It’s a jungle out there! Ill-intentioned individuals are everywhere and they’re after you. Well, probably not you personally but rather your data. It’s no longer just viruses that we have to protect against but all sorts of attacks that can leave your network–and your organization–in a dire situation. Due to the proliferation of various protection systems such as antiviruses, firewalls, and intrusion detection systems, network administrators are now flooded with information that they have to correlate, trying to make sense of it.
This is where Security Information and Event Management (SIEM) systems come in handy. They handle most of the gruesome work of dealing with too much information. To make your job of selecting a SIEM easier, we’re presenting you the best Security Information and Event Management (SIEM) tools.
Today, we begin our analysis by discussing the modern threat scene. As we said, it’s no longer just viruses anymore. Then, we’ll try to better explain what SIEM is exactly and talk about the different components that make up a SIEM system. Some of them might be more important than others, but their relative importance will differ from one organization to another. And finally, we’ll present our pick of the six best Security Information and Event Management (SIEM) tools and briefly review each one.
The Modern Threat Scene
Computer security used to be just about virus protection. But in recent years, several different kinds of attacks have been uncovered. They can take the form of denial of service (DoS) attacks, data theft, and many more. And they no longer just come from the outside. Many attacks originate from within a network. So, for the ultimate protection, various types of protection systems have been invented. In addition to the traditional antivirus and firewall, we now have Intrusion Detection and Data Loss Prevention systems (IDS and DLP), for example.
Of course, the more systems you add, the more work you have managing them. Each system monitors some specific parameters for abnormalities and will log them and/or trigger alerts when they are discovered. Wouldn’t it be nice if the monitoring of all these systems could be automated? Furthermore, some types of attacks could be detected by several systems as they go through different stages. Wouldn’t it be far better if you could then respond to all related events as one? Well, this is exactly what SIEM is all about.
What Is SIEM, Exactly?
The name says it all. Security Information and Event Management is the process of managing security information and events. Concretely, a SIEM system does not provide any protection by itself. Its primary purpose is to make the life of network and security administrators easier. What a typical SIEM system really does is collect information from various protection and detection systems, correlate all this information by assembling related events, and react to meaningful events in various ways. Often, SIEM systems will also include some form of reporting and dashboards.
The Essential Components Of A SIEM Solution
We’re about to explore in more detail each major component of a SIEM system. Not all SIEM systems include all these components and, even when they do, they could have different functionalities. However, they are the most basic components that one would typically find, in one form or another, in any SIEM system.
Log Collection And Management
Log collection and management is the main component of all SIEM systems. Without it, there is no SIEM. The SIEM system has to acquire log data from a variety of different sources. It can either pull it or different detection and protection systems can push it to the SIEM. Since each system has its own way of categorizing and recording data, it is up to the SIEM to normalize data and make it uniform, no matter what its source is.
After normalization, logged data will often be compared against known attack patterns in an attempt to recognize malicious behavior as early as possible. Data will also often be compared to previously collected data to help build a baseline that will further enhance abnormal activity detection.
Once an event is detected, something must be done about it. This is what the event response module of the SIEM system is all about. The event response can take different forms. In its most basic implementation, an alert message will be generated on the system’s console. Often, email or SMS alerts can also be generated.
But the best SIEM systems go a step further and will often initiate some remedial process. Again, this is something that can take many forms. The best systems have a complete incident response workflow system that can be customized to provide exactly the response you want. And as one would expect, incident response does not have to be uniform and different events can trigger different processes. The best systems will give you complete control over the incident response workflow.
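The collect, normalize, correlate and respond chain described in the paragraphs above, as an added example that is not part of the original article and not taken from any of the products reviewed below. It ingests two constructed log formats (syslog-style sshd lines and JSON alerts from a hypothetical IDS sensor), normalizes them into one event schema, correlates them per source address against two pattern rules and a historical baseline, and then maps each finding's severity to a different response workflow. All log lines, IP addresses, rule names and the baseline figures are constructed for the example.

```python
"""Minimal SIEM-style pipeline: collect -> normalize -> correlate -> respond.

Added example, not vendor code. All sample data below is constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input in two source formats: syslog-style sshd lines
# (no year field) and JSON alerts from a hypothetical IDS sensor.
RAW_LOGS = [
    'Mar 10 08:00:01 bastion sshd[311]: Failed password for admin from 203.0.113.7 port 4011',
    'Mar 10 08:00:03 bastion sshd[311]: Failed password for admin from 203.0.113.7 port 4012',
    'Mar 10 08:00:05 bastion sshd[311]: Failed password for root from 203.0.113.7 port 4013',
    'Mar 10 08:00:09 bastion sshd[311]: Accepted password for admin from 203.0.113.7 port 4014',
    '{"time": "2024-03-10T08:00:07", "sensor": "ids1", "src": "198.51.100.9", "sig": "ET SCAN Nmap", "prio": 2}',
    'Mar 10 08:01:40 bastion sshd[315]: Accepted publickey for deploy from 198.51.100.9 port 5001',
    'Mar 10 08:02:00 bastion sshd[316]: Failed password for guest from 192.0.2.5 port 6001',
]

# Constructed baseline: failed logins per hour previously observed per source IP.
HISTORICAL_FAILURES = {'192.0.2.5': 4}

SYSLOG_RE = re.compile(
    r'^(?P<mon>\w{3}) (?P<day>\s?\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)'
)


def normalize(line, year=2024):
    """Turn one raw line from either source into the uniform event schema.

    Returns None for lines the collector does not understand, so unknown
    formats are dropped instead of crashing the pipeline."""
    if line.startswith('{'):
        rec = json.loads(line)
        return {'ts': datetime.fromisoformat(rec['time']), 'source': rec['sensor'],
                'src_ip': rec['src'], 'user': None, 'action': 'ids_alert', 'detail': rec['sig']}
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # syslog lines carry no year, so the collector has to supply one
    ts = datetime.strptime(f"{year} {m['mon']} {m['day'].strip()} {m['time']}", '%Y %b %d %H:%M:%S')
    return {'ts': ts, 'source': 'sshd', 'src_ip': m['ip'], 'user': m['user'],
            'action': 'login_failed' if m['result'] == 'Failed' else 'login_ok',
            'detail': line.split(': ', 1)[1]}


def correlate(events, window_s=60, threshold=3):
    """Group events by source IP and raise a finding when a known pattern matches."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e['ts']):
        by_ip[ev['src_ip']].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        failures, saw_ids = [], False
        for ev in evs:
            if ev['action'] == 'login_failed':
                failures.append(ev['ts'])
                # keep only the failures that fall inside the sliding window
                failures = [t for t in failures if (ev['ts'] - t).total_seconds() <= window_s]
            elif ev['action'] == 'ids_alert':
                saw_ids = True
            elif ev['action'] == 'login_ok':
                if len(failures) >= threshold:   # many failures, then success
                    findings.append({'rule': 'brute_force_success', 'severity': 'critical',
                                     'src_ip': ip, 'user': ev['user']})
                elif saw_ids:                    # scanner that later logged in
                    findings.append({'rule': 'scan_then_login', 'severity': 'high',
                                     'src_ip': ip, 'user': ev['user']})
                failures = []
    return findings


def baseline_anomalies(events, baseline, factor=3):
    """Flag IPs whose failed-login count exceeds `factor` times their historical rate."""
    counts = defaultdict(int)
    for ev in events:
        if ev['action'] == 'login_failed':
            counts[ev['src_ip']] += 1
    return [{'rule': 'failed_login_spike', 'severity': 'medium', 'src_ip': ip, 'user': None}
            for ip, n in counts.items() if n >= factor * baseline.get(ip, 1)]


def respond(findings):
    """Event response module: severity decides how far the workflow escalates."""
    actions = []
    for f in findings:
        tag = f"{f['rule']}:{f['src_ip']}"
        actions.append(f"console:{tag}")             # basic: alert on the console
        if f['severity'] in ('high', 'critical'):
            actions.append(f"email:{tag}")           # notify the on-call analyst
        if f['severity'] == 'critical':
            actions.append(f"sms:{tag}")
            actions.append(f"ticket:{tag}")          # open an incident and start the workflow
    return actions


def run_pipeline(lines=RAW_LOGS):
    events = [ev for ev in (normalize(l) for l in lines) if ev]
    findings = correlate(events) + baseline_anomalies(events, HISTORICAL_FAILURES)
    return events, findings, respond(findings)


if __name__ == '__main__':
    for action in run_pipeline()[2]:
        print(action)
```

The sliding window in `correlate` is what turns three unrelated failure records into one incident, and the baseline check catches the same address by a different route: neither rule fires for 192.0.2.5, whose single failure is well below its historical rate.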
Once you have the log collection and management and the response systems in place, the next building block you need is reporting. You might not know it just yet, but you will need reports. Upper management will need them to see for themselves that their investment in a SIEM system is paying off. You might also need reports for compliance purposes. Complying with standards such as PCI DSS, HIPAA, or SOX is easier when your SIEM system can generate compliance reports.
Reports may not be at the core of a SIEM system, but they are still an essential component. And often, reporting will be a major differentiating factor between competing systems. Reports are like candies: you can never have too many. And of course, the best systems will let you create custom reports.
Last but not least, the dashboard will be your window into the status of your SIEM system. And there could even be multiple dashboards. Because different people have different priorities and interests, the perfect dashboard for a network administrator will be different from that of a security administrator. And an executive will need a completely different one as well.
While we can’t evaluate a SIEM system by the number of dashboards it has, you need to pick one that has all the dashboard(s) you need. This is definitely something you’ll want to keep in mind as you evaluate vendors. And just like with reports, the best systems will let you build customized dashboards to your liking.
Our Top 6 SIEM Tools
There are lots of SIEM systems out there. Far too many, actually, to be able to review them all here. So, we’ve searched the market, compared systems, and built a list of what we found to be the six best security information and event management (SIEM) tools. We’re listing them in order of preference and we’ll briefly review each one. But despite their order, all six are excellent systems that we can only recommend you try for yourself.
Here’s what our top 6 SIEM tools are:
- SolarWinds Log & Event Manager
- Splunk Enterprise Security
- RSA NetWitness
- ArcSight Enterprise Security Manager
- McAfee Enterprise Security Manager
- IBM QRadar SIEM
1. SolarWinds Log & Event Manager
SolarWinds is a common name in the network monitoring world. Their flagship product, the Network Performance Monitor, is one of the best SNMP monitoring tools available. The company is also known for its numerous free tools such as their Subnet Calculator or their SFTP server.
SolarWinds’ SIEM tool, the Log and Event Manager (LEM), is best described as an entry-level SIEM system. But it’s possibly one of the most competitive entry-level systems on the market. The SolarWinds LEM has everything you can expect from a SIEM system. It has excellent log management and correlation features and an impressive reporting engine.
As for the tool’s event response features, they leave nothing to be desired. The detailed real-time response system will actively react to every threat. And since it’s based on behavior rather than signature, you’re protected against unknown or future threats.
But the tool’s dashboard is possibly its best asset. With a simple design, you’ll have no trouble quickly identifying anomalies. Starting at around $4,500, the tool is more than affordable. And if you want to try it first, a free, fully functional 30-day trial version is available for download.
2. Splunk Enterprise Security
Possibly one of the most popular SIEM systems, Splunk Enterprise Security–or Splunk ES, as it is often called–is particularly famous for its analytics capabilities. Splunk ES monitors your system’s data in real time, looking for vulnerabilities and signs of abnormal activity.
Security response is another of Splunk ES’ strong suits. The system uses what Splunk calls the Adaptive Response Framework (ARF), which integrates with equipment from more than 55 security vendors. The ARF performs automated response, speeding up manual tasks. This will let you quickly gain the upper hand. Add to that a simple and uncluttered user interface and you have a winning solution. Other interesting features include the Notables function, which shows user-customizable alerts, and the Asset Investigator for flagging malicious activities and preventing further problems.
Splunk ES is truly an enterprise-grade product and it comes with an enterprise-sized price tag. You can’t even get pricing information from Splunk’s web site. You need to contact the sales department to get a price. Despite its price, this is a great product and you might want to contact Splunk and take advantage of a free trial.
3. RSA NetWitness
Since 2006, NetWitness has focused on products supporting “deep, real-time network situational awareness and agile network response”. After being acquired by EMC, which then merged with Dell, the NetWitness business is now part of the RSA branch of the corporation. And this is good news, as RSA is a famous name in security.
RSA NetWitness is ideal for organizations seeking a complete network analytics solution. The tool incorporates information about your business, which helps prioritize alerts. According to RSA, the system “collects data across more capture points, computing platforms, and threat intelligence sources than other SIEM solutions”. There’s also advanced threat detection, which combines behavioral analysis, data science techniques, and threat intelligence. And finally, the advanced response system boasts orchestration and automation capabilities to help eradicate threats before they impact your business.
One of the main drawbacks of RSA NetWitness is that it’s not the easiest to use and configure. However, there is comprehensive documentation available which can help you with setting up and using the product. This is another enterprise-grade product and you’ll need to contact sales to get pricing information.
4. ArcSight Enterprise Security Manager
ArcSight Enterprise Security Manager helps identify and prioritize security threats, organize and track incident response activities, and simplify audit and compliance activities. Formerly sold under the HP brand, it has now merged with Micro Focus, another HP subsidiary.
Having been around for more than fifteen years, ArcSight is another immensely popular SIEM tool. It compiles log data from various sources and performs extensive data analysis, looking for signs of malicious activity. To make it easy to identify threats quickly, you can view the real-time analysis results.
Here’s a rundown of the product’s main features. It has powerful distributed real-time data correlation, workflow automation, security orchestration, and community-driven security content. The Enterprise Security Manager also integrates with other ArcSight products such as the ArcSight Data Platform and Event Broker or ArcSight Investigate. This is another enterprise-grade product–like pretty much all quality SIEM tools–that will require that you contact ArcSight’s sales team to get pricing information.
5. McAfee Enterprise Security Manager
McAfee is certainly another household name in the security industry. However, it is better known for its virus protection products. The Enterprise Security Manager is not just software. It is actually an appliance. You can get it in virtual or physical form.
In terms of its analytics capabilities, the McAfee Enterprise Security Manager is considered one of the best SIEM tools by many. The system collects logs across a wide range of devices. As for its normalization capabilities, it is also top notch. The correlation engine easily compiles disparate data sources, making it easier to detect security events as they happen.
To be fair, there’s more to the McAfee solution than just its Enterprise Security Manager. To get a complete SIEM solution, you also need the Enterprise Log Manager and Event Receiver. Fortunately, all products can be packaged in a single appliance. For those of you who may want to try the product before you buy it, a free trial is available.
6. IBM QRadar
IBM, possibly the best-known name in the IT industry, has managed to establish its SIEM solution, IBM QRadar, as one of the best products on the market. The tool empowers security analysts to detect anomalies, uncover advanced threats and remove false positives in real time.
IBM QRadar boasts a suite of log management, data collection, analytics, and intrusion detection features. Together, they help keep your network infrastructure up and running. There are also risk modeling analytics that can simulate potential attacks.
Some of QRadar’s key features include the ability to deploy the solution on-premises or in a cloud environment. It is a modular solution and one can quickly and inexpensively add more storage or processing power. The system uses intelligence expertise from IBM X-Force and integrates seamlessly with hundreds of IBM and non-IBM products.
IBM being IBM, you can expect to pay a premium price for their SIEM solution. But if you need one of the best SIEM tools on the market, QRadar might very well be worth the investment.
SIEM Vendors: Conclusion
The only problem you risk having when shopping for the best Security Information and Event Management (SIEM) tool is the abundance of excellent options.
We’ve just introduced the best six. All of them are excellent choices.
The one you’ll choose will largely depend on your exact needs, your budget and the time you’re willing to put into setting it up. Alas, the initial configuration is always the hardest part, and this is where things can go wrong, for if a SIEM tool is not properly configured, it won’t be able to do its job properly.