Security information and event management (SIEM) is a blue-collar tool for network security professionals. There’s nothing remotely glamorous about auditing, reviewing and managing event logs, but it’s one of the more important aspects of building a secure enterprise network.
Network security has matured to the point where myriad tools (machine-learning-backed firewalls, hardened web application servers, cloud services, etc.) make the act of attacking an enterprise network a tall order. Monitoring each layer, service and device in a holistic, top-down manner is critical to providing context to log events. Applying automated remediation tasks to log events takes many of these SIEM tools to another level.
Due to the nature of event logs, they are often a secondary attack surface for malicious users looking to obfuscate their activity and cover their tracks. SIEM tools often provide an additional layer of protection for your event logs by offloading them to a server or service purpose-built for the task, giving a means to prevent editing or deletion, and even creating backup copies.
Below are overviews of the top 12 SIEM tools and summaries of peer-review ratings from Gartner Peer Insights.
AlienVault’s Unified Security Management (USM) platform provides tools to monitor, analyze and manage your system events across a wide range of systems. Adding your system components and recognizing new candidates for inclusion is facilitated through asset discovery and inventory.
AlienVault USM is more than just a SIEM solution. In addition to monitoring and managing your event logs, the platform provides tools for both vulnerability assessment and intrusion detection (both network- and host-based), adding value for customers who might not have these capabilities in place. AlienVault also offers OSSIM (Open Source Security Information and Event Management), which, as the name suggests, is an open-source SIEM solution providing a subset of the tools available in the full USM suite.
Elastic does not offer a true SIEM platform (if PCI compliance is a requirement for your organization, you’ll need to look elsewhere), but Logstash allows log events from a wide array of sources to be parsed and handled using the Elastic Stack platform. In particular, Elastic offers tools such as Beats to move data, Elasticsearch to index and search large amounts of data, and Kibana to handle visualizations and analysis.
Logstash might be the most flexible of the tools on this list, but it comes with a couple of key concerns. The Elastic Stack platform is incredibly powerful, but it’s largely built for a DevOps world, and expectations should be set accordingly. On the other hand, the entirety of the Elastic Stack platform is open-source software, making it incredibly cheap to put through its paces. For customers looking for enterprise support or assistance in getting their solution set up, Elastic offers services to help in either scenario.
Exabeam boasts the highest Gartner Peer Insights rating of any of the 12 solutions in our list, and it’s not hard to see why. For starters, Exabeam’s Security Management Platform brings a big-data toolset to bear against your event logs, offering both performance and analytics benefits. Exabeam Data Lake supports as much data as you can throw at it, with pricing based on user count rather than data volume, and Exabeam offers multiple analytics strategies using both machine learning and a healthy selection of canned reports.
In addition to providing tools for compiling, aggregating and analyzing your event logs, Exabeam offers a toolset for handling incident response. Exabeam Incident Responder offers options for assigning incidents to personnel and tracking status updates as the incidents are worked. Incident Responder also leverages playbooks, both automatic and customized, that define the steps to be taken for different types of incidents as well as potential opportunities for automation and integration with other systems.
Fortinet offers a diverse range of network devices, with FortiSIEM as its SIEM solution. FortiSIEM offers asset discovery and role-based access in either an on-premises deployment using a hardware or virtual appliance, or within Amazon Web Services (AWS).
FortiSIEM is built to integrate, both in terms of gathering events and automating event response. The FortiSIEM Remediation Library offers built-in scripts that can be leveraged against devices and systems from a variety of vendors to perform remediation steps such as disabling a switch port or Active Directory account.
IBM has long been a leader in the enterprise software arena, and it’s fair to expect its QRadar SIEM platform to be able to handle large data sets and the myriad features needed in an enterprise event management solution. QRadar’s support for over 500 integrations and a built-in analytics engine are what you’ve come to expect from an IBM software product.
Watson, perhaps the world’s most marketed AI, can be leveraged against your event logs using IBM QRadar Advisor with Watson. Advisor allows your security team to focus on anomalous behavior without having to manually identify trends. Watson Advisor also incorporates new threat intel from external sources to identify zero-day attacks.
LogPoint users tout the easy setup process as a key point, and the licensing structure makes cost projections clear. Licensing is based on the number of devices sending data to the SIEM, not on users or throughput.
LogPoint uses User and Entity Behavior Analytics (UEBA) as its threat modeling and machine learning offering. UEBA enables customers to get up and running quickly without having to create or modify extensive rulesets.
LogRhythm offers a comprehensive SIEM suite that facilitates threat management from data collection through to remediation. LogRhythm offers LogRhythm XM in various sizes depending on your needs, or LogRhythm Enterprise, which supports scaling across multiple servers. Both are available in software or appliance-based solutions, and Enterprise supports a hybrid architecture as well.
Several add-ons are available for the core LogRhythm solutions. CloudAI is LogRhythm’s UEBA-based advanced threat detection offering. LogRhythm NetMon tracks network traffic in order to identify anomalous behavior and potential threats. LogRhythm also offers SysMon, its software agent-based sensor for monitoring users, applications and endpoints.
McAfee Enterprise Security Manager (ESM) is designed to provide analysts with the information critical to beginning the triage and incident response process. Events are evaluated in the context of related log entries, and ESM guides users through the preliminary investigative steps using actionable alerts.
Architectural and integration flexibility are key points with McAfee ESM. ESM is available as both physical and virtual appliances in a range of sizes, with virtual appliances supporting a wide array of hypervisors and cloud platforms. McAfee offers content packs that enable monitors and alerts for specific use cases or partner platforms, and integration partnerships with over a dozen third-party vendors make ESM incredibly extensible.
ArcSight Enterprise Security Manager (ESM) is a full-featured solution that checks all the boxes of an enterprise SIEM. ArcSight ESM supports a range of integrations and customization options, allowing security analysts to perform incident response from a single pane of glass. ArcSight’s Marketplace enables you to leverage new dashboards, reports or correlation rules with minimal fuss.
ArcSight ESM supports workflow-based automation, allowing analysts to quickly correlate events, reference them in a case, and respond or escalate as necessary. Each action taken can be audited and reported on to maintain service-level agreement (SLA) compliance and track response time. Integrations with third-party systems allow users to begin remediation, such as disabling ports or accounts, and rule sets can even be created to automate these steps.
RSA’s SIEM solution, RSA NetWitness, has many of the features necessary in an enterprise-level SIEM, including UEBA, automation tools and architecture flexibility (support for hardware and virtual appliances, software-based options, or cloud deployments). In addition, RSA NetWitness can add business context to incidents based on the asset or user being impacted, through integrations with RSA Archer and SecurID.
Encrypted or encoded event data or web traffic can be difficult to incorporate into your SIEM. RSA NetWitness applies a variety of decoding and analysis techniques, including decryption, decompression and entropy measurement, to surface this information and bring it into your SIEM workflow. This visibility into encrypted traffic can be the difference in determining whether the traffic is malicious or legitimate in nature.
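Entropy measurement, in the sense the paragraph above uses it, is a heuristic run over the raw text of an event: tokens whose characters are spread too evenly for natural language are likely encoded or encrypted payloads that should be routed for decoding before they are indexed. The following is an added Python example, not RSA NetWitness code; the sample log lines are constructed, and the token length and entropy thresholds are assumptions chosen for illustration.

```python
import math
import re
from typing import Dict, List, Tuple

# Heuristic thresholds (assumptions for this example, not any vendor's settings).
# Random hex tops out at 4 bits/char and random base64 at 6, while natural-language
# tokens found in logs usually score well under 4, so hex gets its own cut-off.
MIN_TOKEN_LEN = 20
HEX_THRESHOLD = 3.5
BASE64_THRESHOLD = 4.0
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{%d,}=*" % MIN_TOKEN_LEN)
HEX_RE = re.compile(r"[0-9a-fA-F]+")

# Constructed sample log lines (not real traffic): two plain requests, one carrying
# a base64 blob in a parameter, one carrying a hex-encoded value.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.6 - - "GET /static/applicationconfiguration HTTP/1.1" 200 2048',
    '10.0.0.7 - - "POST /api/upload?d=aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q= HTTP/1.1" 200 17',
    '10.0.0.9 - - "GET /api/sync?k=3a7f9c1e5b2d8e04c6a1b9d7e3f5a2c0 HTTP/1.1" 200 0',
]


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for a repeated symbol, log2(alphabet size) when uniform."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_tokens(line: str) -> List[Tuple[str, str, float]]:
    """Return (token, charset, entropy) for tokens that look encoded or encrypted."""
    hits = []
    for tok in TOKEN_RE.findall(line):
        charset = "hex" if HEX_RE.fullmatch(tok) else "base64"
        limit = HEX_THRESHOLD if charset == "hex" else BASE64_THRESHOLD
        ent = shannon_entropy(tok)
        if ent >= limit:
            hits.append((tok, charset, round(ent, 2)))
    return hits


def flag_lines(lines: List[str]) -> List[str]:
    """Lines carrying at least one high-entropy token; route these for decoding."""
    return [ln for ln in lines if suspicious_tokens(ln)]


if __name__ == "__main__":
    for ln in flag_lines(SAMPLE_LOGS):
        print(ln, suspicious_tokens(ln))
```

Long natural-language tokens such as the 32-character path in the second sample line score around 3.6 bits per character and pass, while the base64 blob scores about 4.3 and the hex value about 3.9 and are flagged.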