I work at an advertising services firm. I am currently researching SIEM solutions and their features.
On the topic of SEM data - what elements belong in a monthly SIEM report?
Thank you for your help.
The SIEM monthly report should contain the following components:
- Security monitoring
- Advanced threat detection
- Forensics and incident response
- Compliance reporting and auditing
- Not forgetting the number and type of logs the SIEM has been collecting over a certain period of time.
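As an added example (not part of the original thread or any vendor's product), the Python below turns a constructed batch of normalized SIEM events and incidents into the report sections listed above: collection volume by log type, alerts by severity, incident-response timing, and a compliance check for required sources that went silent during the month. The source names, events, incidents and required-source list are all assumed sample data.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events, already normalized the way a SIEM stores them.
EVENTS = [
    {"ts": "2024-03-01T08:10:00", "source": "fw-edge", "type": "firewall", "severity": "low", "alert": False},
    {"ts": "2024-03-01T08:12:00", "source": "fw-edge", "type": "firewall", "severity": "low", "alert": False},
    {"ts": "2024-03-02T09:00:00", "source": "ad-dc1", "type": "auth", "severity": "medium", "alert": True},
    {"ts": "2024-03-02T09:05:00", "source": "ad-dc1", "type": "auth", "severity": "low", "alert": False},
    {"ts": "2024-03-05T22:41:00", "source": "edr-01", "type": "endpoint", "severity": "high", "alert": True},
    {"ts": "2024-03-12T13:20:00", "source": "web-proxy", "type": "proxy", "severity": "medium", "alert": True},
]
# Sources that policy says must report every month (assumed list for this example).
REQUIRED_SOURCES = {"fw-edge", "ad-dc1", "edr-01", "web-proxy", "vpn-gw"}
# Constructed incidents raised from the alerts above.
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "opened": "2024-03-05T22:45:00", "closed": "2024-03-06T04:45:00"},
    {"id": "INC-2", "severity": "medium", "opened": "2024-03-12T13:30:00", "closed": "2024-03-12T15:30:00"},
]

def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def log_volume(events):
    """Collection section: how many events of each log type arrived this month."""
    return dict(Counter(e["type"] for e in events))

def alerts_by_severity(events):
    """Security monitoring / threat detection section: alerts grouped by severity."""
    return dict(Counter(e["severity"] for e in events if e["alert"]))

def silent_sources(events, required):
    """Compliance section: required sources that sent nothing, i.e. a visibility gap."""
    return sorted(required - {e["source"] for e in events})

def mean_time_to_close(incidents):
    """Incident response section: average hours from opening to closing an incident."""
    if not incidents:
        return 0.0
    return sum(_hours(i["opened"], i["closed"]) for i in incidents) / len(incidents)

def monthly_report(events=EVENTS, incidents=INCIDENTS, required=REQUIRED_SOURCES):
    return {
        "collection": {"total_events": len(events), "by_type": log_volume(events)},
        "monitoring": {"alerts": alerts_by_severity(events)},
        "incident_response": {"incidents": len(incidents),
                              "mean_hours_to_close": round(mean_time_to_close(incidents), 1)},
        "compliance": {"silent_sources": silent_sources(events, required)},
    }

if __name__ == "__main__":
    import json
    print(json.dumps(monthly_report(), indent=2))
```

The silent-source check is the piece most often missing from a volume-only report: a required source with zero events is a collection failure, not a quiet month.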
There are several threat intelligence platforms that do what you're looking for. Among them are a couple of long-timers in the field, Splunk and IBM QRadar.
McAfee ESM has integrations to prioritize, investigate, and respond to threats, and AlienVault is another platform that claims to have a comprehensive security solution with features such as asset discovery, vulnerability assessment, and network and host intrusion detection.
Relatively recent solutions that have gotten a good deal of attention lately include Palo Alto Networks Cortex XSOAR and Microsoft Sentinel. Other players include Securonix Next-Gen SIEM, LogRhythm, and Devo.
To varying extents, these solutions help streamline incident response processes and improve the overall security posture. To varying extents, they all capture security events and alerts and provide a workflow for incident response. They are said to include real-time threat detection, automated investigation, and case management, and to integrate with other security tools. Have a look at SIEM Tools and SOAR Solutions.
It is important to retain logs for a significant amount of time in order to be able to investigate and analyze past attacks. This allows security teams to identify patterns and trends that can aid in the detection and prevention of future attacks. The retention period will vary depending on the organization's specific requirements and regulations, but it is generally recommended to keep logs ...
As several have said, it depends on quite a few factors.
1. What use cases are you trying to solve?
- Search/Threat Hunting is easy and a baseline, Splunk does a great job, as do Sumo, AlertLogic, Devo and a few others in the cloud for even less than Splunk.
- Threat detection and alerting for compromised accounts and data misuse requires adding UEBA features (Securonix, Exabeam, Caspida/Splunk, Rapid7...)
- Malware prevention generally requires SOAR capabilities
2. What's your staff level? and how well trained are they?
- Open Source / Threat Hunting tools will require much higher time and talent investments (I typically plan on 3X people costs vs commercial)
- You may need to consider an MSSP if staff is small or not well trained.
3. What hours of operation do you need? Back to staffing and MSSP options.
Well-trained SIEM guys with SOC experience are expensive hires and the market is tight. They're not easy to find. Building a great SOC analyst takes a few years. SANS Incident Handling and Incident Response classes help, but are priced at $7k or so each. Operating system skills (MCSE/RHCE...), networking skills (CCNA, CCNP, JNIA, JNIE...), anti-virus, IDS and at least some basic packet analysis skills are also needed.
4. What fits your budget?
- Depending on budget you may need to plan in stages.
- SIEM deployment and maturity often takes a full year
- SOAR integration (Ticketing and blocking Responses), can take another year
An integrated approach, understanding your collection of security tools is always going to give a better answer than a single new shiny tool.
If you haven't already, also consider going back to basics and the SANS/CIS Top 20 controls.
Poorly patched networks with little in the way of anti-phishing and poor anti-malware tools often benefit more from getting the basics right before going on to SIEM/UEBA/SOAR.
SIEMonster as the repository, Darktrace & Dynatrace working together.
I am admittedly biased, but there are very good reasons that Splunk is the leader in this space. It all depends on your requirements whether it is best for you. Splunk is pricey, but I assume that budget is not really one of your concerns, so that is good. The major strengths of Splunk include: flexibility, late-binding schema (with the option to normalize with the Common Information Model), ease of validation (everything is a search), speed of implementation (fast time to value), a robust command set (you can do ANYTHING and it is FUN), the BEST documentation in all of tech, the most helpful community in all of tech, and an ever-broadening end-to-end ecosystem of features and products to feed the beast (although admittedly, as upsells).
I think you are missing the point here. Many SIEM solutions will give you similar abilities, however, odds are that just one SIEM will perfectly fit your needs. Are you interested in NOC capabilities (device monitoring) or just security logs? Will you send flows to the SIEM? How many people are in your security team? How many servers/networks/devices... will be monitored? Answer that first, and you'll get the perfect recommendation.
In response to your question, I can say I have worked with quite a few SIEMs, ranging from ArcSight to Splunk. The ability to meet both compliance and regulatory requirements for reporting is a must, as is how easy it is to get the compliance reporting out of the SIEM once running, and their effectiveness in managing the large amounts of data they collect and catalogue to produce the SIEM outcome reporting and analysis that feed a SOC. The need to address your NIST compliance can be addressed through this reporting as well.
I suggest you give some consideration to the Fortinet product called FortiSIEM. It is very scalable and will feed the CMDB for better control of the assets in operation.
The best solution depends on lots of factors. How large is the team, how large is the budget, will it be on-prem or cloud-based?
We have been asking the same question for a while now and did a POC with a few freeware options. The best one currently on our list is AlienVault's OSSIM appliance, which did give us the best feature set. The only issue we have picked up lately is that the risk database for OSSIM seems to be falling behind on updates. We are investigating why this is happening, but this has made us start looking at other alternatives. To date, we have not decided on a final option, but we have started looking at two other options, namely OpenVAS and OSSEC, though this is only in the preliminary investigation stage. We still have our OSSIM appliance active and it has helped us a lot with visibility.
SIEM tools offer critical insight for federal agencies into both current security posture and potential cyberthreats. Effectively deploying these tools at scale, however, demands adoption and integration best practices that both account for existing resource environments and prioritize value-driven compliance outcomes.
As a result, agencies must find SIEM solutions that best match their current IT posture. I recommend an evaluation of what your existing teams have experience with and what integrates best, followed by a live-production evaluation of best-of-breed solutions.
To ensure federal SIEM deployments are effectively integrated into your IT environment and meet evolving policy guidelines, implementation efforts must address critical areas:
- Support: Infrastructure support and operational planning are essential to making the most of SIEM deployments. Knowing your environment in terms of scale and size, to determine what kind of solution you need, is very important. Just pointing all network logs at the SIEM will create more noise and cost more money.
- Scalability: It is critical to deploy platforms capable of scaling, aggregating, and searching both on-prem and cloud-based event logs for SIEM success. Third-party applications, distributed databases, and single sign-on tools have become commonplace.
- Speed: Real-time data is essential for active threat response. SIEM solutions must deliver insight on demand and handle analytics and aggregation at speed.
- Specificity: Importantly, not every log is relevant, and not every incident requires a response. Agencies need to make meaningful decisions up-front rather than on the fly, by planning to configure, optimize, and tune out information that won't be useful or relevant, to prioritize specific outcomes or meet regulatory guidelines.
- Segmentation: This is a critical step for organizations to define automation and orchestration parameters before deploying a SIEM solution.
The benefits and advantages for federal agencies at scale:
- Efficiency improvements: By aggregating multiple log sources, IT staffers get the big picture faster, making it easier to take action and reducing the strain on IT departments already spread thin.
- Consolidated infrastructure: Single-source systems naturally consolidate data, limiting the risk of resource over-provisioning and decreasing overall complexity.
- Response identification: Consistent, accurate log data helps IT teams identify the best response to IT security events and apply these responses at scale.
- Automation integration: Data generated by advanced SIEM solutions underpins security orchestration, automation, and response solutions capable of handling low-level InfoSec incidents without human interaction.
- Threat intelligence: Combined with evolving artificial intelligence tools and machine learning algorithms, SIEM-generated data forms the foundation of actionable, agile threat intelligence to help federal agencies stay ahead of malicious actors.
Based on experience, the cyberthreat landscape is forever changing, and SIEM solutions must adapt at the speed of light. The Splunk solution is tailored for agency requirements, with data correlation capabilities as well as access to behavior analysis tools that identify suspicious insider activity requiring further investigation by cybersecurity teams.
Hope this provides insight and best practices.
I would recommend the use of Splunk with AI/ML and a management configuration tool like Ansible; by doing so you will get the best outcome, as it will act as SIEM AND SOAR, plus you can use them in other areas to help boost your business.
We use and deploy AlienVault (now AT&T), Splunk, and have an open source version as well. All are good to a point, but they need a quality SOC with a SOAR (Security Orchestration, Automation and Response) to respond and recover. In addition, there need to be active tools in place for protection of data in motion and data at rest, for segregated backup/recovery and holistic backup and recovery. Splunk also is excellent but needs components such as AI/ML engines and developers/scientists to leverage its capabilities. I have not worked with the RSA SIEM but have also heard good things... the process and people doing the work are IMO more important than the tool itself. Hope this helps!
We use both AlienVault and FortiSIEM (formerly AccelOps) and in both cases use a managed security services provider to monitor and maintain. Our chief concern was ease of use and cost. While we really appreciated AlienVault, they were acquired by AT&T towards the end of 2018 and were concerned about how costs would escalate.
I would not expect a SIEM or a managed SIEM service to respond and help you recover from a cyberattack, I would look for a managed SOC service for that, most would include a SIEM service as part of that.
Depending on your goals in designing and implementing this resource, whatever you are choosing should deliver its best, if configured properly. https://www.itcentralstation.com/products/comparisons/rsa-netwitness-logs-and-packets-rsa-siem_vs_splunk should give you insight into the top 2 personal choices, and apps I've worked with: RSA NetWitness and Splunk. Having a history with both leads me to recommend RSA NW from the stability point of view. A broad discussion is listed in this topic, and it's a must to answer those questions before deciding to pursue any step further. https://www.itcentralstation.com/questions/what-questions-should-i-ask-before-buying-siem
We need to understand SIEM from 2-3 dimensions:
- Features [Real-time Security Monitoring, Threat Intelligence, Data and End User Monitoring, Application Monitoring, Analytics, Log Management & Reporting, Deployment & Support Simplicity, Implementation Flexibility]
We would recommend exploring Exabeam (offers a cloud-based deployment, which could be very compelling) or CI Security (https://ci.security/), a managed service offering. We are assuming your team is likely resource constrained and needs a solution that meets all of your requirements, but also is simpler to deploy and can be managed with a smaller team. If you're interested in learning more about the solution space, I recently delivered a SIEM comparative analysis for a customer that I'd be willing to share. Please feel free to reach out if this is of interest and we can determine the best way to connect directly.
My experience with SIEM is limited to LogRhythm only, and it is surely recommended as it complies with all of the customer’s main requirements, and ranked 4th on Gartner rank for SIEM market.
Thanks for reaching out to me.
Almost all SIEM solutions do the same task if properly configured.
The point here is whether they want to go open source or premium.
Here the trick is: if they want to go for open source, first they need an expert team who are good at managing the infra in every aspect, because if there is any issue they will not get any support from the company.
For a premium SIEM solution, they just need a team that has basic knowledge of incident response and threat hunting. For any technical challenges, the company will assist 24x7.
I hope this suffices.
As per my understanding, Splunk SIEM is best.
If your environment is complex and you're trading information with people on a fairly open basis, but it needs to be secure, then you should consider QRadar. It has functionality none of the other SIEM solutions come close to offering. The state-of-the-art behavior analytics that are available with QRadar are pretty world-class. Also, its functionality in adapting to log sources is unmatched. Add to that the ability to correlate point-in-time log events with things happening over time using time series data, and you have the best in breed, especially for sensitive government information.
The best solution I have worked with for several customers is IBM QRadar. We just set up a cyber center delivering this kind of service as a SaaS solution in the USA.
I would recommend AlienVault.
The best tool on the market today is Splunk. Regarding explorative search, ease of administration, and scalability, there is nothing comparable.
The only possible threshold is that you need to buy the license; it's not freeware.