Magic Quadrant for Security Information and Event Management

Published 18 February 2020 - ID G00381093 - 72 min read

Security and risk management leaders increasingly seek security information and event management solutions with capabilities that support early attack detection, investigation and response. Users should balance advanced SIEM capabilities with the resources needed to run and tune the solution.

Market Definition/Description

The security information and event management (SIEM) market is defined by customers’ need to analyze security event data in real time, which supports the early detection of attacks and breaches. SIEM systems collect, store, investigate, support mitigation and report on security data for incident response, forensics and regulatory compliance. The vendors included in this Magic Quadrant have products designed for this purpose, which they actively market and sell to the security buying center.

SIEM technology aggregates event data produced by security devices, network infrastructure, host and endpoint systems, applications and cloud services. The primary data source is log data, but SIEM technology can also process other forms of data, such as network telemetry (i.e., flows and packets). Event data is combined with contextual information about users, assets, threats and vulnerabilities. The data may be normalized, so that events, data and contextual information from disparate sources can be analyzed for specific purposes, such as network security event monitoring, user activity monitoring and compliance reporting.

The technology provides real-time analysis of events for security monitoring, query and long-range analytics for historical analysis, and other support for incident investigation and management, and reporting — e.g., for compliance requirements.

Magic Quadrant

Figure 1. Magic Quadrant for Security Information and Event Management
Source: Gartner (February 2020)

Vendor Strengths and Cautions

AT&T Cybersecurity

AT&T Cybersecurity, part of the AT&T Business portfolio, is headquartered in Dallas, Texas. AT&T Cybersecurity’s SIEM solution is Unified Security Management (USM) Anywhere, which is delivered as a software as a service (SaaS) solution. It packages several other security elements with SIEM, including asset discovery, vulnerability assessment, an intrusion detection system (IDS) for network and cloud, and endpoint detection and response (EDR). An on-premises software deployment, USM Appliance, is available and is still supported; however, the vendor continues to focus more on the USM Anywhere SaaS offering. USM customers can connect to the Alien Labs Open Threat Exchange (OTX) via an API key to gain additional indicators of compromise (IoCs) and threat intelligence sharing capability.

The AlienVault USM Appliance and Anywhere products are licensed on the amount of data analyzed (gigabyte per month) and are offered as subscription-only. There is also licensing for managed security service provider (MSSP) partners who want access to USM’s central management console, USM Central, which provides unified dashboards across multiple USM Anywhere deployments.

Advancements during the past 12 months include the addition of an EDR agent to the USM portfolio to provide threat visibility and automated response actions for the major OSs. USM Anywhere now has threat visibility and response capabilities for Google Cloud, as well as enhanced case management features for analysts performing investigations.

Small and midsize businesses (SMBs) in financial services and healthcare verticals, which need SIEM as a service (SaaS SIEM) delivery models with bundled security controls that don’t require extensive database or application monitoring or advanced analytics, should consider AT&T Cybersecurity’s USM Anywhere.

Strengths

• Deployment: The SaaS form factor, combined with predefined content for detections and dashboards, offers relatively quick deployment and initial operation, compared with on-premises SIEM.

• Operations: Detection content is updated frequently by the vendor. The USM Anywhere detection rules and dashboards are updated weekly, based on the findings of the AT&T Alien Labs threat intelligence team.

• Product: AT&T Cybersecurity offers strong integrations with its own technologies for endpoint agent deployment/management, network intrusion detection, vulnerability scanning/asset discovery and threat intelligence. Native file integrity monitoring (FIM) and EDR c
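The Market Definition/Description above describes the SIEM pipeline in the abstract: collect log data from disparate sources, normalize it into a common schema, join it with contextual information about users and assets, and analyze the stream in real time for detection. The Python program below is an added illustration of that pipeline, not code from the Gartner report or from any vendor's product. It runs end to end on constructed sample input: a Linux sshd syslog source and a Windows Security event rendered as key=value fields. The host names, user names, IP addresses, the asset/user context tables, the key=value layout and the syslog year are all assumptions made up for the example; the Windows event IDs 4624 and 4625 are the real logon-success and logon-failure IDs. The stateful correlation rule fires only when at least three failures from one source address are followed by a success against the same host inside a five-minute window, and the enrichment step raises the alert severity when the account is privileged or the asset is critical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SYSLOG_YEAR = 2020  # syslog timestamps carry no year; assumed for this example

# Constructed sample input: hosts, users, addresses and the key=value layout of
# the Windows lines are invented for this example. Arrival order is deliberately
# interleaved across the two sources, as a real collector would deliver them.
SAMPLE_LOGS = [
    "Mar  3 10:00:01 web01 sshd[1234]: Failed password for admin from 203.0.113.5 port 50001 ssh2",
    "Mar  3 10:00:07 web01 sshd[1235]: Failed password for admin from 203.0.113.5 port 50002 ssh2",
    "Mar  3 10:00:12 web01 sshd[1236]: Failed password for admin from 203.0.113.5 port 50003 ssh2",
    "EventID=4625 Computer=dc01 TargetUserName=svc_backup IpAddress=198.51.100.9 Time=2020-03-03T10:00:20",
    "Mar  3 10:00:19 web01 sshd[1237]: Accepted password for admin from 203.0.113.5 port 50004 ssh2",
    "EventID=4624 Computer=dc01 TargetUserName=svc_backup IpAddress=198.51.100.9 Time=2020-03-03T10:00:25",
    "unparseable line from an unknown source",
]

# Constructed context tables: the "contextual information about users, assets"
# that a SIEM joins onto each event.
ASSETS = {"web01": {"criticality": "medium"}, "dc01": {"criticality": "high"}}
USERS = {"admin": {"privileged": True}, "svc_backup": {"privileged": False}}

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)
WINEVT_RE = re.compile(
    r"^EventID=(?P<eid>\d+) Computer=(?P<host>\S+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<src>\S+) Time=(?P<ts>\S+)$"
)
WIN_LOGON_OUTCOME = {"4624": "success", "4625": "failure"}  # real Windows Security event IDs


def normalize(line):
    """Map one raw line into the common event schema; None if no parser matches."""
    m = SSHD_RE.match(line)
    if m:
        stamp = " ".join(m["ts"].split())  # collapse the padded day ("Mar  3")
        ts = datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        outcome = "failure" if m["outcome"] == "Failed" else "success"
        return {"ts": ts, "host": m["host"], "user": m["user"], "src_ip": m["src"],
                "action": "authentication", "outcome": outcome, "source": "linux_sshd"}
    m = WINEVT_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "user": m["user"],
                "src_ip": m["src"], "action": "authentication",
                "outcome": WIN_LOGON_OUTCOME.get(m["eid"], "unknown"), "source": "windows_security"}
    return None


def enrich(event):
    """Join asset and user context onto a normalized event (in place) and return it."""
    event["asset_criticality"] = ASSETS.get(event["host"], {}).get("criticality", "unknown")
    event["user_privileged"] = USERS.get(event["user"], {}).get("privileged", False)
    return event


class BruteForceThenSuccess:
    """Stateful correlation rule: at least `threshold` failures from one source IP
    against one host inside `window`, followed by a success for the same pair."""

    def __init__(self, threshold=3, window=timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # (src_ip, host) -> failure timestamps

    def feed(self, event):
        """Consume one enriched event; return an alert dict or None."""
        if event["action"] != "authentication":
            return None
        q = self.failures[(event["src_ip"], event["host"])]
        while q and event["ts"] - q[0] > self.window:  # expire failures outside the window
            q.popleft()
        if event["outcome"] == "failure":
            q.append(event["ts"])
            return None
        if event["outcome"] == "success" and len(q) >= self.threshold:
            critical = event["asset_criticality"] == "high" or event["user_privileged"]
            alert = {"rule": "brute_force_then_success", "ts": event["ts"], "host": event["host"],
                     "user": event["user"], "src_ip": event["src_ip"], "failures": len(q),
                     "severity": "high" if critical else "medium"}
            q.clear()  # do not re-alert on the same burst
            return alert
        return None


def run(lines, rule=None):
    """Process lines in arrival order; return (alerts raised, count of unparsed lines)."""
    rule = rule or BruteForceThenSuccess()
    alerts, unparsed = [], 0
    for line in lines:
        event = normalize(line)
        if event is None:
            unparsed += 1  # a real SIEM counts and routes these so parsers can be tuned
            continue
        alert = rule.feed(enrich(event))
        if alert:
            alerts.append(alert)
    return alerts, unparsed


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS)[0]:
        print(alert)
```

Run the file directly to print the single alert the sample produces: three failures then a success for admin on web01 from 203.0.113.5, rated high because the account is privileged. The one failure against dc01 followed by a success stays below the threshold and produces nothing; lowering the threshold to 1 makes it fire too, which is the tuning trade-off between detection coverage and alert volume that the report's advice about balancing capabilities against operating resources refers to. The unparsed line is counted rather than silently dropped, because an unparsed source is a blind spot, not noise.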
