February 2014
[Architecture diagram; labels as extracted: Security Devices, Servers & Mainframes, True Offense, Event Correlation, Network & Virtual Activity, Logs, Flows, IP Reputation, Geo Location, Offense Identification, Database Activity, Application Activity, Configuration Info, Vulnerability & Threat, User Activity, Network Activity, Suspected Incidents, Extensive Data Sources, Credibility, Severity, Relevance, Deep Intelligence]
Magic Quadrant for Security Information and Event Management, Gartner, 7 May 2013
Gartner Magic Quadrant for SIEM: IBM/Q1 Labs SIEM is rated #1 on Ability to Execute (the Y-axis) and beat McAfee/Nitro, RSA, LogRhythm, and Splunk on Completeness of Vision (the X-axis).
Ability to Execute is an assessment of overall viability, product service, customer experience, market responsiveness, product track record, sales execution, operations, and marketing execution.
Completeness of Vision is a rating of product strategy, innovation, market understanding, geographic strategy, and other factors.
Single browser-based UI
Role-based access to information & functions
Customizable dashboards (work spaces) per user
Real-time & historical visibility and reporting
Advanced data mining and drill down
Easy-to-use rules engine with out-of-the-box security intelligence
Offense tab shows offenses currently open, with drill down to details
Credibility: a false positive or a true positive?
Severity: alarm level contrasted with target vulnerability
Relevance: priority according to asset or network value
Priorities can change over time based on situational awareness
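Added example (not code from the slides or from IBM/QRadar): a small Python scorer that turns the three factors above into an offense magnitude and re-ranks open offenses when situational awareness changes. The field names, 1-10 scales, the formulas and the sample offenses are this example's own assumptions.

```python
from dataclasses import dataclass

# Hypothetical offense record; fields and scales are assumptions for this example.
@dataclass
class Offense:
    target: str
    alarm_level: int           # 1..10 alarm level reported by the log/flow source
    target_vulnerable: bool    # does the target actually expose the weakness used?
    corroborating_sources: int # independent sources that observed the same activity
    asset_value: int           # 1..10 business value of the targeted asset

def credibility(o):
    """False positive or true positive: one source alone is weak evidence,
    several independent sources agreeing is strong evidence (capped at 10)."""
    return min(10, 2 + 4 * o.corroborating_sources)

def severity(o):
    """Alarm level contrasted with target vulnerability: a loud alarm against
    a host that is not vulnerable to the technique is mostly noise."""
    return o.alarm_level if o.target_vulnerable else max(1, o.alarm_level // 3)

def relevance(o, watchlist):
    """Priority by asset value, raised for targets under active investigation:
    this is how situational awareness shifts priorities over time."""
    return min(10, o.asset_value + (4 if o.target in watchlist else 0))

def magnitude(o, watchlist=frozenset()):
    """Combined offense magnitude on a 1..10 scale (equal-weight mean)."""
    return round((credibility(o) + severity(o) + relevance(o, watchlist)) / 3)

def rank(offenses, watchlist=frozenset()):
    """Open offenses ordered for analyst attention, highest magnitude first."""
    return sorted(offenses, key=lambda o: magnitude(o, watchlist), reverse=True)

# Constructed sample offenses, not real data.
SAMPLE = [
    Offense("web01", alarm_level=9, target_vulnerable=False,
            corroborating_sources=1, asset_value=8),    # IIS exploit vs. a Linux host
    Offense("payroll-db", alarm_level=6, target_vulnerable=True,
            corroborating_sources=3, asset_value=9),    # brute force seen by 3 sources
    Offense("test-vm", alarm_level=4, target_vulnerable=True,
            corroborating_sources=2, asset_value=2),    # scan against a low-value VM
]

if __name__ == "__main__":
    for o in rank(SAMPLE):
        print(o.target, magnitude(o))
    # Once test-vm is pulled into an investigation its priority rises above web01.
    print([o.target for o in rank(SAMPLE, {"test-vm"})])
```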
What was the breach?
Was it successful?
Who was responsible?
Where do I find them?
How valuable are the targets to the business?
How many targets were involved?
Where is all the evidence?