Before Gartner's 2020 SIEM Magic Quadrant comes out, let's take a look at Forrester's latest Security Analytics Platform (SAP) vendor evaluation, the Forrester Wave published on December 1, 2020. Forrester's SAP market segment corresponds roughly to Gartner's SIEM market segment.
The previous SAP Wave was published in 2018. After more than two years the changes are considerable, because these years have been a period of upheaval for SIEM, SOC and SAP alike.
Forrester gave its latest SAP definition in an earlier report, "Now Tech: Security Analytics Platforms, Q3 2020":
An SAP is built on big data infrastructure and integrates logs from networks, identities, endpoints, applications and other security-related data sources; it generates high-fidelity behavioral alerts and facilitates rapid security incident analysis, investigation and response.
Recall that Forrester first defined SAP in the report "Counteract Cyberattacks With Security Analytics":
An SAP is a platform built on a big data architecture. It integrates log data, correlated data and reporting data from a variety of endpoints and applications, including SIM, (specific) security solutions, network flow data and external threat intelligence. The SAP uses this information together with machine learning to provide (users with) real-time monitoring, prompting them to detect, analyze and respond to incidents faster.
By comparison, the two definitions are much the same; the current one is more concise.
Note: SAP is not the same as SA. SA (security analytics) is a technology, not a market segment.
Forrester believes the three core uses of an SAP today are:
Locating and identifying threats with better visibility across the environment
Supporting SOC analysts with automated alert triage and response recommendations
Orchestrating response across the entire environment
Clearly Forrester's SAP is broader than classic SIEM; it is what is commonly called next-generation SIEM, and is closer to our current understanding of a security management platform (or SOC platform). Gartner, too, no longer limits its SIEM market analysis to classic SIEM. Everyone's understanding of the market is converging, and ESG's SOAPA is much the same idea.
In Forrester's view SOAR is a core capability of an SAP, and it is even used to distinguish different types of SAP. Forrester has also adopted Gartner's term SOAR in place of its own earlier term SAO.
To sum up in terms we can all understand: SAP = big data + SIEM + SOAR + XDR + UEBA.
Back to the report. The 2020 Forrester Wave chart is as follows:
Compare it with the 2018 Wave chart:
As you can see, the change is considerable.
First, AlienVault (now part of AT&T), McAfee, Fortinet and Huntsman are no longer on the list, while FireEye has been added.
Second, Microsoft is on the list with Azure Sentinel, and its prominent position shows how much weight Forrester gives to the Cloud SIEM market (the term comes from Gartner). Gartner itself has not yet brought Cloud SIEM into the scope of the SIEM MQ.
Finally, and most importantly, the positions of the vendors that remained on the list have shifted considerably. IBM and Splunk lead, LogRhythm has retreated to the second tier, and Securonix and Exabeam have risen on the strength of their UEBA (Forrester calls it SUBA) technology.
Looking further, IBM and Splunk fit Forrester's view of SAP very well (it is hard to say who influenced whom). Both pursue a SIEM+SOAR strategy, both offer cloud SAP products and services, and both perform very well in the market.
Although LogRhythm also offers SOAR and a SaaS version, these capabilities have not performed well. One thing the report could not yet cover: on January 13, 2021 LogRhythm announced the acquisition of cloud analytics platform vendor MistNet, and is expected to rebuild its XDR and Cloud SIEM technology, products and go-to-market on top of its core SIEM strategy.
Micro Focus's ArcSight has also recovered somewhat after several years of steep decline. It acquired Interset in 2019 for UEBA technology, then ATAR Labs in July 2020 for SOAR technology, and has finally caught up on paper, though how well these pieces are integrated is not yet known. Forrester also considers ArcSight late to embrace the cloud compared with the other large vendors.
Incidentally, it is obvious that ArcSight under Micro Focus has regressed, but Forrester is still merciful and placed it in the second tier, while Gartner was harsher and placed it in the fourth tier of the 2019 MQ.
Forrester’s main views on SAP
Forrester believes the future of SAP lies in the cloud, because users' workloads are migrating there and the cloud offers easy storage expansion, easy scale-out, and stability and reliability. Cloud SAP software is also developed and released more efficiently. In the actual market, Forrester finds that mainstream SAP vendors have begun to offer Cloud SIEM.
Microsoft's Azure Sentinel can be described as a cloud-native SAP, and it has moved ahead of Google Cloud's Chronicle.
IBM made the list with QRadar and Resilient, and Forrester also mentions IBM's Cloud Pak for Security as a sign of its move to the cloud.
Splunk is on the list with ES and Phantom, while its cloud-oriented Mission Control is gaining attention.
Securonix has also launched a SaaS-based, multi-tenant version of its SAP.
Forrester gives four recommendations to customers choosing an SAP, which amount to four key capabilities an SAP should possess:
1) Customization by the customer, especially of analytics content, analytics scenarios and analytics models;
2) Integration of analytics with automated response, so the platform not only finds problems but also helps resolve them;
3) Use of MITRE's ATT&CK framework as part of security operations, running through detection, investigation and hunting;
4) An XDR vision, so that EDR is well integrated into security analytics.
When Forrester evaluates the technical capabilities of SAP vendors, the dimensions considered include: deployment model and data architecture, visibility, correlation capabilities, threat detection capabilities, ATT&CK mapping, custom detection capabilities, security orchestration capabilities, compliance, platform user experience, analytics capabilities, and risk scoring and prioritization capabilities.
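To make capabilities 1) and 3) and the evaluation dimensions "ATT&CK mapping", "custom detection" and "risk scoring and prioritization" concrete, here is an added example of what those look like in code. It is not from the Forrester report or from any vendor's product: a toy detection engine in which custom rules declare the ATT&CK techniques they detect, run over a handful of constructed log events, and the rule set is then mapped to ATT&CK tactics to expose coverage gaps and to rank entities by the number of distinct techniques seen on them. The rule names, event field names and the small technique-to-tactic table are assumptions made for this example (the technique IDs themselves are real ATT&CK IDs).

```python
"""Toy SAP-style detection engine with ATT&CK mapping (added example, not
from the Forrester report or any vendor). Event fields, rule names and the
small technique table are assumptions made for illustration."""
from collections import Counter, defaultdict

# Constructed sample events (not real telemetry). Field names are assumed.
EVENTS = [
    {"src": "auth", "user": "alice", "action": "logon_failed", "host": "ws01"},
    {"src": "auth", "user": "alice", "action": "logon_failed", "host": "ws01"},
    {"src": "auth", "user": "alice", "action": "logon_failed", "host": "ws01"},
    {"src": "auth", "user": "alice", "action": "logon_failed", "host": "ws01"},
    {"src": "auth", "user": "alice", "action": "logon_failed", "host": "ws01"},
    {"src": "auth", "user": "alice", "action": "logon_ok", "host": "ws01"},
    {"src": "edr", "user": "bob", "action": "process", "host": "ws02",
     "cmd": "powershell.exe -enc SQBFAFgA"},
    {"src": "edr", "user": "bob", "action": "process", "host": "ws02",
     "cmd": "whoami.exe"},
]

# Minimal technique -> tactic table. A real platform would load the full
# ATT&CK STIX bundle; these five entries use genuine ATT&CK IDs.
TECHNIQUE_TACTIC = {
    "T1110": "credential-access",   # Brute Force
    "T1059.001": "execution",       # Command and Scripting Interpreter: PowerShell
    "T1027": "defense-evasion",     # Obfuscated Files or Information
    "T1033": "discovery",           # System Owner/User Discovery
    "T1021": "lateral-movement",    # Remote Services (no rule below covers it)
}


def attack(*techniques):
    """Decorator: declare the ATT&CK techniques a rule detects, so coverage
    can be computed statically and every alert is tagged consistently."""
    def wrap(fn):
        def run(events):
            return [dict(a, rule=fn.__name__, techniques=list(techniques))
                    for a in fn(events)]
        run.__name__ = fn.__name__
        run.techniques = techniques
        return run
    return wrap


@attack("T1110")
def bruteforce(events, threshold=5):
    """threshold or more failed logons for one user; note a later success."""
    fails = Counter(e["user"] for e in events if e["action"] == "logon_failed")
    succeeded = {e["user"] for e in events if e["action"] == "logon_ok"}
    return [{"entity": u,
             "note": "success after failures" if u in succeeded else "no success"}
            for u, n in fails.items() if n >= threshold]


@attack("T1059.001", "T1027")
def encoded_powershell(events):
    """powershell launched with -e/-enc/-encodedcommand (any abbreviation)."""
    hits = []
    for e in events:
        tokens = e.get("cmd", "").lower().split()
        if tokens and tokens[0].startswith("powershell") and any(
                len(t) >= 2 and "-encodedcommand".startswith(t) for t in tokens[1:]):
            hits.append({"entity": e["host"], "cmd": e["cmd"]})
    return hits


@attack("T1033")
def user_discovery(events):
    """whoami executed as a process."""
    hits = []
    for e in events:
        tokens = e.get("cmd", "").lower().split()
        if tokens and tokens[0] in ("whoami", "whoami.exe"):
            hits.append({"entity": e["host"], "cmd": e["cmd"]})
    return hits


RULES = [bruteforce, encoded_powershell, user_discovery]


def run_detections(events, rules=RULES):
    """Run every rule over the event batch; each alert carries its rule name
    and the ATT&CK technique IDs declared by that rule."""
    alerts = []
    for rule in rules:
        alerts.extend(rule(events))
    return alerts


def coverage(rules=RULES):
    """Map the rule set onto ATT&CK: tactics with at least one rule, and
    techniques in the table that no rule covers (the gap list)."""
    covered = {t for r in rules for t in r.techniques}
    by_tactic = defaultdict(list)
    for t in sorted(covered):
        by_tactic[TECHNIQUE_TACTIC[t]].append(t)
    return {"tactics": dict(by_tactic),
            "uncovered_techniques": sorted(set(TECHNIQUE_TACTIC) - covered)}


def prioritize(alerts):
    """Rank entities by distinct ATT&CK techniques observed on them: several
    techniques on one host is a stronger signal than one noisy rule."""
    techs = defaultdict(set)
    for a in alerts:
        techs[a["entity"]].update(a["techniques"])
    return sorted(((e, len(t), sorted(t)) for e, t in techs.items()),
                  key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    found = run_detections(EVENTS)
    for a in found:
        print(a)
    print(coverage())
    print(prioritize(found))
```

The point of the decorator is that the ATT&CK mapping lives with the rule rather than in a separate spreadsheet: coverage reporting, alert tagging and prioritization all read the same declaration, so a custom rule added by the customer is mapped the moment it is written.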