. Both multitenant as well as single-instance versions are supported. MSSP Alert says: FireEye has struggled to maintain healthy, pure channel relationships ever since the company acquired Mandiant for IT consulting and forensics expertise. However, the company's overall security solutions are respected by partners.7. Fortinet
Gartner quadrant: Niche player Gartner says: FortiSIEM, acquired from AccelOps in 2016, is a component of Fortinet's Security Fabric framework that provides traditional SIM and SEM capabilities, complemented by a built-in CMDB, application and system performance monitoring capabilities, and agent-based FIM. Fortinet positions FortiSIEM for MSPs, telecommunications providers and MSSPs that use or support other Fortinet solutions, in addition to security operations buyers in large enterprises, government and education. MSSP Alert says: Fortinet helped to pioneer the MSSP and MSP channel models. The company is highly respected in MSSP circles.8. IBM
Gartner quadrant: Leader Gartner says: IBM QRadar Security Intelligence Platform is composed of QRadar SIEM at the core, with additional components providing complementary security monitoring and operations capabilities, such as log management (Log Manager), network monitoring (QFlow, Network Insights and Incident Forensics), vulnerability management (Vulnerability Manager) and risk management (Risk Manager). IBM positions QRadar as an on-premises solution available via a stand-alone or distributed architecture, SIEM as a service (QRadar on Cloud) or as co-managed QRadar in partnership with IBM Managed Security Services. MSSP Alert says: IBM itself is a Top 100 MSSP for 2017, but the company has been working more closely with MSSP partners in recent years.9. LogRhythm
Gartner quadrant: Leader Gartner says: LogRhythm Threat Lifecycle Management Platform provides core SIEM capabilities, in addition to optional add-ons for network and host monitoring. LogRhythm's SIEM solution consists of several components that can be run from a single appliance or separately as discrete components — Data Collector, Data Processor, Data Indexer, AI Engine, Platform Manager and WebUI Services. Multitenancy for MSSP buyers is also natively supported. MSSP Alert says: Yes indeed, LogRyhthm's partner program specifically serves MSSPs.10. ManageEngine
Gartner quadrant: Niche player Gartner says: Log360 is the SIEM offering from ManageEngine, a division of Zoho. ManageEngine Log360 is composed of three components — EventLog Analyzer, which provides core SEM and SIM features including event log management, correlation-based analytics, and management/UI for reports, dashboards and log search functionality; ADAudit Plus, which provides real-time monitoring and auditing for AD; and Cloud Security Plus, which manages log event data from public cloud environments. MSSP Alert says: ManageEngine is perhaps better known as an IT management platform provider to MSPs, but we get the sense that a more concerted MSSP push is coming... Gartner's SIEM Magic Quadrant 2017 with our partner spin continues on page two with companies 11 to 19 (sorted Alphabetically, not by ranking) Welcome to companies 11 to 19 -- sorted Alphabetically.11. McAfee
Gartner quadrant: Leader Gartner says: McAfee Enterprise Security Manager (ESM) provides core SIEM functionality, including a web-based user interface, a parsed event database, reporting capabilities and central management of other components in the solution. The other components in the solution include Event Receiver (ERC), which provides event and flow collection, and event parsing and normalization; Enterprise Log Manager (ELM), which collects, manages and stores all raw events; Advanced Correlation Engine (ACE), which provides real-time analytics using four types of correlation approaches (rule-based, risk-based, statistical and historical); and Enterprise Log Search (ELS) for log search functionality. MSSP Alert says: McAfee has been striving to accelerate a channel partner renaissance ever since Intel sold its majority ownership in the company. There are signs of progress.12. Micro Focus (ArcSight)
Gartner quadrant: Challenger Gartner says: In September 2017, Hewlett Packard Enterprise (HPE) and Micro Focus closed a business transaction that resulted in the ArcSight SIEM product becoming part of the Micro Focus business. ArcSight Enterprise Security Manager (ESM) is the core component of ArcSight's SIEM solution. Data collection and management is enabled by ArcSight Data Platform (ADP) using HDFS, Kafka, and Logger and Connectors (both prepacked SmartConnectors and customizable FlexConnectors). MSSP Alert says: The company quietly has MSSP-friendly partners -- including SOC Prime.13. Micro Focus (NetIQ)
