
Security Information and Event Management (SIEM): Best tools

The Security Information and Event Management (SIEM) market is defined by customers' need to analyze event data in real time so that targeted attacks and data breaches are detected early, and to collect, store, investigate and report on log data for incident response, forensics and regulatory compliance. SIEM technology aggregates the event data produced by security tools, network resources, systems and applications. The primary data source is log data, but other data types, such as network telemetry, can also be analyzed. SIEM integrates event data with contextual information about users, assets, threats and vulnerabilities. The data can be normalized so that events and contextual information from different sources can be analyzed for specific purposes, such as monitoring network security events, monitoring user activity and reporting on compliance. The technology provides real-time analysis of events for security monitoring, as well as querying and long-range analytics over historical data. Security and risk management stakeholders are constantly searching for SIEM platforms whose capabilities enable early identification of and response to targeted attacks, and they have to balance advanced SIEM capabilities against the resources needed to run and tune the platform.
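The normalization, enrichment and correlation steps described above, as an added example in Python that is not part of the original post or of any vendor's product: two constructed source formats (an sshd syslog line and a Windows-style logon event in JSON) are mapped onto one schema, enriched with a constructed asset-criticality table and privileged-user list, and a simple rule alerts when a run of failed logons is followed by a success. All log lines, hostnames, addresses, thresholds and context tables are constructed assumptions.

```python
import json
import re
from datetime import datetime, timedelta

RAW_EVENTS = [  # constructed sample events (not real logs): sshd syslog lines and Windows-style JSON
    "2024-05-01T10:00:01Z web01 sshd[412]: Failed password for alice from 203.0.113.7 port 5011 ssh2",
    "2024-05-01T10:00:04Z web01 sshd[412]: Failed password for alice from 203.0.113.7 port 5012 ssh2",
    "2024-05-01T10:00:07Z web01 sshd[412]: Failed password for alice from 203.0.113.7 port 5013 ssh2",
    "2024-05-01T10:00:20Z web01 sshd[413]: Accepted password for alice from 203.0.113.7 port 5014 ssh2",
    '{"ts":"2024-05-01T10:05:00Z","host":"db01","EventID":4625,"TargetUserName":"bob","IpAddress":"198.51.100.9"}',
    '{"ts":"2024-05-01T10:06:00Z","host":"db01","EventID":4624,"TargetUserName":"bob","IpAddress":"198.51.100.9"}',
]
ASSETS = {"web01": "medium", "db01": "high"}  # constructed asset-criticality context table
ADMINS = {"bob"}                              # constructed privileged-user list
SSH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")

def normalize(raw):
    """Map either source format onto one common schema: ts, host, user, src_ip, outcome."""
    if raw.startswith("{"):  # Windows-style logon event: 4624 = success, 4625 = failure
        e = json.loads(raw)
        ts, host, user, ip = e["ts"], e["host"], e["TargetUserName"], e["IpAddress"]
        outcome = "success" if e["EventID"] == 4624 else "failure"
    else:  # sshd syslog line
        ts, host, result, user, ip = SSH_RE.match(raw).groups()
        outcome = "success" if result == "Accepted" else "failure"
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "user": user, "src_ip": ip, "outcome": outcome}

def enrich(ev):
    ev["asset_criticality"] = ASSETS.get(ev["host"], "unknown")  # asset context
    ev["privileged_user"] = ev["user"] in ADMINS                  # user context
    return ev

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when >= threshold failures for one (src_ip, user) precede a success inside the window."""
    alerts, failures = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src_ip"], ev["user"])
        if ev["outcome"] == "failure":
            failures.setdefault(key, []).append(ev["ts"])
            continue
        recent = [t for t in failures.pop(key, []) if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            critical = ev["asset_criticality"] == "high" or ev["privileged_user"]
            alerts.append({"user": ev["user"], "src_ip": ev["src_ip"], "host": ev["host"],
                           "failures": len(recent), "severity": "critical" if critical else "high"})
    return alerts

def run(raw_events=RAW_EVENTS):
    return correlate([enrich(normalize(r)) for r in raw_events])
```

Context from the enrichment step changes the severity of an otherwise identical alert, which is the point of integrating event data with user and asset information.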

Security Information and Event Management (SIEM) – Gartner magic quadrants

The descriptions of some of the best SIEM tools are as follows:

Splunk

This Security Intelligence Platform consists of Splunk Enterprise and three solutions: Splunk Enterprise Security, Splunk User Behavior Analytics, and Splunk Phantom. Splunk Enterprise provides the collection, search, and visualization of events and data for a range of IT operations uses and some security uses. The premium Enterprise Security (ES) software includes most of the security-monitoring-specific features, including security-specific searches, visualizations, and dashboards, as well as some functionality for event management, reporting, and incident response. User Behavior Analytics (UBA) adds advanced analytics driven by machine learning. Phantom provides SOAR capabilities. Additional security applications are available through Splunkbase. Splunk Cloud is a SaaS solution hosted by Splunk and operated on AWS infrastructure. Splunk Enterprise and Splunk Cloud are built from Universal Forwarders, Indexers, and Search Heads, which support n-tier architectures. Splunk is licensed on the amount of data ingested into the platform, with pricing discounts for DNS and NetFlow data. ES is usually licensed by gigabytes per day, while UBA is licensed by the organization's number of customer accounts; both are offered as either perpetual or term licenses, with different options for enterprise-wide pricing and true-ups. Phantom is licensed by the number of events that users take action on. Splunk is a good choice for companies looking for a SIEM that can share infrastructure and vendor management between SIEM and other IT use cases, and that want a modular approach with a wide range of options, from simple log management to sophisticated analytics and response.

https://www.splunk.com/en_us/siem-security-information-and-event-management.html

IBM

The IBM QRadar Security Intelligence Platform consists of many modules built around IBM QRadar SIEM. IBM QRadar Vulnerability Manager adds context from vulnerability management events. IBM QRadar Network Analysis provides network-flow data to QFlow-based applications. IBM QRadar User Behavior Analytics is a free UBA module that examines certain insider-threat use cases. IBM QRadar Incident Forensics supports forensic investigation. IBM QRadar Advisor with Watson provides advanced analytics on the root cause of identified threats. IBM also offers the IBM Security App Exchange, where IBM QRadar customers can download content developed by IBM or third parties to extend QRadar's coverage. IBM further provides the IBM QRadar packet capture tool for deeper network forensics, and IBM Resilient, a SOAR system that helps businesses streamline incident management. IBM QRadar SIEM is available as physical or virtual appliances and as customer-installed software, and in the cloud as an IBM-hosted SaaS SIEM. The price of the other IBM QRadar Security Intelligence Platform components depends on their respective specifications. QRadar Network Insights is only available as a hardware appliance.

https://www.ibm.com/security/security-intelligence

https://www.ibm.com/products/qradar-siem

Exabeam

The Exabeam Security Management Platform (SMP) consists of six products: Exabeam Data Lake, Exabeam Cloud Connectors, Exabeam Advanced Analytics, Exabeam Entity Analytics, Exabeam Threat Hunter, and Exabeam Incident Responder. Each product has its own release and update cadence, and some are more mature than others. They are available in several form factors: hardened physical appliances, virtual appliances, and clusters in private or public clouds, and a single deployment may combine several of them. The licensing and pricing model is simple: a one- or three-year contract covering Data Lake, Cloud Connectors, Advanced Analytics, Threat Hunter, and Incident Responder. Exabeam addresses larger financial services, banking, and energy companies, among other verticals. The technology's flexible design lets Exabeam position elements such as Incident Responder or Advanced Analytics as companion technologies to a competitor's SIEM, and Data Lake and the other elements as a replacement for a SIEM. Mid-size and smaller companies usually partner with external service providers to monitor or run Exabeam SMP.

https://www.exabeam.com/product/

Securonix

The Securonix SNYPR Security Analytics Platform provides SIEM capabilities as an on-premises solution or as a SaaS option. SNYPR is built on a Hadoop platform to deliver event and data collection and management, analytics that include both rule-based and advanced analytics (also sold stand-alone as the Securonix UEBA solution), and operational functions such as dashboards, incident management and response, and reporting. SNYPR includes a variety of platform components that can be scaled according to buyer requirements and environments. Premium apps (and app bundles) provide pre-packaged behavioral models, rules, reports, and dashboards for a variety of security monitoring use cases, including privileged accounts, data security, access, cyber threats, patient data, fraud, and trade monitoring. The Securonix Spotter feature supports incident investigation and threat hunting. SNYPR can be deployed in several ways: as software-only including the Hadoop environment, or as software that uses a buyer's existing Hadoop environment. Turnkey deployments are supported by a physical appliance that includes all required components. Securonix licenses for SNYPR are term-based and charged on the organization's number of identities (EPS-based pricing is also offered). Premium apps and bundles are likewise licensed by the number of identities monitored. Support for the Hadoop environment on which SNYPR runs is charged per node deployed.

https://www.securonix.com/what-is-siem/

https://www.securonix.com/products/securonix-next-generation-siem/

Rapid7

The Rapid7 Insight platform consists of InsightIDR (its core SIEM offering), InsightVM (vulnerability management), InsightAppSec (application security), InsightConnect (SOAR) and InsightOps (log management for IT operations use cases). Rapid7 offers the Insight Agent as its preferred endpoint agent for InsightIDR, InsightVM, and InsightOps, enabling telemetry gathering and basic bidirectional response integration. InsightIDR also integrates closely with InsightVM, which creates opportunities for incident prioritization. InsightIDR is delivered as a service, using Insight Collectors deployed within the customer's environment to centralize the required logs and forward them to InsightIDR. Because InsightIDR is built as a cloud-native application, the vendor can deliver updates to the market quickly and transparently. InsightIDR customers can use Rapid7's Managed Detection and Response (MDR) service to outsource 24/7 detection, investigation and response to Rapid7. InsightIDR pricing depends on the number of monitored assets (typically servers, desktops, and laptops), with volume-tiered pricing. As a cloud-native solution, InsightIDR has short, iterative release cycles that deliver continuous improvements. SMBs and mid-sized companies looking for SIEM as a service should consider Rapid7, with the option to outsource 24/7 monitoring and response to the vendor.

https://www.rapid7.com/solutions/siem/

References:

https://virtualizationandstorage.files.wordpress.com/2018/03/magic-quadrant-for-security-information-and-event-3-dec-2018.pdf