Seven criteria for evaluating today's leading SIEM tools
Using criteria and comparison, expert Karen Scarfone examines the best SIEM software on the market to help you determine which one is right for your organization.
Security information and event management (SIEM) systems collect security log data from a wide variety of sources within an organization, including security controls, operating systems and applications.
Once the SIEM has the log data, it processes the data to standardize its format, performs analysis on the normalized data, generates alerts when it detects anomalous activity and produces reports on request for the SIEM's administrators. Some SIEM products can also act to block malicious activity, such as by running scripts that trigger the reconfiguration of firewalls and other security controls.
SIEM systems are available in a variety of forms, including cloud-based software, hardware appliances, virtual appliances and traditional server software. Each form has similar capabilities, so they differ primarily in terms of cost and performance. Because each type has both good and bad points, representative products using all of them will be included in this article.
The SIEM tools studied for this article are AlienVault Inc. Open Source SIEM (OSSIM), Hewlett Packard Enterprise (HPE) ArcSight Enterprise Security Manager (ESM), IBM Security QRadar SIEM, LogRhythm Inc. Security Intelligence Platform, RSA Security Analytics, Splunk Inc. Enterprise Security, SolarWinds Worldwide LLC Log & Event Manager and McAfee LLC Enterprise Security Manager (ESM).
The criteria for comparison are:
- the native support provided for the possible log sources;
- the supplementation of existing source logging capabilities;
- the use of threat intelligence;
- the availability of network forensics capabilities;
- features to assist in performing data examination and analysis;
- the quality of automated response capabilities, if offered; and
- the security compliance initiatives that have built-in reporting support.
Although these criteria cover many of the questions that organizations may want answered regarding the best SIEM products and services on the market, they are only a starting point for organizations to do broader evaluations of SIEM tools. They are not complete, and each organization has a unique environment that necessitates a similarly unique evaluation of its SIEM options.
Editor's note
Using extensive research into the SIEM market, TechTarget editors focused on the vendors that lead in market share, plus those that offer traditional and advanced functionality. Our research included data from TechTarget surveys, as well as reports from other respected research firms, including Gartner.
Criteria 1: How much native support does the SIEM provide for the relevant log sources?
Log sources for a single organization are likely to include a wide variety of enterprise security control technologies, operating systems, database platforms, enterprise applications, and other software and hardware.
Nearly all SIEM systems offer built-in support to acquire logs from commonly used log sources, while a few SIEMs, such as Splunk Enterprise Security, take an alternate approach. These SIEM tools are more flexible and support nearly any log source, but the tradeoff is that an administrator has to perform integration actions to tell the SIEM software how to parse and process each type of log the organization collects.
It is not feasible to compare the relative log source coverage provided by different SIEM systems because of the sheer number of different types of log sources. For example, HPE ArcSight ESM, IBM Security QRadar SIEM, LogRhythm Security Intelligence Platform, and SolarWinds Log & Event Manager all claim support for hundreds of log source types, and most of these SIEM vendors keep up-to-date, comprehensive lists of the log source types they support on their websites.
Because each organization has a unique combination of log sources, those looking to find the best SIEM software for their organization should be sure to create an inventory of their organization's potential log sources and to compare this inventory against the prospective SIEM product's list of supported log sources.
Criteria 2: Can the SIEM supplement existing logging capabilities?
Some of an organization's log sources may not log all of the security event information that the organization would like to monitor and analyze. To help compensate for this, some SIEM tools can perform their own logging on log sources, generally using some sort of SIEM agent deployment.
Many organizations do not need this feature because of their robust log generation, but for other organizations, it can be quite valuable. For example, a SIEM with agent software installed on a host may be able to log events that the host's operating system simply cannot recognize.
Products that offer additional log management capabilities for endpoints include LogRhythm Security Intelligence Platform, RSA Security Analytics, and SolarWinds Log & Event Manager. At a minimum, these SIEM tools offer file integrity monitoring, which includes registry integrity monitoring on Windows hosts. Some also offer network communications and user activity monitoring.
Criteria 3: How effectively can the SIEM make use of threat intelligence?
Most SIEMs can use threat intelligence feeds, which the SIEM vendor provides -- often from a third party -- or that the customer acquires directly from a third party. Threat intelligence feeds contain valuable information about the characteristics of recently observed threats around the world, so they can enable the SIEM to perform threat detection more quickly and with greater confidence.
All of the SIEM vendors studied for this article state that they provide support for threat intelligence feeds. RSA Security Analytics, IBM Security QRadar SIEM and McAfee ESM all offer their own threat intelligence. HPE ArcSight ESM, SolarWinds Log & Event Manager, and Splunk Enterprise Security offer support for third-party threat intelligence feeds, and the LogRhythm Security Intelligence Platform works with six major threat intelligence vendors to allow customers to use one feed or a combination of feeds. Finally, AlienVault OSSIM, being open source, has community-supported threat intelligence feeds available.
Any organization interested in using threat intelligence to improve the accuracy and performance of its SIEM software should carefully investigate the quality of each available threat intelligence feed, particularly its confidence in each piece of intelligence and the feed's update frequency. For example, IBM Security QRadar SIEM provides relative scores for each threat along with the threat category; this helps facilitate better decision making when security teams respond to threats.
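As an added illustration (not code from the article or from any vendor named in it), the following Python sketch shows why indicator confidence and feed update frequency matter when a SIEM consumes threat intelligence: normalized log events are matched against a constructed feed, and each hit is scored by the feed's stated confidence, discounted when the entry is stale. The feed entries, log lines, field names and the 90-day staleness threshold are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed threat-intelligence feed: indicator, category, vendor-supplied
# confidence (0-100) and the time the entry was last updated by the feed.
TI_FEED = [
    {"indicator": "203.0.113.45", "category": "c2", "confidence": 90,
     "updated": "2017-03-01T00:00:00Z"},
    {"indicator": "198.51.100.7", "category": "scanner", "confidence": 40,
     "updated": "2016-09-01T00:00:00Z"},
]

# Constructed firewall log lines in a vendor-neutral key=value format.
LOG_LINES = [
    "2017-03-02T10:15:00Z action=allow src=10.0.0.5 dst=203.0.113.45 dport=443",
    "2017-03-02T10:16:00Z action=deny src=198.51.100.7 dst=10.0.0.9 dport=22",
    "2017-03-02T10:17:00Z action=allow src=10.0.0.5 dst=192.0.2.10 dport=80",
]

MAX_AGE = timedelta(days=90)  # assumed threshold after which an entry is stale

def parse_iso(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalize(line):
    """Turn one raw log line into the normalized event dict a SIEM would store."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["timestamp"] = parse_iso(ts)
    return event

def score_indicator(entry, event_time):
    """Effective score: the feed's confidence, halved when the entry is older
    than MAX_AGE at the time of the event, so stale intelligence alerts less."""
    age = event_time - parse_iso(entry["updated"])
    return entry["confidence"] // 2 if age > MAX_AGE else entry["confidence"]

def match_events(lines, feed, threshold=50):
    """Return one alert per event field (src/dst) that hits a feed indicator
    with an effective score at or above the threshold."""
    by_indicator = {e["indicator"]: e for e in feed}
    alerts = []
    for ev in map(normalize, lines):
        for field in ("src", "dst"):
            entry = by_indicator.get(ev.get(field))
            if entry is None:
                continue
            score = score_indicator(entry, ev["timestamp"])
            if score >= threshold:
                alerts.append({"ip": ev[field], "field": field,
                               "category": entry["category"], "score": score})
    return alerts
```

With the constructed data, the six-month-old scanner entry is discounted below the threshold and only the fresh command-and-control hit produces an alert; lowering the threshold surfaces the stale match as well.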
Criteria 4: What forensic capabilities can the SIEM provide?
In addition to the enhanced logging capabilities that some SIEMs can provide to compensate for deficiencies in host-based log sources, as described in criteria 2, some of the best SIEMs have network forensic capabilities. For example, a SIEM tool may be able to perform full packet captures for network connections that it determines are malicious.
RSA Security Analytics and the LogRhythm Security Intelligence Platform offer built-in network forensic capabilities that include full session packet captures. Some other SIEM software, including McAfee ESM, can save individual packets of interest when prompted by a security analyst, but they do not automatically save network sessions of interest.
Criteria 5: What features does the SIEM provide that assist in data examination and analysis?
Even though the goal of SIEM technology is to automate as much of the log collection, analysis and reporting work as possible, security teams still have to examine and analyze security events themselves, for example when handling incidents, and the best SIEM tools expedite that work. Typical features provided by SIEMs to support human examination and analysis of log data fall into two groups: search capabilities and data visualization capabilities.
The product that has the most robust search capabilities is Splunk Enterprise Security, which offers the Splunk Search Processing Language. This language offers over 140 commands that teams can use to write incredibly complex searches of data. Another one of the best SIEMs in terms of search capabilities is the LogRhythm Security Intelligence Platform, which offers multiple types of searches, as well as pivot and drill-down capabilities.
For other SIEM systems, there is little or no information publicly available on their search capabilities.
Visualization capabilities are difficult to compare across products, with several SIEM vendors only stating that their products can produce a variety of customized charts and tables. Some products, such as the LogRhythm Security Intelligence Platform, also offer visualization of network flows. Other products, including Splunk Enterprise Security, can generate gauges, maps and other graphic formats in addition to charts and tables.
Criteria 6: How timely, secure and effective are the SIEM's automated response capabilities?
Most SIEMs offer automated response capabilities to attempt to block malicious activities occurring in real time. Comparing the timeliness, security and effectiveness of these capabilities is necessarily implementation- and environment-specific.
For example, some products will run organization-provided scripts to reconfigure other enterprise security controls, so the characteristics of these responses are mostly dependent on how the security teams write those scripts, what they are designed to do and how the organization's other security operations support the result of running the scripts.
SIEM systems that claim mitigation capabilities include HPE ArcSight ESM -- through the HPE ArcSight Threat Response Manager add-on -- IBM Security QRadar SIEM, LogRhythm Security Intelligence Platform, McAfee ESM, SolarWinds Log & Event Manager, and Splunk Enterprise Security.
Criteria 7: For which security compliance initiatives does the SIEM provide built-in reporting support?
Many, if not most, security compliance initiatives have reporting requirements that a SIEM can help to support. If a company's SIEM is preconfigured to generate reports for its compliance initiatives, it can save time and resources.
Because of the sheer number of security compliance initiatives around the world and the numerous combinations of initiatives that individual organizations are subject to, it is not possible to evaluate compliance initiative reporting support in absolute terms. Instead, organizations should look at several common initiatives and how widely they are supported in terms of SIEM reporting.
Such compliance standards include:
- Federal Information Security Modernization Act of 2014
- Health Insurance Portability and Accountability Act
- ISO/IEC 27001/27002
- Payment Card Industry Data Security Standard
- Sarbanes-Oxley Act
- General Data Protection Regulation
RSA Security Analytics, HPE ArcSight ESM, LogRhythm Security Intelligence Platform, and SolarWinds Log & Event Manager natively support all six of these regulations. McAfee ESM supports five, with the exception of ISO/IEC 27001/27002. Information on native support from the other SIEM systems was not available.
Determining the best SIEM system for you
Each organization should perform its own evaluation, taking not only the information in this article into account, but also considering all the other aspects of SIEM that may be of importance to the organization. Because each SIEM implementation has to perform log management using a unique set of sources and has to support different combinations of compliance reporting requirements, the best SIEM system for one organization may not be suitable for other organizations.
However, the criteria in this article do indicate some substantial differences between SIEM software in terms of the capabilities that their associated websites and available documentation claim to provide.
For example, LogRhythm Security Intelligence Platform is the only SIEM product studied for this article that strongly supports all seven criteria, while SolarWinds Log & Event Manager supports five. Close behind it are McAfee ESM, RSA Security Analytics, HPE ArcSight ESM, and Splunk Enterprise Security, each with four.
All of these SIEM tools are strong candidates for enterprise usage. For organizations that cannot afford a full-fledged commercial SIEM product, AlienVault OSSIM offers some basic SIEM capabilities at no cost.