2020-03-23T06:30:00Z

Which is the best SIEM solution for a government organization?

I am the technical director of a science and technology division for the government. 

Which SIEM solution would deliver the best ability to identify, protect, detect, respond and recover from a cyber attack?

Thanks! I appreciate your help. 

TR
Director, Technical at a government with 201-500 employees
21 Answers
Real User
Top 5
2021-10-29T13:32:24Z
Oct 29, 2021

As several have said, it depends on quite a few factors.

1. What use cases are you trying to solve?

- Search/threat hunting is easy and a baseline; Splunk does a great job, as do Sumo, AlertLogic, Devo and a few others in the cloud for even less than Splunk.
- Threat detection and alerting for compromised accounts and data misuse requires adding UEBA features (Securonix, Exabeam, Caspida/Splunk, Rapid7...).
- Malware prevention generally requires SOAR capabilities.

2. What's your staff level, and how well trained are they?

- Open source / threat hunting tools will require much higher time and talent investments (I typically plan on 3X people costs vs. commercial).
- You may need to consider an MSSP if staff is small or not well trained.

3. What hours of operation do you need? Back to staffing and MSSP options.

Well-trained SIEM guys with SOC experience are expensive hires and the market is tight. They're not easy to find. Building a great SOC analyst takes a few years. SANS Incident Handling and Incident Response classes help, but are priced at $7k or so each. Operating system skills (MCSE/RHCE...), networking skills (CCNA, CCNP, JNIA, JNIE...), anti-virus, IDS and at least some basic packet analysis skills are also needed.

4. What fits your budget?

- Depending on budget you may need to plan in stages.
- SIEM deployment and maturity often takes a full year.
- SOAR integration (ticketing and blocking responses) can take another year.

An integrated approach, understanding your collection of security tools, is always going to give a better answer than a single new shiny tool.

If you haven't already, also consider going back to basics and the SANS/CIS Top 20 controls.

Poorly patched networks with little in the way of anti-phishing and poor anti-malware tools often benefit more from getting the basics right before going on to SIEM/UEBA/SOAR.

MP
Senior Security & Infrastructure Architect at a retailer with 10,001+ employees
Real User
2021-10-28T09:20:31Z
Oct 28, 2021

SIEMMonster as the repository, Darktrace & Dynatrace working together.

GW
Consultant at Splunxter, Inc.
Real User
2020-03-30T18:24:54Z
Mar 30, 2020

I am admittedly biased, but there are very good reasons that Splunk is the leader in this space. It all depends on your requirements whether it is best for you. Splunk is pricey, but I assume that budget is not really one of your concerns, so that is good. The major strengths of Splunk include: flexibility, late-binding schema (with the option to normalize with the Common Information Model), ease of validation (everything is a search), speed of implementation (fast time to value), robust command set (you can do ANYTHING and it is FUN), the BEST documentation in all of tech, the most helpful community in all of tech, and an ever-broadening end-to-end ecosystem of features and products to feed the beast (although admittedly, as upsells).

GC
Founding partner at a tech services company with 1-10 employees
User
2020-03-26T15:09:22Z
Mar 26, 2020

I think you are missing the point here. Many SIEM solutions will give you similar abilities, however, odds are that just one SIEM will perfectly fit your needs. Are you interested in NOC capabilities (device monitoring) or just security logs? Will you send flows to the SIEM? How many people are in your security team? How many servers/networks/devices... will be monitored? Answer that first, and you'll get the perfect recommendation.

BF
Account Manager at Communications Design & Management Pty Limite
User
2020-05-08T03:57:05Z
May 8, 2020

In response to your question, I can say I have worked with quite a few SIEMs, ranging from ArcSight to Splunk. The ability to meet both compliance and regulation requirements for reporting is a must, as is how easy it is to get the compliance reporting out of the SIEM once running, and their effectiveness in managing the large amounts of data that they collect and catalogue to produce the SIEM outcome reporting and analysis that feed a SOC. The need to also address your NIST compliance can be addressed through this reporting as well.
I suggest you give some consideration to the Fortinet product called FortiSIEM. It is very scalable and will feed the CMDB for better control of the assets in operation.

User
2020-04-29T04:11:10Z
Apr 29, 2020

The best solution depends on lots of factors. How large is the team, how large is the budget, will it be on-prem or cloud-based?

RV
Academic Application Support at a university with 1,001-5,000 employees
Real User
2020-04-02T07:53:35Z
Apr 2, 2020

We have been asking the same question for a while now and did a POC with a few freeware options. The best one currently on our list is AlienVault's OSSIM appliance, which did give us the best feature set. The only issue we have picked up lately is that the risk database for OSSIM seems to be falling behind on updates. We are investigating why this is happening, but this has made us start looking at other alternatives. To date, we have not decided on a final option, but we have started looking at two other options, namely OpenVAS and OSSEC, but this is only in the preliminary investigation stage. We still have our OSSIM appliance active and it has helped us a lot with visibility.

AM
Enterprise Security Sales Representative at a tech consulting company with 11-50 employees
User
2020-03-31T16:17:07Z
Mar 31, 2020

SIEM tools offer critical insight for federal agencies into both current security posture and potential cyberthreats. Effectively deploying these tools at scale, however, demands adoption and integration best practices that both account for existing resource environments and prioritize value-driven compliance outcomes.

As a result, agencies must find SIEM solutions that best match their current IT posture. I recommend an evaluation of what your existing teams have experience with and what integrates best, followed by a live-production evaluation of best-of-breed solutions.

To ensure federal SIEM deployments are effectively integrated into your IT environment and meet evolving policy guidelines, implementation efforts must address critical areas:
- Support: Infrastructure support and operational planning are essential to making the most of SIEM deployments. Knowing your environment in terms of scale and size to determine what kind of solution you need is very important. Just pointing all network logs at the SIEM will create more noise and cost more money.
- Scalability: It is critical to deploy platforms capable of scaling, aggregating, and searching both on-prem and cloud-based event logs for SIEM success. Third-party applications, distributed databases, and single sign-on tools have become commonplace.
- Speed: Real-time data is essential for active threat response. SIEM solutions must deliver insight on demand and handle analytics and aggregation at speed.
- Specificity: Importantly, not every log is relevant, and not every incident requires a response. Agencies need to make meaningful decisions up-front rather than on the fly by planning to configure, optimize, and tune out information that won't be useful or relevant, to prioritize specific outcomes or meet regulatory guidelines.
- Segmentation: This is a critical step for organizations to define automation and orchestration parameters before deploying a SIEM solution.

The benefits and advantages for federal agencies at scale:
- Efficiency improvements: By aggregating multiple log sources, IT staffers get the big picture faster, making it easier to take action and reducing the strain on IT departments already spread thin.
- Consolidated infrastructure: Single-source systems naturally consolidate data, limiting the risk of resource over-provisioning and decreasing overall complexity.
- Response identification: Consistent, accurate log data helps IT teams identify the best response to IT security events and apply these responses at scale.
- Automation integration: Data generated by advanced SIEM solutions underpins security orchestration, automation, and response solutions capable of handling low-level InfoSec incidents without human interaction.
- Threat intelligence: Combined with evolving artificial intelligence tools and machine learning algorithms, SIEM-generated data forms the foundation of actionable, agile threat intelligence to help federal agencies stay ahead of malicious actors.

Based on experience, the cyberthreat landscape is forever changing, and SIEM solutions must adapt at the speed of light. The Splunk solution is tailored for agency requirements, with data correlation capabilities as well as access to behavior analysis tools that identify suspicious insider activity requiring further investigation by cybersecurity teams.

Hope this provides insight and best practices.

MY
Linux Expert at a tech services company with 501-1,000 employees
Real User
2020-03-31T01:14:25Z
Mar 31, 2020

I would recommend the use of Splunk with AI/ML and a configuration management tool like Ansible. By doing so you will get the best outcome, as it will act as SIEM AND SOAR, plus you can use them in other areas to help boost your business.

AS
President and CEO at a tech consulting company with 11-50 employees
User
2020-03-30T21:37:22Z
Mar 30, 2020

We use and deploy AlienVault (now AT&T), Splunk, and have an open source version as well. All are good to a point, but they need a quality SOC with a SOAR (Security Orchestration, Automation and Response) to respond and recover. In addition, there need to be in place active tools for protection of data in motion and data at rest, for segregated backup/recovery and holistic backup and recovery. Splunk also is excellent but needs components such as AI/ML engines and developers/scientists to leverage its capabilities. I have not worked with the RSA SIEM but have also heard good things... the process and people doing the work are IMO more important than the tool itself. Hope this helps!

SB
CTO at a tech company with 11-50 employees
Real User
Top 10
2020-03-30T19:58:38Z
Mar 30, 2020

We use both AlienVault and FortiSIEM (formerly AccelOps) and in both cases use a managed security services provider to monitor and maintain. Our chief concern was ease of use and cost. While we really appreciated AlienVault, they were acquired by AT&T towards the end of 2018 and we were concerned about how costs would escalate.
I would not expect a SIEM or a managed SIEM service to respond and help you recover from a cyberattack; I would look for a managed SOC service for that. Most would include a SIEM service as part of that.

