The inclusion criteria for this IDC MarketScape required vendors to have at least $50 million in annual revenue in 2021 — as determined by IDC — related specifically to SIEM platforms. Revenue had to come from more than one geographic region to be part of this worldwide evaluation.

For the purposes of this analysis, IDC divided potential key measures for success into two primary categories: capabilities and strategies.

Positioning on the y-axis reflects the vendor’s current capabilities and menu of services and how well aligned the vendor is to customer needs. The capabilities category focuses on the capabilities of the company and product today, here and now. Under this category, IDC analysts will look at how well a vendor is building/delivering capabilities that enable it to execute its chosen strategy in the market.

Positioning on the x-axis, or strategies axis, indicates how well the vendor’s future strategy aligns with what customers will require in three to five years. The strategies category focuses on high-level decisions and underlying assumptions about offerings, customer segments, and business and go-to-market plans for the next three to five years.

The size of the individual vendor markers in the IDC MarketScape represents the market share of each individual vendor within the specific market segment being assessed.

IDC MarketScape criteria selection, weightings, and vendor scores represent well-researched IDC judgment about the market and specific vendors. IDC analysts tailor the range of standard characteristics by which vendors are measured through structured discussions, surveys, and interviews with market leaders, participants, and end users. Market weightings are based on user interviews, buyer surveys, and the input of IDC experts in each market. IDC analysts base individual vendor scores, and ultimately vendor positions on the IDC MarketScape, on detailed surveys and interviews with the vendors, publicly available information, and end-user experiences in an effort to provide an accurate and consistent assessment of each vendor’s characteristics, behavior, and capability.

Security information and event management (SIEM) solutions are log-centric platforms used for policy and compliance assurance as well as to initiate security investigations. SIEM solutions include products designed to aggregate data from multiple sources to identify patterns of events that might signify attacks, intrusions, misuse, or failure. Event correlation simplifies and speeds the monitoring of network events by consolidating alerts and error logs into a short, easy-to-understand package. Products can also consolidate and store the log data that was processed by the SIEM. This technology also includes products that collect and disseminate threat intelligence, provide early warning threat services, and can provide information on countermeasures. The data from SIEM products is provided to policy and compliance solutions for consistent reporting.

A SIEM must take in different logs and flows, has dashboards specifically used for threat investigation, and is capable of compliance reporting. In this sense, SIEM is differentiated from security analytics products that are designed to allow users flexibility in specifying their particular security framework and running data against that framework to better analyze data. And SIEM is different from threat intelligence products that are designed to take in a variety of threat intelligence sources and provide a platform for organizations to analyze their own data against a variety of different threat intelligence feeds. Often, companies will use business intelligence (BI) platforms in combination with open source platforms to index data, but IDC does not count this as SIEM categorically. Ideally, SIEM incorporates aspects of security and threat analytics, threat intelligence, business intelligence, and database management to provide search, storage, indexing and, most importantly, data that facilitate incident detection and response.

• IDC PeerScape: SIEM Practices for Enabling a Trusted Tool (IDC #US49688022, September 2022)
• Worldwide Security Information and Event Management Market Forecast, 2022–2026: Dated Assumptions and New Innovations — Washing Away the SIEMs of the Past (IDC #US48506322, September 2022)
• Worldwide Security Information and Event Management Market Shares, 2021: The Cardinal SIEMs (IDC #US48506522, July 2022)
• IDC Market Glance: SIEM and Vulnerability Management, 2Q22 (IDC #US49009522, April 2022)
• Features and Challenges in SIEM and Device Vulnerability Management Platforms: Variations by Size of Organization (IDC #US48860222, February 2022)

This IDC study provides a vendor assessment of those offering security information and event management (SIEM) platforms. Using the IDC MarketScape model, we considered SIEM vendors based on quantitative and qualitative criteria that is important to organizations selecting an SIEM. The assessment is based on a comprehensive and rigorous framework that includes vendor and customer interviews to evaluate how each vendor stacks up, and the framework highlights the key factors that are expected to be the most significant for achieving success in the SIEM market over the short term and long term.

“SIEM buyers need to consider the rest of their security environment when choosing an SIEM. Does the SIEM have integrations with tools in place or under purchase consideration? Does the pricing allow some level of predictability and options for data storage? Does the SIEM have built-in automations that allow analysts to reduce time spent on investigation, particularly on alerts that are false positives? Does the SIEM vendor offer the level of support that meets the buyer’s maturity? All these are important considerations, which should drive buyers to check out SIEM vendors they may not have considered in their last purchase decision.” — Michelle Abraham, research director, Security and Trust at IDC.