The authors of The Forrester Wave™ turn to a quote from ‘The Empire Strikes Back’ to sum up the direction of SIEM: “You truly belong here with us among the clouds.” Sticking with ‘Star Wars’ for guidance, we might also find some truth in ‘The Phantom Menace’: “You can’t stop change, any more than you can stop the suns from setting.”

Security analytics has always needed to adapt to changing threats, and this year has been no exception. Threat detection, investigation and response are more complex than ever. Enterprise is shifting the workload to the cloud as employees work at home in an always-evolving threat landscape.

Therefore, modern security analytics is more than SIEM. It also needs to include SOAR, user and entity behavior analytics (UEBA) and sometimes extended detection and response (XDR).

As a buyer in 2020, what trends should you consider when making a purchase? Drawing on insights from ‘The Forrester Wave™: Security Analytics Platforms, Q4 2020’, cloud services will be key, and pave the way for a suite of features to look out for when choosing between solutions.

Download the report

SIEM Cybersecurity for Cloud Services

In the past, security analytics have been seen as an on-premise toolset. However, recent years have seen growth in software-as-a-service (SaaS) SIEM security tools. These have arisen in response to demands for lower capital expense in favor of a model based on operating expenses. SIEM tools delivered as SaaS also offer quicker time to value, are more flexible and scale easily.

Now, many vendors offer cloud deployment on infrastructure-as-a-service (running in AWS/Azure) and in containers. The deployment of these solutions can be even more flexible, providing better scale and portability.

Using SIEM via SaaS or cloud-hosted models “has enabled vendors to more quickly roll out new capabilities to their customers and decrease the management overhead for these systems,” the authors of the Forrester report state.

Fast and flexible cloud service is a major factor in the trends for additional features that SIEM buyers in 2020 should look for.


For enterprises, detection content and analytics straight from the vendor could be enough. However, enterprises with advanced use cases need more flexibility. In addition, power users need to be able to create custom analytics. Open analytics and machine learning are critical for custom detection.

Advanced Analytics

In 2018, Gartner predicted that 85% of UEBA would be a feature of broader security platforms. Many vendors support behavioral analytics and provide more data via network and endpoint detection tools. Two years later, threats and threat actors have evolved, demanding layered analytics such as:

  • Correlation, including multiple sources, threat data and out-of-the-box detection use cases.
  • Machine learning, including multiple statistical models applied to users, networks and assets.
  • Automation, including automated detection and response workflows and automated response for malware or phishing.


Over recent years, the MITRE ATT&CK framework has become the de facto threat detection framework, based on models of how attackers operate.

Teams need the ability to map their tasks — including visibility and detection, investigation and response — to the framework. Doing so can help reveal gaps in their walls and enable them to detect attacks before they progress. Picturing active exploits and attacks in progress provides context for threat hunters and responders that can help them act faster and with confidence when studying threats.


XDR offers diverse threat detection and response. The mix of endpoint detection and response (EDR) and analytics from other tools “[provides] highly enriched telemetry, speedy investigations and automated response actions,” according to The Forrester Wave™.

Earlier this year, we explored the past, present and future of SIEM. One trend we studied is the continued adoption of behavioral-based analytics across users, devices, networks, apps and the cloud. From there, we saw the future of SIEM as open, with a need for more cohesive workflows powered by tools working together seamlessly.

Looking ahead to the end of 2020 and beyond, it’s intriguing to see industry efforts toward open security, standard protocols and collection of readings from multiple systems evolving into this new realm. With XDR, the industry is enabling a broader, more connected approach.

SIEM is Always Evolving

With eyes on how much security analytics has evolved in the past and looking ahead to upcoming changes, it becomes clear how important it is to select a partner that understands market needs.

IBM Security has been named a leader in The Forrester Wave™ for Security Analytics, Q4 2020 and had the highest score in the current offering category. Check out The Forrester Wave™ for the current overview of the security analytics market.

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings and comments. Forrester does not endorse any vendor, product or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

More from Intelligence & Analytics

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

Accelerating security outcomes with a cloud-native SIEM

5 min read - As organizations modernize their IT infrastructure and increase adoption of cloud services, security teams face new challenges in terms of staffing, budgets and technologies. To keep pace, security programs must evolve to secure modern IT environments against fast-evolving threats with constrained resources. This will require rethinking traditional security strategies and focusing investments on capabilities like cloud security, AI-powered defense and skills development. The path forward calls on security teams to be agile, innovative and strategic amidst the changes in technology…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today