The top SIEM products: A buyer's guide
A collection of articles that takes you from defining technology needs to purchasing options
Security information and event management (SIEM) systems are designed to collect security log data from a wide variety of sources within an organization, including security controls, operating systems and applications. Once the SIEM has the log data, it processes the data to standardize its format, performs analysis on the "normalized" data, generates alerts when it detects anomalous activity, and produces reports upon request of the SIEM's administrators. Some SIEM products can also act to block malicious activity, such as by running scripts that trigger reconfiguration of firewalls and other security controls.
SIEM systems are available in a variety of forms, including cloud-based, hardware appliances, virtual appliances and traditional server software. Each form has similar capabilities, so the forms differ primarily in terms of cost and performance. Because each form has both good and bad points, representative products using all of the forms will be included in this article.
The products studied for this article are: AlienVault Open Source SIEM (OSSIM), EMC RSA Security Analytics, HP ArcSight Enterprise Security Manager (ESM), IBM Security QRadar SIEM, LogRhythm Security Intelligence Platform, McAfee Enterprise Security Manager, SolarWinds Log & Event Manager and Splunk Enterprise.
Each of these products has been evaluated against a set of seven criteria using information gathered from publicly available sources. The criteria are:
- The native support provided for the possible log sources;
- Supplementation of existing source logging capabilities;
- The use of threat intelligence;
- The availability of forensic capabilities;
- Features to assist in performing data examination and analysis;
- The quality of automated response capabilities, if offered; and
- The security compliance initiatives that have built-in reporting support.
Although these criteria cover many of the questions that organizations may want answered regarding the best SIEM products and services on the market, the criteria are intended only as a starting point for an organization to do a broader evaluation. The criteria are not complete, and each organization has a unique environment that necessitates a similarly unique evaluation of its SIEM options.
Criteria 1: How much native support does the SIEM provide for the relevant log sources?
Log sources for a single organization are likely to include a wide variety of enterprise security control technologies, operating systems, database platforms, enterprise applications and other software and hardware. Nearly all SIEM systems offer built-in support for acquiring logs from commonly used log sources, while a few SIEMs, such as Splunk Enterprise, take an alternate approach. These SIEMs are designed to be more flexible and support nearly any log source, but the tradeoff is that an administrator has to perform onboarding actions that tell the SIEM how to parse and process the logs for each type of log that the organization has.
It is not feasible to compare the relative log source coverage provided by different SIEM systems because of the sheer number of different types of log sources. For example, HP ArcSight ESM, IBM Security QRadar SIEM, LogRhythm Security Intelligence Platform, McAfee ESM and SolarWinds Log & Event Manager all state support for hundreds of log source types, and most of these vendors keep up-to-date, comprehensive lists of their supported log source types on their websites.
Because each organization has a unique combination of log sources, those looking to find the best SIEM product for their organization should be sure to have an inventory of their organization's potential log sources and to compare this inventory against the prospective SIEM products lists of supported log sources.
Criteria 2: Can the SIEM supplement existing logging capabilities?
Some of an organization's log sources may not log all of the security event information that the organization would like to monitor and analyze. To help compensate for this, some SIEM products can perform their own logging on log sources themselves; generally through some sort of SIEM agent deployment. Many organizations do not need this feature because their log generation is already robust, but for other organizations it can be quite valuable. For example, a SIEM with agent software installed on a host may be able to log events that the host's operating system simply cannot recognize.
Products that offer additional logging capabilities for endpoints include EMC RSA Security Analytics, LogRhythm Security Intelligence Platform and SolarWinds Log & Event Manager. At minimum, these SIEMs offer file integrity monitoring (which includes registry integrity monitoring on Windows hosts); some also offer process, network communications and user activity monitoring.
The McAfee ESM product takes a different approach to supplementing logging. Add-ons are available for enhanced database monitoring (the McAfee Database Event Monitor for SIEM) and application monitoring (the McAfee Application Data Monitor).
Criteria 3: How effectively can the SIEM make use of threat intelligence?sp
Most SIEMs can use threat intelligence feeds, which are either provided via the SIEM vendor (often from a third party) or acquired directly by the customer from a third party. Threat intelligence feeds contain valuable information about the characteristics of recently observed threats around the world, so they can enable the SIEM to identify malicious activity more quickly and with greater confidence.
All of the SIEMs studied for this article state that they provide support for threat intelligence feeds. EMC RSA Security Analytics, IBM Security QRadar SIEM and McAfee ESM all offer threat intelligence gathered by the SIEM vendor itself. HP ArcSight SIEM, SolarWinds Log & Event Manager, and Splunk Enterprise offer support for third-party threat intelligence feeds, and LogRhythm Security Intelligence platform is partnered with five major threat intelligence vendors to allow customers to use one of their feeds or a combination of those feeds. Finally, the AlienVault OSSIM, being open source, has community-supported threat intelligence feeds available.
