
What are the must-haves for a SIEM solution?

Avigail Sugarman - PeerSpot reviewer
Community Manager at IT Central Station

Can you name a few based on the Solutions you have used?

88 Answers

Gabor Mayer - PeerSpot reviewer

- Organisation of the company
- Leadership commitment
- Enough money to get the full system
- The right choice
- Quality teaching
- Enough time to start a production plant
- The commitment of the owners of the systems involved
- A great deal of work from developers

it_user113184 - PeerSpot reviewer

An integrated solution that can help prevent, detect, prioritise, deep dive investigate and remediate incidents.

it_user126030 - PeerSpot reviewer

From my point of view, these are the top must-haves for any SIEM:
1. Log correlation that actually works :)
2. Detection of anomalies in network traffic
3. Good prioritization of alerts (automatic rejection of irrelevant ones -> good baselining capabilities are a prerequisite for this)
4. Good and easy event drill-down capabilities (by easy I mean simply clicking, not writing a new regex or query :) )


it_user130770 - PeerSpot reviewer

Well, from a solution perspective one can have as many ... I wanted to draw attention to business scope and requirements, and then see what product fits in and what one wants from a SIEM. Must-haves depend on what an org wants, but a baseline looks like this:

1. Which devices will you collect events from? The complete IT infra
2. Which events will you collect? Types of events like access, auth, activity
3. How long will you keep the logs? Retention time based on the regulation it is bound to
4. Where will you store the logs? Storage like arrays, depending on the volume
5. What type of reports and dashboards to get
6. Risk profiling and threat intelligence scorecard, RAG-type detailing, charting
7. Live event activity and APTs (called zero-days) hit, with forensic capabilities to deep dive

it_user3405 - PeerSpot reviewer

→ What are the must-haves for a SIEM solution? I think, to Vikas's point, it is important to determine the size and scope of the device; however, the question was based on must-haves, so if I were to answer the question it would be the following:
• Monitor S,J,N flows of the network (network anomaly detection)
• High-speed data correlation from multiple devices and sources (data correlation)
• Provide suggestions or point to the root cause (intelligent)
• Provide historical analysis to determine fluctuations and differences in traffic patterns (baselining)
• Real-time charting with reporting features that can be exported to other graphical solutions (reporting)
• Provide threat analysis tools and threat detection using centralized global analysis (threats are sent to a central processing center where they are analyzed for future updates if they are considered a zero-day attack) (future-proofing the solution and threat analysis)
• Interfaces with the existing equipment where the SIEM acts as a brain to thwart attacks: it works directly with IPS, NAC, HIDS, NIDS and AV, where the threats are sent to a correlation engine and the engine ranks the severity of the threat to perform an action of some sort on a device (e.g. the session is sent to a honeypot instead of production) (NAC communication).

→ A few that I have used:
• Enterasys NetSight Atlas (now Extreme Networks)
• IBM QRadar
• McAfee Nitro
• Sourcefire/Snort
• Security Onion (open source)
• Splunk
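The two capabilities that keep coming up in this thread, cross-source log correlation (it_user126030's item 1, the "data-correlation" bullet above) and baseline-driven alert prioritization (item 3, the "baselining" bullet), shown as an added Python example that is not from the thread or from any product named here; the log format, the rule thresholds and the history values are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed normalized line format: "<timestamp> <source> src=<ip> auth=<fail|ok>"
LINE_RE = re.compile(r"(?P<ts>\S+) (?P<source>\w+) src=(?P<src>\S+) auth=(?P<auth>\w+)")

# Constructed sample events from two log sources (sshd and vpn); not real data.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01 sshd src=10.0.0.5 auth=fail",
    "2024-01-01T10:00:02 vpn src=10.0.0.5 auth=fail",
    "2024-01-01T10:00:03 sshd src=10.0.0.5 auth=fail",
    "2024-01-01T10:00:09 sshd src=10.0.0.5 auth=ok",
    "2024-01-01T10:01:00 sshd src=10.0.0.7 auth=fail",
    "2024-01-01T10:01:30 sshd src=10.0.0.7 auth=ok",
]

# Constructed baseline: failed-auth counts per source IP per hour seen on earlier days.
HISTORY_FAILS_PER_HOUR = [1, 2, 1, 0, 2, 1, 1, 2]

def parse(lines):
    """Normalize raw lines from every source into one event schema."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def correlate(events, min_fails=3):
    """Cross-source rule: >= min_fails failures from one src, then a success."""
    fails = defaultdict(list)   # src ip -> list of sources that saw a failure
    alerts = []
    for e in events:
        if e["auth"] == "fail":
            fails[e["src"]].append(e["source"])
        elif e["auth"] == "ok" and len(fails[e["src"]]) >= min_fails:
            alerts.append({"src": e["src"], "fails": len(fails[e["src"]]),
                           "sources": sorted(set(fails[e["src"]]))})
    return alerts

def prioritize(alerts, history, z_threshold=2.0):
    """Baseline check: keep only alerts whose failure count is anomalous vs history."""
    mu, sigma = mean(history), pstdev(history) or 1.0   # avoid division by zero
    kept = []
    for a in alerts:
        z = (a["fails"] - mu) / sigma
        if z >= z_threshold:                # below threshold = rejected as noise
            kept.append(dict(a, z=round(z, 2)))
    return kept

def run(lines=SAMPLE_LOGS, history=HISTORY_FAILS_PER_HOUR):
    """Full pipeline: normalize, correlate across sources, then rank against baseline."""
    return prioritize(correlate(parse(lines)), history)
```

With a flat history of three failures per hour the same correlated alert is rejected, which is the "automatic rejection of irrelevant" behaviour the answer asks for.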


it_user130770 - PeerSpot reviewer

IT infra assessment (HML), EPS log estimation (sizing), compliance triggers, security intelligence and risk profiling in real time

it_user130770 - PeerSpot reviewer

Before the start of a SIEM, it is very important to set a scope. The scope is the driver behind the SIEM and can be related to compliance, security and operations. It can be a combination of all three and should encompass the entire company. It's highly important to know the driver behind the SIEM. Also, there should be a strategic voice across the company for infosec as a whole. The SIEM market is still growing, and most SIEM projects fail because companies do not know what they need a SIEM for. SIEM is a component of security planning and roadmap. It's important to have in mind: What happened? When did the event happen? Why did it happen? Can we stop it?

it_user146268 - PeerSpot reviewer

RSA enVision, Lancope and Splunk
