When evaluating Security Information and Event Management (SIEM), what aspect do you think is the most important feature to look for?

One of our community members wrote that what's important is "compatibility with diverse sources, including the ability to adapt to unknown ones, performance, and the ability to do multi-level correlation."

What do you think?

See other excellent answers below.

Ariel Lindenfeld - PeerSpot reviewer
Director of Community at PeerSpot
36 Answers
Security Consultant at Verizon Communications
Real User
Jun 5, 2018

Based on my experience with SIEM (7 years working with ArcSight on a daily basis), I would say that there are 3 main points.

1) Objectives
What would you like to do with the SIEM?
What do you have to achieve?
This is very important.

If you just need a solution to manage your logs and run searches for incident investigation,
I would use Splunk.

If you need to build security monitoring use cases with automatic notification,
I would use ArcSight or QRadar.

2) Perimeter to monitor
What is the size of the infra to monitor?
How many AD users?
How many logs per day?
Which logs to collect?
How many different vendors or log types?

If you have a big environment to monitor,
you have no other choice but to choose ArcSight.
If it is smaller, QRadar could be used.

3) Security Team
Who will work with the SIEM?
This is highly critical, because if you don't have a dedicated team with specific skills I would not recommend ArcSight: it is very complex and custom use is not documented enough.
You need an expert on site to be able to use this tool correctly and efficiently and to get the most out of it.
QRadar is less complex, but for sure it will be less flexible.

If you want to use another SIEM solution or open source, you first need to answer the 3 points above; then you need to check whether the solution is able to collect, process, parse and categorize the logs you have chosen for your use cases.
You have to verify how to build correlation and what the limits are.
You have to check whether you can build automatic notification.
You have to check the evolution: what will the new features be?
You have to ask for the roadmap.
You shouldn't choose something that won't be developed anymore.
It takes a lot of resources and time to build a SOC using a SIEM
and to configure the SIEM infra completely.
It is wrong to say that you can migrate easily to another solution. Completely wrong.

The last point: you need to verify the documentation and the support.
This is very important for bugs, issues or important missing features.

I hope this answer will help you.
You can contact me if you have a precise question.

Cyber Security Consultant at NETMONASTERY Inc.
May 3, 2019

When it comes to "features to look for in a SIEM" the answer is not simple and straightforward - as the saying goes: "one size fits all" doesn't work in this case.

Many infosec experts would argue that when it comes to security implementations, having a SIEM in place is the only way to go. That's because a traditional SIEM, without fail, significantly increases visibility into vulnerabilities. However, these platforms still struggle with collecting and correlating logs in siloed data stores (the various security point solutions throughout the enterprise), which is overkill when it comes to providing enterprise-wide insight to security teams. Here are some resources that you might explore to better evaluate as per your cybersecurity requirements:

Resources you might find useful:

> Ebook - Why you need a next-gen SIEM - http://bit.ly/2UZxwHn

> Blog - How to make the most of your next-gen SIEM - http://bit.ly/2UTzcC8

VP of Business Development at a tech company with 11-50 employees
Real User
Jun 5, 2018

Reducing false positives.

System Engineer at a government with 51-200 employees
Jun 5, 2018

Ease of deployment and building dashboards for people to use. Usability is a big issue for me. No product is good unless people can use it. I like out-of-the-box dashboards. I also like to deploy from a central console. The issue of storage and parsing can be solved through systems engineering. Some products, Splunk for example, have a nice ability to fragment the logs into chunks (I think they call them coolers) so you can partition the data off for backup and recovery plus parsing. Not sure if SolarWinds LEM offers this. I like the SolarWinds LEM out-of-the-box dashboards.

it_user324942 - PeerSpot reviewer
Network admin/security at a government with 1,001-5,000 employees
Real User
Jun 4, 2018

Ability to quickly extract information when required (forensic). The ease with which you can integrate the devices that are logging (agnostic). Ability of the device to capture all your required logging and maintain it for a reasonable time frame (capacity).

it_user331212 - PeerSpot reviewer
Sr. Network Admin at a wholesaler/distributor with 1,001-5,000 employees
Oct 20, 2015

Real-time threat analysing and reporting capabilities

it_user831168 - PeerSpot reviewer
CEO with 11-50 employees
Real User
Jun 5, 2018

Well, actually very much to say.

To boil it down:

- What's the scope of your responsibility? If all IT operations, most can be achieved.
- Standard adapters: configuring log parsers and caring for updates is a kind of work to be avoided.
- Predefined correlations (multi-level) that you may adapt. Doing all that work yourself is quite a lot. More and more, anomaly detection is maturing as a complementary, general concept. Good if the vendor has such a module under development.
- Performance
- Coverage: How many other tools are needed? Try to get one that does the job for log centralisation and alarming and audit trails and console tracking and…
- Flexible UI and alarming concept. Ability to trigger and evaluate immediate, automated actions (mostly in case of intruder detection…).

it_user306477 - PeerSpot reviewer
Head - Information Security at a comms service provider with 1,001-5,000 employees
Jun 5, 2018

Ability to perform advanced context correlation is one of the key parameters.

it_user813318 - PeerSpot reviewer
Senior I.T. Consultant at Rad-Infosec IT Consultation
Real User
Jun 5, 2018

I think the best SIEM should enable users to easily set up alarm triggers based on specific logs; also, a vendor list of logs that should be monitored would be very helpful. I have seen some SIEM products that are very powerful but need an expert to set up triggers. At the end of the day, monitoring is the main job of a SIEM.

it_user545463 - PeerSpot reviewer
Sr Lead Solutions Architect at Booz Allen Hamilton
Real User
Jun 4, 2018

To me, the answer to 'what aspect do you think is the most important to look for?' is RESULTS. Does the system (be it self-managed or MSSP) give you what you need? Cost aside, if it doesn't provide you the information or capabilities to let you be successful in obtaining your business outcomes, then it's a waste of money. Even if the system costs only $1 and you spend a lot of time either figuring it out or trying to get it to behave the way you want/need, then that costs too much! Forget all of the other nonsense, focus on the business outcomes and user experience, and you will get to the right tool. THEN you can look at the different tools that meet the criteria. (Just my $.02)

it_user301440 - PeerSpot reviewer
Senior IT Security Operations at a pharma/biotech company with 10,001+ employees
Jun 4, 2018

Data onboarding and usability of the tool are the most important things. It has to be an easy tool to manage every day and, of course, data onboarding also has to be an easy part of the process, even with unknown data sources.

Sr. Architect/Sr. Security Strategist at Centene Corporation
Jun 4, 2018

Dynamic interface for log/event collection; elastic storage; intuitive rule generation; API support for orchestration and threat intelligence integration; dashboard support for KRIs.

Jun 4, 2018

Here is my take:

1. Integration to several log sources

2. Ease of access and deployment

3. User, Behavioral and network analysis

4. Ability to compress logs (Compression ratio)

5. Detailed reporting for Regulatory Compliance requirement

6. Security Intelligence capability

7. Database retention

it_user711273 - PeerSpot reviewer
Jun 4, 2018

I believe the most important considerations are:

1) Deployment model, which should be a distributed environment with separate Logger, Reporting, Processor and console components, because if they are all in one it can create database issues after some point in time.
2) Asset discovery and inventory.
3) Network visibility and NetFlow information. (When we are considering a SIEM we concentrate on servers, network, FW etc.; nobody thinks about the client machine. So if you don't have any IDS/IPS then you have no control and visibility on user machines; to get this we should consider collecting real-time flow information from the LAN core switch, MPLS link, Internet link or VPN link, etc.)
4) Flexible reporting and various export options (CSV or PDF) to prepare reports or pull out alert information, and also alert notification.
5) Check for the availability of correlation rules (event based, rule based, anomaly based, risk based) in the SIEM toolset.
6) Incorporation with the service desk ticketing tool, and integrating Nessus/NMAP into the SIEM portal to perform on-demand scans on a target.
7) Collection and correlation of multiple dissimilar log types, etc.

it_user858882 - PeerSpot reviewer
Business Development Manager- Threat Management Services at Insight Enterprises, Inc.
Apr 18, 2018

Prebuilt content that is easily and intuitively integrated into my environment.

it_user587232 - PeerSpot reviewer
Senior Consultant at Redrock IT & Security Solutions
Mar 28, 2018

The biggest cost for most SIEM products is labor.

Feb 28, 2018

Real-time monitoring and reporting, protection, system reliability

it_user607062 - PeerSpot reviewer
IT Security Analyst at a tech vendor with 51-200 employees
Real User
Feb 11, 2017

performance, workflow integration and reporting

it_user328515 - PeerSpot reviewer
Oct 14, 2015

Combine information from several sources, do intelligent queries on it, and all within an easy-to-use environment

it_user322710 - PeerSpot reviewer
Deputy General Manager with 1,001-5,000 employees
Real User
Oct 3, 2015

The most important criteria are log and packet analyzing.

Sep 21, 2015

Real-time security-related logs & incident reporting, related to risks and possible damage to the infrastructure

Sep 8, 2015

Search Performance / capable to parse any logs format / price.

it_user290796 - PeerSpot reviewer
User at a tech company with 51-200 employees
Aug 12, 2015

Finding the balance between the costs and benefits of the solution.

it_user289152 - PeerSpot reviewer
User at a tech company with 51-200 employees
Aug 10, 2015

Compatibility with diverse sources, including the ability to adapt to unknown ones. Performance. Ability to do multilevel correlation.
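
Two capabilities come up repeatedly in the answers above: taking in diverse (and previously unknown) log sources, and correlating across them at more than one level (the correlation rule types listed in the earlier answer, and the multilevel correlation named here). The script below is an added example, not code from this thread or from any SIEM vendor. It normalises three constructed input formats (an sshd syslog line, a JSON application log with an assumed field layout, and a CEF line whose `rt` extension carries epoch milliseconds) into one event schema, reports lines no parser accepted so coverage gaps stay visible, and then runs a second-level rule over the merged stream: three or more authentication failures from one source address within five minutes, followed by a success from that address, raises one alert. The threshold, window, field names and sample lines are all assumptions made for this example.

```python
"""Added example: level-1 normalisation of mixed log formats, then a level-2
cross-source correlation rule. Everything here (formats, field names, sample
lines, threshold, window) is a constructed assumption, not vendor content."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample input: two sshd syslog lines, a JSON application login
# record, a CEF line from a fictional "WebGate" product, one more sshd line,
# and a kernel line that no parser in this script understands.
SAMPLE_LINES = [
    "2024-01-10T09:00:01+00:00 bastion sshd[4211]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "2024-01-10T09:00:04+00:00 bastion sshd[4211]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2",
    '{"time": "2024-01-10T09:00:09+00:00", "app": "portal", "event": "login", "result": "fail", "user": "alice", "client_ip": "203.0.113.7"}',
    "CEF:0|Example|WebGate|1.0|100|Login success|3|rt=1704877215000 suser=alice src=203.0.113.7",
    "2024-01-10T09:01:00+00:00 bastion sshd[4212]: Accepted password for bob from 198.51.100.5 port 40000 ssh2",
    "kernel: eth0: link is up",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)
CEF_RE = re.compile(
    r"^CEF:0\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|[^|]*\|[^|]*\|(?P<name>[^|]*)\|[^|]*\|(?P<ext>.*)$"
)

# Common schema every parser emits: ts (aware datetime), src, user, outcome, source


def parse_sshd(line):
    """Syslog-style sshd authentication line -> normalised event, or None."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "user": m["user"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure",
            "source": "sshd"}


def parse_json_login(line):
    """JSON application log; the 'login' record layout is an assumption."""
    try:
        d = json.loads(line)
        if not isinstance(d, dict) or d.get("event") != "login":
            return None
        return {"ts": datetime.fromisoformat(d["time"]), "src": d["client_ip"],
                "user": d["user"],
                "outcome": "success" if d["result"] == "ok" else "failure",
                "source": d["app"]}
    except (ValueError, KeyError):
        return None


def parse_cef(line):
    """CEF header plus space-separated key=value extension; rt is epoch ms."""
    m = CEF_RE.match(line)
    if not m:
        return None
    try:
        ext = dict(kv.split("=", 1) for kv in m["ext"].split())
        return {"ts": datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc),
                "src": ext["src"], "user": ext.get("suser", "?"),
                "outcome": "success" if "success" in m["name"].lower() else "failure",
                "source": m["product"].lower()}
    except (ValueError, KeyError):
        return None


PARSERS = (parse_sshd, parse_cef, parse_json_login)


def normalise(lines):
    """Level 1: first parser that accepts a line wins; lines nobody accepts are
    returned separately so an unknown source shows up as a gap, not silence."""
    events, unparsed = [], []
    for line in lines:
        for parse in PARSERS:
            event = parse(line)
            if event is not None:
                events.append(event)
                break
        else:
            unparsed.append(line)
    return events, unparsed


WINDOW = timedelta(minutes=5)      # assumed sliding window
FAILURE_THRESHOLD = 3              # assumed failure count before a success matters


def correlate(events):
    """Level 2: >= FAILURE_THRESHOLD failures from one source IP inside WINDOW,
    across any source type, followed by a success from that IP -> one alert."""
    recent_failures = defaultdict(deque)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        q = recent_failures[e["src"]]
        while q and e["ts"] - q[0]["ts"] > WINDOW:   # expire old failures
            q.popleft()
        if e["outcome"] == "failure":
            q.append(e)
        elif len(q) >= FAILURE_THRESHOLD:
            alerts.append({"rule": "auth-failures-then-success", "src": e["src"],
                           "failures": len(q), "user": e["user"], "ts": e["ts"],
                           "sources": sorted({f["source"] for f in q} | {e["source"]})})
            q.clear()                                # one alert per burst
    return alerts


if __name__ == "__main__":
    evs, gaps = normalise(SAMPLE_LINES)
    for a in correlate(evs):
        print(a)
    print("unparsed lines:", gaps)
```

Run it with `python3` and the single alert shows the three failures came from two different source types (sshd and the portal) before the CEF-reported success, which is exactly what a single-source rule would miss; the `unparsed lines` output is the compatibility check for an unknown source, since a line that silently disappears at level 1 can never be correlated at level 2.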

Aug 5, 2015

Correlation and search performance.
... and price.

it_user285582 - PeerSpot reviewer
User at a tech company with 51-200 employees
Aug 4, 2015

Threat intelligence and engine analytics

it_user280122 - PeerSpot reviewer
Security Professional with 501-1,000 employees
Jul 27, 2015

It all depends on the purpose of the purchase.
Security Information and Event Management can be used for so many things.

If its purpose is auditing/compliance, it needs to secure the chain of evidence or audit trail.
If its purpose is security, it needs to be able to correlate the data.
For all purposes it needs to be able to receive data from all the sources you are using.

You need to think of the SIEM as an umbrella over all of your IT, including physical surveillance equipment if needed.

it_user268416 - PeerSpot reviewer
Consultant SSI at a tech services company
Jul 7, 2015

Strong use cases implementation capabilities

Jun 26, 2015

The Real-time Gathering of Logs, and Reporting. Stability, and Price! Ease of use. Notification event Triggering.

Jun 9, 2015

Having special event collectors available for different environments is the most important criterion.
Real-time gathering of logs from systems and log correlation are also very important.

it_user244524 - PeerSpot reviewer
Security administrator
May 26, 2015

Real time threat analysing and reporting

it_user232962 - PeerSpot reviewer
Technical Security Analyst/Engineer at a retailer with 1,001-5,000 employees
May 4, 2015

From bitter recent experience, gaining easy access to evaluation software. Some main vendors make obtaining even limited license period packages very difficult - no names no pack drill here but one is 2 letters ending in a P.
My clients want vendor agnostic advice and as a small independent evaluator, I cannot afford to buy packages from all the disparate SIEM providers.

Real User
Apr 23, 2015

That it is top rated and applies security in depth. Must be easy to deploy, configure and use. Must complement and mix well with others, e.g., run QualysGuard along with ArcSight, Symantec Endpoint and HBSS (McAfee).

it_user200754 - PeerSpot reviewer
User at a tech company with 51-200 employees
Feb 26, 2015

Alerting and workflow integration

it_user200754 - PeerSpot reviewer
User at a tech company with 51-200 employees
Feb 26, 2015

Deletion and workflow integration.

it_user197601 - PeerSpot reviewer
system engineer at a government with 10,001+ employees
Feb 21, 2015

Working with Identity and Access Management is, in the first place, a controlled release and registration of all personnel working in our department. From the start at the HR department, through the provisioning of roles and privileges, until they change job or department (e.g. from Amsterdam to The Hague) or even die, you must be able to audit the number of people that have role a or permission z. The target (SOLL) situation must be updated frequently.
At our company there is a bifurcation between the technical department and the Central Administration, the owner of the data.
There is good cooperation between the data owner and the technical side.
