The intent of this post is to provide the reader with a 'Then and Now' view of the SIEM market by using the Gartner Magic Quadrants (MQs) published over the past few years. As the first post of the blog, I also cover how logging and SIEM in general have interested me over these years.

History

It started as an internal project to create a log collection server with one of my previous employers. I was tasked with a challenge: within six months, create an easy to deploy, open source and, of course, secure logging solution that essentially acted as a syslog server. Using a Debian-based LiveCD (Knoppix), SELinux, VMware and guidance from @craigbalding, the race against time began to create an extremely light, hardened and secure image that could be used as a cheap and easy syslog server by whoever wanted to deploy one in their business. Obviously, questions came up around what to log, how to log, when to log, why to log, etc. Some areas were covered, some were missed, and after many weeks of hard work the project was delivered. Although it was just a small step in the right direction for the organisation, the biggest benefit for me was the first-hand experience of developing an alpha 'log management' tool and of the challenges around acceptance of such a solution in businesses of various shapes and sizes.

Following this, a project came up to select a mature product that offered SIEM capabilities. This was in 2006, and I got my hands on what I believe was the first Gartner SIEM MQ, for 1H06. Since then, I have been studying these reports closely, looking at the developments in the products, deploying some of these products and also working with businesses in various industry sectors to reap the benefits of their logging solution of choice.

SIEM MQs

So, below are the MQs from 2006, 2008, 2009 and, most recently, 2010.
And, below is a quick tabular assessment of the above MQs. This may give an idea on how the vendors have fared over the years in the eyes of Gartner analysts with their definition of SIEM. The vendors in green font have appeared in all 4 MQs, not necessarily in the same quadrant. Pardon the colour selection :).
Hopefully, the above gives businesses who are in the process of SIEM vendor selection a quick snapshot of where vendors are positioned in the MQ and of their journeys within it.

Personally, I take the MQ as a good starting point for vendor selection and assessment, but it certainly shouldn't be the end or the focus of it. As with most product selection, this is a multi-objective optimisation problem: businesses have various constraints to make this selection against, like cost, compliance, operations, incident response, audit, etc.

In the next post, I would like to focus on vendor movements in the MQ and whether these movements make sense. Probably this will lead to the science behind the MQ, who knows! ;) What I am really interested to know is whether these movements are actually experienced by the organisations who use these products, e.g. someone using Q1Labs since 2006.

Thank you @rockyd for pointing me to the 2010 MQ.