The authors of The Forrester Wave™ turn to a quote from ‘The Empire Strikes Back’ to sum up the direction of SIEM: “You truly belong here with us among the clouds.” Sticking with ‘Star Wars’ for guidance, we might also find some truth in ‘The Phantom Menace’: “You can’t stop change, any more than you can stop the suns from setting.”

Security analytics has always needed to adapt to changing threats, and this year has been no exception. Threat detection, investigation and response are more complex than ever. Enterprises are shifting workloads to the cloud while employees work from home in an always-evolving threat landscape.

Therefore, modern security analytics is more than SIEM. It also needs to include SOAR, user and entity behavior analytics (UEBA) and sometimes extended detection and response (XDR).

As a buyer in 2020, what trends should you consider when making a purchase? Drawing on insights from ‘The Forrester Wave™: Security Analytics Platforms, Q4 2020’, we see cloud services as the key trend, one that paves the way for a suite of features to look out for when choosing between solutions.


SIEM Cybersecurity for Cloud Services

In the past, security analytics has been seen as an on-premises toolset. However, recent years have seen growth in software-as-a-service (SaaS) SIEM security tools. These have arisen in response to demand for lower capital expense in favor of a model based on operating expenses. SIEM tools delivered as SaaS also offer quicker time to value, are more flexible and scale easily.

Now, many vendors offer cloud deployment on infrastructure-as-a-service (running in AWS/Azure) and in containers. The deployment of these solutions can be even more flexible, providing better scale and portability.

Using SIEM via SaaS or cloud-hosted models “has enabled vendors to more quickly roll out new capabilities to their customers and decrease the management overhead for these systems,” the authors of the Forrester report state.

Fast and flexible cloud service is a major factor in the trends for additional features that SIEM buyers in 2020 should look for.

For many enterprises, detection content and analytics straight from the vendor could be enough. However, enterprises with advanced use cases need more flexibility. In addition, power users need to be able to create custom analytics. Open analytics and machine learning are critical for custom detection.

Advanced Analytics

In 2018, Gartner predicted that 85% of UEBA would be a feature of broader security platforms. Many vendors support behavioral analytics and provide more data via network and endpoint detection tools. Two years later, threats and threat actors have evolved, demanding layered analytics such as:

  • Correlation, including multiple sources, threat data and out-of-the-box detection use cases.
  • Machine learning, including multiple statistical models applied to users, networks and assets.
  • Automation, including automated detection and response workflows and automated response for malware or phishing.
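To make the first two layers concrete, here is an added example of a correlation that spans two sources and a threat-data feed; it is illustrative code written for this article, not code from the Forrester report or from any vendor's product. The authentication log, the endpoint log, the indicator set and the thresholds are all constructed, and the rule names are hypothetical. Rule 1 looks for a burst of failed logins followed by a success; rule 2 joins that hit with endpoint process activity for the same user and raises the severity when the source address also appears in the indicator set.

```python
"""Multi-source correlation over constructed sample logs.

Added illustration, not code from the report or any vendor. Rule 1 is a
brute-force-then-success pattern on an authentication log; rule 2 joins
that hit with endpoint process telemetry for the same user and enriches
the alert with a (constructed) threat-data indicator set.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, key=value style. Source A: authentication log.
AUTH_LOG = """\
2020-11-02T09:00:01Z auth src=203.0.113.7 user=alice result=FAIL
2020-11-02T09:00:05Z auth src=203.0.113.7 user=alice result=FAIL
2020-11-02T09:00:09Z auth src=203.0.113.7 user=alice result=FAIL
2020-11-02T09:00:12Z auth src=203.0.113.7 user=alice result=FAIL
2020-11-02T09:00:15Z auth src=203.0.113.7 user=alice result=FAIL
2020-11-02T09:00:20Z auth src=203.0.113.7 user=alice result=SUCCESS
2020-11-02T09:10:00Z auth src=198.51.100.4 user=bob result=SUCCESS
"""
# Source B: endpoint process-creation log (constructed).
ENDPOINT_LOG = """\
2020-11-02T09:01:30Z endpoint host=ws-17 user=alice proc=powershell.exe parent=winword.exe
2020-11-02T09:12:00Z endpoint host=ws-22 user=bob proc=outlook.exe parent=explorer.exe
"""
# Constructed threat-data feed (RFC 5737 documentation addresses, not real indicators).
THREAT_IPS = {"203.0.113.7"}

FAIL_THRESHOLD = 5                        # failures needed before a success counts as suspicious
FAIL_WINDOW = timedelta(minutes=2)        # failures must cluster inside this sliding window
FOLLOW_ON_WINDOW = timedelta(minutes=10)  # endpoint activity this soon after login is joined
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}  # office apps spawning children


def parse(line):
    """Turn '<ts> <source> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, source, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    event.update(pair.split("=", 1) for pair in pairs)
    return event


def load(text):
    """Parse every non-empty line and return the events in time order."""
    return sorted((parse(l) for l in text.splitlines() if l.strip()), key=lambda e: e["ts"])


def brute_force_then_success(auth_events):
    """Rule 1: >= FAIL_THRESHOLD failures for one (src, user) inside FAIL_WINDOW, then a success."""
    recent_fails = defaultdict(list)
    hits = []
    for ev in auth_events:
        key = (ev["src"], ev["user"])
        if ev["result"] == "FAIL":
            recent_fails[key].append(ev["ts"])
            # drop failures that have aged out of the sliding window
            recent_fails[key] = [t for t in recent_fails[key] if ev["ts"] - t <= FAIL_WINDOW]
        elif ev["result"] == "SUCCESS" and len(recent_fails[key]) >= FAIL_THRESHOLD:
            hits.append({"src": ev["src"], "user": ev["user"], "ts": ev["ts"]})
            recent_fails[key].clear()
    return hits


def correlate(auth_events, endpoint_events, threat_ips):
    """Rule 2: join rule-1 hits with same-user endpoint activity; enrich with threat data."""
    alerts = []
    for hit in brute_force_then_success(auth_events):
        follow_on = [
            e for e in endpoint_events
            if e["user"] == hit["user"]
            and timedelta(0) <= e["ts"] - hit["ts"] <= FOLLOW_ON_WINDOW
            and e.get("parent") in OFFICE_PARENTS
        ]
        # severity ladder: base finding, +1 for threat-data match, +1 for endpoint follow-on
        score = 1 + (hit["src"] in threat_ips) + bool(follow_on)
        alerts.append({
            "user": hit["user"],
            "src": hit["src"],
            "known_bad_src": hit["src"] in threat_ips,
            "follow_on_hosts": sorted({e["host"] for e in follow_on}),
            "severity": {1: "medium", 2: "high", 3: "critical"}[score],
        })
    return alerts


def run():
    """Run both rules over the constructed logs and return the resulting alerts."""
    return correlate(load(AUTH_LOG), load(ENDPOINT_LOG), THREAT_IPS)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed input only alice trips rule 1, the follow-on process on ws-17 and the indicator match lift the single alert to critical, and bob's ordinary login produces nothing. The point of the join is that neither source alone is conclusive: a login burst or an Office-spawned shell on its own is noise in most estates, while the two together within minutes for the same user is worth an analyst's time.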

Over recent years, the MITRE ATT&CK framework has become the de facto threat detection framework, based on models of how attackers operate.

Teams need the ability to map their tasks — including visibility and detection, investigation and response — to the framework. Doing so can help reveal gaps in their defenses and enable them to detect attacks before they progress. Picturing active exploits and attacks in progress provides context for threat hunters and responders that can help them act faster and with confidence when studying threats.
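The mapping described above can be kept as plain data and queried. The following is an added example, not code from the report or from any vendor, that tags a constructed rule inventory with ATT&CK technique IDs (the IDs are real ATT&CK identifiers; the rules, the priority list, the tactic assigned to each technique and the set of onboarded log sources are all constructed for the example). It separates two kinds of gap that look identical on a coverage heat map: a technique with no rule at all, and a technique whose rule exists but cannot fire because the SIEM is not receiving the log source it needs.

```python
"""Map detection rules to ATT&CK techniques and classify gaps.

Added illustration, not code from the report or any vendor. Technique IDs
are real ATT&CK identifiers; the rule inventory, the priority list and the
tactic assigned to each technique are constructed for the example.
"""

# Constructed rule inventory: each rule lists the techniques it detects and the
# log sources it needs in order to fire.
DETECTION_RULES = [
    {"name": "office-app-spawns-shell", "techniques": {"T1059", "T1566"}, "needs": {"endpoint"}},
    {"name": "bruteforce-then-success", "techniques": {"T1110", "T1078"}, "needs": {"auth"}},
    {"name": "lsass-memory-access", "techniques": {"T1003"}, "needs": {"endpoint"}},
    {"name": "admin-share-lateral", "techniques": {"T1021"}, "needs": {"network"}},
]

# Constructed priority list: techniques the team considers relevant, with the
# tactic it has assigned to each (ATT&CK lists some under several tactics).
PRIORITY_TECHNIQUES = {
    "T1566": ("Phishing", "Initial Access"),
    "T1059": ("Command and Scripting Interpreter", "Execution"),
    "T1078": ("Valid Accounts", "Persistence"),
    "T1110": ("Brute Force", "Credential Access"),
    "T1003": ("OS Credential Dumping", "Credential Access"),
    "T1021": ("Remote Services", "Lateral Movement"),
    "T1486": ("Data Encrypted for Impact", "Impact"),
}

# Rough kill-chain ordering of the tactics used above, earliest first.
TACTIC_ORDER = ["Initial Access", "Execution", "Persistence", "Credential Access",
                "Lateral Movement", "Impact"]

# Log sources actually onboarded to the SIEM (constructed).
ONBOARDED_SOURCES = {"auth", "endpoint"}


def classify(rules, priorities, onboarded):
    """Bucket every priority technique as covered, visibility gap or detection gap.

    covered        - at least one rule maps to it and all of that rule's sources are onboarded
    visibility_gap - rules exist but none can fire because a needed source is missing
    detection_gap  - no rule maps to the technique at all
    """
    result = {"covered": {}, "visibility_gap": {}, "detection_gap": set()}
    for tech in priorities:
        mapped = [r for r in rules if tech in r["techniques"]]
        live = [r["name"] for r in mapped if r["needs"] <= onboarded]
        if live:
            result["covered"][tech] = live
        elif mapped:
            result["visibility_gap"][tech] = sorted(
                s for r in mapped for s in r["needs"] - onboarded)
        else:
            result["detection_gap"].add(tech)
    return result


def coverage_ratio(result, priorities):
    """Share of priority techniques with at least one rule that can actually fire."""
    return len(result["covered"]) / len(priorities)


def earliest_blind_tactic(result, priorities):
    """First kill-chain stage at which a priority technique goes undetected."""
    blind = set(result["visibility_gap"]) | result["detection_gap"]
    stages = {priorities[t][1] for t in blind}
    return next((t for t in TACTIC_ORDER if t in stages), None)


def report(rules=DETECTION_RULES, priorities=PRIORITY_TECHNIQUES, onboarded=ONBOARDED_SOURCES):
    """Human-readable gap list: what to onboard, what to write, where the blind spot starts."""
    res = classify(rules, priorities, onboarded)
    lines = [f"coverage: {len(res['covered'])}/{len(priorities)} priority techniques"]
    for tech, sources in sorted(res["visibility_gap"].items()):
        lines.append(f"visibility gap {tech} {priorities[tech][0]}: onboard {', '.join(sources)}")
    for tech in sorted(res["detection_gap"]):
        lines.append(f"detection gap  {tech} {priorities[tech][0]} ({priorities[tech][1]}): write a rule")
    lines.append(f"earliest blind stage: {earliest_blind_tactic(res, priorities)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

With the constructed inventory, five of seven priority techniques are covered, T1021 is a visibility gap (the rule exists but network telemetry is not onboarded) and T1486 is a detection gap (no rule at all), so the earliest stage where an intrusion could proceed unseen is lateral movement. Splitting the two gap types matters because they have different fixes: one is a data-onboarding task, the other is detection engineering.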

XDR offers diverse threat detection and response. The mix of endpoint detection and response (EDR) and analytics from other tools “[provides] highly enriched telemetry, speedy investigations and automated response actions,” according to The Forrester Wave™.

Earlier this year, we explored the past, present and future of SIEM. One trend we studied is the continued adoption of behavioral-based analytics across users, devices, networks, apps and the cloud. From there, we saw the future of SIEM as open, with a need for more cohesive workflows powered by tools working together seamlessly.

Looking ahead to the end of 2020 and beyond, it’s intriguing to see industry efforts toward open security, standard protocols and the collection of telemetry from multiple systems evolving into this new realm. With XDR, the industry is enabling a broader, more connected approach.

SIEM is Always Evolving

With eyes on how much security analytics has evolved in the past and looking ahead to upcoming changes, it becomes clear how important it is to select a partner that understands market needs.

IBM Security has been named a leader in The Forrester Wave™ for Security Analytics, Q4 2020 and had the highest score in the current offering category. Check out The Forrester Wave™ for the current overview of the security analytics market.

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings and comments. Forrester does not endorse any vendor, product or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
