The authors of The Forrester Wave™ turn to a quote from ‘The Empire Strikes Back’ to sum up the direction of SIEM: “You truly belong here with us among the clouds.” Sticking with ‘Star Wars’ for guidance, we might also find some truth in ‘The Phantom Menace’: “You can’t stop change, any more than you can stop the suns from setting.”

Security analytics has always needed to adapt to changing threats, and this year has been no exception. Threat detection, investigation and response are more complex than ever. Enterprise is shifting the workload to the cloud as employees work at home in an always-evolving threat landscape.

Therefore, modern security analytics is more than SIEM. It also needs to include SOAR, user and entity behavior analytics (UEBA) and sometimes extended detection and response (XDR).

As a buyer in 2020, what trends should you consider when making a purchase? Drawing on insights from ‘The Forrester Wave™: Security Analytics Platforms, Q4 2020’, cloud services will be key, and pave the way for a suite of features to look out for when choosing between solutions.


SIEM Cybersecurity for Cloud Services

In the past, security analytics has been seen as an on-premises toolset. However, recent years have seen growth in software-as-a-service (SaaS) SIEM security tools. These have arisen in response to demands for lower capital expense in favor of a model based on operating expenses. SIEM tools delivered as SaaS also offer quicker time to value, are more flexible and scale easily.

Now, many vendors offer cloud deployment on infrastructure-as-a-service (running in AWS/Azure) and in containers. The deployment of these solutions can be even more flexible, providing better scale and portability.

Using SIEM via SaaS or cloud-hosted models “has enabled vendors to more quickly roll out new capabilities to their customers and decrease the management overhead for these systems,” the authors of the Forrester report state.

Fast and flexible cloud service is a major factor in the trends for additional features that SIEM buyers in 2020 should look for.

For many enterprises, detection content and analytics supplied by the vendor may be enough. However, enterprises with advanced use cases need more flexibility, and power users need to be able to create custom analytics. Open analytics and machine learning are critical for custom detection.

Advanced Analytics

In 2018, Gartner predicted that 85% of UEBA would be a feature of broader security platforms. Many vendors support behavioral analytics and provide more data via network and endpoint detection tools. Two years later, threats and threat actors have evolved, demanding layered analytics such as:

  • Correlation, including multiple sources, threat data and out-of-the-box detection use cases.
  • Machine learning, including multiple statistical models applied to users, networks and assets.
  • Automation, including automated detection and response workflows and automated response for malware or phishing.

Over recent years, the MITRE ATT&CK framework has become the de facto threat detection framework, based on models of how attackers operate.

Teams need the ability to map their tasks, including visibility and detection, investigation and response, to the framework. Doing so can help reveal gaps in their defenses and enable them to detect attacks before they progress. Picturing active exploits and attacks in progress provides context for threat hunters and responders, helping them act faster and with confidence when studying threats.
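The mapping exercise described above, as an added example that is not from the Forrester report or any vendor's product: detection rules in a SIEM are tagged with the ATT&CK techniques they cover and the log source they depend on, and a priority list of techniques is checked against them. Rule names, source names and the priority list are constructed sample data; the technique IDs are real ATT&CK identifiers. The example also separates a true content gap from a rule that exists but whose log source is not being collected, which is a visibility gap.

```python
"""Map SIEM detection content to ATT&CK techniques and report coverage gaps.
Added example: rule names, sources and priorities are constructed sample data;
the technique IDs are real ATT&CK identifiers."""
from collections import defaultdict

# Constructed: rules loaded in the SIEM, tagged with the ATT&CK technique(s)
# each detects and the log source it depends on.
RULES = [
    {"name": "Encoded PowerShell command", "techniques": ["T1059"], "source": "endpoint"},
    {"name": "Impossible-travel login", "techniques": ["T1078"], "source": "identity"},
    {"name": "Mass rename to ransom extension", "techniques": ["T1486"], "source": "endpoint"},
    {"name": "LSASS memory read", "techniques": ["T1003"], "source": "edr"},
    {"name": "RDP from new external IP", "techniques": ["T1021", "T1078"], "source": "network"},
]
# Constructed: sources actually onboarded. "edr" is absent, so the LSASS rule
# exists but can never fire: a visibility gap rather than a content gap.
ONBOARDED_SOURCES = {"endpoint", "identity", "network"}
# Constructed: techniques the team prioritised from its threat model.
PRIORITY_TECHNIQUES = ["T1566", "T1059", "T1078", "T1003", "T1021", "T1486", "T1110"]


def coverage_report(rules, onboarded, priorities):
    """Classify each priority technique: 'detected' (a rule maps to it and its
    source is onboarded), 'blind' (rules exist but no source is collected) or
    'gap' (no content maps to it). Also returns the live-coverage ratio."""
    by_technique = defaultdict(list)
    for rule in rules:
        for tech in rule["techniques"]:
            by_technique[tech].append(rule)
    report = {"detected": {}, "blind": {}, "gap": []}
    for tech in priorities:
        matching = by_technique.get(tech, [])
        if not matching:
            report["gap"].append(tech)
            continue
        live = [r["name"] for r in matching if r["source"] in onboarded]
        if live:
            report["detected"][tech] = live
        else:
            report["blind"][tech] = [r["name"] for r in matching]
    report["ratio"] = len(report["detected"]) / len(priorities)
    return report


if __name__ == "__main__":
    rep = coverage_report(RULES, ONBOARDED_SOURCES, PRIORITY_TECHNIQUES)
    for bucket in ("detected", "blind", "gap"):
        print(f"{bucket:9}{rep[bucket]}")
    print(f"live coverage: {rep['ratio']:.0%}")
```

With the sample data, four of the seven priority techniques have live detections, one (T1003) is blind because its EDR source is not onboarded, and two (T1566, T1110) have no content at all.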

XDR offers diverse threat detection and response. The mix of endpoint detection and response (EDR) and analytics from other tools “[provides] highly enriched telemetry, speedy investigations and automated response actions,” according to The Forrester Wave™.

Earlier this year, we explored the past, present and future of SIEM. One trend we studied is the continued adoption of behavioral-based analytics across users, devices, networks, apps and the cloud. From there, we saw the future of SIEM as open, with a need for more cohesive workflows powered by tools working together seamlessly.

Looking ahead to the end of 2020 and beyond, it’s intriguing to see industry efforts toward open security, standard protocols and collection of readings from multiple systems evolving into this new realm. With XDR, the industry is enabling a broader, more connected approach.

SIEM is Always Evolving

With eyes on how much security analytics has evolved in the past and looking ahead to upcoming changes, it becomes clear how important it is to select a partner that understands market needs.

IBM Security has been named a leader in The Forrester Wave™ for Security Analytics, Q4 2020 and had the highest score in the current offering category. Check out The Forrester Wave™ for the current overview of the security analytics market.

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings and comments. Forrester does not endorse any vendor, product or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
