Published: 02 May 2016
Big data analytics, threat intelligence and machine learning have broadened the capabilities of security information and event management, technology that is used to normalize log data from disparate systems to correlate security event data for faster threat detection and response. With the whirl of advanced threat capabilities spinning up around SIEM tools, one thing hasn't changed, however: Tuning these systems requires continual care and feeding by dedicated security teams. Cloud and virtual environments are further complicating these deployments.
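As an added illustration of the normalize-then-correlate workflow described above (example code written for this page, not taken from any vendor's SIEM product), the Python below maps two constructed log formats, Linux sshd syslog lines and a simplified key=value rendering of Windows logon events 4624 and 4625, onto one common schema, then runs a single correlation rule across both sources: several failed logons from one source address followed by a successful logon within a short window. The sample log lines, the assumed year and UTC timezone, the key=value layout, and the threshold and window values are all assumptions made for this example.

```python
"""Added example: SIEM-style log normalization and cross-source correlation."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not real data). Syslog lines carry no year, so the
# example assumes 2016 and UTC for both sources; a real SIEM takes the year and
# timezone from the collector that forwarded the event.
ASSUMED_YEAR = 2016

LINUX_AUTH_LOG = [
    "May  2 10:00:01 web01 sshd[1234]: Failed password for admin from 203.0.113.5 port 5001 ssh2",
    "May  2 10:00:05 web01 sshd[1234]: Failed password for admin from 203.0.113.5 port 5002 ssh2",
    "May  2 10:00:09 web01 sshd[1234]: Failed password for invalid user root from 203.0.113.5 port 5003 ssh2",
]

# Simplified key=value rendering of Windows Security events 4625 (failed logon)
# and 4624 (successful logon); this layout is constructed for the example.
WINDOWS_SECURITY_LOG = [
    "2016-05-02T10:00:30Z dc01 EventID=4625 TargetUserName=admin IpAddress=203.0.113.5",
    "2016-05-02T10:00:45Z dc01 EventID=4624 TargetUserName=admin IpAddress=203.0.113.5",
    "2016-05-02T10:02:00Z dc01 EventID=4625 TargetUserName=bob IpAddress=198.51.100.7",
    "2016-05-02T10:02:10Z dc01 EventID=4624 TargetUserName=bob IpAddress=198.51.100.7",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\S+) port"
)
WINEVT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src_ip>\S+)"
)
WIN_OUTCOME = {"4624": "success", "4625": "failure"}


def normalize_linux(line):
    """Map one sshd syslog line onto the common schema; None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"], "src_ip": m["src_ip"],
            "outcome": "failure" if m["result"] == "Failed" else "success",
            "source": "linux-sshd"}


def normalize_windows(line):
    """Map one Windows logon event onto the same schema; None if unparsed or not a logon."""
    m = WINEVT_RE.match(line)
    if not m or m["eid"] not in WIN_OUTCOME:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "host": m["host"], "user": m["user"], "src_ip": m["src_ip"],
            "outcome": WIN_OUTCOME[m["eid"]], "source": "windows-security"}


def normalize_all():
    """Parse both constructed sources into one time-ordered event stream."""
    events = [normalize_linux(l) for l in LINUX_AUTH_LOG]
    events += [normalize_windows(l) for l in WINDOWS_SECURITY_LOG]
    return sorted((e for e in events if e is not None), key=lambda e: e["ts"])


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: >= threshold failures from one source IP, then a success within window.

    Because the rule keys on the normalized src_ip field, failures seen by the
    Linux host and the Windows host count toward the same sequence.
    """
    failures = defaultdict(list)  # src_ip -> [(timestamp, host), ...]
    alerts = []
    for e in events:
        if e["outcome"] == "failure":
            failures[e["src_ip"]].append((e["ts"], e["host"]))
            continue
        recent = [(t, h) for t, h in failures[e["src_ip"]] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute-force-then-success", "src_ip": e["src_ip"],
                           "user": e["user"], "failure_count": len(recent),
                           "hosts": sorted({h for _, h in recent} | {e["host"]}),
                           "first_failure": recent[0][0], "success_at": e["ts"]})
            failures[e["src_ip"]].clear()  # do not re-alert on the same failures
    return alerts


def run_demo():
    """Normalize the constructed logs and return the alerts the rule produces."""
    return correlate(normalize_all())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running the block prints one alert for 203.0.113.5: three sshd failures on web01 plus one 4625 on dc01, followed by a 4624 on dc01, all within the five-minute window. The single failure from 198.51.100.7 stays below the threshold and produces nothing, which is the tuning trade-off the article refers to: raise the threshold or shorten the window and you lose slow attempts, lower them and the analyst queue fills with noise.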
Who has the in-house resources to effectively implement SIEM tools on premises, across clouds and continually manage the tsunami of logs and alerts? More companies are rising to the challenge especially as vendors offer an array of options, from enterprise security platforms with optional threat intelligence feeds -- IP and URL reputation data -- to log management software and appliances.
We polled 133 North American IT and information security professionals at midsize and large enterprises who have funded SIEM projects or technology purchases for the next 12 months. Investment in SIEM tools ranked high among security technologies, according to TechTarget's Q1 research.
Roughly half of the readers we surveyed said their organizations have existing deployments of SIEM products, log management or advanced analytics. One-third reported some level of advanced threat detection and prevention.
"We continue to see large companies that are re-evaluating SIEM vendors to replace SIEM technology associated with partial, marginal or failed deployments," noted analysts Kelly M. Kavanagh and Oliver Rochford, co-authors of a Gartner July 2015 report on SIEM.
But 45% of those TechTarget polled said their company had not previously adopted SIEM tools or advanced analytics. As companies build out their deployments or invest for the first time, which SIEM technologies made their short lists?
Not surprisingly, Splunk is shortlisted by 45% of those surveyed. The machine-generated data platform, which is focused on logging application data for complex event processing, gained more security cred in July 2015 when it acquired Caspida, a machine learning and behavioral analytics startup. The company's Splunk Enterprise software platform is available for on-premises deployment, and Splunk Cloud runs on Amazon Web Services.
The other SIEM products on the short list each garnered an impressive 22% or more of the votes. HP ArcSight's SIEM offers Enterprise Security Management software and big data analytics for security operations centers, as well as log management software and appliances for midsize SIEM deployments.
AlienVault's Unified Security Management platform is a commercial software and appliance offering based on Open Source SIEM. The company offers USM for Amazon Web Services. Targeted at smaller enterprises, the USM technology is also tied into the company's Open Threat Exchange. IBM Security's QRadar SIEM, LogRhythm's Security Intelligence Platform and SolarWinds' Log and Event Management software rounded out the Readers' Top Five list.
SIEM products have primarily been used for compliance requirements and reporting, but more companies are investing in them to improve their response to targeted attacks; 71% of readers surveyed said they seek to analyze alerts and security data in real time. Compliance requirements ranked second at 48%, but many organizations likely use SIEM tools to address a mix of regulatory issues and threat response.
"The greatest area of unmet need is effective targeted attack and breach detection," according to the findings in Gartner's July report. "Organizations are failing at early breach detection, with more than 92% of breaches undetected by the breached organization. The situation can be improved with stronger threat intelligence, the addition of behavior profiling and better analytics."
In addition to "real-time" analytics, SIEM tools are expected to increase their capabilities to monitor virtual and cloud environments. About one-third (36%) of the IT and business professionals surveyed said their organization needs to monitor cloud-based security products and logs, while the majority (64%) said they do not have such plans.
Only one-third of those surveyed said they are looking for cloud-based managed security service providers for their SIEM deployment. The majority are not planning to use managed services for this project.
About the author:
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter: @RichardsKath.