Top 8 Security Information and Event Management (SIEM) Tools

The eight products covered: Splunk, IBM QRadar, Securonix Security Analytics, Devo, Netsurion EventTracker, Fortinet FortiSIEM, RSA NetWitness Logs and Packets (RSA SIEM), and LogRhythm NextGen SIEM.

Review excerpts:
  1. Easy to deploy and simple to use. The most valuable features of the solution are that it is straightforward to use and the documentation is good for finding out how to get the data you are looking for.
  2. One very useful feature is the plug-in offering that allows you to integrate it with other solutions, such as integrating it with plug-ins like Scout, Carbon Black, and the rest.
  3. The solution is stable and scalable.
     There aren't any positive aspects of the solution. It was a complete failure. There are no redeeming features.
  4. The most valuable feature is definitely the ability that Devo has to ingest data. From the previous SIEM that I came from and helped my company administer, it really was the type of system where data was parsed on ingest. This meant that if you didn't build the parser efficiently or correctly, sometimes that would bring the system to its knees. You'd have a backlog of processing the logs as it was ingesting them.
  5. There are a host of things that are most valuable. Obviously monitoring our environment and reporting out different events is important. They perform a suite of services. They monitor all of our servers, all of our key infrastructure, like our DNS, our switches, all that stuff. They aggregate and correlate that quarterly. They'll tell us if we're getting a lot of login failures and something is going on or if something's weird.
  6. Easy alert setup which enables different alerts in different categories. The CMDB and the device discovery features are most valuable.
  7. The packet capture aspect of it is a valuable feature because it is quite different from a traditional SIEM solution that only carries out investigations based on captured logs.
  8. Technical support is very helpful and responsive.
     File Integrity Monitoring is really valuable because we have it set up on our core assets. This is one of the key features that I utilize. We also use it quite a lot for event management to do reporting.

Advice From The Community

Rony_Sklar
How do log management and SIEM differ? Is it necessary to have separate tools for each function or can these functions be rolled into one solution? Which products are best for SIEM, and which are better for log management? Do you have recommendations of products that effectively combine both log management and SIEM?
author avatarLindsay Mieth
Real User

Rony, Daniel's answer is right on the money.  There are many solutions for each in the market, a lot depends upon your ability to manage such tools and your budget.  A small operation may be best served by a managed service if it proves to be economical.  I do not have any recent data on these.  When I was investigating SIEMs there were big systems such as IBM, HP and McAfee then I found LogRhythm which has proved to be a great tool and more of what I needed right away.  We manage it ourselves, though they now have a cloud offering.  Also, if you have mostly Office365 and Azure IaaS logs to work with, you may find MS Azure Sentinel to be a good fit.  I hope this is of some use to you.

author avatarDaniel Sichel
Real User

Log Management is just that, it looks at logs from devices and attempts to make inferences about security issues from those logs. SIEM technology typically casts a wider net, looking at all types of security events. The best of breed will look at Network flows and events and logs, and other types of events that don't necessarily come from logging sources and provide an inference engine and rules management platform to allow you to detect anomalies from a wide variety of sources rather than just logs.

author avatarDavid Rivas Huete
User

In short, Log Management refers to the collection, storage, and organizing of the event logs according to your specific needs and operational processes. By contrast, the SIEM, after data collection, makes the real exploitation of this data acquired from different sources, servers, applications, and OSes. In the context of the traditional Intelligence cycle, it is performing 3 of the 4 typical stages: Collection, Analysis/Processing, and Distribution to Decision-makers. Said from the perspective of a former Intel guy, it is Intelligence vs. raw data before it is even converted into information.

author avatarNavin Rehnius
Real User

SIEM is the tool that can monitor all the security activities like viruses, brute force, lateral movement, log deletion, etc.

Log management is used for storing, viewing, analyzing, and retrieving the logs from the source.

author avatarEsmat Salah El-Din
User

Splunk would be the best solution to address several use cases.

author avatarDamien Finette
User

Argent Software can help with the following products:

Argent for Compliance - Compliance and Log monitoring.
https://www.argent.com/product...

Argent SEIM (Expected release Q4 2020) – Single Security Management platform that provides full visibility to activity in your network. Argent SEIM collects, parses and categorizes data for correlation and threat detection so that you can act accordingly.
https://www.argent.com


Miriam Tover
Hi dear community members,  There's a lot of SIEM solutions. SIEMs are not something you just install and wait for great things to happen, right? What questions should someone ask before purchasing a SIEM? Help your peers ask the right questions so that they'll make the best decision. Thanks
author avatarreviewer1057374 (CISO at a computer software company with 51-200 employees)
Consultant

Some areas and questions for evaluating a SIEM solution. These are some common things that come up from customers that we deal with. But there can also be a lot of others based on specific business needs.

It helps if they have a clear objective of what it is you are wanting. So review questions like the following:
* Is it just logs from a select few systems or all systems like servers, databases, applications, and desktops?
* Are all the users and systems internal, or are they also mobile and could be working from home or over the Internet from a café?
* What operating systems need to be covered, i.e. Windows, Linux, Solaris, Mac OS X, etc.?
* Do you want to collect syslogs from other devices like firewalls, routers, switches, wireless APs, etc.?
* There can be some discussion on agents vs. agentless, so there can be discussions on the pros and cons of these needs.
* Do you have compliance issues you need to manage, e.g. PCI DSS, ISO 27001, HIPAA, etc.?
* What is it that you are wanting from the SIEM in reporting? There can be a lot of options: static reports, dynamic dashboards, PDF reports, correlation of log data with other systems like ticketing systems.
* Do you want to run a SOC or just get reports if and when you want to look at something? Do you have the resources to monitor things, or do you need to also work with an MSSP?
* What sort of alerting and threshold reporting do you want to get?
* Do you have complex network segments with multiple zones to collect and aggregate logs from, which need to be centralized to keep the logs away from the systems generating them and away from potential hackers?
* In general, for those that are starting out for the first time, just stick to the core critical systems and collect logs from those systems until you understand more of what you are wanting to do with SIEM collection and reporting. This helps to keep the project scope more controlled and confined so it's easier to manage. As you learn more you can grow the scope later on.

Once you have a clearer idea on what you are wanting then it's looking to the vendors to download the software and see how well it works in your environment.
* How easy was it to get an eval license? Did the sales and presales support help you get going quickly?
* How easily and quickly can you install the software, start to collect logs, and then start to get some reports and visualizations on the data?
* How easy was it to identify problems and security issues, and what sort of value is that to the business?
* How easy is it to roll out? Many large corporate environments have complex change control processes; can the software easily fit within these processes?
* Cost is always a component of any solution, so how well does it scale for your business? Does it have known costs, or are there variable costs like per GB of storage, which often bites customers as there is always more data than you expect?
* How well can the solution scale out to hundreds or tens of thousands of systems as the business needs change or the business grows?
* Can upgrades and license changes be done with minimal effort?
* What is the future of the company? Do they invest in R&D to keep enhancing the product, as there is always something new to do or an OS version to support?
* How well does the vendor do support? Do they only do internet support, or do they allow you to talk to a real person that can understand you?
* Does the vendor play nicely with others? Almost all customers have a mixed environment, so being able to integrate and work with other SIEM vendors always helps.

So having a clearer understanding of what they are wanting makes it easier to see “ yes this was a success” or ”no this was a failure” and did not meet the business objectives. Some use a scoring system in a spreadsheet to rank various areas from a scale of 1-10 with 1 being poor and 10 meets all needs. By doing this in a matrix it often helps to sort the good and bad more easily and the good from the very good as part of the review process. So having a bit of structure to the evaluation process helps with finding the right fit for the business.

author avatarRainier Varilla (IBM)
MSP

Discovery questions you should ask any SIEM vendor:

-Would you like more insight into what’s going on in your network?
-Are your security-related compliance efforts manual and time-consuming?
-Would you know if an advanced threat went after your customer data or employee data before it was too late?
-Do you feel confident you're protected against stealthy, long term attacks that use social engineering tactics?
-Can you detect all the threats and risks taking place across mobile computing, social networks, and cloud environments?
-Do you find it difficult to keep up with constantly evolving threats, using limited staff and budget?
-Do you have a clear sense of what the risks are, associated with any vulnerabilities in your network, so you can build a prioritized plan of addressing the vulnerabilities?
-Are there any devices you’ve recently added or network changes you’ve made that impact your ability to ensure security and demonstrate compliance?
-Old ways of protecting networks can't keep up, and many organizations are looking for help in improving their security and risk posture. Is this a priority you are considering today?

author avatarWaleed Khalilieh (Securonix Solutions)
Real User

The eight features of a modern SIEM based on an open, big data architecture:
-Leverages real-time behavioral analytics including machine learning.
-Enriches data with additional context to facilitate accurate prioritization of threats.
-Easy access to pre-packaged security content, relevant security use cases, and a support library with dynamic security content.
-Predictable cost and low TCO with a pricing model that is aligned with your business.
-Automated incident response capabilities through automated playbooks.
-Cloud-based SIEM deployment options for cloud or hybrid IT environments.
-UEBA, NTA, and SOAR capabilities available in the SIEM platform.
-Legacy SIEMs require a lot of manual work. Security analysts need to spend a lot of time switching between solutions and screens while hunting down threats, manually remediating breaches, and writing and tweaking the manual rules the SIEM relies on to find threats. A modern SIEM uses integrated SOAR to drive security response through automated case creation and management, ending swivel chair investigations and freeing up security analysts to focus on security.

Compared to a legacy SIEM, which struggles to meet today’s security challenges, a modern SIEM improves your security posture through improved detection, investigation, and response capabilities.

author avatarUmbertoAlloni
User

Before buying a SIEM solution, first ask yourself the following question: For what purpose and for what requirement will I purchase a SIEM?

The scope:
- Will it only be for compliance (but then a good Log Management tool could be sufficient)?
- Does the scope also include security monitoring (correlation, investigation, analysis, and reporting), so that a SIEM also makes sense?

If you are in the second case you need to ask yourself a second question:
- Who will use your SIEM? Is anybody thinking that the SIEM produces results and benefits on its own (then you must abandon the idea of buying a SIEM)?
- Will there be an outside service/SOC?
- Will there be an internal SOC?

If you are in the last case (the one that justifies the purchase of a SIEM and not an MSSP) you need to think about the best purchase to maximize its potential, given what you have in terms of the number of operators/analysts and their automation and competence (*).

- How, and in what time, does the SIEM vendor support you in the post-sales phase for software issues (numbers and real cases)?
- How does the SIEM start to collect the first logs and visualizations (numbers and real cases)?
- How many days of additional vendor professional services should be needed for an average deployment (up to 5,000 EPS) and a large and complex one (up to 10,000 EPS)?
- What are the vendor's best practices for the roll-out of a SIEM in an IT environment with complex systems and processes (real cases of implementation)?
- How much can I (*) consider myself independent in changes to configurations and evolution of the SIEM once the roll-out is finished?
- How does the SIEM license scale with the growth of the IT environment I have to monitor (an example)?

I would stress the importance of obtaining from the vendor real numbers from real cases.

author avatarSimo Sim
User

That is correct, you don't just install it and that is it. There is quite some work to do after installation:
* You need to get events into the system, they need to be normalized, this is dependent upon the vendor and how they offer support for it. Again this is also important where there is a version upgrade of the source device where log types change.
* You need to configure correlation content and tune it to fit your environment – remove false positives, add assets to the SIEM and so on
* Monitor the system what kind of alerts are generated
* Keep the system up to date with vendor-provided updated software

What questions should someone ask before purchasing a SIEM?
* Do you have an existing library of use cases?
* What kind of content is available?
* Is this content updated regularly?
* What kind of event sources do you support?
* What if I need to add a custom application?
* What is your license model? If I have a surge, will the system accept it, or will anything be throttled as a result of a license violation?
* How can I monitor the availability of elements within the system? Usually the collection layer and the analysis/storage layer are separate; if the collection layer does not work, the analysis layer has nothing to analyze. So how can I monitor that?
* Can I upgrade the system just by changing the license? Will the proposed solution limit us at some point so that it will need to be replaced as a whole? This is usually true with a SIEM that is delivered as an appliance.
* Does the license limit me in any way as to how many different sources I can collect from?

author avatarGregg Woodcock
Real User

What am I using for SOAR?
What am I using for Ticketing?
What am I using for communication?
What am I using for ML/UBA?
How quickly do I need to be operational?
Will I be staffing my own SOC or farming that out (MSSP)?
What is the bandwidth required for all of the data that I need to process?
Am I going to use in-house bare-metal, data-center bare-metal, my cloud, or somebody else's cloud offering?
How well is the company that owns the product going to support/extend it (i.e. DO NOT BUY ARCSIGHT)?
Would I rather pay for a product or for people (this is important because many cheap products are admin/staff-heavy)?

author avatarUlrik Rosendal-Jensen (IBM)
MSP

-Ease of operation including patching and upgrades.
-Should ensure that all related suspect data (network traffic, user behaviour, ..) are gathered and presented as one suspect security incident to significantly reduce the analyst work.
-Provides an easily understood summary of each suspect security incident with prioritization and important details and drill down for all details to ensure more efficient handling of suspect security incidents.
-Broad out-of-the-box support (collect/receive, parse) for devices, applications (including from the cloud), OSes, and security solutions, which should be continuously and automatically updated (both new versions and new ones).
-Extensive out-of-the-box support for detecting suspect network traffic and suspect user behaviour (user behaviour analytics), continuously updated.
-Easy support for, or built-in, continuously updated threat intelligence.
-Out of box support for vulnerability scanners to provide better prioritization of suspect security incidents.

author avatarChrisTaylor (LogPoint)
Vendor

What questions should someone ask before purchasing a SIEM?

-Ask about and understand the ease of use.
-How long to implement and make the SIEM operational based on use cases?
-What compliance functionality is included for alerts, rules, and reports?
-Does the SIEM have a fully integrated and easy to implement UEBA component?
-Is the reporting tool native or is it an OEM solution?
-Can the SIEM run on-premise, in the cloud or in a hybrid mode?
-Is the solution sized accurately on both hardware and cost perspectives?
-Is the SIEM vendor-independent or from a multi-product company where additional components may be needed for full visibility across the network?


Rony_Sklar
There are many cybersecurity tools available, but some aren't doing the job that they should be doing.  What are some of the threats that may be associated with using 'fake' cybersecurity tools? What can people do to ensure that they're using a tool that actually does what it says it does?
author avatarSimonClark
Real User


Dan Doggendorf gave sound advice.

Whilst some of the free or cheap platforms will provide valuable information and protection, your security strategy has to be layered. Understand what you want to protect and from whom. At some point you will need to spend money, but how do you know where to spend it? There are over 5,000 security vendors to choose from.

There is no silver bullet and throwing money at it won't necessarily fix what you are at risk from, but at the same time free products are free for a reason.

If your organisation doesn't have a large team of security experts to research the market and build labs then you need to get outside advice. Good cyber-advisors will understand your business and network architecture and therefore will ask the right questions to help you navigate the plethora of vendors and find the ones that are right for where your business is now and where you intend it to be in the future.

Large IT resellers will sell you what they have in their catalogues based on what you ask for, and give a healthy discount too, but that may not fix the specific risks your business is vulnerable to. A consultative approach is required for such critical decisions.

By the way, there are free security products and services that I recommend.

author avatarDanny Miller
User

Tools are not necessarily bogus. Sometimes they are just 'legacy' tools that have been around for too long and no longer fit the problem they were designed to solve, simply because IT infrastructure, organizational needs, and cybersecurity threat complexity have evolved. 

author avatarDoctor Mafuwafuwane (Altron Systems Integration )
Real User

Open Source or free products need proper management. Based on my experience I have found that many people who use open source don't bother to patch them, and attackers then utilize such loopholes.

One great example: one client was using a free vulnerability management plus IP scanner, and they got hit with ransomware. During the investigation I realised the attacker utilized the same tool to affect other devices on the network. The attacker took their time: at least 2 months unnoticed.

author avatarBasil Dange
Real User

One should first have a detailed understanding of what he/she is looking to protect within the environment, as tools are specially designed as point solutions. A single tool will not be able to secure the complete environment, and you should not procure any solution without performing a POC within your environment.

There is a possibility that a tool which works for your peer organisation does not work in a similar way for yours, as each organisation has different components and workloads/use cases.

author avatarJavier Medina
Real User

You should build a lab, try the tools, and analyze the traffic and behavior with a traffic analyzer like Wireshark and any sandbox or EDR that shows you what the tools do, but all this should be outside your production environment. Use tools that have been released by the company provider and not third-party downloads or unknown or untrusted sources.

author avatarCurtis Yanko (Shiftleft)
Vendor

I suppose it depends on just how 'bogus' they are. If they are truly 'bogus' then you are likely looking at a trojan. If, however, we are just talking about a 'bad' security tool then you are talking about trying to manage your security with bad or missing information.

author avatarreviewer1266459 (Network Security Engineer at a performing arts with 201-500 employees)
Real User

Refrain from free products.

Delete products and traces of products after evaluation.

Always know what you want from the cybersecurity solution, so you can identify illegal operations of the product if they differ from its stipulated functions.

Work with recognised partners and solution providers.

Download open source from reputable sites.

Rony_Sklar
Are event correlation and aggregation both needed for effective event monitoring and SIEM? 
author avatarWilla Ou
User

Yes, both of them are needed. Since their concepts have been well discussed here, I will just give a few examples of event processing rules I developed in BMC TrueSight for BMC customers in the last 17 years.

'Aggregation' requests are usually about combining multiple occurrences of one single event type into one event for the purpose of minimizing the number of redundant incident tickets.

One type of aggregation is to combine multiple events that occurred on different instances within a certain time period into one event. I call this type horizontal aggregation. One aggregation rule I developed combined all ping failure events within the last 10 minutes into one event if more than 10 servers failed the ping test. Another aggregation rule I developed combined all Remedy server process down events on a single Remedy server within the last 10 minutes into one event.

Another type of aggregation is vertical aggregation along the time line. Take the example of CPU utilization on a single server. If CPU utilization exceeds a threshold at 10:00am, an event will occur and thus a ticket is created. If CPU utilization continues exceeding the threshold, BMC TrueSight won't generate more events. But if CPU utilization falls below the threshold at 10:15am, BMC TrueSight will close the previous event. What if CPU utilization exceeds the threshold again at 10:30am? Another event will occur and another ticket will be created. If this pattern goes on 20 times in a day, we will get 20 tickets. This is sometimes called event flapping. The aggregation rule I developed combined all occurrences of the same type of event into one event based on user-defined criteria - either by a fixed time period (e.g. all high CPU events that happened within an 8-hour fixed window go to one event/ticket) or by idle time (e.g. all re-occurrences that happened after 3 hours of normal CPU utilization go to a new event/ticket).

'Correlation' requests are usually about grouping different event types (which often occurred on different servers) together for the purpose of identifying the root cause - though it can sometimes reduce the number of redundant incident tickets as well. Correlation may even add one higher-level ticket that links to all related lower-level tickets, especially if these lower-level tickets are assigned to different support groups. One example is to correlate an event from a synthetic transaction failure, an event from app server log monitoring, and an event from Oracle alert log monitoring that occurred within the last 10 minutes. One challenge in event correlation is to correlate the related events only, thus having an accurate infrastructure topology is critical. As discussed here previously, purely relying on a discovery tool to keep a real-time topology is difficult and expensive. In BMC TrueSight, I sometimes had to develop an add-on data collection (custom PATROL KM) to extract the component relationship from configuration files on the server and execute this custom PATROL KM on the same schedule as the BMC out-of-the-box PATROL KM.

Aggregation and correlation are necessary in enterprise SIEM in order to realize positive ROI.
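The two aggregation shapes described in the post above, re-implemented in Python as an added example. This is not BMC TrueSight rule code; the event tuples, host names and timestamps are constructed for illustration. It covers horizontal aggregation of ping failures across servers inside a 10-minute window with the "more than 10 servers" threshold, and vertical (flapping) aggregation of repeated high-CPU events on one server, both by an 8-hour fixed window and by a 3-hour idle gap.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw events as (timestamp, host, event_type); real events carry far more fields.
PING_EVENTS = [(datetime(2021, 7, 1, 10, 0), "srv%02d" % i, "ping_failure") for i in range(12)]
PING_EVENTS += [
    (datetime(2021, 7, 1, 10, 8), "srv03", "ping_failure"),   # same host again inside the window
    (datetime(2021, 7, 1, 11, 30), "srv99", "ping_failure"),  # isolated failure, no window to join
]

def horizontal_aggregate(events, window=timedelta(minutes=10), min_hosts=10):
    """Horizontal aggregation: ping failures that fall inside one window are folded into a
    single event when more than `min_hosts` distinct servers failed; otherwise each
    failure is passed through on its own, because one dead server is still a real ticket."""
    failures = sorted(e for e in events if e[2] == "ping_failure")
    out, i = [], 0
    while i < len(failures):
        start = failures[i][0]
        j = i
        while j < len(failures) and failures[j][0] - start < window:
            j += 1
        batch = failures[i:j]
        hosts = sorted({host for _, host, _ in batch})
        if len(hosts) > min_hosts:
            out.append({"type": "mass_ping_failure", "first": start, "hosts": hosts, "count": len(batch)})
        else:
            out.extend({"type": "ping_failure", "first": ts, "hosts": [host], "count": 1}
                       for ts, host, _ in batch)
        i = j
    return out

# Constructed: times at which one server's CPU re-crossed its threshold during a day.
CPU_EVENTS = [datetime(2021, 7, 1, h, m)
              for h, m in ((10, 0), (10, 30), (11, 0), (11, 30), (16, 0), (16, 20))]

def fixed_window_aggregate(times, window_hours=8):
    """Vertical aggregation by fixed window: everything in the same 8-hour slot of the
    day (00-08, 08-16, 16-24) becomes one event/ticket. Returns {slot_start: occurrences}."""
    buckets = defaultdict(int)
    for t in times:
        slot = t.replace(hour=(t.hour // window_hours) * window_hours,
                         minute=0, second=0, microsecond=0)
        buckets[slot] += 1
    return dict(buckets)

def idle_time_aggregate(times, idle=timedelta(hours=3)):
    """Vertical aggregation by idle time: a re-occurrence joins the open ticket unless the
    quiet gap since the previous occurrence exceeds `idle`, which opens a new ticket.
    Simplification: the gap is measured between occurrences, not from threshold-clear."""
    tickets = []
    for t in sorted(times):
        if tickets and t - tickets[-1]["last"] <= idle:
            tickets[-1]["last"] = t
            tickets[-1]["occurrences"] += 1
        else:
            tickets.append({"first": t, "last": t, "occurrences": 1})
    return tickets

if __name__ == "__main__":
    for ev in horizontal_aggregate(PING_EVENTS):
        print(ev["type"], ev["first"].time(), ev["count"], "event(s),", len(ev["hosts"]), "host(s)")
    print(fixed_window_aggregate(CPU_EVENTS))
    print(idle_time_aggregate(CPU_EVENTS))
```

On the sample data the 13 ping failures at 10:00-10:08 collapse into one mass event covering 12 hosts, the lone 11:30 failure stays a single event, and the six CPU crossings become two tickets under either vertical rule (the 10:00-11:30 run and the 16:00-16:20 run).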

author avatarErtugrul Akbas (ANET)
Real User

They are not the same. For event monitoring (log management) aggregation is enough, but if you need correlation then a SIEM is required. Aggregation means log parsing and correlation means developing rules to detect attacks.

author avatarTjeerd Saijoen
Vendor

Aggregation is taking several events and turning them into one single event, while Correlation enables you to find relationships between seemingly unrelated events in data from multiple sources and to understand which events are most relevant.

SIEM event correlation is an essential part of any SIEM solution. It aggregates and analyzes log data from across your network applications, systems, and devices, making it possible to discover security threats and malicious patterns of behavior that otherwise go unnoticed and can lead to compromise or data loss.

author avatarreviewer1285209 (Tech Lead at a tech services company with 1,001-5,000 employees)
Real User

Aggregation and correlation: agreeing with the right responses below.

Aggregation takes place during the flow of the real-time events to reduce duplicate events generated from the same source. Aggregation of events can be adjusted in a few of the SIEM solutions to reduce logging, EPS, storage, CPU, etc. (The solution architect or the platform engineer has to decide the aggregation setting depending on what is to be achieved out of the environment.)

Ex: Reducing the same/similar sync events from a security device to save space in the SIEM.

Correlation is the process of connecting/relating two different event properties from the same or different log sources. Those events may or may not hold the same parsed fields. But correlation can only occur once the events are aggregated >> parsed >> mapped to respective fields, so that SIEM rules can check for required fields to trigger a correlated offense/alert.

Ex: Detecting and triggering security threat alerts from different security appliances (firewall, IDS/IPS, WAF, EDR, HIPS, AV, etc.).

Suppression: let's not confuse suppression of alerts with aggregation. Suppression is used to reduce the same offenses generated multiple times, and this takes place after Aggregation >> Parsing >> Mapping >> Correlation >> Offense triggered >> Suppression.

Ex: "Device not reporting for the last 1 hour" can be suppressed while the security team works to resolve the event, until the device is back in action.

Thank you
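The last three stages of the order given in the post above (correlation across sources, offense, suppression) as an added Python example, not any SIEM vendor's code. It assumes the events have already been parsed and mapped to common field names by the collection layer; the source names, field names, IP addresses and the "device not reporting" heartbeat offenses are constructed.

```python
from datetime import datetime, timedelta

# Constructed events, already parsed and mapped to common field names.
# Assumption: the collection layer normalised each source; correlation cannot
# run on raw lines, which is the "aggregated >> parsed >> mapped" part of the post.
EVENTS = [
    {"ts": datetime(2021, 7, 1, 9, 0),  "source": "firewall", "type": "allowed_inbound",    "dst_ip": "10.1.1.20"},
    {"ts": datetime(2021, 7, 1, 9, 2),  "source": "ids",      "type": "exploit_attempt",    "dst_ip": "10.1.1.20"},
    {"ts": datetime(2021, 7, 1, 9, 5),  "source": "edr",      "type": "suspicious_process", "host_ip": "10.1.1.20"},
    {"ts": datetime(2021, 7, 1, 9, 3),  "source": "ids",      "type": "exploit_attempt",    "dst_ip": "10.1.1.30"},  # no EDR follow-up
    {"ts": datetime(2021, 7, 1, 14, 0), "source": "edr",      "type": "suspicious_process", "host_ip": "10.1.1.20"},  # hours later, outside window
]

def asset_of(ev):
    """Different sources name the victim differently (firewall/IDS: dst_ip, EDR: host_ip).
    Mapping them onto one asset key is what lets a rule check its required fields."""
    return ev.get("dst_ip") or ev.get("host_ip")

def correlate(events, window=timedelta(minutes=10), required=("ids", "edr")):
    """One offense per asset when every source in `required` reports on that asset
    within `window`, taking each event in turn as the window anchor. Different event
    types from different sources are what distinguishes this from aggregation."""
    by_asset = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_asset.setdefault(asset_of(ev), []).append(ev)
    offenses = []
    for asset, evs in by_asset.items():
        for anchor in evs:
            chain = [e for e in evs if timedelta(0) <= e["ts"] - anchor["ts"] < window]
            sources = {e["source"] for e in chain}
            if all(src in sources for src in required):
                offenses.append({"ts": anchor["ts"], "type": "multi_source_compromise",
                                 "asset": asset, "sources": sorted(sources), "evidence": chain})
                break  # one offense per asset; repeats are the suppression stage's job
    return offenses

def suppress(offenses, window=timedelta(hours=1)):
    """Suppression runs after offenses exist: an offense with the same type and asset
    re-raised inside `window` of the last one that was let through is counted and dropped."""
    last_alerted, kept, dropped = {}, [], 0
    for off in sorted(offenses, key=lambda o: o["ts"]):
        key = (off["type"], off["asset"])
        if key in last_alerted and off["ts"] - last_alerted[key] < window:
            dropped += 1
            continue
        last_alerted[key] = off["ts"]
        kept.append(off)
    return kept, dropped

# Constructed: a heartbeat check re-raising "device not reporting" every 15 minutes
# while the team is already working the outage.
HEARTBEAT_OFFENSES = [
    {"ts": datetime(2021, 7, 1, 12, minute), "type": "device_not_reporting", "asset": "fw-edge-01"}
    for minute in (0, 15, 30, 45)
] + [{"ts": datetime(2021, 7, 1, 13, 0), "type": "device_not_reporting", "asset": "fw-edge-01"}]

if __name__ == "__main__":
    for off in correlate(EVENTS):
        print(off["asset"], off["sources"], len(off["evidence"]), "events")
    kept, dropped = suppress(HEARTBEAT_OFFENSES)
    print(len(kept), "alerts raised,", dropped, "suppressed")
```

Only 10.1.1.20 produces an offense: it has IDS and EDR events inside one 10-minute window, and the firewall event in the same window is kept as evidence. 10.1.1.30 has an IDS hit with no EDR confirmation, and the 14:00 EDR event is too far from the IDS hit to join. The five heartbeat offenses become two alerts, one at 12:00 and one an hour later when the suppression window lapses.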


author avatarGregg Woodcock
Real User

Yes. You need aggregation to show sustained activity over time which can indicate an attack, attempt to breach, or exfiltration. You need correlation to show things that happen contemporaneous which is especially useful if they should not or normally do not.

author avatarreviewer1275930 (IT Executive Leader / Innovator at a tech consulting company with 11-50 employees)
Consultant

Not sure anything else could be added that Mr. Collier already stated.  The aggregation of any events is to collect and combine events to develop a pool of raw data which could be analyzed later.  To correlate events on any given situation is to look for similarities or disparities between those events. I do not see any applications or platforms on the market (yet) that can provide a solid foundation of correlating events.  Given a very small sample of variables and LOTS of data, correlations can be surmised -- but still need a very manual process of validation. 

author avatarRandall Hinds
Real User

Agree on all the answers posted here, and I especially like Dave's explanation on the more advanced solutions available on the market. Excellent call-outs on the need for deep and well-maintained relationship mapping to enable an AI's algorithm to connect the dots between aggregated alerts firing from multiple separate source tools. Having a mature ITSM implementation with CI discovery, automated dependency mapping, and full integration between your correlation engine and CMDB will help too.

Rony_Sklar
SIEM and SOAR have a lot of components in common. How do they differ in the role they play in Cyber Security? If you've been working in cybersecurity, you've likely come across SOAR and SIEM technologies. There are differences between their capabilities, although they have a fair amount of commonalities. They both collect data, but the quantity of data, type of data, and type of response is where they differ. As threats have advanced, security professionals may be in need of both. That's where SOAR and SIEM come to the rescue, although there has been some confusion as to the difference between the two. The two technologies have different competencies, but can be combined to increase a security team's or SOC's effectiveness. We've evaluated the differences of the best SIEM tools and top SOAR tools to clear up the differences between each. SIEM vs SOAR In short, SIEM aggregates and correlates data from multiple security systems to generate alerts while SOAR acts as the…
author avatarDenis L
Reseller

TLDR:

SIEM:

Security information management: long-term storage as well as analysis and reporting of log data.

Security event manager: real-time monitoring, correlation of events, notifications, and console views.

SOAR:

SIEM + Threat Intelligence (IoCs, AI, etc.), Vulnerability and Threat Management (analysis, reporting, management views, dashboards, real-time analysis), and automation and orchestration for incident response (something like "the ability to block, on our firewall, a dst_ip that we get from, for example, a proxy log").
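The response step named in the post above (take a dst_ip from a proxy log and block it on the firewall) as an added Python sketch, not any SOAR product's playbook. The Squid-style log lines, the indicator list and the action dictionaries are constructed; the never-block address ranges are an assumption about the organisation's own networks.

```python
import ipaddress
import re

# Constructed proxy log lines in a Squid-like layout (not a real capture).
PROXY_LOG = """\
1625130000.123    210 10.0.0.15 TCP_MISS/200 5120 GET http://203.0.113.77/update.bin - HIER_DIRECT/203.0.113.77 application/octet-stream
1625130001.456     80 10.0.0.22 TCP_MISS/200 1024 GET http://198.51.100.9/ - HIER_DIRECT/198.51.100.9 text/html
1625130002.789     15 10.0.0.15 TCP_HIT/200   900 GET http://10.0.0.1/intranet - HIER_DIRECT/10.0.0.1 text/html
1625130003.111    300 10.0.0.31 TCP_MISS/200 2048 GET http://203.0.113.77/beacon - HIER_DIRECT/203.0.113.77 text/plain
"""

# Constructed indicator set standing in for a threat-intelligence feed. 10.0.0.1 is
# included on purpose as a bad indicator: feeds do occasionally list internal addresses.
MALICIOUS_IPS = {"203.0.113.77", "10.0.0.1"}

# Assumption: the organisation's own ranges plus loopback and link-local.
# Addresses inside them are never blocked by automation, whatever the feed says.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# The upstream destination sits after the hierarchy code, e.g. "HIER_DIRECT/203.0.113.77".
DST_RE = re.compile(r"HIER_\w+/(\d{1,3}(?:\.\d{1,3}){3})")

def extract_dst_ips(log_text):
    """Return the destination IP of every proxy log line, in log order."""
    ips = []
    for line in log_text.splitlines():
        match = DST_RE.search(line)
        if match:
            ips.append(match.group(1))
    return ips

def is_protected(ip):
    """True when the address falls inside a never-block range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NEVER_BLOCK)

def plan_blocks(log_text, indicators):
    """Turn indicator hits into firewall actions. Hits on protected addresses are routed
    to a human instead of being blocked, so a poisoned or sloppy feed cannot make the
    playbook firewall off the network's own gateway or resolver."""
    hits = {}
    for ip in extract_dst_ips(log_text):
        if ip in indicators:
            hits[ip] = hits.get(ip, 0) + 1
    blocks, review = [], []
    for ip, count in sorted(hits.items()):
        if is_protected(ip):
            review.append({"action": "manual_review", "dst_ip": ip,
                           "reason": "address is in a never-block range", "evidence_count": count})
        else:
            blocks.append({"action": "block", "direction": "outbound", "dst_ip": ip,
                           "evidence_count": count})
    return blocks, review

if __name__ == "__main__":
    blocks, review = plan_blocks(PROXY_LOG, MALICIOUS_IPS)
    for action in blocks + review:
        print(action)
```

The action dictionaries are the hand-off point: a real playbook would render them into the firewall's own API or CLI and attach the evidence count to the case. Keeping the never-block check in the playbook rather than trusting the feed is the part worth copying.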

author avatarGregg Woodcock
Real User

The SIEM is the detection/surveillance engine whereas the SOAR is the remediation/response engine

Shastri Sooknanan (User)

SIEM is the collection of log files from IT assets and various intel feeds that aggregates and correlates big data.


The SOAR component mostly enhances how the detected anomalies are handled with minimal to no human interaction by coordinating corrective action from one or more systems.

Sagar_Shah (Real User)

What is SIEM?


Firewalls, network appliances and intrusion detection systems generate an immense amount of event-related data, more than security teams can reasonably expect to interpret. A SIEM makes sense of all of this data by collecting and aggregating it and then identifying, categorizing and analyzing incidents and events. This is often done using machine learning, specialized analytics software and dedicated sensors.


A SIEM solution examines log data for patterns that could indicate a cyberattack, then correlates event information between devices to identify potentially anomalous activity and finally, issues alerts accordingly.


So why isn’t a SIEM solution effective on its own?


SIEM tools usually need regular tuning to continually understand and differentiate between anomalous and normal activity. The need for regular tuning leads to security analysts and engineers wasting precious time on making the tool work for them instead of triaging the constant influx of data.


What is SOAR?


Like SIEM, SOAR is designed to help security teams manage and respond to endless alarms at machine speeds. SOAR platforms take things a step further by combining comprehensive data gathering, case management, standardization, workflow and analytics to provide organizations the ability to implement sophisticated defense-in-depth capabilities.


Here’s how:



  • SOAR solutions gather alarm data from each integrated platform and place them in a single location for additional investigation.

  • SOAR’s approach to case management allows users to research, assess and perform additional relevant investigations from within a single case.

  • SOAR establishes integration as a means to accommodate highly automated, complex incident response workflows, delivering faster results and facilitating an adaptive defense.

  • SOAR solutions include multiple playbooks in response to specific threats: Each step in a playbook can be fully automated or set up for one-click execution directly from within the platform including interaction with third-party products for comprehensive integration.


Put simply, SOAR—sometimes also known as security automation and orchestration (SAO)—integrates all of the tools, systems and applications within an organization’s security toolset and then enables the SecOps team to automate incident response workflows.


SOAR’s main benefit to a SOC is that it automates and orchestrates time-consuming, manual tasks, including opening a ticket in a tracking system, such as Jira, without requiring any human intervention—which allows engineers and analysts to better use their specialized skills.


Security Information and Event Management (SIEM) Articles

Ertugrul Akbas
Manager at a computer software company with 11-50 employees
May 12 2021

The right SIEM tool varies based on a business’ security posture, its budget and other factors. However, the top SIEM tools usually offer the following capabilities:

  • Scalability — Ensure the solution has the capability to accommodate the current and the projected growth.
  • Log compatibility — Ensure that the solution is compatible with your logs
  • Correlation engine — Does the solution have the ability to search across multiple devices and logs
  • Forensic capabilities — Does the solution offer forensic analysis capabilities from the event source
  • Dashboards — The solution must provide the ability to easily create dashboards and reports
  • Threat intelligence — Find out if the solution has the ability to integrate with internal/external intelligence sources
  • Incident response
  • Machine Learning — Can the system improve its own accuracy through machine learning and deep learning?
  • Performance

Scalability

A modern SIEM can scale into any organization — big or small, locally-based or operating globally. [1]

A modern SIEM processes events in a distributed manner, offloading tasks such as collection, filtering, normalization and aggregation from the central log management system. This model also addresses security-related issues and supports an incremental rollout [2,3,36].

Log compatibility

A SIEM works not just from its correlation rules but from the data you feed it. Feeding your SIEM security-relevant data results in more accurate alerts.

Currently, most SIEM products support hundreds of log formats. If a log format is not supported, there is an API for writing a custom log parser.

Correlation engine

SIEM use cases (rules) are 80% of the value of the product. Check the product's predefined rule list and also check whether there are any restrictions. A next-gen SIEM correlation engine will be very helpful to analysts. Not all SIEM correlation rules and use cases are created equal, and it is hard to find a SIEM that supports core, advanced and intelligent use cases at an affordable price [4,5,6,7,8,18].

All SIEM products have correlation, but not all SIEM solutions are created equal; a detailed analysis is required to understand the differences in correlation capability. For example, most SIEM solutions have a watchlist or list management feature, but only some of them have multidimensional list management inside correlation, as a modern SIEM does [33,34]. Some SIEM solutions can update multiple lists or sets at the same time [34] while others cannot.

Some correlation engines have restrictions such as: cross-correlation can only run on IPS and vulnerability scanner logs, and the join is on IP addresses only.

The diversity of correlation and detection methods and features matters, for example detecting what has never been seen before. A modern SIEM can make analysts' jobs much easier with modern detection and correlation features such as "never seen before" rules [18].

Advanced features are the key features for successful detection. Sample distinguishing use cases:

  • Returns days where a user accessed more than his 95th-percentile number of assets
  • Look for a user whose HTTP-to-DNS protocol ratio is 300% higher than that of 95% of the other users, compared with the last four weeks' ratio for the 4th day of the week
  • If a user's ratio of failed to successful authentications reaches 10%, alert
  • Data loss detection by monitoring all endpoints for an abnormal volume of data egress
  • Measures the similarity between well-known process names with the running ones using Levenshtein distance in real-time and detect process masquerade
  • DGA detection
  • Failed login to an asset that a user has previously never logged on to
  • The first-time user is performing an activity from a country
  • First VPN connection from a device for a user
  • First connection from a source IP
  • First access to a device for a user
  • First access to database MSSQL for peer group HR
  • First access to database MSSQL for user
  • First mail to/from a domain for the organization
  • First access to this web domain which has been identified as risky by a reputation feed
  • First execution of a process on a host
  • First access to object fdghsdydhas
  • First access from a host to a database for a user
  • First access from source zone Atlanta office to a database for a user
  • Suspicious temporary account activity
  • Abnormal account administration
  • Unusual account privilege escalation
  • Unusual file modifications
  • Abnormal password activity
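Several of the rules above can be prototyped in a few dozen lines. The following is an added example written for this page, not code from the article or from any SIEM vendor: it runs three of the listed use cases (a failed login to an asset the user has never logged on to, the failed-to-successful authentication ratio, and Levenshtein-distance process masquerade detection) over a constructed event set. The event fields, the 10% threshold and the edit-distance cutoff of 2 are assumptions.

```python
"""Three of the distinguishing use cases above, run over constructed events.

Added example for this page; not code from the article or from any SIEM.
Event fields, the 10% ratio threshold and the edit-distance cutoff are assumptions.
"""
from collections import defaultdict

# Constructed sample events (not real logs). outcome is "success" or "failure".
AUTH_EVENTS = [
    {"user": "alice", "host": "fs01",  "outcome": "success"},
    {"user": "alice", "host": "fs01",  "outcome": "success"},
    {"user": "alice", "host": "db02",  "outcome": "failure"},  # alice never logged on to db02
    {"user": "bob",   "host": "fs01",  "outcome": "failure"},  # bob has no history at all yet
    {"user": "bob",   "host": "fs01",  "outcome": "success"},
    {"user": "bob",   "host": "fs01",  "outcome": "failure"},  # fs01 is now known for bob
    {"user": "carol", "host": "web01", "outcome": "success"},
]

# Well-known process names to protect, and a constructed list of running processes.
KNOWN_PROCESSES = ["svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"]
RUNNING = ["svchost.exe", "lsas.exe", "explorer.exe", "scvhost.exe", "notepad.exe"]


def first_seen_failures(events, baseline):
    """'Failed login to an asset that a user has previously never logged on to'.

    baseline maps user -> set of hosts with a prior successful logon. It is updated
    as successes stream by, so the rule is stateful like a SIEM watchlist.
    """
    hits = []
    for e in events:
        seen = baseline.setdefault(e["user"], set())
        if e["outcome"] == "success":
            seen.add(e["host"])
        elif e["host"] not in seen:
            hits.append((e["user"], e["host"]))
    return hits


def failure_ratio_alerts(events, threshold=0.10):
    """'If a user's ratio of failed to successful authentications reaches 10%, alert'."""
    counts = defaultdict(lambda: {"success": 0, "failure": 0})
    for e in events:
        counts[e["user"]][e["outcome"]] += 1
    alerts = {}
    for user, c in counts.items():
        # A user with failures but no successes has an unbounded ratio; never divide by zero.
        ratio = c["failure"] / c["success"] if c["success"] else float("inf")
        if ratio >= threshold:
            alerts[user] = ratio
    return alerts


def levenshtein(a, b):
    """Classic dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade_candidates(running, known, max_distance=2):
    """'Measure the similarity between well-known process names and running ones'.

    A running name that is not itself a known name but is within max_distance
    edits of one is reported as (running, lookalike, distance).
    """
    out = []
    for name in running:
        if name in known:
            continue
        for k in known:
            d = levenshtein(name, k)
            if d <= max_distance:
                out.append((name, k, d))
                break
    return out


if __name__ == "__main__":
    print(first_seen_failures(AUTH_EVENTS, {}))
    print(failure_ratio_alerts(AUTH_EVENTS))
    print(masquerade_candidates(RUNNING, KNOWN_PROCESSES))
```

The first rule is stateful: the baseline set stands in for the watchlist that "never seen before" rules depend on. A real deployment seeds it from history before the rule is allowed to alert, otherwise every user's first day produces a flood of first-access alerts.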

Forensic capabilities

Almost every company needs a solution for protecting its sensitive data and detecting suspicious activity in real time. Besides, when an incident occurs, companies want to be able to present digital evidence in a courtroom, so integrity is also critical. This is usually achieved with integrity mechanisms such as hashing blocks of stored log data. Historical log data must be secured either with a checksum in the form of a well-known hash or with a digital signature. Two caveats for a practitioner: MD5 and SHA-1 are collision-broken, so use SHA-2 or SHA-3 for new deployments; and a plain hash stored next to the data only detects accidental corruption, because anyone who can rewrite the logs can recompute the hash. Evidence-grade integrity needs a keyed MAC or signature whose key the log store cannot reach, plus a chain or external anchor (WORM storage, a timestamping service, or a separate audit system) so that blocks cannot be silently deleted or reordered.
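A minimal illustration of the integrity mechanism described above, added here as an example (not the article's or any vendor's code): each stored block of log lines gets a SHA-256 digest, and the digests are chained through an HMAC so that editing, deleting or reordering a block breaks every later seal. The log lines and the key are constructed placeholders; in production the key is held by a KMS or HSM that the log store cannot read, and the latest seal is anchored externally.

```python
"""Integrity of stored log blocks: per-block SHA-256 plus an HMAC chain.

Added example for this page; not code from the article or from any SIEM.
The log lines are constructed and the key is a placeholder assumption.
"""
import hashlib
import hmac

SECRET_KEY = b"placeholder-key-replace-with-kms-managed-secret"  # assumption

# Constructed log blocks (not real data). Each inner list is one stored block.
LOG_BLOCKS = [
    [b"2021-05-12T10:00:01Z sshd: Accepted publickey for alice from 10.0.0.5",
     b"2021-05-12T10:00:07Z sudo: alice : COMMAND=/bin/systemctl restart nginx"],
    [b"2021-05-12T10:05:00Z sshd: Failed password for root from 203.0.113.9",
     b"2021-05-12T10:05:02Z sshd: Failed password for root from 203.0.113.9"],
]

GENESIS = b"\x00" * 32  # chain value before the first block


def block_digest(lines):
    """SHA-256 over the block; each line is length-prefixed so boundaries are unambiguous."""
    h = hashlib.sha256()
    for line in lines:
        h.update(len(line).to_bytes(4, "big"))
        h.update(line)
    return h.digest()


def seal_blocks(blocks, key):
    """Return one (block_hash, chain_mac) seal per block.

    chain_mac = HMAC(key, prev_chain_mac || block_hash), so seal i commits to every
    earlier block: editing block i invalidates seals i..n, and so does dropping or
    swapping a block. Without the key, an attacker cannot recompute the seals.
    """
    seals = []
    prev = GENESIS
    for lines in blocks:
        bh = block_digest(lines)
        mac = hmac.new(key, prev + bh, hashlib.sha256).digest()
        seals.append((bh, mac))
        prev = mac
    return seals


def verify_blocks(blocks, seals, key):
    """Return the index of the first block whose seal fails, or -1 if the chain is intact."""
    if len(blocks) != len(seals):
        return min(len(blocks), len(seals))
    prev = GENESIS
    for i, (lines, (bh, mac)) in enumerate(zip(blocks, seals)):
        recomputed = block_digest(lines)
        expected_mac = hmac.new(key, prev + recomputed, hashlib.sha256).digest()
        # compare_digest avoids leaking where the comparison diverged
        if recomputed != bh or not hmac.compare_digest(expected_mac, mac):
            return i
        prev = mac
    return -1


def demo_tamper():
    """Seal the clean blocks, then delete one failed-password line from block 1."""
    seals = seal_blocks(LOG_BLOCKS, SECRET_KEY)
    clean = verify_blocks(LOG_BLOCKS, seals, SECRET_KEY)
    tampered = [list(b) for b in LOG_BLOCKS]
    del tampered[1][1]
    return clean, verify_blocks(tampered, seals, SECRET_KEY)


if __name__ == "__main__":
    print(demo_tamper())
```

The length prefix in block_digest matters: without it, moving bytes across a line boundary inside a block would not change the digest. The HMAC, not the SHA-256, is what makes the seal evidence rather than a checksum.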

Easy aggregation and search of logs within a single platform is critical.

The latest study by the Ponemon Institute on behalf of IBM found that the average time required to identify a data breach is currently 197 days [35]. So having at least 197 days of logs at hand is a real plus and makes detection and forensic analysis much easier. This is achieved by live search capability, and disk usage for live search is the most critical parameter. Every SIEM solution has its own live search technology with advantages and disadvantages. Some examples:

IBM Qradar:

How much space is used per day, in bytes, can be calculated with the following formula: [EPS rate] * ([average payload size in bytes] + [average record size in bytes]) * 86400 [9]

Splunk:

You can estimate how much index disk space you will need for a given amount of incoming data. Typically, the compressed raw data file is 10% the size of the incoming, pre-indexed raw data. The associated index files range in size from approximately 10% to 110% of the raw data file. The number of unique terms in the data affects this value [10].

McAfee SIEM:

Due to the number of standard indexes enabled on McAfee ESM, you can add only 5 indexes to an accumulator field. If you need more than 5, you can disable up to 42 unused standard indexes (such as sessionid, src/dst MAC, src/dst port, src/dst zone, src/dst geolocation).

McAfee ESM uses standard indexes to generate queries, reports, alarms, and views. If you disable an index, McAfee ESM notifies you when it can’t generate a query, report, alarm, or view due to a disabled index, but it does not identify which index is disabled. Due to this limitation, do not disable standard indexes unless needed [11].

ElasticSearch (Lucene Based Solutions)

You can estimate the index disk space needed for a given amount of incoming data as: disk space used = 1/3 * original size for each indexed field + 1 * original size for stored fields + 2 * original size per field with term vectors [12].

AlienVault:

AlienVault USM All-in-One has a limit of 200 million events in its database; the database never holds more than that [13,14].

SureLog:

SureLog compresses its indexes. Compressed indexes give SureLog the advantage of live, real-time search capability over years of data. As an example, the disk capacity required for one year of live search at 5000 EPS is 5 TB. SureLog's disk usage for live search compared with Elasticsearch and Lucene-based systems is shown in the graph below.

Dashboards

Real-time monitoring and dashboards give visibility at the desired level via security-oriented, predefined and customizable analyses.

In addition, you can create real-time reports easily by preparing dashboards and widgets appropriate for new ad hoc requirements.

Dashboards deliver monitoring and reporting metrics to track the state of security throughout the network. They are simple to configure and user-friendly, and let users read a summary of existing network infrastructure data using graphs and tables [15,16].

Threat intelligence

Threats are dynamic and attack vectors change constantly. Respond quickly and minimize damage by using the rich external context enabled by threat intelligence. Immediately know about dangerous IP addresses, files, processes, and other risks in your environment.

A modern SIEM combines multiple threat intelligence feeds and generates alerts for the benefit of the security team. A modern SIEM uses this data to reduce false positives, detect hidden threats, and prioritize your most concerning alarms.

Compliance Reporting

Regulatory compliance is necessary, and a SIEM saves time and helps ensure compliance with predefined reports. Creating a productive SIEM environment requires plenty of the predefined reports you need daily, weekly or monthly, plus a reporting infrastructure that makes new reports easy to create [16].

A modern SIEM has hundreds of predefined reports and a very easy and fast reporting infrastructure [16,17,18,19].

Incident response

Incident response is the action a SIEM takes in response to suspicious activity or an attack. Active response actions include Block IP, Disable Networking, Logoff User, Kill Process, and so on [20,21].

Machine Learning

Machine learning in a SIEM takes cybersecurity rules and data to facilitate security analytics. As a result, it can reduce the effort or time spent on rote tasks or even more sophisticated duties. With the right configuration, machine learning can make decisions based on the data it receives and change its behavior accordingly. A modern SIEM has many ML models [22,23,24,25,26,27,28,37]. Examples of the ML models:

Performance

Performance analysis of SIEM products is very important in an evaluation.

The runtime performance of SIEM products, the resources they require (CPU, RAM, disk), and how they perform at the EPS value you need are all very important. There are two kinds of evaluation criteria:

  • Limits & Recommendations
  • Requirements

Many SIEM products document limits and recommendations, for example:

AlienVault:

AlienVault USM Appliance All-in-One has a recommended limit of 1000 EPS for data collection and 1000 EPS for correlation.

Solarwinds LEM

A properly configured LEM can handle up to 200 million events per day, or about 2,500 EPS (events per second). Conversely, limiting the "reservations" (appropriate CPU and RAM) will result in poor performance and instability. While the maximum is 2,500 EPS, the requirement for 2,500 EPS is 48–256 GB RAM and 16 CPUs @ 2 GHz [30].


McAfee

Maximum Ingestion Events Per Second (iEPS) describes the peak advertised EPS for an appliance. iEPS is based on out-of-the-box settings with no adjustments to default event or flow aggregation and very light overall SIEM user activity (users, alarms, reports, IoCs, etc.). Any customization of the configuration or increase in user activity may reduce the observed EPS rate [31]. The maximum iEPS is 1500 for the VM version of McAfee SIEM [31].

All SIEM tools have system requirements, for example:

Arcsight

System requirements for Arcsight [32]

SureLog

System requirements for SureLog All-in-One: 16 cores and 32 GB RAM for a maximum of 2500 EPS with 100 correlation rules activated.

References:

  1. http://anet-canada.ca/2019/11/02/large-scale-surelog-siem-implementation/
  2. https://solutionsreview.com/security-information-event-management/the-3-most-common-siem-mistakes-and-how-to-avoid-them/
  3. http://anet-canada.ca/2019/11/19/surelog-siem-has-most-valuable-siem-use-cases/
  4. http://anet-canada.ca/2020/01/09/not-all-siem-solutions-are-equal-and-not-all-siem-use-cases-are-the-same/
  5. http://anet-canada.ca/2019/11/11/surelog-siem-use-cases/
  6. http://anet-canada.ca/2019/11/04/gdpr-use-cases/
  7. https://www.ibm.com/support/pages/qradar-how-determine-average-event-payload-and-record-size-bytes-updated
  8. https://docs.splunk.com/Documentation/Splunk/8.0.0/Capacity/Estimateyourstoragerequirements
  9. https://docs.mcafee.com/bundle/enterprise-security-manager-11.0.0-installation-guide-unmanaged/page/GUID-2F189D5A-AC92-4965-80A4-03EE2272F37C.html
  10. https://lucidworks.com/post/estimating-memory-and-storage-for-lucenesolr/
  11. https://cdn5.alienvault.com/docs/data-sheets/usm-appliance.pdf
  12. https://success.alienvault.com/s/question/0D50Z00008oGqax/alienvault-v571-functional-release
  13. https://medium.com/@eakbas/creating-new-dashboards-with-surelog-siem-a67232c84366
  14. https://searchdatacenter.techtarget.com/feature/14-SIEM-reports-and-alerts-to-boost-security
  15. https://medium.com/@eakbas/surelog-predefined-reports-sample-detect-password-changes-and-password-resets-with-surelog-siem-1807d97f9a25
  16. http://anet-canada.ca/2020/01/18/never-seen-before-type-of-rules-with-surelog-siem/
  17. http://anet-canada.ca/2019/07/27/implementing-windows-advanced-logging-cheat-sheet-with-surelog-siem/
  18. https://www.slideshare.net/anetertugrul/anet-surelog-siem-intelligentresponse-54274144
  19. https://logrhythm.com/products/features/smartresponse-automation-plugin-library/
  20. http://anet-canada.ca/2019/06/21/surelog-siem-and-advanced-threat-analytics-with-machine-learning-ml/
  21. http://anet-canada.ca/2019/08/19/user-and-entity-profiling-with-surelog/
  22. http://anet-canada.ca/2019/10/05/domain-generation-algorithm-dga-detection-in-surelog/
  23. http://anet-canada.ca/2019/10/12/hunting-critical-process-masquerade-using-surelog-siem/
  24. http://anet-canada.ca/2019/10/22/hunting-malware-and-viruses-by-detecting-random-strings-using-surelog-siem/
  25. http://anet-canada.ca/2019/11/02/detecting-top-4-tools-used-by-cyber-criminals-recently-with-surelog/
  26. https://www.ibm.com/us-en/marketplace/qradar-user-behavior-analytics
  27. https://www.slideshare.net/anetertugrul/siem-tools-146762789
  28. https://documentation.solarwinds.com/en/success_center/LEM/content/System_Requirements/SEM_2019-4_system_requirements.htm
  29. https://community.mcafee.com/t5/Security-Information-and-Event/Mcafee-SIEM/td-p/617728?lightbox-message-images-617737=2991i122AF2F454808D73
  30. https://community.microfocus.com/t5/ArcSight-User-Discussions/ArcSight-VM-ESM-System-requirement/td-p/2687370
  31. https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_adm_ref_data_collection_overview.html
  32. http://www.anet-canada.ca/blogs
  33. https://www.all-about-security.de/fileadmin/micropages/Fachartikel_28/2019_Cost_of_a_Data_Breach_Report_final.pdf
  34. https://solutionsreview.com/security-information-event-management/the-3-most-common-siem-mistakes-and-how-to-avoid-them/
  35. https://www.varonis.com/blog/user-entity-behavior-analytics-ueba/
Ertugrul Akbas
Manager at a computer software company with 11-50 employees
Jul 14 2021

There are many comparisons and scoring reports, such as Gartner's, but only a small part of their scoring is technical capability. Other comparisons available on the web or in magazines are marketing, sales and presales documents; they do not include extensive technical analysis.

In today's ever-evolving cybersecurity climate, businesses face more threats than ever before. Finding the right SIEM is crucial to protecting against the latest risks and equipping your organization with a robust security strategy.

A SIEM's power is in its correlation: 80% of a SIEM is correlation. "If you are spending 80 percent of your time within a SIEM tool doing alert review and analysis, then you are on the right track." [SANS, Your SIEM Questions Answered]

A detailed technical comparison of the correlation capabilities of SIEM products follows. The comparison is based on the most critical correlation and detection capabilities:

  1. Rule Chain (Multi-Stage Rules)
  2. Correlation Logic
  3. List/Watchlist Management
  4. Real-Time Correlation
  5. Cross-Correlation
  6. Correlation Operators
  7. Correlation Field Operators
  8. Correlation Field Restrictions
  9. Machine Learning


Rule Chain (Multi-Stage Rules):

A rule chain is the ability to combine multiple steps (rules) of a use case without restrictions. This type of rule detects a sequence of events.

Most SIEM tools, such as Micro Focus ArcSight, LogRhythm, QRadar, Securonix and SureLog, support multi-stage rules.

AlienVault, McAfee, FireEye, FortiSIEM, SolarWinds LEM and ManageEngine SIEM are other SIEM tools that support multi-stage rules, with some limits.

McAfee has a restriction on rule chain capability. For example, "if a firewall admin login has occurred and there is no configuration change immediately after it (wait for 15 minutes), but there is a change on the firewall after those 15 minutes and within 12 hours, notify" is not possible with McAfee. It is not possible to build this rule chain because there is no way to define "wait 15 minutes" and then check "within the following 12 hours".

McAfee Rule Chain Editor

In the McAfee editor, when two or more actions require time windows, the single rule window (10 minutes in this example) must be divided between them; here each action gets five minutes. Once the unsuccessful attempts have occurred within five minutes, the system begins to listen for a successful login from the same source IP in the next five minutes. So there is no way to implement wait logic between actions (rules).

FireEye has the same restrictions as McAfee.

Solarwinds LEM has the same restrictions as McAfee.

ManageEngine SIEM has the same restrictions as SolarWinds LEM. In ManageEngine SIEM there is no way to define a new rule type to chain, and there are schema field restrictions on linking rule chains.

AlienVault has the same restrictions as SolarWinds LEM. Also, when chaining rules, AlienVault can only link on None, Plugin_sid, SRC_IP, DST_IP, SRC_Port, DST_Port, Protocol and Sensor; no other schema fields can link rule chains.

FortiSIEM also does not have "wait for 15 minutes" kind of capability to chain rules.

Logpoint does not have this kind of correlation capability.

Rapid7 does not have this kind of correlation capability.

Another requirement when chaining rules is cross-linking of rule fields. For example: if a device is the destination of a brute-force attack and that same device is later the source of a port scan, detect this device.

Alienvault only uses SRC_IP, DST_IP, SRC_Port, DST_Port, Protocol rule fields.

McAfee does not support cross-linking of rule fields.

Logpoint does not have this kind of correlation capability.

Rapid7 does not have this kind of correlation capability.

Exabeam and Securonix are UEBA tools. They are not correlation-based solutions.
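Here is what the two rule-chain requirements in this section look like when written out as a small streaming state machine, as an added example (not code from the article or from any of the products compared): the "admin login, no change for 15 minutes, then a change within 12 hours" chain, and the cross-linked chain where the destination of a brute-force attack later appears as the source of a port scan. Event type names, field names and the constructed event stream are assumptions.

```python
"""Two multi-stage (rule chain) use cases from this section as a streaming state machine.

Added example for this page; not code from the article or from any SIEM.
Timestamps are epoch seconds; event type and field names are assumptions.
"""

ADMIN_LOGIN, CONFIG_CHANGE = "fw_admin_login", "fw_config_change"
BRUTE_FORCE, PORT_SCAN = "brute_force_detected", "port_scan_detected"

MIN15, H12 = 15 * 60, 12 * 3600


class RuleChainEngine:
    """Stage-1 events open a pending entry keyed on the chained field; later events
    are checked against that entry's time windows, which is the 'wait, then look'
    logic a single divided window cannot express."""

    def __init__(self):
        self.pending_logins = {}  # admin -> login time (stage 1 of the firewall chain)
        self.brute_victims = {}   # ip -> time it was the DESTINATION of a brute force
        self.alerts = []

    def process(self, ev):
        t, kind = ev["ts"], ev["type"]

        # chain 1: admin login, quiet for 15 minutes, then a change within 12 hours
        if kind == ADMIN_LOGIN:
            self.pending_logins[ev["admin"]] = t
        elif kind == CONFIG_CHANGE and ev["admin"] in self.pending_logins:
            delta = t - self.pending_logins.pop(ev["admin"])
            if delta < MIN15:
                pass  # change right after login is the normal pattern: chain closes quietly
            elif delta <= H12:
                self.alerts.append(("delayed_fw_change", ev["admin"], delta))
            # delta > H12: the chain expired, no alert

        # chain 2: cross-linked fields, brute-force DST later shows up as port-scan SRC
        elif kind == BRUTE_FORCE:
            self.brute_victims[ev["dst_ip"]] = t
        elif kind == PORT_SCAN and ev["src_ip"] in self.brute_victims:
            if t - self.brute_victims[ev["src_ip"]] <= H12:
                self.alerts.append(("compromised_host_pivot", ev["src_ip"]))
        return self.alerts


# Constructed event stream (not real logs).
EVENTS = [
    {"ts": 0,    "type": ADMIN_LOGIN,   "admin": "fwadmin"},
    {"ts": 120,  "type": ADMIN_LOGIN,   "admin": "jdoe"},
    {"ts": 300,  "type": CONFIG_CHANGE, "admin": "jdoe"},     # 3 min after login: benign
    {"ts": 3600, "type": CONFIG_CHANGE, "admin": "fwadmin"},  # 1 h after login: alert
    {"ts": 4000, "type": BRUTE_FORCE,   "src_ip": "203.0.113.9", "dst_ip": "10.0.0.20"},
    {"ts": 4300, "type": PORT_SCAN,     "src_ip": "10.0.0.20",   "dst_ip": "10.0.0.0/24"},
]


def run(events):
    eng = RuleChainEngine()
    for ev in events:
        eng.process(ev)
    return eng.alerts


if __name__ == "__main__":
    print(run(EVENTS))
```

The point of the second chain is that the join key changes role between stages (dst_ip in stage 1, src_ip in stage 2); an engine that can only link rules on "the same field" cannot express it.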

Correlation Logic:

Rules are discriminators used to find a certain behavior. If their designer knows what they are searching for, they are invaluable tools. To design a rule without limits or barriers, the correlation logic of the rule engine must be very powerful and flexible. It is hard to test the correlation logic of SIEM tools; one of the simplest ways is to try to implement a discriminator use case (correlation rule). For example:

"Detect more than three authentication failures from the same user within five minutes without any successful login in between."

Micro Focus ArcSight can also detect this kind of use case.

With Splunk it might be possible to detect this use case with the "transaction" command, but those searches are very taxing on the search head.

Rapid7 and Logpoint have the same issues as Splunk.

AlienVault, FortiSIEM, ManageEngine SIEM, McAfee and SolarWinds LEM cannot detect the above use case.

Another test use case is detecting changes. Rapid7 has a change detection capability.

Rapid7 Change Detection Wizard

Qradar also has a change detection capability.

Another example is "Never Seen Before Type Of Rules" [2,3]. While Micro Focus ArcSight, Exabeam, Qradar, Rapid7, Securonix, and SureLog have this capability, AlienVault, McAfee, FireEye, Solarwinds LEM, and ManageEngine do not.

Continuing with decisive scenarios that are not available in every SIEM product, consider the rules below:

  1. If a machine's bandwidth usage is > 200 MB within 5 minutes, or if a user-to-destination-IP bandwidth usage is > 500 MB within 10 minutes.
  2. If an account has not been used in at least the last 30 days, notify/lock/delete this account. (This use case is mandatory for FedRAMP Moderate, control AC-2(3), and NIST 800-53, control AC-2(3).)

McAfee does not support these types of rules; see the blogs below.

The second rule is also not supported by many SIEM products, such as McAfee, FortiSIEM, LogRhythm, AlienVault, SolarWinds, ManageEngine and RSA.

You may be able to develop a query for it in Splunk and Logpoint, but if you want to detect it immediately you should consider the system resource usage.
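The discriminator use case above (more than three failures from one user within five minutes with no success in between) and the dormant-account rule are easy to state but need per-user state that resets, which is exactly what a search-based approach pays for in resources. The following added example (not code from the article or from any SIEM) implements both over constructed events; timestamps are epoch seconds, and the field names, window and limits are assumptions.

```python
"""Two discriminator use cases from this section over constructed events.

Added example for this page; not code from the article or from any SIEM.
Timestamps are epoch seconds; field names, the window and the limits are assumptions.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 5 * 60
MAX_FAILURES = 3


def failures_without_success(events, window=WINDOW_SECONDS, max_failures=MAX_FAILURES):
    """'More than three authentication failures from the same user within five minutes
    without any successful login in between'.

    A success clears the user's failure history (the 'in between' condition); failures
    older than the window age out; the alert fires once per run of failures.
    """
    history = defaultdict(deque)  # user -> timestamps of failures since the last success
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, t = ev["user"], ev["ts"]
        q = history[user]
        if ev["outcome"] == "success":
            q.clear()
            alerted.discard(user)
            continue
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) > max_failures and user not in alerted:
            alerts.append((user, t, len(q)))
            alerted.add(user)
    return alerts


def dormant_accounts(last_login, now, days=30):
    """Accounts with no logon in the last `days` days (the AC-2(3) use case).

    last_login maps account -> epoch seconds of the most recent successful logon,
    the kind of per-entity state a SIEM keeps in a list or reference map.
    """
    cutoff = now - days * 86400
    return sorted(user for user, t in last_login.items() if t < cutoff)


# Constructed events: carol has four failures but a success in between (no alert);
# dave has four failures inside four minutes (alert); erin's four failures span
# more than five minutes (no alert).
EVENTS = [
    {"ts": 0,   "user": "carol", "outcome": "failure"},
    {"ts": 30,  "user": "carol", "outcome": "failure"},
    {"ts": 60,  "user": "carol", "outcome": "success"},
    {"ts": 90,  "user": "carol", "outcome": "failure"},
    {"ts": 120, "user": "carol", "outcome": "failure"},
    {"ts": 0,   "user": "dave",  "outcome": "failure"},
    {"ts": 60,  "user": "dave",  "outcome": "failure"},
    {"ts": 120, "user": "dave",  "outcome": "failure"},
    {"ts": 240, "user": "dave",  "outcome": "failure"},
    {"ts": 0,   "user": "erin",  "outcome": "failure"},
    {"ts": 100, "user": "erin",  "outcome": "failure"},
    {"ts": 200, "user": "erin",  "outcome": "failure"},
    {"ts": 400, "user": "erin",  "outcome": "failure"},
]

if __name__ == "__main__":
    print(failures_without_success(EVENTS))
    now = 1000 * 86400  # constructed reference time
    print(dormant_accounts({"alice": now - 5 * 86400, "bob": now - 45 * 86400}, now))
```

Note how the rule differs from a plain "N failures in M minutes" threshold: carol trips a naive count (four failures in two minutes) but not this rule, because the success at t=60 breaks the run.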

List/Watchlist Management:

Micro Focus ArcSight, LogRhythm, QRadar, Securonix and SureLog all have a list management feature.

These products support simple lists, multi-dimensional lists, complex lists and lists with 20 columns, and list items can be added, deleted and modified dynamically or manually.

AlienVault:

Dynamic list usage in correlation rules is not supported in AlienVault. It is not possible to develop a rule like "if a VPN user connected after business hours and the user is not in the VPN whitelist, alert".

The only way to implement even simple Active Lists is to write code:

https://www.alienvault.com/blogs/security-essentials/how-to-use-ossim-usm-active-lists-with-python-scripts

But even with Python scripts, there are no key:value, reference set, reference map or multi-dimensional lists.

AlienVault SIEM does not support updating multiple lists at the same time from a single rule. Also, AlienVault does not support list operators such as count, sum, compare and case-sensitivity checks.

FortiSIEM:

Dynamic list usage in correlation rules is limited to one dimension.

There are no key:value, reference set, reference map or multi-dimensional lists. The only available operators are IN and NOT IN, and the only way to remove items from a watchlist is time-based expiry. FortiSIEM also does not support updating multiple lists at the same time from a single rule, nor list operators such as count, sum, compare and case-sensitivity checks.

McAfee:

There are no key:value, reference set, reference map or multi-dimensional lists. McAfee SIEM does not support updating multiple lists at the same time from a single rule, nor list operators such as count, sum, compare and case-sensitivity checks.

LogPoint:

LogPoint supports two kinds of lists, static lists and dynamic lists. LogPoint also supports tables, but there are no reference set, reference map or multi-dimensional lists.

Also, if you are looking for a GUI for list/watchlist management, LogPoint works through queries: dynamic list and table updates are query-based only. LogPoint SIEM does not support updating multiple lists at the same time from a single query, nor list operators such as count, sum, compare and case-sensitivity checks.

RSA NetWitness Platform:

RSA has limited list management capability. There are no key:value, reference set, reference map or multi-dimensional lists. RSA SIEM does not support updating multiple lists at the same time from a single rule, nor list operators such as count, sum, compare and case-sensitivity checks.

There are many other correlation features to check [1] . But without an advanced list/watchlist management, it is not possible to detect advanced attacks.
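As an added example of the list features discussed in this section (not code from the article or from any vendor), the following rule consults a multi-dimensional list keyed on user, does a case-insensitive membership test, and updates two lists from a single rule evaluation; it is the after-hours VPN use case that the AlienVault paragraph says cannot be built there. Users, business hours and the VPN events are constructed assumptions.

```python
"""List/watchlist management inside a correlation rule.

Added example for this page; not code from the article or from any SIEM.
Users, business hours and the VPN events are constructed assumptions.
"""
from datetime import datetime, timezone

BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 UTC, assumption


class VpnWatchlists:
    def __init__(self, profiles, hours=BUSINESS_HOURS):
        # Multi-dimensional list: key = normalized user, value = a row of attributes.
        self.profiles = {u.lower(): row for u, row in profiles.items()}
        self.hours = hours
        # Two plain lists that one rule maintains together.
        self.suspicious_users = set()
        self.suspicious_ips = set()

    def in_whitelist(self, user):
        """'In list' with case-insensitivity: 'Bob' and 'bob' are the same principal."""
        row = self.profiles.get(user.lower())
        return bool(row and row["vpn_whitelisted"])

    def after_hours_vpn(self, ev):
        """'If a VPN user connected after business hours and the user is not in the VPN
        whitelist, alert', and in the same rule add the user and source IP to two lists."""
        hour = datetime.fromtimestamp(ev["ts"], tz=timezone.utc).hour
        if hour in self.hours or self.in_whitelist(ev["user"]):
            return False
        self.suspicious_users.add(ev["user"].lower())
        self.suspicious_ips.add(ev["src_ip"])
        return True


PROFILES = {  # constructed reference map
    "alice": {"vpn_whitelisted": True},
    "bob":   {"vpn_whitelisted": False},
}

EVENTS = [  # constructed; timestamps fall on 2021-05-12 UTC
    {"ts": 1620813600, "user": "bob",   "src_ip": "198.51.100.2"},  # 10:00, business hours
    {"ts": 1620856800, "user": "Bob",   "src_ip": "198.51.100.7"},  # 22:00, not whitelisted
    {"ts": 1620860400, "user": "ALICE", "src_ip": "198.51.100.3"},  # 23:00, whitelisted
]


def run(events, profiles=PROFILES):
    wl = VpnWatchlists(profiles)
    hits = [ev["user"] for ev in events if wl.after_hours_vpn(ev)]
    return hits, wl.suspicious_users, wl.suspicious_ips


if __name__ == "__main__":
    print(run(EVENTS))
```

The two lists the rule fills are what a second rule would consult (for example "source IP in suspicious_ips AND new country"), which is why single-rule multi-list updates matter for chaining detections.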

Real-Time Correlation:

AlienVault, Micro Focus ArcSight, FireEye, FortiSIEM, LogRhythm, ManageEngine SIEM, McAfee, QRadar, RSA NetWitness and SolarWinds LEM have real-time correlation capability. If you use Splunk ES for real-time detection, you have to consider that "each real-time search unpreemptively locks 1 core on EVERY INDEXER and on your Search Head".

Elastic also has no real-time correlation feature.

Cross Correlation:

Micro Focus ArcSight, FortiSIEM, LogRhythm, McAfee and QRadar have cross-correlation capability.

AlienVault cross-correlation can only run on IPS and vulnerability scanner logs, and the join is on IP addresses only.

RSA NetWitness uses the Esper CEP engine, and there is no GUI for cross-correlation rule development.

Logpoint does not have this kind of correlation capability. Mainly it is a search-based tool.

Rapid7 does not have this kind of correlation capability. Mainly it is a search-based tool.

Exabeam and Securonix are UEBA tools. They are not correlation-based solutions.

Correlation Operators:

Micro Focus ArcSight, LogRhythm, QRadar and SureLog support correlation operators such as:

  • And
  • Or
  • Followed by Within
  • Not Followed by Within

SureLog also has some additional correlation operators like:

  • At the Same Time
  • Before
  • After

McAfee is missing some operators, such as "At the Same Time", "Before" and "Not Followed by Within".

SolarWinds LEM documentation mentions other correlation limits. For example, you cannot create a rule using the "NOT FOLLOWED BY" operator; "At the Same Time" and "Before" are other missing correlation operators. Only the "AND" and "OR" operators are supported; "NOT" is not supported, and neither are the other operators listed above.

ManageEngine EventLog Analyzer correlation has only one operator, "Followed by Within". Many operators are missing, such as "Not Followed by Within", "At the Same Time" and "Before".

FortiSIEM does not support "At the Same Time" and "Before".

RSA NetWitness does not support "At the Same Time" and "Before".

Logpoint does not have this kind of correlation capability. Mainly it is a search-based tool.

Rapid7 does not have this kind of correlation capability. Mainly it is a search-based tool.

Exabeam and Securonix are UEBA tools. They are not correlation-based solutions.

Correlation Field Operators:

Correlation field operators required for powerful correlation:

  • Link Fields
  • Check Base64
  • Count Characters
  • Count
  • Sum
  • Regex Matches
  • Matches
  • Not Matches
  • Entropy Bigger Than
  • Entropy Smaller Than
  • Is Null
  • Is Not Null
  • IP Range Equals
  • IP Range Not Equals
  • In List
  • Not In List
  • Starts With In List
  • Starts With In List (Case Insensitive)
  • Not Starts With In List
  • Not Starts With In List (Case Insensitive)
  • Contains List Key In Data
  • Not Contains String In List
  • Not Contains String In List (Case Insensitive)
  • Is Contained In String
  • Regex In List
  • Check Data In Regex List
  • Contains In List
  • Not Contains In List
  • Contains Credit Card Number
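Four of the field operators above are the ones most often implemented inconsistently, so here they are spelled out as an added example (not the article's or any vendor's code): Shannon entropy for "Entropy Bigger Than", a strict "Check Base64", "Contains Credit Card Number" with a Luhn check to cut false positives on ordinary ID numbers, and "IP Range Equals". The thresholds and the minimum base64 length are assumptions.

```python
"""Four correlation field operators from the list above, applied to a log field value.

Added example for this page; not code from the article or from any SIEM.
The entropy threshold and minimum base64 length are assumptions.
"""
import base64
import binascii
import ipaddress
import math
import re
from collections import Counter


def shannon_entropy(value):
    """Bits per character. Random-looking DGA labels and encoded blobs score high;
    dictionary words and hostnames score low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def entropy_bigger_than(value, threshold):
    return shannon_entropy(value) > threshold


def check_base64(value, min_len=16):
    """True if the field is well-formed padded base64 of at least min_len characters.

    The length floor avoids flagging short ordinary tokens that happen to be valid
    base64 (four-letter words such as 'test' decode cleanly).
    """
    if len(value) < min_len or len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def luhn_ok(digits):
    """Luhn check digit validation over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_credit_card_number(value):
    """13-19 digit runs (spaces or dashes allowed) that also pass Luhn.

    Requiring Luhn drops most hits on ticket numbers, phone numbers and IDs.
    """
    for m in re.finditer(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)", value):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def ip_range_equals(value, cidr):
    """True if the field parses as an IP address inside the given CIDR block."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


if __name__ == "__main__":
    print(shannon_entropy("xk3jd9fq2lz8vm4p.net"), shannon_entropy("example.com"))
    print(check_base64("aGVsbG8gd29ybGQhIQ=="), check_base64("not base64!"))
    print(contains_credit_card_number("card=4111 1111 1111 1111 exp=12/25"))
    print(ip_range_equals("10.0.0.5", "10.0.0.0/8"))
```

The ValueError catch in ip_range_equals matters in a rule engine: a field that is sometimes a hostname must evaluate to false, not abort the rule.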

McAfee has some of those correlation operators but less than the above list.

McAfee Operators

AlienVault, FortiSIEM, ManageEngine and SolarWinds LEM do not support most of the above list.

RSA NetWitness uses the Esper CEP engine, and there is no GUI for rule development. The Esper language does not support all of the operators.

Logpoint does not have this kind of correlation capability. Mainly it is a search-based tool.

Rapid7 does not have this kind of correlation capability. Mainly it is a search-based tool.

Exabeam and Securonix are UEBA tools. They are not correlation-based solutions.

Correlation Field Restrictions:

Micro Focus ArcSight, LogRhythm and QRadar have no restrictions on fields: all fields available in the search and report schema are available for correlation.

McAfee also has some limitations. For example, if I see a user attempt to log in to our VPN from two different "regions" within a three-hour window: I have the logic built, but in the correlation rule's "Advanced Options" I try to set "Distinct values" to 2, and the monitored fields only seem to provide a "Source Geo location" option, not the ability to select state, region, country, etc.

The AlienVault correlation engine has "sticky diff" restrictions.


SolarWinds LEM does not expose all report fields to correlation. Also, correlation cannot fire on raw log data as it is received.

ManageEngine SIEM has correlation field restrictions: it is not possible to use all of the available report and search schema fields in correlation.

Machine Learning:

SureLog, IBM QRadar, Micro Focus, LogRhythm, Exabeam, Securonix and NetWitness Platform have NLP/ML/AI features such as DGA detection, outlier detection, rarity detection and similarity detection.

LogPoint uses a third-party UEBA tool, Fortscale (now part of RSA).

References:

  1. https://drertugrulakbas.medium.com/detecting-unusual-activities-using-a-next-generation-siem-use-cases-d91f4e24b0f2
  2. https://drertugrulakbas.medium.com/at-the-same-time-siem-operator-be8d6598b7b8
  3. https://www.itcentralstation.com/articles/what-really-matters-when-selecting-a-siem-and-how-to-choose-a-siem-looking-into-the-correlation
     https://answers.splunk.com/answers/663659/need-help-writing-query-to-alert-if-an-account-has.html
  4. https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-correlation-rules-the-join-kql-operator/ba-p/1041500
  5. https://gosplunk.com/accounts-deleted-within-24-hours-of-creation/
  6. https://drertugrulakbas.medium.com/siem-for-smb-in-2020-a04e3fe8e98d
  7. https://www.itcentralstation.com/articles/how-to-select-the-right-siem-solution
  8. https://drertugrulakbas.medium.com/ml-ai-is-a-feature-not-a-silver-bullet-and-ueba-questions-d504a6926c4e
  9. https://www.linkedin.com/pulse/ai-cybersecurity-closing-steve-king/
  10. https://towardsdatascience.com/the-limitations-of-machine-learning-a00e0c3040c6
  11. https://www.computerworld.com/article/3466508/the-impact-of-machine-learning-on-security.html
  12. https://drertugrulakbas.medium.com/detecting-unusual-activities-using-a-next-generation-siem-use-cases-part-2-27b201bcc127
Craig Heartwell: Excellent article. ArcSight claims to use ML - they are not listed under ML…
Tjeerd Saijoen
CEO at Rufusforyou
Jul 04 2021

Security and protecting your IT environment is the biggest challenge now. 

How to prevent ransomware attacks?

Part 1 described our approach to proactively protecting your environment. The first step is to scan your environment from server to endpoint and check all of it for the issues that could let a hacker penetrate your systems. Most of the time, hackers get their chance because of the complexity of IT. One thing your IT department usually forgets is, for example, the BIOS and the microcode. The first thing we do is discover all hardware, software, BIOS and microcode, and the relationships between all those components. We have different options for doing this. If you are an SMB environment, a tool like Lansweeper is an excellent solution; it is not expensive and it will do the job.

Example: Lansweeper Inventory

For bigger environments, we have different options: BMC Discovery, IBM TADDM. I will mention only BMC and IBM. You have many more. I do not have experience with other brands and describe only BMC and IBM.

I worked for a long time with IBM. For this solution I prefer BMC. It is easy to install and extremely easy to understand and work with.

Example: BMC Discovery

IBM Maximo Asset Management (IBM asset management software)

IBM has a lot of different solutions, but to cope with those threats and with IT complexity, IBM's strategy is changing towards artificial intelligence. Also, from the Tivoli brand, you have TADDM.

Enterprise asset management (EAM) is a combination of software, systems, and services used to maintain and control operational assets and equipment. The aim is to optimize the quality and utilization of assets throughout their lifecycle, increase productive uptime and reduce operational costs.

Enterprise asset management involves work management, asset maintenance, planning and scheduling, supply chain management and environmental, health and safety (EHS) initiatives.

In the Internet of Things (IoT) era — with everything from valves to vehicles connected by sensors and systems — practitioners are incorporating advanced analytics and artificial intelligence (AI) into EAM. Data gathered from instrumented assets is analyzed using AI techniques. The resulting insights help maintenance teams make better decisions, enhance efficiency, perform preventive maintenance and maximize investments in their physical assets.

Example: IBM Maximo Asset Management together with TADDM, a total solution

Now you have the asset management database: you know every application, every server, every hardware and software component, and the relationships between them.

So we can ask, for example: are there endpoints with an old virus checker? How many systems are not on the right OS level? Bring all systems to the same anti-virus level. Do I have any systems with an old BIOS level? If yes, upgrade them to the level described in our policy template.

Netanya Carmi
Content Manager
IT Central Station
Jul 04 2021

Security Incident and Event Management (SIEM) has been widely adopted and used to manage cybersecurity events. As a result, the SIEM market is expected to grow by approximately 25% over the next five years as the need for cybersecurity automation increases. Even though the market is expanding, the cost of SIEM has remained relatively flat.

All of the top SIEM tools ingest and analyze massive amounts of security event data from a wide range of other systems, like firewall software, network routers, and intrusion detection and prevention software, to name a few. It’s effectively impossible for a human being to keep track of multiple security device logs, so SIEM organizes, analyzes, and creates alerts for security operations to follow up on. The overarching advantage of SIEM is the ability to perform quick, accurate detection and identification of security events that help avert cyber disasters by alerting analysts to impending attacks.

SIEM can be combined with Security Orchestration Automation and Response (SOAR) for additional benefits. Many think that SOAR and SIEM are one and the same, but there is a difference between SOAR and SIEM which you should understand before moving forward with purchasing either one of them.

The Advantages of SIEM

SIEM systems help the Security Operations Center (SOC) function effectively. In particular, they enable:

  1. Faster, more efficient SecOps: With a SIEM sifting through millions of data points, SOC analysts can quickly get a handle on what’s happening, using analysis templates to analyze log and threat intelligence data, which radically cuts down on the destructive impact of a cyberattack. Without a SIEM, security analysts would have to interpret multiple security device logs and data sources, such as threat intel feeds, by hand. In addition to burning people out - which is itself a big problem - it slows the incident response process down significantly. You can configure your SIEM tool to respond to incidents in real time, potentially saving your company from data loss or worse.

  2. More accurate threat detection and security alerting: SIEM systems can leverage their extensive data sets to detect and identify threats more accurately than would be possible using individual security data streams. They also have the ability to enrich security event data and offer critical context to incident alerts. For example, a SIEM can correlate a threat signature detected in one device log with a threat found on another log.

  3. Improved security data: SIEMs aggregate security data, improving the potential for it to be analyzed and used in incident response workflows. This can also result in better visibility over the entire security landscape in the enterprise. The SIEM also typically normalizes security data. In its raw form, the multiple data streams feeding into the SIEM have different schemas and fields; it’s not normalized. For example, data about users originating from network logins, email servers, databases, and mobile devices might all take different forms. This creates a problem for data analysis and event correlation. The SIEM is able to reformat the data, making it consistent for incident analysis and response processes. Data storage is a related benefit. The SIEM can store normalized security data for extended analytics and reporting. This may also help with compliance.

  4. Better network visibility: SIEM log management and aggregation make it easier to get an overview of the network. Indeed, given the complexity and diversity of modern networks, a network can easily have “dark spaces.” This means that as the network scales, network managers and security teams lose visibility into what’s actually happening with databases, servers, devices, and third parties. Hackers look for dark spaces on networks. It gives them a place to hide persistent threats and move laterally across digital assets without being detected. SIEM mitigates this risk by collecting security event data from everywhere in the network. It then stores and analyzes it in a central place. SIEM log analysis can shine a light on these dark spaces, so to speak.

  5. Improved compliance: Regulations and compliance frameworks such as HIPAA invariably require logging of security data as a key control. SIEM systems fulfill this role, easing the attestation process with pre-set compliance reporting templates that streamline the compliance process.

Disadvantages of SIEM

Organizations that struggle with SIEM systems generally have difficulty with a few well-known problematic aspects of the technology.

  1. Cost: SIEM systems can be rather expensive. Even so, the benefits can outweigh the cost to provide a positive ROI (return on investment).

  2. Effort to configure: SIEM systems almost always need costly external resources to install and configure. That process can take a long time, too. The time to value can lag, causing organizational and budget challenges.

  3. Dedicated security resources for monitoring: Once up and running, SIEM systems need dedicated staff for operations and continuous tuning. Without constant updating, a SIEM can become “noisy,” generating excessive alerts - to the point where they may even be ignored by the SOC.

Conclusion

SIEM systems are potentially highly valuable additions to a SOC. They correlate security data feeds, enabling them to detect serious security incidents in time to take action. They then facilitate an effective, fast response by the SOC team. At the same time, SIEM software can take significant time to set up and to adjust the alerts and responses. Embarking on a SIEM project represents a serious commitment of time and resources on the part of the security team. It should be undertaken with rigorous planning and realistic budgeting in order to ensure long-term success.

Ertugrul Akbas
Manager at a computer software company with 11-50 employees
May 11 2021
SIEM

Part of the SIEM problems enterprises face is failing to maintain it with the proper correlation rules.

SIEM use cases or rules are 80% of the value of the product. All SIEM solutions have a correlation feature, but they are not the same. Before choosing a SIEM, you must check its correlation capabilities. Each product has different features, each with its own advantages and limits.

Some examples of correlation limits, taken from product user guides and vendor websites:

AlienVault:

AlienVault is a great product and combines many open source tools, such as a vulnerability scanner and an asset manager. There are some limits on correlation, such as:

“Cross-Correlation can only run on (just) IPS and Vulnerability Scanner logs and the combining on just IP addresses.”

AlienVault uses 4,500 built-in “correlation directives” for threat correlation, and most of them are just for AlienVault NIDS.

There is a limit on list management. Dynamic List usage in correlation rules is not supported in AlienVault.

Also, keep in mind that AlienVault correlation engine has sticky diff restrictions.


LogPoint:

LogPoint is a great tool and was listed by Gartner in 2020. The LogPoint user guide has details about alerts. Use cases can only be developed by writing a search query.


ManageEngine:

ManageEngine EventLog Analyzer SIEM is a good product and has many fantastic reporting features. When it comes to correlation, EventLog Analyzer does not parse firewall traffic, IPS, proxy, etc. logs, just configuration and authentication logs. So correlation rules cannot include firewall traffic, IPS, proxy, etc. details.

EventLog Analyzer has predefined rule templates, so you cannot create a rule from scratch. You have to select one of the predefined rule templates.

Examples of other limits:

  1. There is no capability to develop your own rule. You have to use the available templates.
  2. EventLog Analyzer correlation has only one operator, “Followed by Within”. Many operators are missing, such as “Not Followed by Within”.

EventLog Analyzer is missing many operators, such as:

  • Matches,
  • Doesn't match,
  • Is null,
  • Is not null,
  • IP Range Equals,
  • IP Range Not Equals,
  • In list,
  • Not in list,
  • Starts with in list,
  • Starts with in list case insensitive,
  • Not starts with in list,
  • Not starts with in list case insensitive,
  • Contains list key in data,
  • Not contains string in list,
  • Not contains string in list case insensitive,
  • Is contained in string,
  • Regex in list,
  • Check data in regex list,
  • Contains in list,
  • Not contains in list,
  • Contains credit card number,
  3. There is no way to use dynamic and static lists in correlation.
  4. There is no way to use the output of one correlation as an input to a new correlation rule.
  5. There are column restrictions in correlation. You cannot use all the columns available in reports.

Solarwinds SIEM:

Solarwinds SIEM is a good product and has many good features. When it comes to correlation:

  • Solarwinds LEM does not use all the report fields in correlation. Also, correlation cannot fire on raw log data as it is received.
  • Solarwinds LEM correlation engine has many limits. For example, you cannot create a rule using the “NOT FOLLOWED BY” operator.
  • Only the AND and OR operators are supported. The NOT operator is not supported.
  • Solarwinds does not support creating scenarios based on multiple rules.
  • Threshold rules are very limited. For example, you cannot create a rule such as “5 events from host firewalls with severity 4 or greater in 10 minutes between the same source and destination IP”.
  • Dynamic list updates through actions are missing.
  • Linking multiple rule fields is missing.
  • “Group By” is not supported.

You should also check the system requirements and performance limits (up to 5,000 rule executions per day).


Splunk:

If you think about SIEM, you have to consider Splunk ES. Splunk Core/Enterprise is not a SIEM product. Splunk is a great product. Splunk says that:

“Each real-time search "unpreemptively" locks 1 core on EVERY INDEXER and on your Search Head.”

Also, there is no functional real-time detection.

McAfee:

EPS:

1 - Maximum Ingestion Events Per Second (iEPS) describes the peak advertised EPS for this appliance. iEPS is based on out-of-box settings with no adjustments to default event or flow aggregation and very limited overall SIEM user activity (Users, Alarms, Reports, IoCs, etc.). Any customization in the configuration or increase in user activity may result in reduced observed EPS rates.

2 - Maximum Query Events Per Second (qEPS) describes what a typical ESM appliance could expect to achieve under normal, active ESM usage conditions and reduced levels of event aggregation. Max qEPS assumes multiple analysts are accessing the system simultaneously while background activities such as Alarms, Reports and CyberThreat (IoC) queries are executing. In addition, Max qEPS assumes that customers would adjust the event and flow aggregation rates lower than out-of-box settings. McAfee recommends using qEPS numbers as the basis for sizing most ESM designs. Note that Max qEPS represents best performance estimates based on observations with typical larger enterprise customers; aggressive customizations or dramatic increases in user activity may result in reduced observed iEPS rates.

https://community.mcafee.com/t5/Security-Information-and-Event/Mcafee-SIEM/td-p/617728

McAfee SIEM All-in-One VM correlation maximum limit is 1,500 EPS.


McAfee SIEM is a powerful SIEM. If you want to dig into correlation details, you will see some comments on the McAfee SIEM blog like:

If a use case has many rules (for example 5 rules), currently McAfee will get only 1 of these 5 source event's custom types in the use case.

The only way is using the API.

No Case insensitive option when using watchlists.

https://community.mcafee.com/t5/Security-Information-and-Event/No-Case-insenstive-option-when-using-watchlist-or-correlation/m-p/630011

There are some limits on correlation fields, as this community post shows:

“If I see a user attempt to log in to our VPN from two different "regions" within a three-hour window. I have the logic built, but in the correlation rules "Advanced Options" I try to set a 'Distinct values' of 2. But the monitored fields only seem to provide the 'Source Geo location' option, and not the ability to select: state, region, country, etc.”

https://community.mcafee.com/t5/Security-Information-and-Event/VPN-quot-Super-Human-quot-Use-Case/m-p/619606

Unsupported rule types:

Rule chain:

If a firewall admin login has occurred and there is no configuration change immediately afterwards (within 15 minutes), but there is a change in the firewall within 12 hours, notify.

Threshold rules:

Destination IP is 1.1.1.1 and destination port is 389 and sent_bytes > 100000 (total) in time frame of 10 minutes and group by source IP.

https://community.mcafee.com/t5/Security-Information-and-Event/accumulator-field-in-correlation-rule/m-p/634698

I want to know how many SQL injection attack events came from a single IP in 5 minutes. I know that I can set a threshold, but I want to know the exact number.

SUM-type thresholds are not supported.

If I want to detect total downloads of more than 500 Mb within 5 minutes, it is not possible with McAfee.

If correlation is important to you, you may consider reading the technical documents. Some remarkable examples of limits and notes are given above. There are many other SIEM solutions, such as IBM QRadar, ArcSight, FortiSIEM, SureLog, RSA and LogRhythm. You have to check in detail what the product user guides and technical documents say about correlation.

Correlation and detection capabilities are important. In order to choose a SIEM according to its correlation capabilities, you should also check whether use cases like these are supported:

  • Warn if a PowerShell command in base64 format with more than 100 characters appears
  • Password changes for the same user more than 3 within 45 days
  • If there are more than 10 DNS requests within 5 minutes that have the same domain but different subdomains, notify. Example: xxx.domian.com, yyy.domian.com
  • Misuse of an account
  • Lateral movement
  • Executive only asset accessed by a non-executive user
  • Multiple VPN accounts failed login from a single IP
  • First access to critical assets
  • User access from multiple hosts
  • The user account created and deleted in a short period of time
  • Monitor privileged accounts for suspicious activity
  • Chained RDP connections
  • RDP with unusual charset
  • Multiple RDP from the same host in a short time
  • Lateral movement following an attack
  • Returns days where a user accessed more than his 95th percentile number of assets
  • Look for a user whose HTTP to DNS protocol ratio is 300% more than that of 95% of the other users, for the last four-week ratio for the 4th day of the week [1]
  • If a user's ratio of failed authentications to successful authentications is 10%, alert
  • Data loss detection by monitoring all endpoints for an abnormal volume of data egress
  • Measures the similarity between well-known process names and the running ones using Levenshtein distance in real time and detects process masquerading [2]
  • DGA detection [3]
  • Detect attack Tools [4]
  • Detect malware [5]
  • Detect suspicious/malicious processes [5]
  • Detect suspicious/malicious files [5]
  • Detect suspicious/malicious services [5]
  • Detect abnormal port used in outbound network connection from an asset [1]
  • An abnormal number of assets logged on [1]
  • Failed logon to an asset that a user has previously never logged on to [6]
  • The first time a user saves files to a USB drive
  • First time the user is performing an activity from a country
  • First VPN connection from a device for a user
  • First connection from a source IP
  • First access to a device for a user
  • First access to database MSSQL for peer group HR
  • First access to database MSSQL for user
  • First mail to/from a domain for the organization
  • First access to this web domain which has been identified as risky by a reputation feed
  • First execution of a process on a host
  • First access to object fdghsdydhas
  • First access from a host to a database for a user
  • First access from source zone Atlanta office to a database for a user
  • Suspicious temporary account activity
  • Abnormal account administration
  • Unusual account privilege escalation
  • Unusual file modifications
  • Abnormal password activity
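
As an added example (not code from the article or from any vendor it discusses), here is a small sliding-window correlation engine covering three of the rule shapes named above: the SUM threshold with “group by” and the admin-login rule chain that the McAfee and SolarWinds sections say are unsupported, and the “same domain, different subdomains” DNS use case from this list as a distinct-count threshold. The events are constructed, already-normalized dicts, and field names such as `sent_bytes`, `dst_port`, `device` and `qname` are assumptions.

```python
"""Sliding-window correlation rules of the kinds the article says several SIEMs
cannot express. Added illustration only, not any vendor's engine. Events are
constructed dicts assumed already parsed/normalized, with 'ts' in seconds."""
from collections import defaultdict, deque


def sum_threshold(events, match, group_key, value_key, limit, window_s):
    """SUM threshold with GROUP BY: fire when the sum of value_key over matching
    events inside a sliding window_s, per group, exceeds limit.
    Returns [(group, ts_fired, total)]; a burst fires once, then its window resets."""
    windows = defaultdict(deque)   # group -> deque of (ts, value) inside the window
    totals = defaultdict(int)
    fired = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not match(ev):
            continue
        key, val = group_key(ev), value_key(ev)
        q = windows[key]
        q.append((ev["ts"], val))
        totals[key] += val
        while q and ev["ts"] - q[0][0] > window_s:   # evict events outside the window
            totals[key] -= q.popleft()[1]
        if totals[key] > limit:
            fired.append((key, ev["ts"], totals[key]))
            q.clear()
            totals[key] = 0
    return fired


def distinct_threshold(events, match, group_key, value_key, limit, window_s):
    """DISTINCT-count threshold: fire when more than `limit` distinct values of
    value_key are seen within window_s for the same group."""
    windows = defaultdict(deque)
    fired = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not match(ev):
            continue
        key = group_key(ev)
        q = windows[key]
        q.append((ev["ts"], value_key(ev)))
        while q and ev["ts"] - q[0][0] > window_s:
            q.popleft()
        distinct = len({v for _, v in q})
        if distinct > limit:
            fired.append((key, ev["ts"], distinct))
            q.clear()
    return fired


def delayed_follow_up(events, trigger, follow, link_key, not_within, but_within):
    """Rule chain: trigger NOT FOLLOWED BY follow within not_within seconds, BUT
    followed by it within but_within seconds (the firewall admin-login example).
    Returns [(link, trigger_ts, delay_s)]."""
    evs = sorted(events, key=lambda e: e["ts"])
    fired = []
    for i, ev in enumerate(evs):
        if not trigger(ev):
            continue
        delays = [f["ts"] - ev["ts"] for f in evs[i + 1:]
                  if follow(f) and link_key(f) == link_key(ev) and f["ts"] > ev["ts"]]
        if any(d <= not_within for d in delays):
            continue                   # prompt change after login: normal admin work
        late = [d for d in delays if not_within < d <= but_within]
        if late:
            fired.append((link_key(ev), ev["ts"], late[0]))
    return fired


def base_domain(qname):
    """Last two labels of a query name: 'xxx.example.com' -> 'example.com'."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


# Constructed sample events (not real logs). Timestamps are seconds.
SAMPLE_EVENTS = (
    # LDAP flows: 10.0.0.5 sends 110000 bytes within 10 min (fires);
    # 10.0.0.6 sends the same total 15 min apart (window evicts, no fire).
    [{"ts": 0, "type": "flow", "src_ip": "10.0.0.5", "dst_port": 389, "sent_bytes": 60000},
     {"ts": 300, "type": "flow", "src_ip": "10.0.0.5", "dst_port": 389, "sent_bytes": 50000},
     {"ts": 0, "type": "flow", "src_ip": "10.0.0.6", "dst_port": 389, "sent_bytes": 60000},
     {"ts": 900, "type": "flow", "src_ip": "10.0.0.6", "dst_port": 389, "sent_bytes": 50000}]
    # Firewall admin logins: fw1 changed promptly, fw2 changed 80 min later, fw3 never.
    + [{"ts": 0, "type": "admin_login", "device": "fw1"},
       {"ts": 400, "type": "config_change", "device": "fw1"},
       {"ts": 100, "type": "admin_login", "device": "fw2"},
       {"ts": 4900, "type": "config_change", "device": "fw2"},
       {"ts": 200, "type": "admin_login", "device": "fw3"}]
    # DNS: h1 asks for 12 different subdomains of example.com in 2 min; h2 repeats one.
    + [{"ts": 10 * i, "type": "dns", "host": "h1", "qname": f"sub{i}.example.com"} for i in range(12)]
    + [{"ts": 10 * i, "type": "dns", "host": "h2", "qname": "www.example.com"} for i in range(12)]
)


def run_rules(events=SAMPLE_EVENTS):
    """Evaluate the three rules; returns {rule name: firings}."""
    return {
        "ldap_bytes": sum_threshold(events, lambda e: e["type"] == "flow" and e["dst_port"] == 389,
                                    lambda e: e["src_ip"], lambda e: e["sent_bytes"], 100000, 600),
        "login_late_change": delayed_follow_up(events, lambda e: e["type"] == "admin_login",
                                               lambda e: e["type"] == "config_change",
                                               lambda e: e["device"], 15 * 60, 12 * 3600),
        "dns_subdomains": distinct_threshold(events, lambda e: e["type"] == "dns",
                                             lambda e: (e["host"], base_domain(e["qname"])),
                                             lambda e: e["qname"], 10, 300),
    }
```

Each rule fires exactly once on the sample set (for 10.0.0.5, fw2 and host h1 respectively), while the near-miss cases show why the window and the “not within” clause matter.
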
Netanya Carmi
Content Manager
IT Central Station
Apr 26 2021

Security information and event management (SIEM) is a multipurpose security management protocol that combines security information management (SIM) and security event management (SEM). SIEM has recently emerged as the gold standard approach to network security. It uses historical as well as real-time correlation software to keep track of security data logs, allowing you to troubleshoot historical threats as well as to flag new security issues as they occur.

Data logs document any unusual activity that occurs in your network. Because all network activity is collected in the data log, it is one of the most effective tools for detecting threats that may have managed to sneak through your other lines of defense. In addition to identifying, monitoring, recording, and analyzing security events, SIEM as a service should also simplify and automate your data log management, managing network security from a centralized, unified dashboard and offering a comprehensive view of your IT infrastructure’s security. This is much easier, faster, and more efficient than having to check in individually on all your various security services and technologies.

Top SIEM tools, according to IT Central Station users, include Splunk, IBM QRadar, Securonix Security Analytics, and Devo.

Difference Between SOC and SIEM

SIEM and SOC often get grouped together. But while SIEM is a kind of technology that allows security analysts to discover and act on suspected threats, a SOC (security operations center) encompasses not only the technology but also the people and processes involved in monitoring the network, searching for threats, and responding to incidents.

Rather than having their SOC in a dedicated facility, many companies today have virtual SOCs and use part-time staff from their development, security, and operations teams. Some also set up managed or hybrid SOCs, combining in-house staff with expertise and tools from MSSPs (Managed Security Service Providers).

Using the SIEM, SOC analysts monitor around the clock for security incidents and are responsible for responding if one is detected. The SIEM solution is the management tool, providing an additional layer of security to the SOC. You generally will not see a SOC without a SIEM, as SIEM software is a foundational element of SOC. SIEMs are valuable tools, but can have limitations. They will identify, filter, and flag the most serious security events but then it is up to the SOC analysts to determine the priorities and provide the solutions.

Security and technology teams often debate whether SIEM should be handled by an MSSP or in-house. In order to be able to handle SIEM in-house, you need three things:

  1. The money to invest in the staffing and operational costs.
  2. The time to invest in reviewing and monitoring data logs, customizing alerts, etc.
  3. The expertise to implement SIEM into your security program and audit as needed.

If any of these three elements is lacking, it might make more sense to consider going with an MSSP.

SIEM SOC Use Cases

The following are examples of use cases in which SOCs used SIEM as a part of their security operations:

1. Compliance

   The Payment Card Industry Data Security Standard (PCI DSS) secures credit cardholders’ data from theft and misuse. SIEM SOC can help with PCI compliance through:

   a. Perimeter security - monitoring for unauthorized network connections, searching for insecure services and protocols, and checking traffic flow.
   b. Monitoring any event that results in a change to user identity/user credentials.
   c. Detecting threats in real time.
   d. Searching for replicates, default credentials, etc. on production and data systems.
   e. Collecting system and security logs, auditing and reporting on them, and generating compliance reports.

2. Insider Threats

   Insider threats are at the root of three out of five security breaches, and can go undetected for months or even years. SIEM SOC can help detect and stop insider threats by:

   a. Using behavioral analysis to detect compromised user credentials.
   b. Detecting anomalous privilege escalation.
   c. Correlating threat intelligence with network traffic to discover malware/compromised user accounts.
   d. Combining and analyzing seemingly unrelated events via behavioral analysis to detect data exfiltration.
   e. Detecting and stopping encryption of large amounts of data, e.g. by ransomware.
   f. Using their broad view of multiple systems to detect lateral movement.

3. Advanced Security

   Many IoT (Internet of Things) devices are vulnerable to advanced security threats. SIEM SOC can help mitigate these threats in the following ways:

   a. Detecting unusual traffic from the organization’s IoT devices, which might be used for a DoS (Denial of Service) attack.
   b. Detecting unpatched vulnerabilities, old operating systems, and insecure protocols on IoT devices.
   c. Monitoring who has access control and where they connect to; alerting to the presence of an unknown or suspicious source or target.
   d. Monitoring unusual data flow, which may signify a transfer of sensitive data.
   e. Identifying at-risk devices.
   f. Identifying suspicious or anomalous behavior of particular devices that might be compromised.


Rony_Sklar
IT Central Station
Apr 09 2021

There are a lot of considerations when choosing a Security Incident and Event Management (SIEM) Solution for your business. That’s why users on IT Central Station often turn to our community to ask for advice.

In this Q&A round-up, we’re going to take a look at some of the insights about SIEM that have emerged in our community. We’re going to focus specifically on the tips and insights that users have shared for successfully implementing a SIEM solution.

SIEM solutions are as good as the people implementing them

Many users turn to our community to ask for SIEM recommendations – some general and some more specific. Although fellow users are happy to make product suggestions, a common theme emerges in many of the answers: The solution that you choose is only as good as the team behind it.

Simo Sim, a Systems Engineer, notes, “besides the technology you also need the manpower behind it.” Another user, Aji Joseph, says that successful SIEM implementation “depends a lot on the expertise of the SoC team that will be managing the alerts generated by SIEM solutions.”

Consulta85d2, who appears on our Threat Intelligence Leaderboard, echoes this sentiment, adding that it’s important to realise that one needs to actively manage whatever SIEM solution is chosen. He notes, “The critical choice is in the resources and commitment to manage and use the system. I’ve seen countless SIEM implementations fail over the longer term, including all of the big names, because too many people treat it like a “set it and forget it” system…A SIEM or UEBA platform is a tool that must be monitored, tuned, and used every day. So I would recommend to you that you spend less time figuring out which technology is the “best” and more time building a plan to integrate it, manage it, and fully utilize it. Or selecting a good team to do that for you.”

But how do you choose a SIEM solution that you know your team can handle?

Anthony Mack notes that effective implementation (particularly at scale) “demands adoption and integration best practices that both account for existing resource environments and prioritize value-driven compliance outcomes.” He suggests that one should choose a solution that matches one’s current IT posture. To do this he recommends “an evaluation of what your existing teams have experience with and what integrates best, followed by a live-production evaluation of best-of-breed solutions.”

Tips for choosing the right SIEM solution

As with any enterprise tech solution, it’s important to spend time doing your research and POC, so that you know that you’re spending on the right product. We sifted through some of our users’ answers to summarize some of the best tips.

1. Define your goal

Before starting to evaluate solutions, it’s important to define what you want to accomplish with a SIEM. Marty Barron says, “Every SIEM has different strengths and weaknesses so you need to know what is most important to you in terms of goals, so you don’t waste time looking at something that can’t do the thing you need it to do.”

2. Limit your options

As Kent Gladstone-USA says, “Review a finite number of products, otherwise you’ll never finish”. Although it’s important to spend time doing due diligence, you need to get to the point of implementation. If you have too many options, it will take too long to make a decision. Users suggest making a shortlist of options that meet your technical requirements, speak to your goal, and match your budget.

3. Create a framework for your POC

Once you’ve narrowed down your options, it’s time to trial the shortlisted products. Users recommend putting a framework in place to guide the POC. This way, you can evaluate your options systematically.

One user, DAX Paulino, suggests “creat[ing] a checklist of features that you need, from the basic (i.e. interactive dashboards, ease of integration, Threat Intelligence), to the more advanced (i.e. Automated response, Behavior Analytics, etc.). Give each item on your checklist a score so that you can weigh in on each item as a measure of your decision. Don’t forget to factor in usability and support.”

More advice about SIEM solutions from our user community

If you’re researching SIEM solutions, there’s a wealth of information on our site that can guide you in your research. You can read in-depth reviews of SIEM solutions, and also explore the other questions and answers about SIEM from our user community.

If you don’t find the exact answers that you’re looking for, you can also post a question and get answers from your peers.

IT Central Station is here for you, to learn and help your peers. In a market full of vendor hype, we enable you to get real, unbiased information from people like you.

      Matthew Shoffner
      IT Central Station
      Mar 12 2021

      The major regulatory compliance schemes do not mention Security Incident and Event Management (SIEM) systems by name, but in reality, SIEM tools are essential for achieving compliance and passing their certification audits. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF), for example, which is used for PCI-DSS and Sarbanes Oxley (SOX) among others, mandates continuous monitoring, detection processes and the ability to analyze anomalies and events. These are tasks arguably SIEM tools do better than any other security tool, which is one of the many benefits of SIEM.

      SIEM Is Critical For Compliance

      A SIEM solution is an absolutely critical tool for complying with security regulations promulgated by regulatory bodies. To understand why this is the case, it is first helpful to grasp how cybersecurity technologies and practices actually enable compliance. The regulations tend to be general, not prescriptive. The specifics of implementing the controls required by the law, testing them and passing an audit are left up to the organization that needs to comply with them. To achieve compliance, organizations rely on frameworks and standards like NIST CSF. However, it’s a subjective and sometimes messy, confusing process.

The Sarbanes-Oxley Act does not say, “Install a SIEM system and monitor your network.” Rather, Section 404 of the law itself just says that a publicly traded company should issue “an internal control report, which shall…contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.” SOX says very little about IT, but the accounting industry, along with various industry bodies, has developed a SOX compliance framework that requires IT departments to pass an audit verifying that an organization has:

      • Established physical and electronic controls that will prevent users lacking credentials from accessing sensitive information.
      • Maintained secure locations for servers and data centers.
      • Ensured that proper controls for IT assets containing financial information are in place to protect these digital assets from breach.

      Using SIEM software, you are able to monitor the underlying security policies that enable such controls to exist. For instance, a firewall is an electronic control that prevents unauthorized users from accessing sensitive information. That’s great. How will a company pass an audit that wants to check how well that control is working? Enter the SIEM. The SIEM can aggregate, correlate and analyze multiple firewall logs. From this process, it can produce an audit report demonstrating how the company has been implementing the control required for SOX compliance.

      SIEM Compliance Requirements

Compliance programs that follow NIST CSF try to snap to the framework’s five Functions, each of which is broken into Categories: Identify (ID), Protect (PR), Detect (DE), Respond (RS) and Recover (RC). Together they span the security lifecycle: the security team first identifies its assets and the risks to them, then works to protect those assets, detects incidents when protection fails, responds to them and finally recovers.

Not every Function and Category relates to SIEM. However, SIEMs are foundational to achieving compliance with the framework across multiple Categories and their respective requirements. They do this with compliance reporting, integration with endpoint detection and response (EDR) tools, threat intelligence gathering, monitoring, log management, analysis and visualization. In particular, SIEM is instrumental in meeting the requirements defined for the following NIST CSF Functions and Categories:

• Protect (PR)/Identity Management, Authentication and Access Control (PR.AC)—SIEMs can produce audit reports based on logs from multiple access control systems.
• Protect (PR)/Information Protection Processes and Procedures (PR.IP)—Having a SIEM in place as a countermeasure against intrusion is an application of this Category.
• Protect (PR)/Protective Technology (PR.PT)—SIEM serves as protective technology in more than one sense. PR.PT-1 calls for audit and log records to be determined, documented, implemented and reviewed in accordance with policy, which is exactly what a SIEM’s log management does, and the SIEM is part of the Security Operations Center’s (SOC’s) toolset for guarding against improper access to data and systems of record.
• Detect (DE)/Anomalies and Events (DE.AE)—SIEMs detect anomalies and issue alerts to SOC analysts.
• Detect (DE)/Security Continuous Monitoring (DE.CM)—SIEMs perform continuous monitoring, aggregating the output of the other monitoring systems in the environment.
• Detect (DE)/Detection Processes (DE.DP)—SIEMs detect attacks and threats and alert SOC analysts when they find one.
• Respond (RS)/Analysis (RS.AN)—SIEMs create reports used in forensic analysis of security events.
• Recover (RC)/Improvements (RC.IM)—SIEM reports give analysts and security managers the insights they need to improve the incident response process after an event has occurred.

      Regulations Requiring Compliance

      Nearly all regulations that mandate IT compliance have a requirement of logging all relevant events and then operationalizing an incident response process that handles the threats—and documents the entire series of response activities. After that, the regulations set out the expectation that the company will maintain records of its incident responses. SIEM performs all of these tasks. This is relevant across multiple sets of regulations.

      The Federal Information Security Modernization Act (FISMA)

FISMA requires every federal agency to document and implement security controls for the information systems that support its operations and assets. According to NIST, compliance involves the following tasks, which fall squarely within the province of a SIEM:

      • Continuously monitoring security controls.
      • Refining controls using risk-assessment procedures.
      • Documenting controls in the security plan.

      The Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS sets out security standards to establish a secure environment for businesses that accept, process, store or transmit payment card information. SIEMs help with PCI DSS by:

• Helping protect networks on which payment card information is stored or processed.
• Satisfying Requirement 10 of PCI DSS v3.2.1 (track and monitor all access to network resources and cardholder data) by centralizing audit logs from every in-scope system, supporting daily log review, and retaining logs for at least a year with three months immediately available for analysis.
• Comprising the threat detection aspects of the standard, such as collecting and correlating alerts from the intrusion detection and change-detection mechanisms that Requirement 11 calls for.

      General Data Protection Regulation (GDPR)

GDPR covers data protection and privacy in the EU and the European Economic Area, along with transfers of personal data outside these regions. SIEMs are essential for GDPR compliance because they:

• Enable controllers and processors to process personal data securely with what Article 32 calls “appropriate technical and organisational measures.”
• Provide a key element of the “ongoing confidentiality, integrity, availability and resilience” of systems and services that process personal data, which Article 32 also requires.
• Help restore access to and availability of personal data in a timely manner if there is a security incident, and supply the detection and records needed to meet the 72-hour breach notification deadline of Article 33.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA protects individually identifiable health information, known as protected health information (PHI). Its Security Rule explicitly requires audit controls that record and examine activity in systems containing electronic PHI (45 CFR 164.312(b)) and regular information system activity review (45 CFR 164.308(a)(1)(ii)(D)), which is the core of what a SIEM does. With a SIEM, an entity needing to comply with HIPAA can:

      • Identify and defend against threats to the PHI.
      • Secure systems that ensure the confidentiality, integrity and availability of PHI.
      • Monitor systems to mitigate the risk of impermissible uses or disclosures of PHI.

      Conclusion

SIEMs are integral to compliance. Without a SIEM, it would be difficult in the extreme to meet the criteria set down by the dominant standards such as NIST CSF. It’s an ever-evolving situation, in any event. As networks and infrastructure grow more complex, SIEMs will be even more useful in enabling companies to keep up with compliance audits.

      Matthew Shoffner
      IT Central Station

A Security Information and Event Management (SIEM) solution typically represents a significant investment, even for a large enterprise. The software alone averages around $50,000, with a floor of roughly $20,000 and a ceiling upwards of $1M, so SIEM solutions carry a hefty price tag. The value of the top SIEM tools, for general security health and compliance, probably makes the technology worth the cost, but it’s a big check to write.

The benefits of SIEM are clear, and it is a crucial part of a security strategy, helping SOCs organize and respond to security threats. Mitigating threats, staying in line with compliance and audit standards, and avoiding costly data loss and business delays can easily outweigh SIEM TCO.

Additionally, you could add a Security Orchestration, Automation, and Response (SOAR) tool to accompany your SIEM solution, which would be an additional cost that enables you to handle security issues more efficiently. Commonly confused with one another, SOAR and SIEM are different tools.

SIEM cost summary

Item                          | Cost Range                   | Explanation
------------------------------|------------------------------|------------------------------------------------------------
SIEM software cost            | $20,000 - $1M                | Average cost is $50,000.
Deployment consulting support | $50,000                      | One-time fee. Varies based on complexity of implementation, but can easily reach six figures for large enterprises or highly integrated, customized solutions.
Training                      | $0 - $10,000                 | Some training can be included with the product. The cost of additional training varies by requirements and the number of people to be trained.
Database administrator (DBA)  | $74,000 per year             | Average US DBA salary.
Admin personnel               | $74,000 - $500,000 per year  | Varies by staffing needs. Three admins can cover a full 24-hour shift. Includes the additional product tuning that will be necessary.
Hardware                      | $25,000 - $75,000            | Varies by size of configuration, but will generally cost more than plain off-the-shelf hardware due to performance requirements.
Intelligence feeds            | $1,500 - $10,000 per year    | Some feeds are free, but others need to be purchased and vary by quantity and level of feeds.
Infrastructure                | $10,000                      | Includes servers, storage, and switches.


      SIEM Cost Breakdown

      One helpful way to think about SIEM costs is to take a basic enterprise technology project and add on a couple of extras. In particular:

• Consulting support for the deployment process. SIEM implementation, traditionally, is not as simple as standing up a typical enterprise application. The SIEM has to connect with a wide variety of other systems and must be configured to handle a high volume of data, and not all departments have the skills in-house to do that work, so it tends to mean hiring external consultants. Consultants can also provide customizations, including threat identification, alerting and remediation rules, to tune your SIEM product to the threats you’re facing. With recent advances, some SIEMs can now be set up with little or no outside consultation.
      • Hiring a database administrator (DBA). This may not be a full time hire, but setting up a SIEM involves some pretty complicated data architecture and integration processes. In addition, most SIEMs lack self-managing databases. Someone has to take care of all this. A DBA gets paid $74,000 per year on average.
      • Hardware that can handle the load. SIEMs ingest and process enormous amounts of data, with huge real-time insertion and retrieval rates. As a result, the SIEM cannot run on any old piece of hardware. Someone, usually an external consultant, needs to spec out the hardware based on the SIEM’s connectivity and expected data loads.
      • Personnel. SIEMs need to be staffed, often around the clock. Labor costs vary, of course, but in North America and Europe, hiring experienced SIEM admins for three shifts will cost something in the neighborhood of $500,000 a year.
      • Intelligence feeds. The threat intel feeds going into the SIEM can come with their own price tags. Some are free, but many cost between $1,500 and $10,000 per year.
      • Training. SIEMs are a distinct technology that almost always requires specialized training for the people who operate them. Initial training, along with recurring annual retraining, should be part of the SIEM budget.
      • Ongoing tuning. SIEMs tend to be a bit fussy, creating a lot of distracting “noise” that can defeat their entire purpose if not corrected. As a result, SIEMs usually need ongoing tuning, which may require external consultants.

Considering these cost elements, it’s easy to see how a SIEM can cost a million dollars to acquire and launch in its first year, and then require a budget of half a million dollars a year to keep it up and running. Plus, some SIEMs are priced by events per second (EPS) or by the volume of events ingested, so it’s essential to understand exactly what the costs will be based on expected usage patterns.


      Tips For Keeping SIEM Costs Low

      It’s possible to keep SIEM costs relatively low.

      • Buy a solution that fits your needs today. One approach is to limit the scope of the solution at launch. This keeps hardware and DBA costs down and speeds the deployment process, which in turn cuts down on consultant costs. The trick here is to design for scaling up later on, if that’s required.
      • Outsource SIEM monitoring. Another option is to outsource SIEM monitoring and event management. This may not work for everyone, but a Managed Security Service Provider (MSSP) can take over some of the more difficult SIEM operations. This will likely cost less than staffing people around the clock.
      • Use a log collection strategy. Use your SIEM software to log only critical items while leaving non-critical events to be handled by a log management server. You can then more easily discard lower value events at shorter retention periods to reduce storage and maintenance costs.
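As an added illustration of the tiering strategy in the last tip (example code written for this page, not from any SIEM vendor or from the users quoted on it), the Python script below decodes the syslog priority of each incoming line and sends security-relevant events to the SIEM tier while everything else goes to a cheaper log-management tier with shorter retention. The facility and program allowlists, the severity cut-off, the 365-day and 30-day retention periods and the sample log lines are all assumptions chosen for the example; the retention-weighted byte-days it totals per tier is the quantity that actually drives storage cost.

```python
# Route syslog lines to a SIEM tier or a cheaper log-management tier.
# Example code added for this page; it is not from any SIEM product. The
# security facilities, program allowlist, severity cut-off, retention periods
# and the sample lines are all assumed values for illustration.
import re
from dataclasses import dataclass

# RFC 3164 framing: "<PRI>" where PRI = facility * 8 + severity, then a BSD
# timestamp, a hostname and "program[pid]: message".
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)

# Assumed policy: which events the SIEM must see, and how long each tier keeps data.
SECURITY_FACILITIES = {4, 10, 13, 14}   # auth, authpriv, log audit, log alert
SECURITY_PROGRAMS = {"sshd", "sudo", "iptables", "auditd"}
MAX_SIEM_SEVERITY = 4                    # 0=emerg .. 4=warning always go to the SIEM
SIEM_RETENTION_DAYS = 365                # e.g. a one-year audit-trail requirement
LOGMGMT_RETENTION_DAYS = 30


@dataclass(frozen=True)
class Route:
    tier: str            # "siem" or "logmgmt"
    retention_days: int
    reason: str


def route(line):
    """Decide which tier a single log line belongs to."""
    m = SYSLOG_RE.match(line)
    if not m:
        # Unknown is not the same as unimportant: keep unparseable lines in the
        # SIEM so a parser gap cannot silently drop evidence.
        return Route("siem", SIEM_RETENTION_DAYS, "unparseable")
    facility, severity = divmod(int(m.group("pri")), 8)
    prog = m.group("prog")
    if facility in SECURITY_FACILITIES:
        return Route("siem", SIEM_RETENTION_DAYS, f"security facility {facility}")
    if prog in SECURITY_PROGRAMS:
        return Route("siem", SIEM_RETENTION_DAYS, f"security program {prog}")
    if severity <= MAX_SIEM_SEVERITY:
        return Route("siem", SIEM_RETENTION_DAYS, f"severity {severity}")
    return Route("logmgmt", LOGMGMT_RETENTION_DAYS, f"facility {facility} severity {severity}")


def plan(lines):
    """Group lines by tier and total the retention-weighted volume (byte-days)
    per tier, which is what drives storage cost."""
    tiers = {"siem": [], "logmgmt": []}
    byte_days = {"siem": 0, "logmgmt": 0}
    for line in lines:
        r = route(line)
        tiers[r.tier].append(line)
        byte_days[r.tier] += len(line.encode("utf-8")) * r.retention_days
    return tiers, byte_days


# Constructed sample input, not captured from a real system.
SAMPLE_LINES = [
    "<38>Oct 11 22:14:15 web01 sshd[4221]: Failed password for root from 203.0.113.7 port 52144 ssh2",
    "<30>Oct 11 22:14:16 web01 cron[911]: (root) CMD (run-parts /etc/cron.hourly)",
    "<134>Oct 11 22:14:17 fw01 iptables: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    "<27>Oct 11 22:14:18 db01 postgres[1201]: FATAL: the database system is shutting down",
    "<191>Oct 11 22:14:19 app01 myapp[77]: debug: cache miss for key session:42",
    "Oct 11 22:14:21 app01 myapp[77]: line with no PRI header",
]

if __name__ == "__main__":
    tiers, byte_days = plan(SAMPLE_LINES)
    for line in SAMPLE_LINES:
        r = route(line)
        print(f"{r.tier:8} {r.retention_days:>3}d  {r.reason:26} {line[:60]}")
    print("retention-weighted byte-days per tier:", byte_days)
```

The ordering of the checks matters: facility and program allowlists run before the severity cut-off so that an informational sshd or iptables line still reaches the SIEM, while a debug line from an application on a local facility is the kind of volume the log-management tier is meant to absorb.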

      SIEMs tend to be expensive and time-consuming solutions to run, even as they deliver much-needed security incident and event detection and response capabilities. The investment is probably worth it, but it’s a pretty big investment, especially for a smaller company or government agency.

      Rony_Sklar
      IT Central Station


Members of the IT Central Station community are always happy to take a few minutes to help other users by answering questions posted on our site. In this Q&A round-up, we’re focusing on our users’ answers about SIEM, Identity and Access Management, and the differences between hyper-converged and converged infrastructure.

      Which is the best SIEM tool for a mid-sized enterprise financial services firm: Arcsight or Securonix?

      One of our users was looking for SIEM recommendations, and was specifically looking at ArcSight and Securonix. As always users were very helpful, and suggested possible tools based on their own experience.

ArcSight appeared to be the more popular recommendation of the two tools. One user, Himanshu Shah, suggested that Securonix may be better suited for a mid-sized business as ArcSight “works on EPS (Events per second) costing”, which can become costly. Users also suggested looking at other options, such as QRadar, Splunk, and LogRhythm.

      However, Consulta85d2 responded, “Neither, or both. Having done literally thousands of SIEM deployments, I can tell you from experience that the technology choice isn’t the most important choice. The critical choice is in the resources and commitment to manage and use the system.”

Aji Joseph held similar sentiments and highlighted the key role that the SOC team plays: “The success of SIEM solutions depends a lot on the expertise of the SoC team that will be managing the alerts generated by SIEM solutions.” He also suggested evaluating the forensics capabilities of the various solutions before buying.

      What are some tips for effective identity and access management to prevent insider data breaches?

      Insider breaches can be a real issue in businesses. Users gave advice on how to effectively implement Identity and Access Management to tackle this issue.

      Mark Adams, a Senior Manager, IT Security and Compliance / CISO at a large construction company, gave great advice for implementing a solution, noting that it’s important to “make the implementation a formal project and involve all key stakeholders, including those from the business, not just IT folks.” He gave practical tips, including identifying and classifying all information assets and creating rules for access to those assets. He also highlighted the importance of reviewing access periodically. He stated, “Data owners should be involved in the review since they are usually in a better position to determine if individuals’ access is still legitimate.”

      What are the key differences between converged and hyper-converged solutions?

      Users helped to clarify key differences between hyper-converged (HCI) and converged infrastructure. Based on the users’ answers, the key differences revolve around ease of use, flexibility, and price.

HCI solutions are typically more expensive, but have significant advantages. Steffen Hornung pointed to the scale-out nature of HCI, noting that you “add more nodes to the system to support new workloads without losing Performance because you add all types at once (compute, storage and networking).”

      Dan Reynolds summarised the appeal of HCI really well, pointing out that it’s a complete solution: “Hyper-converged is typically an “all in one box/rack” solution. It consists of compute, storage & network resources all tied together physically (and through software)….You don’t have to architect it. All you have to know is how much “power” you need (what you want to do with it).” In contrast, he noted that “with converged infrastructure (which can still be ‘software defined’) you have to match and configure the components to work together.”

      Thanks, as always, to all the users who are taking the time to ask and answer questions on IT Central Station!


      Matthew Shoffner
      IT Central Station

Security Information and Event Management (SIEM) has been widely adopted to manage cybersecurity events because the benefits of SIEM are apparent. As a result, the SIEM market is expected to grow by approximately 25% over the next five years as the need for cybersecurity automation increases. Even though the market is expanding, the cost of SIEM has remained relatively flat.

      All of the top SIEM tools ingest and analyze mass amounts of security event data from a wide range of other systems, like firewall software, network routers, and intrusion detection and prevention software to name a few. It’s effectively impossible for a human being to keep track of multiple security device logs, so SIEM organizes, analyzes, and creates alerts for security operations to follow up on. The overarching advantage of SIEM is its ability to perform quick, accurate detection and identification of security events.

SIEM can be combined with Security Orchestration, Automation and Response (SOAR) for additional benefits. Many think that SOAR and SIEM are one and the same, but there is a difference between SOAR and SIEM which you should understand before moving forward with purchasing either.

      The Advantages of SIEM

      SIEMs help the Security Operations Center (SOC) function effectively. In particular, they enable:

1. Faster, more efficient SecOps. With a SIEM sifting through millions of data points, SOC analysts can quickly get a handle on what’s happening, using analysis templates to work through log and threat intelligence data. That saves time in responding to a security threat and limits the adverse impact of a cyberattack. Without a SIEM, security analysts would have to interpret multiple security device logs and data sources, such as threat intel feeds, by hand. In addition to burning people out, which is itself a big problem, it slows the incident response process down significantly. You can configure your SIEM tool to respond to incidents in real time, potentially saving your company from data loss or worse.
2. More Accurate Threat Detection and Security Alerting. SIEM tools can leverage their extensive data sets to detect and identify threats more accurately than would be possible using individual security data streams. They can also enrich security event data and attach critical context to incident alerts. For example, a SIEM can correlate a threat signature detected in one device log with related activity found in another log.
3. Improved Security Data. SIEMs aggregate security data, improving the potential for it to be analyzed and used in incident response workflows, which also gives better visibility over the entire security landscape of the enterprise. The SIEM also typically normalizes security data. In raw form, the multiple data streams feeding into the SIEM have different schemas and fields. For example, data about users originating from network logs, email servers, databases and mobile devices might all take different forms, which is a problem for data analysis and event correlation. The SIEM reformats the data into a consistent schema for incident analysis and response processes. Data storage is a related benefit: the SIEM can store normalized security data for extended analytics and reporting, which may also help with compliance.
4. Better Network Visibility. SIEM log management and aggregation make it easier to get an overview of the network. Indeed, given the complexity and diversity of modern networks, a network can easily have “dark spaces.” This means that as the network scales, network managers and security teams lose visibility into what’s actually happening with databases, servers, devices and third parties. Attackers look for dark spaces on networks, which give them a place to hide persistent threats and move laterally across digital assets without being detected. SIEM mitigates this risk by collecting security event data from everywhere in the network and storing and analyzing it in a central place. SIEM log analysis can shine a light on these dark spaces, so to speak.
5. Improved Compliance. Regulations and compliance frameworks such as HIPAA invariably require logging of security data as a key control. SIEMs fulfill this role, easing the attestation process with pre-set compliance reporting templates that streamline the compliance process.
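To make points 2 and 3 above concrete, here is a small added example (written for this page, not taken from any SIEM product) that normalizes three differently shaped log sources into one event schema and then runs a single cross-source correlation rule over them: three or more failed logins from one source address, counted across every log source, followed by a successful login from that same address within five minutes. The three line formats, the /login endpoint, the threshold and window, and the sample lines are assumptions constructed for the example. The point it shows is that neither the web log nor the SSH log on its own crosses the threshold, so only the normalized, correlated view raises the alert, and the firewall log supplies context rather than a detection of its own.

```python
# Normalize three differently shaped log sources into one event schema and
# correlate across them. Example code added for this page, not from any SIEM
# product; the line formats, the /login endpoint, the threshold and window,
# and the sample lines are constructed assumptions.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str          # which log produced the event
    src_ip: str
    user: Optional[str]
    action: str          # "login" or "connection"
    outcome: str         # "success", "failure" or "allow"


# Assumed raw formats: ISO-stamped sshd syslog, key=value firewall logs and
# combined-format web access logs.
SSHD_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
FW_RE = re.compile(r"^(?P<ts>\S+) \S+ action=(?P<action>\w+) src=(?P<ip>\S+) dst=\S+ dport=\d+")
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\w+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def _iso(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line):
    """Map one raw line onto the common Event schema; None if it is not an event we model."""
    m = SSHD_RE.match(line)
    if m:
        outcome = "success" if m.group("result") == "Accepted" else "failure"
        return Event(_iso(m.group("ts")), "sshd", m.group("ip"), m.group("user"), "login", outcome)
    m = FW_RE.match(line)
    if m:
        return Event(_iso(m.group("ts")), "firewall", m.group("ip"), None, "connection", m.group("action"))
    m = WEB_RE.match(line)
    if m and m.group("method") == "POST" and m.group("path") == "/login":
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        outcome = "failure" if int(m.group("status")) in (401, 403) else "success"
        user = None if m.group("user") == "-" else m.group("user")
        return Event(ts, "web", m.group("ip"), user, "login", outcome)
    return None


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when at least `threshold` login failures from one address, counted across
    every source, are followed by a successful login from that address within `window`."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.src_ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        failures = []
        for e in evs:
            if e.action != "login":
                continue
            if e.outcome == "failure":
                failures.append(e)
                continue
            recent = [f for f in failures if e.ts - f.ts <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "brute force followed by success",
                    "src_ip": ip,
                    "user": e.user,
                    "failures": len(recent),
                    "sources": sorted({f.source for f in recent} | {e.source}),
                    # Enrichment from a third source: did the firewall see the connection?
                    "firewall_allowed": any(x.action == "connection" and x.outcome == "allow" for x in evs),
                })
            failures = []  # a success closes the attempt window
    return alerts


def run(lines):
    return correlate([e for e in map(normalize, lines) if e is not None])


# Constructed sample input, not captured from a real system.
SAMPLE_LINES = [
    "2021-10-11T22:14:10Z fw01 action=allow src=203.0.113.7 dst=10.0.0.5 dport=22",
    '203.0.113.7 - - [11/Oct/2021:22:14:12 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.7 - - [11/Oct/2021:22:14:13 +0000] "POST /login HTTP/1.1" 401 512',
    "2021-10-11T22:14:15Z web01 sshd[4221]: Failed password for invalid user admin from 203.0.113.7 port 52144 ssh2",
    "2021-10-11T22:14:16Z web01 cron[911]: (root) CMD (run-parts /etc/cron.hourly)",
    "2021-10-11T22:14:20Z web01 sshd[4230]: Accepted password for alice from 203.0.113.7 port 52150 ssh2",
    "2021-10-11T22:15:01Z web01 sshd[4240]: Failed password for bob from 198.51.100.9 port 40000 ssh2",
    "2021-10-11T22:15:05Z web01 sshd[4241]: Accepted password for bob from 198.51.100.9 port 40001 ssh2",
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LINES):
        print(alert)
```

Feeding only the sshd lines to `correlate` produces no alert, because each address shows a single SSH failure; it is the two web-login failures from the same address, mapped onto the same schema, that push the count over the threshold. That is the correlation benefit in miniature, and the normalized schema is what makes a single rule applicable to all three sources.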

      Disadvantages of SIEM

SIEM software is not without its flaws. Organizations that adopt SIEM generally have difficulty with a few things.

      1. Cost. SIEM systems can be rather expensive. We’ve broken down SIEM costs to provide a full total cost of ownership. Although the cost can be high, the benefits can outweigh the cost to provide a positive ROI.
      2. Effort to configure. They also almost always need costly external resources to install and configure. That process can take a long time, too. The time to value can lag, causing organizational and budget challenges.
      3. Dedicated security resources to monitor. Then, once up and running, they need dedicated staff for operations and continuous tuning. Without constant updating, a SIEM can become “noisy,” generating excessive alerts to the point where it may even be ignored by the SOC.

      Conclusion

      SIEMs are potentially highly valuable additions to a SOC. They correlate security data feeds, enabling them to detect serious security incidents in time to take action. They then facilitate an effective, fast response by the SOC team. At the same time, SIEM software can take significant time to set up and to adjust the alerts and responses. Embarking on a SIEM project represents a serious commitment of time and resources on the part of the security team. It should be undertaken with rigorous planning and realistic budgeting in order to ensure long term success.
