
Four SIEM capabilities to differentiate SIEM vendors

To stay current in the security information and event management market, vendors must not only offer what customers need but also differentiate themselves from the rest of the pack. Learn how this is being done.

Along with the changing expectations security teams place on them, security information and event management platforms have themselves undergone a period of evolution. Vendors that were once niche players in a now-crowded field have not only overhauled their products in response to the growing list of requirements enterprises expect them to meet, but have also added new capabilities to differentiate themselves from other vendors.

The SIEM market is not static, and yesterday's leaders are no longer the sure bet they once were. Many products have added or improved their capabilities in a number of areas. Below are four capabilities vendors are using to gain a foothold in the marketplace, and to work their way into your network.

Application and database monitoring

Making sense of log files and collecting network activity are core functions of SIEM platforms. But a network-centric view of security is of limited use: how applications work and how users should interact with them cannot be determined at the network layer, so misuse must be judged in the context of the application's function. For this reason, additional data collection and analysis capabilities have been integrated -- or in some cases fully merged -- into SIEM platforms. Application monitoring, database activity monitoring and file integrity monitoring are common additions. These features compare observed activity against what is normal for the application and are therefore better able to distinguish acceptable behavior from an attack.

Identity services integration

The need to map real user identities to observed activity has prompted SIEM vendors to integrate with identity management systems such as LDAP and Active Directory. Rather than listing a generic service account name (e.g., app user) or local account name, SIEM platforms can cross-reference these generic identifiers with the actual user identity behind them. This provides a clear picture of a user's behavior across multiple accounts at different network, service and application layers.

Big data engines

In response to the ever-increasing need to store large amounts of data quickly and perform near-real-time analysis on vast data sets, many SIEM vendors have moved their platforms away from traditional relational data storage and now use non-relational big data engines (e.g., Hadoop) and the data management and storage techniques that come with them. These platforms are more elastic -- scaling well beyond relational platforms -- and offer unparalleled data insertion rates, which allows for faster performance at a higher volume of events. While they lack many of the benefits of relational platforms (relational storage, transactional integrity), they offer other benefits beyond insertion speed and scalability, such as intrinsic resistance to hardware failures and flexible data-type storage.

Parallel processing

The use of MapReduce query techniques in big data engines allows for massively parallel query operations, speeding up data analysis. Further, aggregating, normalizing and correlating data in advance is no longer necessary: within a MapReduce query, the mapping function can handle correlation and the reduction function accomplishes the aggregation. This means data is available to be searched almost instantaneously.
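A compact illustration of the identity integration and parallel processing ideas above (and the baseline comparison from the application monitoring section): the map step resolves generic service accounts to the real user behind them, the reduce step aggregates that user's activity across layers, and a final check compares the result to a normal baseline. This is an added example, not any vendor's code; it assumes key=value log lines, a single-process stand-in for a real MapReduce job, and that the source address within a login session is enough to tie application and database activity back to the network-layer identity (the log lines, account names and baseline values are constructed).

```python
from collections import defaultdict
# Constructed sample events from three layers (not real log data); the
# account names and addresses are made-up placeholders.
EVENTS = [
    "ts=10:00:01 layer=network src=10.0.0.5 user=jdoe action=login",
    "ts=10:00:05 layer=app src=10.0.0.5 account=app_user action=export_report",
    "ts=10:00:09 layer=db src=10.0.0.5 account=svc_db action=select rows=50000",
    "ts=10:01:00 layer=network src=10.0.0.7 user=asmith action=login",
    "ts=10:01:03 layer=app src=10.0.0.7 account=app_user action=view_report",
    "ts=10:01:05 layer=db src=10.0.0.7 account=svc_db action=select rows=120",
]

def parse(line):  # key=value log line -> dict
    return dict(kv.split("=", 1) for kv in line.split())

def build_identity_index(events):
    """Assumed stand-in for the LDAP/AD lookup: the network-layer login tells
    us which directory user authenticated from each source address."""
    index = {}
    for ev in map(parse, events):
        if ev["layer"] == "network" and ev["action"] == "login":
            index[ev["src"]] = ev["user"]
    return index

def map_event(ev, identity_index):
    """Map phase (correlation): replace a generic service account with the
    real user behind it, keyed on the session's source address."""
    user = ev.get("user") or identity_index.get(ev["src"], ev.get("account"))
    rec = {"layer": ev["layer"], "action": ev["action"], "rows": int(ev.get("rows", 0))}
    return user, rec

def reduce_events(pairs):
    """Reduce phase (aggregation): roll up each user's activity across layers."""
    summary = defaultdict(lambda: {"actions": defaultdict(int), "rows": 0})
    for user, rec in pairs:
        summary[user]["actions"][rec["layer"] + ":" + rec["action"]] += 1
        summary[user]["rows"] += rec["rows"]
    return dict(summary)

def correlate(events):
    """Run the (single-process) map and reduce passes over raw log lines."""
    index = build_identity_index(events)
    return reduce_events(map_event(parse(line), index) for line in events)

def flag_over_baseline(summary, baseline_rows, factor=10):
    """Application-layer check: users whose aggregated database rows exceed
    their normal per-session baseline (constructed) by more than `factor`."""
    return sorted(u for u, s in summary.items()
                  if s["rows"] > baseline_rows.get(u, 0) * factor)
```

Here the export of 50,000 rows under the shared `svc_db` account is attributed to `jdoe` rather than to the service account, which is what lets the baseline check single out one user instead of one shared credential.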

About the author:
Adrian Lane is CTO of Phoenix-based analyst firm Securosis. Adrian specializes in database security, data security and software development. He is a former executive at security and software companies such as Ingres, Oracle, Unisys and IPLocks, and is a frequent presenter at industry events. Adrian is a graduate of the University of California at Berkeley with post-graduate work in operating systems at Stanford University. Reach Adrian via email at


This was last published in December 2014

What differentiating SIEM capabilities does your organization seek from SIEM vendors?
SIEMs are enormously complex to manage, and that's why the ability to manage a SIEM without hiring a team of a half-dozen PhDs is nice. We've looked at a bunch of potential providers, but it looks like we're going to go with the Splunk cloud-based option, because it seems to be the most intuitive yet powerful platform. Other SIEMs like RSA are enormously powerful, but we could tell how complex they were during the demos.