EMA Radar for Log-Based Security Analytics: Q2 2018

04/18/2018
Cybersecurity as a discipline is a fast-paced, dynamic area. New and innovative attack methods are combined with old ones to create nearly infinite avenues of attack. Whether an attack is a single-packet compromise or a low-and-slow attack drawn out over many days, the defenders are responsible for identifying and stopping the attacks as soon as possible. It’s the last phrase that is the issue. How fast is as fast as possible? It seems that over the last few years, “as fast as possible” has not been nearly fast enough. Compromises can happen in hours, but identification may not take place for months to years.
It is this issue that drew innovators to try to figure out how to identify and respond to security incidents faster. The first challenge is being able to wade through the incessant and overwhelming noise of alerts and reduce them to a small trickle of real problems that can be clearly defined and addressed quickly.
Over the past several years, numerous startup companies were established to address this gap in analytics and visibility of real issues in the sea of alerts. Security analytics solutions were initially designed to perform one or more of three primary types of security-focused analytics: User and Entity Behavior Analytics (UEBA), Anomaly Detection, and Predictive Analytics. Since their inception, many of these analytics have merged, leaving only a thin line between a combined UEBA/Anomaly Detection and Predictive Analytics.
This report, which is part one of a two-part series, delves into the platforms, solutions, and products supplying log-based security analytics to security practitioners for the express purpose of providing them with fewer, more actionable alerts without the tuning side effects that can filter out alerts on actual threat activity. The report evaluates vendors across five major categories supported by over 100 KPIs. EMA evaluated, scored, and ranked each vendor under the same documented criteria. Each participating vendor has a profile that outlines the solution, including its strengths and weaknesses, in comparison to the other vendors evaluated. The report also documents key decision-making factors important to the buying process and ultimately depicts the vendors’ relationship to each other based on value vs. functionality.
Part two will follow the same methodology, but will focus on security analytics solutions that primarily rely on network-based data for analysis.

Analyst: EMA
Contributors: EMA