Top 9 SIEM Software Products of 2017
Introduction
Ensuring a proper level of cybersecurity is one of the top challenges facing companies. As the number of protection technologies rises constantly, making sense of events or alerts becomes an essential task for early incident detection and response.
This is where security information and event management (SIEM) can help. SIEM enables real-time monitoring and correlation of events, notifications and alerts from different console views, while also providing intelligence by analyzing and reporting collected data.
Learn Network Security Fundamentals
Here are the top 9 SIEM products of 2017:
- IBM Security QRadar
IBM Security QRadar was the best-positioned leader product on Gartner’s 2017 Magic Quadrant for SIEM technologies. This is an on-premises solution available via a stand-alone or distributed architecture — SIEM as a service (QRadar on Cloud) or as co-managed QRadar in partnership with IBM Managed Security Services.
Splunk's Security Intelligence Platform was also listed as a leader in Gartner’s 2017 Magic Quadrant for SIEM technologies. Splunk Enterprise is the primary component of the product. It can provide event and data collection, and features several analytics capabilities, search functions and visualizations.
Splunk can provide advanced analytics capabilities through several different means across its ecosystem, including built-in core search capabilities, a machine learning toolkit and several other options via third-party app providers.
LogRhythm Threat Lifecycle Management provides not only core SIEM functions, but also includes the options of add-ons for network and host monitoring.
LogRhythm's SIEM involves several components that can be run from a single appliance or individually including Data Collector, Data Processor, Data Indexer, AI Engine, Platform Manager and WebUI Services. This creates a reliable platform for companies that want core SIEM capabilities in addition to host and network monitoring capabilities, in a solution that can scale up to n-tier architectures.
McAfee Enterprise Security Manager (ESM) is another top rated SIEM product that provides critical information, such as real-time visibility into all activity across systems, networks, databases and applications. It provides the security team with continuous visibility into threats and risks, and facilitates decisive analysis that can accelerate investigations and other important tasks, such as the orchestration of security patches.
It is important to consider that McAfee ESM, when compared other top SIEM technologies, lacks advanced, machine-driven analytics capabilities. McAfee already plans to change the ESM platform to run on a big-data architecture in the near future, enabling the development of these lacking capabilities.
During September 2017, Hewlett Packard Enterprise (HPE) and Micro Focus closed a deal effectively turing the ArcSight SIEM product into a part of the Micro Focus business.
ArcSight Enterprise Security Manager (ESM) is Micro Focus’s core SIEM solution, providing real-time data correlation on up to 75,000 events per second, using functionalities such as workflow automation and security orchestration to drastically raise the effectiveness during the triage of detected alerts through the ArcSight Command Center (ACC).
ArcSight ESM supports the collection and parsing of data from a wide range of sources and connector customization. This allows for the normalization of a broad range of event sources and even the use of an open platform, enabling structured data to be used outside of the ArcSight solution.
Dell’s RSA NetWitness Suite focuses on real-time threat detection, incident response and investigation. It includes powerful tools for forensics and threat hunting, including full-packet network capture, security event and log data, NetFlow, and telemetry from endpoints. It can also perform event and data collection within the cloud, including IaaS providers such as AWS and Azure.
The NetWitness Suite adopts a single-solution approach for threat detection and event monitoring, investigation and response across network traffic, endpoints and other security event and log data sources. This allows for advanced threat detection, incident response, forensics and threat hunting, making it a great option for companies that have, or plan to, deploy a security operation center (SOC).
InsightIDR is Rapid7's SIEM solution, consisting of the InsightIDR service, EDR agents and honeypots. InsightIDR can provide main SIEM features such as log collection and management, threat detection rules and correlations, advanced analytics, dashboards, case management, workflow and reporting.
One of InsightIDR’s best advantages is being delivered as a service, effectively simplifying most of its architecture and implementation process, and also making it simpler to operate. Ongoing maintenance tasks such as performance management, upgrades and scaling are fully managed by Rapid7.
It is also important to consider the fact InsightIDR is a fairly new player into the SIEM market. It has less features when compared with other, more established SIEM solutions, including reporting and the number of supported log events and data sources.
Snypr Security Analytics is Securonix’s next-generation SIEM platform. It combines an open data model with log management, security incident and event management (SIEM) capabilities, and other features such as user and entity behavior analytics (UEBA) and fraud detection. This turns Snypr into a complete, end-to-end platform that can be deployed using a flexible approach and modular components.
While its deployment can be flexible, it’s important to note that Snypr runs on top of a commercial Hadoop platform, using a different architecture compared to more traditional SIEM solutions. This may extend the necessary learning curve to fully understand how to manage, monitor and troubleshoot the various components running on the platform (e.g., Kafka, Solr, HBase, Spark, HDFS, etc.).
Also, as Securonix has no native advanced threat defense solutions, Snypr depends on integrations with third-party solutions for those functions.
Exabeam Security Intelligence Platform is a set of different components that collectively deliver the Exabeam SIEM solution. It uses a variety of big-data technologies such as Elastic, Hadoop, Kafka and Spark.
Exabeam’s Security Intelligence Platform focus on providing comprehensive, end-to-end detection, analytics and response capabilities from a single security management and operations solution, while also having elastic scalability using a big-data and machine-learning architecture that ingests and analyzes data at any scale.
One of Exabeam’s advantages is its licensing approach: Instead of using traditional indicators such as the speed, volume of events, logs and contextual data analyzed, it is based simply on the number of users in an organization, which could mean lower costs.
It is important to note that, aside from its Advanced Analytics solution, Exabeam is not widely adopted when compared to most SIEM solutions on the market. It also lacks native support for network traffic analysis capabilities, making Exabeam dependent on third-party solutions.
Learn Network Security Fundamentals
Sources
- Gartner, "Magic Quadrant for Security Information and Event Management" by Kelly M. Kavanagh and Toby Bussa, December 4, 2017
- IBM Security QRadar
- Splunk's Security Intelligence Platform
- LogRhythm Threat Lifecycle Management
- McAfee Enterprise Security Manager (ESM)
- ArcSight SIEM
- RSA NetWitness Suite
- InsightIDR
- Snypr Security Analytics
- Exabeam Security Intelligence Platform