Another year, and Gartner has again published its Magic Quadrant for SIEM, the flagship tool in our Data-Driven Cybersecurity line.

While we update the SIEM functionalities tool we published in 2020, I want to share some conclusions on how this service has evolved and on what vendors now position as new, or default, functionalities of a SIEM solution.


Basic functionalities

SIEM solutions are defined as tools that support the Cybersecurity function in covering the following customer needs:

  • Collection of cybersecurity event logs and real-time telemetry for threat detection and compliance use cases.
  • Analysis of that telemetry, both in real time and over a period of time, to detect threats and other activities of interest.
  • Incident investigation to determine severity and impact to the business.
  • Reporting of such activities.
  • Retention and safeguarding of logs and relevant events.

Although logs remain the main source of events, processing of other telemetry such as network flows or packets is becoming important. In addition, enriching events with user, asset, threat and vulnerability context, so that analysts can assess severity, prioritize and speed up investigation, is becoming critical.

The technology must offer real-time analysis of events and telemetry for security monitoring, advanced user and entity behavior analytics, broad analytics over historical data, support for investigation and incident response, and reporting (including compliance requirements).
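To make the pipeline described above concrete, here is a miniature version of it as an added example (not code from the original post or from any SIEM vendor): raw log lines are collected and normalized, a sliding-window correlation rule detects a burst of SSH failures followed by a success, and each alert is enriched with asset, identity and threat-intelligence context before a priority is assigned. The sample log lines, the asset/user/threat tables, the 60-second window, the three-failure threshold and the scoring weights are all constructed assumptions for illustration.

```python
"""Miniature SIEM pipeline: collect -> normalize -> correlate -> enrich -> prioritize.

Added illustrative example, not code from the original post or from any vendor.
The log lines, context tables, thresholds and scoring weights are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sshd-style log lines (RFC 5737 documentation addresses, not real data).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z db01 sshd[1201]: Failed password for admin from 203.0.113.7 port 5022 ssh2",
    "2024-03-01T10:00:05Z db01 sshd[1201]: Failed password for admin from 203.0.113.7 port 5023 ssh2",
    "2024-03-01T10:00:09Z db01 sshd[1201]: Failed password for admin from 203.0.113.7 port 5024 ssh2",
    "2024-03-01T10:00:14Z db01 sshd[1201]: Accepted password for admin from 203.0.113.7 port 5025 ssh2",
    "2024-03-01T10:01:00Z web02 sshd[8870]: Failed password for deploy from 198.51.100.20 port 4410 ssh2",
    "2024-03-01T10:01:02Z web02 sshd[8870]: Failed password for deploy from 198.51.100.20 port 4411 ssh2",
    "2024-03-01T10:01:04Z web02 sshd[8870]: Failed password for deploy from 198.51.100.20 port 4412 ssh2",
    "2024-03-01T10:05:00Z web02 sshd[8871]: Accepted password for deploy from 198.51.100.20 port 4413 ssh2",
    "2024-03-01T10:02:00Z web02 sshd[9001]: Failed password for bob from 192.0.2.9 port 3300 ssh2",
    "2024-03-01T10:02:30Z web02 CRON[100]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Assumed enrichment sources: asset inventory, identity directory and a threat-intel feed.
ASSET_CONTEXT = {"db01": {"criticality": "high"}, "web02": {"criticality": "medium"}}
USER_CONTEXT = {"admin": {"privileged": True}, "deploy": {"privileged": True}, "bob": {"privileged": False}}
THREAT_INTEL_IPS = {"203.0.113.7": "listed as SSH brute-forcer (constructed feed)"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line):
    """Normalize one raw line into an event dict; return None for lines the rule set ignores."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def _alert(rule, ev, failure_count):
    return {"rule": rule, "ts": ev["ts"].isoformat(), "host": ev["host"],
            "user": ev["user"], "src_ip": ev["ip"], "failures": failure_count}


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Sliding-window rule: `threshold` failures from one IP to one host within `window`
    raise brute_force_attempt; a success while those failures are still inside the window
    raises brute_force_success. Events are processed in timestamp order."""
    failures = defaultdict(deque)  # (host, ip) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = failures[(ev["host"], ev["ip"])]
        while recent and ev["ts"] - recent[0] > window:  # expire failures outside the window
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) == threshold:  # fire once, when the threshold is crossed
                alerts.append(_alert("brute_force_attempt", ev, len(recent)))
        elif len(recent) >= threshold:  # Accepted right after an in-window burst of failures
            alerts.append(_alert("brute_force_success", ev, len(recent)))
    return alerts


def enrich(alert):
    """Attach asset, identity and threat context, then compute a 0-100 priority (assumed weights)."""
    asset = ASSET_CONTEXT.get(alert["host"], {"criticality": "unknown"})
    user = USER_CONTEXT.get(alert["user"], {"privileged": False})
    intel = THREAT_INTEL_IPS.get(alert["src_ip"])
    score = {"brute_force_attempt": 40, "brute_force_success": 70}[alert["rule"]]
    score += {"high": 20, "medium": 10}.get(asset["criticality"], 0)
    score += 10 if user["privileged"] else 0
    score += 20 if intel else 0
    alert["context"] = {"asset": asset, "user": user, "threat_intel": intel}
    alert["priority"] = min(score, 100)
    return alert


def run_pipeline(lines):
    """Collection -> normalization -> correlation -> enrichment, returning prioritized alerts."""
    events = [ev for ev in map(parse_line, lines) if ev]
    return [enrich(a) for a in correlate(events)]


if __name__ == "__main__":
    for a in sorted(run_pipeline(SAMPLE_LOGS), key=lambda a: -a["priority"]):
        print(f'[{a["priority"]:3d}] {a["rule"]} {a["src_ip"]} -> {a["host"]} as {a["user"]} ({a["failures"]} failures)')
```

Two details are worth noting. The successful login on web02 at 10:05:00 does not escalate to brute_force_success because the three failures have already expired from the 60-second window, which is exactly the kind of time-bounded decision a real-time correlation engine makes; and the same rule fires at different priorities on db01 and web02 only because of the enrichment step, which is the point of adding asset, identity and threat context before an analyst triages the queue.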


New capabilities

SIEM has long been the reference solution for security incident detection and response. Last year, new capabilities such as advanced data analytics and process automation and orchestration were introduced. Now the focus is on three key elements:

  • Hybrid Architecture: to cover processing in the Cloud and on premises, and monitoring of SaaS applications and Cloud providers.

  • Collaborative Functionalities: to improve incident investigation and response processes.

  • Managed Services: to support organizations in operating the Cybersecurity function efficiently, creating new use cases and analytics models, threat hunting and investigation, and continuously improving incident investigation and response.


Conclusions

SIEM is here to stay. In the integration of solutions such as UEBA or SOAR we see an evolution of SIEM, with new detection and response capabilities for the Cybersecurity function.

Cloud-native and hybrid SIEM. The fundamental architecture of the SIEM solution is now a Cloud-native SIEM delivered as SaaS, with integrations and visibility across Cloud workloads, on-premises infrastructure and Cloud services (Office 365 or Salesforce, among others).

Not just the tool: customers need MDR. The analysis shows that vendors are looking for channels to offer, or are themselves offering, MDR (Managed Detection & Response) capabilities, because security is not only the technology but also the processes and the teams that operate it.
