Top 8 Security Information and Event Management (SIEM) Tools
SplunkIBM QRadarDevoRSA NetWitness Logs and Packets (RSA SIEM)Netsurion EventTrackerLogRhythm NextGen SIEMArcSight Enterprise Security Manager (ESM)Securonix Security Analytics
The solution is very fast and succinct.
The most valuable features are how stable and easy to use Splunk is.
I have found IBM QRadar to be stable.
The product has plenty of features and capabilities.
Devo provides multi-tenant, cloud-native architecture. This is very important, especially for scale and costs. For managed service provider environments or multinational organizations who may have subsidiaries where you want to keep the data separate and not internal, it is purpose-built so it isolates the data. You can get access to sub-organizations, and the data doesn't mix. At the same time, it is leveraging the infrastructure in a smart way. That way, it scales.
The newer 11.5 version that my team is using has found it to have good mapping.
The solution is really scalable for the high-end power, enterprise customer.
There are a host of things that are most valuable. Obviously monitoring our environment and reporting out different events is important. They perform a suite of services. They monitor all of our servers, all of our key infrastructure, like our DNS, our switches, all that stuff. They aggregate and correlate that quarterly. They'll tell us if we're getting a lot of login failures and something is going on or if something's weird.
I would say the most valuable feature of LogRhythm is that it has built-in UEBA functionality, among other basic Windows packages.
The product is great for medium to large-scale organizations.
Very good real-time reporting with a good dashboard.
We have been satisfied with the support.
The solution is stable and scalable.
There aren't any positive aspects of the solution. It was a complete failure. There are no redeeming features.
Tips for choosing the right SIEM solution
As with any enterprise tech solution, it’s important to spend time doing your research and POC, so that you know that you’re spending on the right product. We sifted through some of our users’ answers to summarize some of the best tips.
- Define your goal
Before starting to evaluate solutions, It’s important to define what you want to accomplish with a SIEM. Marty Baron says, “Every SIEM has different strengths and weaknesses so you need to know what is most important to you in terms of goals, so you don’t waste time looking at something that can’t do the thing you need it to do.”
- Limit your options
As one of your users says, “Review a finite number of products, otherwise you’ll never finish”. Although it’s important to spend time doing due diligence, you need to get to the point of implementation. If you have too many options, it will take too long to make a decision. Users suggest making a shortlist of options that meet your technical requirements, speak to your goal, and match your budget
- Create a framework for your POC
Once you’ve narrowed down your options, it’s time to trial the shortlisted products. Users recommend putting a framework in place to guide the POC. This way, you can evaluate your options systematically.
One user, DAX Paulino, suggests “creat[ing] a checklist of features that you need, from the basic (i.e. interactive dashboards, ease of integration, Threat Intelligence), to the more advanced (i.e. Automated response, Behavior Analytics, etc.). Give each item on your checklist a score so that you can weigh in on each item as a measure of your decision. Don’t forget to factor in usability and support.”