February 09, 2023
Contributor: Colin Reid
Enterprise IT and tech buying teams should prioritize these technical and functional requirements when evaluating any new SIEM tools and solutions.
SIEM combines security information management (SIM) and security event management (SEM) into one security management system. SIEM collects data on security events in real time and provides historical analysis of such events from a wide variety of data sources. It can also flag and report events that require investigation and assist with validating (and responding to) issues that may cause harm to the organization.
SIEM continues to evolve rapidly as cloud-based tools and solutions gain greater acceptance among enterprise IT and security teams. By 2023, 90% of SIEM solutions will offer capabilities delivered exclusively in the cloud — log storage, analytics and incident management, to name a few — up from 20% in 2020, according to Gartner.
Enterprise tech buying teams evaluating new SIEM solutions should specify and prioritize key criteria that will ensure the solution works practically and technically to deliver on the use and business cases defined by the buyer team. Use these requirements consistently to judge the relative value of different options and ultimately shortlist the best candidates.
Gartner research shows these seven requirements to be critical, but for your use case, they may instead be highly desirable but not strictly essential. Accordingly, rank your team’s requirements as being of high, medium or low importance.
Look for SIEM tools that use real-time analytics to detect and prioritize events or activities that may represent a threat, compliance issue or something else of interest to users. The solution should offer batch analytics to identify and correlate weak signals in data not detected in real time.
The SIEM solution should provide tools to administer, maintain and support complex functions, such as log and data source management, analytics and detection content, reporting, user roles and access control, along with technical integration and response workflows.
This function provides data collectors, parsers, analytics rules and models, use cases, compliance packages and response workflows, actions and plays. Administrators can enable, access and update this content through an included management framework.
Buyers should ensure the new SIEM solution provides easy-to-understand and user-friendly interfaces featuring intuitive designs to better facilitate user engagement, especially where users may fall outside traditional IT teams. Define use cases for your SIEM that best align to your organization’s security monitoring objective. Use those as design requirements to focus on performance and resource utilization for priority issues.
From a technical requirement standpoint, it’s imperative to ensure the new SIEM tool will provide enough data storage capacity, as well as required file types, location and processes, such as extraction or eradication. Cloud-based solutions offer scalable storage capacity, which proves essential in a global threat landscape undergoing exponential growth.
It may sound elementary, but it’s also critical for any new SIEM tool to integrate with all relevant applications, data sources and technologies. SIEM threat detection performance depends not only on SIEM and its configuration, but also on the entire detection stack and all supporting telemetry chosen to be sent to the SIEM.
Ensure the SIEM solution will provide proactive alerts on system events across all of your environments including cloud services, physical and virtual appliances and software, and combinations of these. It should also produce logging and resolution reporting on all issues.
SIEM solutions can serve many roles for security organizations, including as a system of record for compliance, audit, forensics data and general reporting or to monitor relevant security alerts and data, allowing a single source of truth on real-time, prioritized alerts across an organization.
The current class of SIEM solutions uses a variety of analysis techniques, including correlation, statistical deviation and machine learning, to identify threats and other events of interest. They should allow the enterprise to turn raw alert data into actionable intelligence through whatever analysis method works best for the monitoring objective.
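As an added illustration of the two analytics modes the article asks for (real-time correlation in the analytics requirement above, and batch statistical deviation in this paragraph), the following Python example, which is not from the original article or from any Gartner product, runs a sliding-window correlation rule and a per-user z-score check over constructed sample events; the event schema, thresholds and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample data (not from any real system): authentication events
# normalized the way a SIEM parser would emit them.
EVENTS = [
    {"ts": "2023-02-09T10:00:00", "user": "alice", "src": "203.0.113.7", "outcome": "fail"},
    {"ts": "2023-02-09T10:00:05", "user": "alice", "src": "203.0.113.7", "outcome": "fail"},
    {"ts": "2023-02-09T10:00:10", "user": "alice", "src": "203.0.113.7", "outcome": "fail"},
    {"ts": "2023-02-09T10:00:15", "user": "alice", "src": "203.0.113.7", "outcome": "fail"},
    {"ts": "2023-02-09T10:00:20", "user": "alice", "src": "203.0.113.7", "outcome": "fail"},
    {"ts": "2023-02-09T10:00:30", "user": "alice", "src": "203.0.113.7", "outcome": "success"},
    {"ts": "2023-02-09T10:01:00", "user": "bob", "src": "198.51.100.2", "outcome": "fail"},
    {"ts": "2023-02-09T10:01:30", "user": "bob", "src": "198.51.100.2", "outcome": "success"},
]
# Constructed per-user daily login counts; the last entry is the day under review.
DAILY_LOGINS = {"alice": [3, 4, 3, 5, 4, 3, 4, 40], "bob": [10, 12, 11, 9, 10, 12, 11, 12]}


def realtime_correlation(events, threshold=5, window=timedelta(seconds=60)):
    """Real-time correlation rule: `threshold` or more failures from one source
    inside `window`, followed by a success from that same source.
    Returns (src, user, failure_count) tuples, one per alert."""
    recent_fails = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        # Drop failures that have aged out of the sliding window.
        recent_fails[e["src"]] = [x for x in recent_fails[e["src"]] if t - x <= window]
        if e["outcome"] == "fail":
            recent_fails[e["src"]].append(t)
        elif e["outcome"] == "success" and len(recent_fails[e["src"]]) >= threshold:
            alerts.append((e["src"], e["user"], len(recent_fails[e["src"]])))
            recent_fails[e["src"]].clear()
    return alerts


def batch_deviation(daily_counts, z_threshold=3.0):
    """Batch statistical-deviation check: flag users whose latest daily count
    is z_threshold or more standard deviations above their own baseline."""
    findings = []
    for user, counts in daily_counts.items():
        baseline, latest = counts[:-1], counts[-1]
        mu, sigma = mean(baseline), pstdev(baseline)
        sigma = sigma or 1.0  # flat baseline: treat one login as one std-dev
        z = (latest - mu) / sigma
        if z >= z_threshold:
            findings.append((user, latest, round(z, 1)))
    return findings
```

The real-time rule fires on the event stream as it arrives, while the batch check would typically run on a schedule over stored counts, which is the "weak signal" case the analytics requirement describes.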
SIEM tools require tight coordinated integration with an enterprise’s complete detection and security stack.
User-friendly, intuitive interfaces were once a nice-to-have; SIEMs now offer them, and they encourage greater user engagement. Prioritize this criterion.
Colin Reid, VP of Product Management, leads Gartner teams in scoping, building, shipping and managing global SaaS applications, including BuySmart. Previously, as a Gartner analyst, he helped clients design, build, integrate, operate and optimize all aspects of marketing and content technology and their operations. Mr. Reid also has experience as a CMO, COO and team leader at client marketing organizations, marketing agencies and global technology providers.