Gartner quadrant: Niche player Gartner says: NetIQ Sentinel is a SIEM solution from Micro Focus. Sentinel Enterprise is the full SIEM solution that provides SIM and SEM capabilities to support both threat detection- and compliance-oriented use cases. Sentinel for Log Management provides log management, search and reporting capabilities, and can be upgraded to Enterprise. MSSP Alert says: The company offers some clear guidance on potential MSSP partnerships and relationships for customers.14. Rapid7
Gartner quadrant: Visionary Gartner says: InsightIDR is Rapid7's SIEM solution that is delivered as a service via the Insight platform. The solution consists of the InsightIDR service, EDR agents and honeypots. InsightIDR provides core SIEM features like log collection and management, threat detection rules and correlations, advanced analytics, dashboards, case management, and workflow and reporting. MSSP Alert says: The company positions itself as a more robust MSSP alternative, and the partner program focuses mostly on distributors and resellers.15. Securonix
Gartner quadrant: Visionary Gartner says: Securonix's SIEM platform is branded as Snypr Security Analytics and runs on top of a Hadoop big data platform. Snypr incorporates an event and data collection and management tier, advanced analytics that include native UEBA functionality as well as a threat library of traditional signatures and rules, and case management and workflow functions. MSSP Alert says: The company's partner program specifically mentions MSSPs -- but so far most of the chatter involves IT consulting partners.16. SolarWinds
Gartner quadrant: Niche player Gartner says: SolarWinds Log & Event Manager (LEM) provides SEM and SIM functionality delivered as a virtual appliance for VMware and Hyper-V platforms. SolarWinds LEM is composed of Manager, which provides central management of the overall solution as well as log and event management and storage; Console, which provides the user interface; and Agents. MSSP Alert says: The company's SolarWinds MSP arm supports roughly 20,000 MSPs worldwide, but many of them offer network- and device-centric managed services. The push is on to more aggressively promote security services.17. Splunk
Gartner quadrant: Leader Gartner says: Splunk's Security Intelligence Platform is composed of Splunk Enterprise and two premium solutions, Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk Enterprise is the core component of the product, providing event and data collection, a variety of analytics capabilities, search, and visualizations. Splunk Enterprise (aka Core Splunk) and Splunk Cloud provide use-case-agnostic data analysis capabilities that are used for various purposes like IT operations, application and network performance monitoring, business intelligence, and some security use cases. MSSP Alert says: Splunk is extremely serious about expanding its partner program -- including deeper MSP engagements focused on security.18. Trustwave
Gartner quadrant: Niche player Gartner says: Trustwave's SIEM solution is composed of two versions — SIEM Enterprise and Log Management Enterprise (LME). Both products complement their broader security solution offerings across network, endpoint, and content and data security. Customers consuming SIEM Enterprise as a service leverage the local collector appliance (LCA). MSSP Alert says: Trustwave is a Top 100 MSSP for 2017 in its own right, but the company also has a healthy, growing channel partner program.19. Venustech
Gartner quadrant: Niche player Gartner says: The Venustech SIEM solution is composed of various components under the Venusense Unified Security Management (USM) product, which includes modules for Security Analytics (SA), Network Behavior Analysis (NBA), Configuration Verification System (CVS) and Business Security Management (BSM). Venusense SA provides log collection, normalization and storage, and an analytics engine for threat detection and compliance use cases. It is based on a big data platform, with both Hadoop and Elasticsearch options available, that enables ML analytics in addition to standard correlation-based detection. MSSP Alert says: Venustech is best known in China, and the company's partner program focuses mostly on more traditional distributors and resellers.Gartner SIEM Magic Quadrant Grid 2017
Here's a look at the actual Gartner Magic Quadrant 2017 for SIEM, and where each vendor plots on the chart:
