The authors of The Forrester Wave™ turn to a quote from ‘The Empire Strikes Back’ to sum up the direction of SIEM: “You truly belong here with us among the clouds.” Sticking with ‘Star Wars’ for guidance, we might also find some truth in ‘The Phantom Menace’: “You can’t stop change, any more than you can stop the suns from setting.”

Security analytics has always needed to adapt to changing threats, and this year has been no exception. Threat detection, investigation and response are more complex than ever. Enterprises are shifting workloads to the cloud while employees work from home, all within an always-evolving threat landscape.

Therefore, modern security analytics is more than SIEM. It also needs to include SOAR, user and entity behavior analytics (UEBA) and sometimes extended detection and response (XDR).

As a buyer in 2020, what trends should you consider when making a purchase? Drawing on insights from ‘The Forrester Wave™: Security Analytics Platforms, Q4 2020’, cloud services will be key, and they pave the way for a set of features to look out for when choosing between solutions.


SIEM Cybersecurity for Cloud Services

In the past, security analytics has been seen as an on-premises toolset. However, recent years have seen growth in software-as-a-service (SaaS) SIEM security tools. These have arisen in response to demand for lower capital expense in favor of a model based on operating expenses. SIEM tools delivered as SaaS also offer quicker time to value, are more flexible and scale more easily.

Now, many vendors offer cloud deployment on infrastructure-as-a-service (running in AWS/Azure) and in containers. The deployment of these solutions can be even more flexible, providing better scale and portability.

Using SIEM via SaaS or cloud-hosted models “has enabled vendors to more quickly roll out new capabilities to their customers and decrease the management overhead for these systems,” the authors of the Forrester report state.

Fast and flexible cloud service is a major factor in the trends for additional features that SIEM buyers in 2020 should look for.

Customizability

For some enterprises, detection content and analytics straight from the vendor could be enough. However, enterprises with advanced use cases need more flexibility. In addition, power users need to be able to create custom analytics. Open analytics and machine learning are critical for custom detection.

Advanced Analytics

In 2018, Gartner predicted that 85% of UEBA would be a feature of broader security platforms. Many vendors support behavioral analytics and provide more data via network and endpoint detection tools. Two years later, threats and threat actors have evolved, demanding layered analytics such as:

  • Correlation, including multiple sources, threat data and out-of-the-box detection use cases.
  • Machine learning, including multiple statistical models applied to users, networks and assets.
  • Automation, including automated detection and response workflows and automated response for malware or phishing.

MITRE ATT&CK™

Over recent years, the MITRE ATT&CK framework has become the de facto threat detection framework, based on models of how attackers operate.

Teams need the ability to map their tasks — including visibility and detection, investigation and response — to the framework. Doing so can help reveal gaps in their defenses and enable them to detect attacks before they progress. Picturing active exploits and attacks in progress provides context for threat hunters and responders that can help them act faster and with confidence when investigating threats.

XDR

XDR offers threat detection and response across multiple telemetry sources. The mix of endpoint detection and response (EDR) and analytics from other tools “[provides] highly enriched telemetry, speedy investigations and automated response actions,” according to The Forrester Wave™.

Earlier this year, we explored the past, present and future of SIEM. One trend we studied is the continued adoption of behavioral-based analytics across users, devices, networks, apps and the cloud. From there, we saw the future of SIEM as open, with a need for more cohesive workflows powered by tools working together seamlessly.

Looking ahead to the end of 2020 and beyond, it’s intriguing to see industry efforts toward open security, standard protocols and telemetry collection from multiple systems evolving into this new realm. With XDR, the industry is enabling a broader, more connected approach.

SIEM is Always Evolving

With eyes on how much security analytics has evolved in the past and looking ahead to upcoming changes, it becomes clear how important it is to select a partner that understands market needs.

IBM Security has been named a leader in The Forrester Wave™ for Security Analytics, Q4 2020 and had the highest score in the current offering category. Check out The Forrester Wave™ for the current overview of the security analytics market.

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings and comments. Forrester does not endorse any vendor, product or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
