What feedback do enterprise tech professionals give about SIEM tools in Q2 2017?
Many users discuss valuable features such as threat protection and dynamic data input, while also addressing a common need for an improved reporting interface.
Ultimately, how have users benefitted from their security information and event management tools?
In the review excerpts below, our user community discusses Splunk, IBM Security QRadar SIEM, HPE ArcSight, AlienVault, and Fortinet FortiSIEM (AccelOps) -- and share their latest feedback from Q2 2017.
Mark Kline, an Information Architect at a financial services firm with 1,001-5,000 employees, lists the value his organization has seen in Splunk:
Splunk delivers a holistic view of an application (the big picture).
Splunk provides immediate visibility into key business metrics and new business insights that deliver immediate value.
Significant reduction in mean-time-to-investigate (MTTI) and mean-time-to-resolve (MTTR) production incidents from days to hours.
Splunk’s visualization capabilities help pinpoint problem areas, spikes, and anomalies easier and faster.
Ability to monitor and resolve integration problems before they impact the business user area.
Splunk is being used as part of the development life cycle, resulting in better quality and more efficient applications.
Provides additional insights into a 360-degree view of the customer.
However, Kline then adds, “We usually have to follow up with technical support on our open cases. Otherwise, Splunk listens to customers and is constantly incorporating their feedback in future releases.”
A Vulnerability Manager at a tech services company with 51-200 employees explains how IBM Security QRadar SIEM has helped his organization:
“The threat protection network is the most valuable feature because when you get an offense, you can actually trace it back to where it originated from, how it originated, and why…
Normally, an offense comes in and an offense is something negative, to put it plainly, that impacted your environment. Once it comes through, you can then see from the QRadar log sources, who or what triggered the offense.”
In the future, adds this vulnerability manager, “I would like to see a more user-friendly product. I would like them to make it much more user-friendly. At this stage, you need to use a lot of widgets to do your searches.”
A Product Specialist Security Solutions at a tech services company with 501-1,000 employees points to HPE ArcSight’s Active List/Session List capability as one of the tool’s most valuable features:
“Multiple use cases were only possible to be created due to this feature list. The feature list allows us to input data dynamically to list it as a rule action.
For example: If you need to take a Source IP from an IPS event and put it in an ActiveList suspicious IP, you can create another rule for AntiVirus events, where it only matches IPs within that list.”
For room for improvement, this product specialist points to the tool’s GUI interface, suggesting that “Although a lot of improvements were made on the GUI in the last version (6.9.1), there are still a lot of configurations that need to be done using the console.
The console is not a bad tool to use. I personally like to use it. However, compared to competitive solutions (Splunk, QRadar), it appears to be a weakness.”
Aaron Balillio, a Security Architecture and Operations Lead at a university with 1,001-5,000 employees, writes about AlienVault’s NIDS/HIDS features:
“The NIDS/HIDS features have probably been the best features for us in our environment. We've had some open-source options and, while they work, it isn't the same as having commercial support. SIEM is the second-most useful feature.”
Baillio also adds that AlienVault’s reporting capabilities “still need a lot of work, especially on the vulnerability side”, and that the vulnerability management UI “could be improved as well.”
Nick Korosi, a Network Engineer at a sports company with 51-200 employees emphasizes the benefits he’s seen from being able to write his own parsers for device logs:
“The ability to write my own parsers for the devices that are not supported by Fortinet is the most valuable feature. It’s impossible to find an application that supports every device/manufacturer that we have. Thus, being able to write my own parsers for device logs, allows for greater scalability…
It provides extremely fast and flexible querying of logs/events on the network. For example, it’s easy to write a quick query for all the “authentication” requests on the network, regardless of where they came from, i.e., during the past days, weeks or months.”
In terms of how Fortinet FortiSIEM (AccelOps) could improve later down the line, Korosi notes that “The reporting feature is not very attractive for the upper management and I am not able to perform complex/nested queries. However, it does function well for our day-to-day operations.”
Read more of the latest SIEM reviews from Q2 2017 on IT Central Station.
arcsight - splunk - rsa