Magic Quadrant for Security Information and Event Management
Published 3 December 2018 - ID G00348811 - 68 min read

Security and risk management leaders increasingly seek SIEM solutions with capabilities that support early targeted attack detection and response. Users must balance advanced SIEM capabilities with the resources needed to run and tune the solution.

Market Definition/Description

Gartner defines the security information and event management (SIEM) market by the customer's need to analyze event data in real time for early detection of targeted attacks and data breaches, and to collect, store, investigate and report on log data for incident response, forensics and regulatory compliance. The vendors included in our Magic Quadrant analysis have products designed for this purpose, and they actively market and sell these technologies to the security buying center.

SIEM technology aggregates event data produced by security devices, network infrastructure, systems and applications. The primary data source is log data, but SIEM technology can also process other forms of data, such as network telemetry (flows and packets). Event data is combined with contextual information about users, assets, threats and vulnerabilities. The data may be normalized, so that events, data and contextual information from disparate sources can be analyzed for specific purposes, such as network security event monitoring, user activity monitoring and compliance reporting. The technology provides real-time analysis of events for security monitoring, query and long-range analytics for historical analysis, other support for incident investigation and management, and reporting (e.g., for compliance requirements).

Magic Quadrant

Figure 1. Magic Quadrant for Security Information and Event Management. Source: Gartner (December 2018)

Vendor Strengths and Cautions

AlienVault

AlienVault, an AT&T company, was acquired in August 2018, and is part of AT&T's newly created Cybersecurity Solutions division. The AlienVault SIEM product, Unified Security Management (USM) Anywhere, is delivered as SaaS, and includes several components for asset discovery; vulnerability assessment; and intrusion detection system (IDS) for network, host and cloud; as well as for core SIEM capabilities. USM Appliance (an on-premises software deployment) is still supported, but the vendor's emphasis is on the Anywhere SaaS offering. Additional offerings include the Open Threat Exchange (OTX) threat intelligence sharing capability and the OTX Endpoint Threat Hunter service, both no-cost services. AlienVault also offers Open Source Security Information Management (OSSIM).

AlienVault targets end-user SIEM buyers, with an emphasis on financial services and healthcare as well as service providers. End-user customers are typically midmarket, not large, enterprises. Notable capabilities that have been added since the last Magic Quadrant research include monitoring of Google G Suite and Office 365 SaaS, an API to support app integrations, and a central management console (USM Central) for managed security service (MSS) partners.

Midsize organizations seeking a SIEM-as-a-service delivery model with bundled security controls, but with little need for extensive database or application monitoring, or advanced analytics, should consider AlienVault.

Strengths

• USM Anywhere bundles several security controls, sensors and other capabilities, such as file integrity monitoring (FIM)/endpoint detection and response (EDR) and vulnerability scanning, as components of the solution.
• The Anywhere SaaS solution has a straightforward architecture: cloud-based storage and analytics/reporting, with on-premises endpoint agents and a network appliance for log aggregation and forwarding, NIDPS, and vulnerability scanning. Scalability requires adding more agents and network sensors as needed.
• Implementation is straightforward: users request new sensors via the management interface for the specific hosting platform (an on-premises virtual machine or a virtual instance in Amazon Web Services [AWS] or Microsoft Azure), and the sensor is made available to be deployed. Configuring the sensor to accept events is supported by a wizard.
• Product currency and scalability are handled on the cloud-based platform. New features and updates are automatically deployed. If a client exceeds its licensed capacity, it is notified so it can arrange to move to a higher-capacity service tier.

Cautions

• AT&T ha