Microsoft Debuts as 'Leader' in New SIEM (Security) Research Report

Microsoft didn't make it into Gartner's 2020 research report on Security Information and Event Management (SIEM) vendors, but in the new 2022 report it's grouped in the "leaders" section and actually leads everyone on the "ability to execute" axis.

That's because the company's SIEM offering, Microsoft Sentinel, didn't debut until late 2019 (as Azure Sentinel), though it did make the 2021 report as a "visionary" offering in the research firm's famed "Magic Quadrant" report format, which also includes "challengers" and "niche players."

Here's how Gartner describes SIEM:

SIEM aggregates the event data that is produced by monitoring, assessment, detection and response solutions deployed across application, network, endpoint and cloud environments. Capabilities include threat detection, through correlation and user and entity behavior analytics (UEBA), and response integrations commonly managed through security orchestration, automation and response (SOAR). Security reporting and continuously updated threat content through threat intelligence platform (TIP) functionality are also common integrations. Although SIEM is primarily deployed as a cloud-based service, it may support on-premises deployment.

Microsoft rode the success of Microsoft Sentinel to join four other vendors who were also named leaders last year (IBM, Splunk, Securonix and Exabeam), while two vendors (LogRhythm and Rapid7) dropped out of the leaders box and into the challengers quadrant.

"Microsoft is a Leader in this Magic Quadrant," the report said. "Its SIEM product, Microsoft Sentinel, is delivered only as SaaS via Microsoft's Azure data centers. Microsoft has a large and diverse customer base, catering for large and small customers alike, and offering the SIEM product in multiple settings internationally. Licensing is based on the volume of data ingested, via reserved capacity, or pay-as-you-go. However, many of the Microsoft enterprise tiers for Microsoft 365 include credit for Sentinel and Defender usage. Enhanced data storage, complementary Microsoft ecosystem capabilities (such as Defender for Endpoint and Defender for IoT) are available at extra cost."

Sentinel's strengths were listed as a rich ecosystem of highly integrated security products, a fast-developing roadmap and tiered/hybrid operations. On the flip side, Gartner issued cautions about the company's difficult-to-understand pricing, potential for vendor lock-in and limited out-of-box content.

In a market overview, Gartner said, "The SIEM market is maturing at a rapid pace and continues to be extremely competitive. The reality of what SIEM was just five years ago is starting to detach from what SIEM is and provides today.

"SIEM is now widely supporting exposure management capabilities by leveraging data points such as configuration status of cloud assets, risk profiling across users and entities, asset inventory and criticality rating, with the purpose of delivering a real time risk posture. This combination of use cases helps security and risk management (SRM) leaders build a compelling business case for purchasing based on outcome-delivered metrics, which can answer questions from the business about what value a SIEM will deliver rather than focusing on how much it costs."

The firm also said the SIEM market has been moving toward a feature-rich security solution to offer clients numerous options to address their security needs, including:

  • Threat detection:
    • Real-time analytics
    • Batch analytics
    • Data science algorithms
    • User- and entity-based analytics
  • Response:
    • SOAR
    • Incident management
    • Collaboration
  • Exposure management:
    • Asset details (criticality, grouping, location, patch status, etc.)
    • User details (criticality, peer grouping, business unit, role, incident history, etc.)
    • Configuration posture (cloud asset configuration, GPO settings, etc.)
    • Poly-cloud visibility and unified exposure understanding
    • Threat detection framework alignment
  • Compliance:
    • Reporting
    • Continuous monitoring requirements
    • Audits
    • Security system of record

Along with that movement, Gartner noted that, as buyers seek easier deployments, scalability and flexibility, the most prominent deployment architecture is no longer client-hosted and managed, but rather cloud-native Software-as-a-Service (SaaS) or cloud-delivered (hosted). As the market evolves, other solutions will compete with SIEM, such as extended detection and response (XDR), which targets organizations that have a less mature security operations posture or that are unable to run a complex SIEM solution.

"SIEM vendors have already begun to invest in (or acquire) telemetry collection solutions to deliver a prebuilt ecosystem of security technologies for buyers who are looking for an encapsulated security solution," Gartner said. "One that delivers threat detection, security log retention, compliance reporting, behavioral analytics, automation, investigation and response actions. SIEM, UEBA, SOAR, TIP, EDR, NDR and cloud security solutions in a packaged offering are already on the market, and the expectation is that this trend will continue to grow.

"This aligns to the concept of the cybersecurity mesh and a composable security architecture. However, it is unrealistic to expect that every organization will want a single vendor to provide its entire security stack, which will allow the vendor choice option to persist well into the future."

Gartner cautioned that its report should only be used as one tool in an organization's broader effort to evaluate SIEM vendors.

While the research firm typically charges for such reports, licensed-for-distribution versions can usually be accessed for free from vendors who were covered, easily found with a quick web search.

About the Author

David Ramel is an editor and writer for Converge360.
