Splunk, Elastic, Microsoft Top Security Analytics: ForresterElastic Enters Leaders Segment; Exabeam, Securonix and IBM Fall in Latest Rankings
A surging Elastic security firm has joined perennial stalwarts Splunk and Microsoft atop the Forrester Wave: Security Analytics 2022 report, toppling SIEM players Exabeam, Securonix and IBM.
"The shift to the cloud has changed the market in many ways because there are a lot of SIEM vendors who were built to be on-premise and were built to excel on-premise," Forrester Wave author Allie Mellen tells Information Security Media Group. "And now as they've had to make the shift and move to a cloud offering, they may not necessarily have the same level of expertise in the cloud or the same capabilities in the cloud as they did on-prem."
Silicon Valley-based observability and search vendor Elastic entered the security space through its $234 million acquisition of endpoint protection player Endgame in October 2019 and released its first security product to market that same year. Elastic went from not even being mentioned in the December 2020 security analytics Forrester Wave to leading the entire industry in strategy just two years later.
"Elastic is one of the fastest-growing security companies out there," says Santosh Krishnan, general manager of Elastic's security business. "We came out of nowhere to become a top-five vendor in use cases like SIEM in an extremely short period of time."
Fellow security analytics leaders Splunk and Microsoft took the silver and bronze, respectively, in strategy this time around. That's a significant change from fall 2020 when Microsoft, Splunk and Securonix took the gold, silver and bronze, respectively.
"Splunk has a couple of things that are going for it," Mellen says. "The quality of its community was highlighted constantly by customer references. They have a community that's building things like log collectors and SOAR integration. And so their depth of enterprise features is just really strong in the space, and stronger than any other vendor here."
The current offering category also saw ranking shifts. Splunk catapulted from fourth in 2020 to first this year and Microsoft jumped from eighth in 2020 to second this year. IBM slipped from first in 2020 to third this year, Exabeam nose-dived from second in 2020 to 10th this year, and Securonix fell from third in 2020 to sixth this year. Elastic went from being unranked in 2020 to taking fourth this year (see: Microsoft, IBM, Splunk Dominate SIEM Gartner Magic Quadrant).
The biggest change in the security analytics market compared with two years ago is the maturity and features built into cloud-native offerings, Mellen says. Unlike in 2020 when many vendors were content just having something in the cloud, Mellen says leading vendors today are delivering enterprise features such as role-based access control and log collectors through the cloud as well as adding functions such as SOAR.
Mellen expects the industry to focus more on the security analyst experience over the next two years to streamline the detection and response process. Security analytics tools need to move from enrichment, where threat intelligence is leveraged to determine if a file is malicious, to correlation so that multiple related activities can be brought together to give analysts a better understanding of what's taking place.
"Just about every security analytics platform takes a lot of consistent work to get value out of it," Mellen says. "What we'll see in the next few years is an increase in capabilities in the offering targeted to lessen that workload for security teams."
Outside of the leaders, here's how Forrester sees the security analytics market:
- Strong Performers: IBM, Sumo Logic
- Contenders: Rapid7, Securonix, LogRhythm, Logpoint, Exabeam, Micro Focus
- Challengers: Gurucul, Trellix, Devo
Forrester classified RSA as a strong performer in the December 2020 wave, but the company - whose security analytics practice is now under the NetWitness banner since being acquired by Symphony Technology Group - wasn't even considered as part of the wave this time around.
How the Security Analytics Leaders Climbed Their Way to the Top
Splunk Champions Risk-Based Alerting
Splunk over the past year has introduced risk-based alerting to help customers transform large volumes of alerts into fewer high-fidelity incidents that are prioritized by risk attribution, says Patrick Coughlin, vice president of go-to-market strategy and specialization. The company has added visualizations to help incident responders react to patterns that have surfaced and has published 1,000 relevant detections.
Meanwhile, Coughlin says, the company's November acquisition of TwinWave means that complex attack chains will now be automatically followed rather than requiring cumbersome manual workflows from security analysts. Customers have told Splunk they want to consolidate the tool sprawl that has occurred over the last several years around a handful of strategic partners, according to Coughlin.
"Pure open-source solutions or vendors from closed ecosystems are not providing customers with the same speed to value, the enterprise-grade reliability or the platform-level integrations that our customers require," Coughlin tells ISMG in an email.
Forrester says Splunk continues to struggle with how to license its enterprise security offering to help customers control costs and with customers citing expense as the most challenging part of using the Splunk offering. Coughlin says workload pricing has become the most popular and fastest-growing payment model from Splunk's cloud customers since it can help with predicting and forecasting expenses.
"With workload pricing, customers only pay for what they consume, workloadwise, within the Splunk platform, removing the concern about 'ingesting too much data' into Splunk," Coughlin says.
Elastic Takes on Out-of-the-Box Response
Elastic in mid-2021 introduced its first XDR offering that integrates SIEM, EDR and cloud security and combines them with data management and analytics on the Elastic search platform to provide a unified security platform for the modern SOC, Krishnan says. The company launched cloud security in June 2022 as well as SOAR capabilities so that the most important response functions are available out of the box.
The company can now offer out-of-the-box remediation options, such as killing processes, killing container ports and quarantining files, according to Krishnan. Security is all about data management and analytics, and Elastic's ability to collect data from a wide variety of infrastructure sources in a single deployment and retain that data in a cost-effective fashion is unrivaled, Krishnan says (see: Elastic Lays Off Nearly 400 Employees as SMB Spend Dwindles).
"When you look at some other architectures, your security analysts often have to cut corners in terms of what they collect because it's too expensive to collect telemetry from a wide variety of sources," Krishnan says. "They also have to cut corners in terms of how long they keep the data for investigative purposes. Usually, the way you pay the penalty on that one is in mean time to response."
Forrester criticized Elastic for having limited automation capabilities compared with its direct rivals. Krishnan says automation and response will be Elastic's biggest areas of R&D investment, with a focus on creating more out-of-the-box response capabilities and workflows upfront to take the customization burden away from customers. Today, customers have to manually create workbooks using Elastic APIs.
"If you look at most security operations centers, they have a deluge of alerts which they have to deal with all the time," Krishnan says. "The ability to aggregate like alerts or related alerts and then use that and certain machine learning and analytics capabilities in order to render a risk score allows security analysts to focus their investigations on those aggregated concepts."
Microsoft Embraces Automation to Relieve SOC
Microsoft allows customers to create their own rules using Kusto Query Language or by bringing their own machine learning, meaning SOCs can build automations and reduce the amount of time they spend on repetitive tasks, Microsoft 365 Security Corporate Vice President Rob Lefferts wrote in a blog post.
Scaled search and storage of large volumes of data allow customers to protect their digital ecosystems at scale and monitor all their clouds, platforms and endpoints in one place, according to Lefferts. The company has over the past year invested in content for IoT devices, business application coverage including SAP, enhanced SOAR capabilities and improved workflow management, Lefferts wrote (see: Open Systems Buys Tiberium to Automate Security on Microsoft).
"What makes the Microsoft suite of security solutions unique is the native integrations of SIEM with XDR to provide quick setup, more comprehensive coverage and context, and faster response times," Lefferts wrote.
Forrester says Microsoft Sentinel is costly because its pricing model is based on the volume of data ingested, which makes predicting costs difficult. In addition, reference customers told Forrester they wish Microsoft had additional log collectors to match competitors. Microsoft didn't respond to ISMG's questions about what - if any - actions it plans to take to address the concerns raised by Forrester.