Gartner recently published its 2018 Magic Quadrant for Security Information and Event Management (SIEM).
We were very excited to read the report, and it is with great pleasure that we note that the two SIEM vendors Netic recently partnered with, Splunk and IBM, are, according to Gartner's customers, the leading products on the world market.
However, the world market is one thing; Denmark is another matter entirely. We have done our best to relate the report's findings to the demand we see on the Danish market.
But first, let's look at what the Gartner Magic Quadrant for SIEM actually looks like in 2018:
Apart from Splunk and IBM being the two leading vendors, there are no surprises. LogRhythm, a company with several Danish customers, is also named a leader, and RSA, Exabeam and Securonix have moved into the Leaders quadrant, making competition at the top more intense.
Since Gartner's evaluation is based on interviews with Gartner customers, one may conclude that there is general satisfaction with the SIEM solutions on the market and that competition between the vendors is healthy.
To finish off this introduction: LogPoint is part of the MQ for the first time ever, placed as a Niche Player.
SIEM in Denmark
Measured by market penetration, SIEM is still a new technology in Denmark. Most companies are uncertain whether they are organizationally capable of realizing the security value a SIEM creates. This concerns not only the skills needed to operate the solution but also the resources to respond to the alerts and incidents it raises.
For that reason, it is still mostly large companies in Denmark that consider SIEM, and the investment is weighed carefully against the alternatives.
Consequently, many SIEM negotiations in Denmark focus on price rather than on the value a SIEM can bring to the company, and not only in terms of security; we will get back to that.
Let’s take a look at what Gartner has to say about IBM and Splunk.
IBM - QRadar Security Intelligence Platform
QRadar has been positioned as a leader in Gartner's MQ for a number of years and is well established on the SIEM market. The solution consists of several components which together form a security platform for collecting security data and acting on what is collected.
Gartner highlights that QRadar is a strong platform that offers functionality for a wide range of security use cases.
QRadar is also surrounded by a solid ecosystem of both IBM-developed and third-party integrations, available through the IBM marketplace. This leaves QRadar well positioned to address almost every security-related requirement.
Gartner's cautions start with what can only be seen as a cosmetic flaw: the somewhat dated look of QRadar's user interface.
Next, Gartner mentions the way risks are scored in QRadar: a scaled model in which risks are categorized by threat and then graded within each category. Gartner points out that a high level of security maturity is needed to operationalize this scoring. We will get back to this as well.
Lastly, Gartner's customers have a few less than kind words for IBM's service and support. It is nothing new that many global IT companies struggle to deliver high-quality support and service, and IBM is no exception. IBM itself points out that it has increased the headcount for support and service.
Splunk
Splunk was founded in 2003 and has been in the Leaders quadrant for SIEM for six consecutive years. Splunk differs from most other products on the SIEM market by being a general platform for collection, correlation and analysis of data, which means it can be used to analyze data from a wide range of sources. The possible use cases for Splunk go well beyond security.
Splunk has both high market penetration and a highly developed ecosystem of integrations and third-party apps. This makes Splunk a good match both for organizations with low security maturity and for organizations with well-established security processes, from a governance as well as a technical perspective.
Gartner supports this by highlighting that Splunk offers several different entry points to security monitoring.
Stating the obvious: price is one of Splunk's weaknesses.
Gartner's customers emphasize that Splunk's pricing model, which is based on the volume of data ingested, makes it difficult to produce a coherent business case. We agree to a certain extent and admit that Splunk is rarely a cheap solution. It all comes down to use cases: the more uses the company can find for analyzing its data and creating value from it, the better the business case.
In addition, Gartner notes that Splunk's UBA (User Behavior Analytics) is only available for on-premises deployments and not for Splunk's cloud offering. This may cause difficulties for customers who wish to license Splunk in a SaaS model.
The premise of this blog post is that the Danish market for SIEM solutions is still rather immature. Yet we think that every company that depends on data could benefit from a SIEM solution.
For Danish companies, the barriers to investing in a SIEM solution fall into the following three categories:
Typically, all three barriers can be overcome by using an as-a-service model for operating the solution. Whether this model works depends on a number of factors, but the facts are:
- There is a shortage of qualified security specialists in Denmark, and all companies are having a hard time filling vacant positions in security analytics. If the company does not already have the skills in-house, it may be hard to operate the solution.
- The security budget often has to compete with other budgets in the IT department, and even though security is given higher priority than five years ago, large investments in IT security are still a tough decision for most companies.