The security analytics platform market is moving faster than it has in years, as demonstrated by these Wave results.
Though Splunk still has a tight grip on the segment, competitors are finding opportunities to loosen its hold by addressing continued dissatisfaction with outdated pricing models. Hyperscalers like Microsoft are establishing themselves as top competitors through their expertise in the cloud, massive research budgets, and support of joint go-to-market efforts. New entrants hope to avoid the fate of the class of vendors that tried to topple Splunk — and failed — a few years ago by introducing cloud-native offerings and focusing on analyzing data instead of warehousing it.
As Forrester has covered since 2015, security information and event management (SIEM) capabilities alone are no longer sufficient for security operations teams — security analytics platforms combine analytics, investigation, automation, orchestration, dashboards, and reporting to improve analyst experience.
This research used 28 different criteria to evaluate 14 vendors: Devo, Elastic, Exabeam, Gurucul, IBM, Logpoint, LogRhythm, Micro Focus, Microsoft, Rapid7, Securonix, Splunk, Sumo Logic, and Trellix. It showed that security teams should look for providers that:
- Prioritize depth over breadth. Quantity over quality only works in fast fashion and cat cafés. It’s easy to fall into thinking “more must be better” when it comes to log collectors; security orchestration, automation, and response (SOAR) integrations; and availability on various cloud service providers (CSPs). However, every investment has a trade-off. Security teams should choose a security analytics platform with log collectors and SOAR integrations that fit their use case, not every use case: map the log sources you actually ingest and the response playbooks you actually run against a vendor’s integration catalog before giving its raw size any weight. The same goes for the level of support a vendor can provide — the biggest win mentioned by customer references during our Wave research was the quality of customer support.
- Improve the analyst experience. Acquisitions and siloed product development have led to unnecessary handoffs, disjointed workflows, and a lot of manual effort for the security team. To quote many customer references in this evaluation, “It takes people and time to get value out of it.” Clients should look for a security analytics platform that enriches alerts with context, correlates related events and alerts together dynamically, and provides seamless workflows from triage to investigation and response. Analyst experience was one of the top five most common challenges mentioned by customer references during our Wave research. It was also the only top planned enhancement that aligned with a top customer challenge, which speaks volumes about how weak a pulse most vendors have on their customer base.
- Have a unique product vision with a strong execution path. Getting a unique vision in the security analytics platform market is harder than finding the needle in the haystack that many SIEMs purport to help security teams discover. Most vendors plan to “improve security operations,” an umbrella phrase without direction, meaning, or expectations for delivery timeframe or quality. Look for a vendor that has a unique point of view on the market, is well positioned to execute on it, and has planned enhancements with delivery dates it can back up.
The full report, The Forrester Wave: Security Analytics Platforms, Q4 2022, goes into much more depth on the capabilities of each provider and how they stack up against the rest of the market. Read the research here, and please reach out with any questions or comments.