Last updated at Mon, 28 Oct 2019 18:31:55 GMT

If you’re looking for a SIEM solution, chances are you’ve at least heard of the Gartner Magic Quadrant for Security Information and Event Management (SIEM). But what about its companion guide, the Critical Capabilities report? Still yes, probably. If you want to understand the various features and integrations your peers need in a SIEM tool, that companion guide offers the additional depth you seek.

The critical capabilities highlighted in each annual report evolve as technology advances, but also as Gartner identifies trends in the differences between failed and successful SIEM projects. This trend is what is evident in this year’s report. Since our first security monitoring conversations with customers in 2012, the Rapid7 team heard two very consistent pains with traditional SIEM capabilities:

  1. Not knowing what an end user actually did.
  2. Only having basic log pattern matching for analysis.

So…if these were the problems SIEM wasn’t solving, they were obviously our best opportunity to enter the market. UserInsight was our user behavior analytics (UBA) offering we launched in late 2013 and its entire mission was to solve these two problems before tackling any others. We began by using graph mining and entity relationship modeling to baseline all the relationships between users and assets in each environment to detect when authentications look like attacker behavior or lateral movement. Then, we developed heuristics for differentiating between user, service, and administrator accounts, so that each would be baselined according to different expectations.

Then, we rubbed some magical “artificial intelligence” ointment on it. Just kidding—that snake oil marketing isn’t for us. Instead, we started chasing new stealthy attack techniques. We added deception technology for attacker behavior we couldn’t see in logs. Once our customers started getting answers to the questions their SIEM couldn’t, it was time to figure out how to help with the dual portal problem UBA and SIEM had introduced. We had to solve for the other SIEM use cases, so we acquired Logentries and combined it with UserInsight.

But, we had long ago convinced ourselves that endpoint visibility was key to detecting early in the attack chain. InsightIDR was launched as more than just UserInsight plus Logentries. It also included enhanced endpoint detection and response capabilities using both the Insight agent and our existing endpoint scan. This endpoint analysis enabled new advanced analytics like detection for protocol poisoning and statistical anomaly detection for service creation events to detect tools using PsExec or similar techniques.

Without these iterative developments to attack these SIEM pains, we never would have built a solution Gartner rates as ‘Excellent’, which is over 4 on a 5 point scale, in both ‘User Monitoring’ and ‘Advanced Analytics’ in this year’s Critical Capabilities for Security Information and Event Management report. These are Gartner’s classifications for the types of technology we use to address the very pains we have heard since we first started listening.

For the full description and to see how we’re rated in other areas, get your free copy of the SIEM Critical Capabilities today.

If you’d like to try InsightIDR in your environment, you can also sign up for a free, full-featured trial here.