AM
RSA Specialist at a computer software company with 1,001-5,000 employees
Real User
2020-03-30T14:01:20Z
Mar 30, 2020

Depending on your goals in designing and implementing this resource, whatever you are choosing should deliver its best if configured properly. https://www.itcentralstation.com/products/comparisons/rsa-netwitness-logs-and-packets-rsa-siem_vs_splunk should give you an insight into my top 2 personal choices, and apps I've worked with: RSA NetWitness and Splunk. Having a history with both leads me to recommend RSA NW from the stability point of view. A broad discussion is listed in this topic, and it is a must to answer those questions before deciding to pursue any step further: https://www.itcentralstation.com/questions/what-questions-should-i-ask-before-buying-siem

Thank you,
Adrian

JM
Director of Engineering at a tech services company with 201-500 employees
Real User
2020-05-11T04:04:53Z
May 11, 2020

We need to understand SIEM from 2-3 dimensions:

- Features [Real-time Security Monitoring, Threat Intelligence, Data and End User Monitoring, Application Monitoring, Analytics, Log Management & Reporting, Deployment & Support Simplicity, Implementation Flexibility]
- Extensibility
- Price

KH
Strategic Account Manager at a computer software company with 201-500 employees
User
2020-03-31T16:44:35Z
Mar 31, 2020

We would recommend exploring Exabeam (offers a cloud-based deployment which could be very compelling) or CI Security (https://ci.security/), a managed service offering. We are assuming your team is likely resource constrained and needs a solution that meets all of your requirements, but also is simpler to deploy and can be managed with a smaller team. If you're interested in learning more about the solution space, I recently delivered a SIEM comparative analysis for a customer that I'd be willing to share. Please feel free to reach out if this is of interest and we can determine the best way to connect directly.

YW
Network solutions associate at a tech services company with 51-200 employees
User
2020-03-31T09:15:42Z
Mar 31, 2020

My experience with SIEM is limited to LogRhythm only, and it is surely recommended as it complies with all of the customer's main requirements, and is ranked 4th in the Gartner ranking for the SIEM market.

AK
Cyber Security Consultant at raf
Real User
Top 20
2020-03-31T08:11:35Z
Mar 31, 2020

Dear Team,

Thanks for reaching out to me.

Almost all SIEM solutions do the same task if properly configured.

The point here is whether they want to go open source or premium.

Here the trick is, if they want to go for open source, first they need an expert team who are good at managing the infra in every aspect, because for any issue they will not get any support from the company.

For a premium SIEM solution they just need a team who should have basic knowledge of incident response and threat hunting. For any technical challenges the company will assist 24 * 7.

I hope this suffices.

--
Ashok Kumar

AKHIL Kumar Guttapalli
Product Sales Specialist(Asst.Manager) at Redington India Limited
Real User
Top 20
2020-03-31T04:43:20Z
Mar 31, 2020

As per my understanding, Splunk SIEM is best.

MP
Senior Security & Infrastructure Architect at a retailer with 10,001+ employees
Real User
Oct 28, 2021

@reviewer1138383 Nope... cost-inefficient... it's a consumption-based model and that's a bad thing!

DS
User at a healthcare company with 5,001-10,000 employees
Real User
2020-03-30T23:54:11Z
Mar 30, 2020

If your environment is complex and you're trading information with people on a fairly open basis, but it needs to be secure, then you should consider QRadar. It has functionality none of the other SIEM solutions come close to offering. The state-of-the-art behavior analytics that are available with QRadar are pretty world-class. Also, its functionality in adapting to log sources is unmatched. Add to that the ability to correlate point-in-time log events with things happening over time using time series data, and you have the best in breed, especially for sensitive government information.

TS
CEO at Rufusforyou
Reseller
Top 5Leaderboard
2020-03-30T21:53:17Z
Mar 30, 2020

The best solution I have worked with, across several customers, is IBM QRadar. We just set up a cyber center delivering this kind of service as a SaaS solution in the USA.

MS
User at a tech services company with 51-200 employees
MSP
2020-03-30T17:36:24Z
Mar 30, 2020

I would recommend AlienVault.

NF
Account-Manager at Consist ITU Environmental Software GmbH
Real User
Top 5
2020-03-30T12:56:16Z
Mar 30, 2020

The best tool on the market today is Splunk. Referring to explorative search, ease of administration and scalability, there is nothing comparable.
The only possible threshold is that you need to buy the license; it's not freeware.

NF
Account-Manager at Consist ITU Environmental Software GmbH
Real User
Top 5
Nov 1, 2021

@David Swift
Well, it's top rated by Gartner, for example, and it is a platform, so 90% of sec data is very useful for ITOps and many more departments like Sales and Marketing.
Together with some apps it's the single point of truth for transparency and best decision-making for your company.
It's much easier to handle than the rest in the same Gartner Quadrant.
So on the TCO view, I am sorry, but I have to totally disagree. Looks like you missed the big picture a little bit.
Have a pleasant day