Any organization interested in leveraging threat intelligence to improve the accuracy and performance of its SIEM should carefully investigate the quality of each available threat intelligence feed, particularly how often the threat intelligence is updated and how the vendor's confidence in each piece of intelligence is conveyed. For example, IBM Security QRadar SIEM provides relative scores for each threat along with the threat category; this helps facilitate better decision making when responding to threats.
Criteria 4: What forensic capabilities can the SIEM provide?
In addition to the enhanced logging capabilities that some SIEMs can provide to compensate for deficiencies in host-based log sources, as described under Criteria 2, some of the best SIEMs have network forensic capabilities. For example, a SIEM may be able to perform full packet captures for network connections that it determines are malicious.
EMC RSA Security Analytics and LogRhythm Security Intelligence Platform products offer built-in network forensic capabilities that include full session packet captures. Some other products, including McAfee ESM, can save individual packets of interest when prompted by a security analyst, but do not automatically save network sessions of interest.
Criteria 5: What features does the SIEM provide that assist in data examination and analysis?
Even though the goal for SIEMs is to automate as much of the log collection, analysis and reporting work as possible, the best SIEMs are also meant to be used by humans to expedite their examination and analysis of security events, such as supporting incident handling efforts. Typical features provided by SIEMs to support human examination and analysis of log data fall into two groups: search capabilities and data visualization capabilities.
The product that has the most robust search capabilities is Splunk Enterprise, which offers the Splunk Search Processing Language. This language offers over 140 commands that can be used to write incredibly complex searches to use on the SIEM's data. Another one of the best SIEMs in terms of search capabilities is LogRhythm Security Intelligence Platform, which offers multiple types of searches as well as pivot and drill down capabilities. For other SIEMs, there is little or no information publicly available on their search capabilities.
Visualization capabilities are difficult to compare across products, with several vendors only stating that their products can produce a variety of customized charts and tables. Some products, such as LogRhythm Security Intelligence Platform, also offer visualization of network flows. Other products, including Splunk Enterprise, can generate gauges, maps and other graphic formats in addition to charts and tables.
Criteria 6: How timely, secure and effective are the SIEM's automated response capabilities?
Most SIEMs offer automated response capabilities to attempt to block malicious activities that are currently occurring. Comparing the timeliness, security and effectiveness of these capabilities is necessarily going to be implementation- and environment-specific. For example, some products will run organization-provided scripts to reconfigure other enterprise security controls. So the characteristics of these responses are mostly dependent on how the organization writes those scripts, what they are designed to do, and how the organization's other security controls support the result of running the scripts.
SIEM systems that claim mitigation capabilities include HP ArcSight ESM (through the HP ArcSight Threat Response Manager add-on), IBM Security QRadar SIEM, LogRhythm Security Intelligence Platform, McAfee ESM, SolarWinds Log & Event Manager and Splunk Enterprise.
Criteria 7: For which security compliance initiatives does the SIEM provide built-in reporting support?
Many, if not most, security compliance initiatives have reporting requirements that a SIEM can help to support. It will save an organization time and resources if its SIEM is preconfigured to generate reports for the compliance initiatives to which it is subject.
Because of the sheer number of security compliance initiatives around the world and the numerous combinations of initiatives that individual organizations are subject to, it is not possible to evaluate compliance initiative reporting support in absolute terms. Instead, it is reasonable to look at several commonly encountered initiatives and how widely they are supported in terms of SIEM reporting:
- Federal Information Security Modernization Act of 2014
- Health Insurance Portability and Accountability Act
- ISO/IEC 27001/27002, Information Security Management
- Payment Card Industry Data Security Standard
- Sarbanes-Oxley Act
All five of these are natively supported by EMC RSA Security Analytics, HP ArcSight ESM, LogRhythm Security Intelligence Platform and SolarWinds Log & Event Manager. McAfee ESM supports all five except ISO/IEC 27001/27002. Information on native support from the other studied SIEM systems was not available.
Determining the best SIEM system for you
Each organization should perform its own evaluation, taking not only the information in this article into account, but also considering all other aspects of the SIEM that may be of importance to the organization. Because each SIEM implementation has to address a unique set of log sources and has to support different combinations of compliance reporting requirements, among other variations, the best SIEM system for one organization may not be suitable at all for another organization.
That being said, however, the criteria in this article do indicate some substantial differences among SIEM products in terms of the capabilities that their associated websites and available documentation state that they provide. For example, LogRhythm Security Intelligence Platform is the only studied SIEM product that strongly supports all seven criteria. Close behind it is McAfee ESM and SolarWinds Log & Event Manager, followed by EMC RSA Security Analytics, HP ArcSight ESM, and Splunk Enterprise. Any of these products are strong candidates for enterprise usage. For organizations that cannot afford a full-fledged commercial SIEM product, the AlienVault OSSIM offers some basic SIEM capabilities with no software costs.
In part one of this SIEM series, get an introduction to SIEM service and products
In part two, learn some of the benefits SIEM products offer to the enterprise
Part three discusses seven questions you should ask before buying a SIEM product