  1. The initial setup isn't overly complex. There are quite a lot of things that we find useful. Splunk agents are useful and good. Its UI is quite impressive.
  2. The solution is flexible and easy to use. We consider it mandatory for log and event management purposes.
Find out what your peers are saying about Splunk, IBM, Securonix Solutions and others in Security Information and Event Management (SIEM). Updated: April 2021. 475,208 professionals have used our research since 2012.
  4. There aren't any positive aspects of the solution. It was a complete failure. There are no redeeming features. Customer support and making sure that we're successful has been one of the best features, one that we weren't even looking for during evaluation, but that's what we have found.
  5. The user experience [is] well thought out and the workflows are logical. The dashboards are intuitive and highly customizable. The thing that Devo does better than other solutions is to give me the ability to write queries that look at multiple data sources and run fast. Most SIEMs don't do that. And I can do that by creating entity-based queries. Let's say I have a table which has Okta, a table which has G Suite, a table which has endpoint telemetry, and I have a table which has DNS telemetry. I can write a query that says, 'Join all these things together on IP, and where the IP matches in all these tables, return to me that subset of data, within these time windows.' I can break it down that way.
  6. The stability is very reliable. It offers very good performance. One of the most valuable features is that we can combine SOC and NOC operations in the same tool. We can provide NOC and SOC services in the same tool for two separate teams. There are plenty of third-party solutions that integrate with FortiSIEM. All these solutions already have a ready integration, and we have the possibility to create a custom connector for these solutions. Its reports are also very good.
  7. There are a host of things that are most valuable. Obviously monitoring our environment and reporting out different events is important. They perform a suite of services. They monitor all of our servers, all of our key infrastructure, like our DNS, our switches, all that stuff. They aggregate and correlate that quarterly. They'll tell us if we're getting a lot of login failures and something is going on or if something's weird.
  9. Technical support is very helpful and responsive. File Integrity Monitoring is really valuable because we have it set up on our core assets. This is one of the key features that I utilize. We also use it quite a lot for event management to do reporting.
  10. I really like the correlation part and the way the logs are correlated. I have never faced issues with parsing in this product. I like the way it parses, and everything is so clear to me.

Advice From The Community

Read answers to top Security Information and Event Management (SIEM) questions. 475,208 professionals have gotten help from our community of experts.
Rony_Sklar
There are many cybersecurity tools available, but some aren't doing the job that they should be doing. What are some of the threats that may be associated with using 'fake' cybersecurity tools? What can people do to ensure that they're using a tool that actually does what it says it does?
SimonClark
Reseller


Dan Doggendorf gave sound advice.


Whilst some of the free or cheap platforms will provide valuable information and protection, your security strategy has to be layered. Understand what you want to protect and from whom. At some point you will need to spend money but how do you know where to spend it? There are over 5,000 security vendors to choose from.


There is no silver bullet and throwing money at it won’t necessarily fix what you are at risk from but at the same time free products are free for a reason.


If your organisation doesn't have a large team of security experts to research the market and build labs, then you need to get outside advice. Good cyber-advisors will understand your business and network architecture and therefore will ask the right questions to help you navigate the plethora of vendors and find the ones that are right for where your business is now and where you intend it to be in the future.


Large IT resellers will sell you what they have in their catalogues based on what you ask for and give a healthy discount too but that may not fix the specific risks your business is vulnerable to. A consultative approach is required for such critical decisions.


By the way, there are free security products and services that I recommend.


Danny Miller
User

Tools are not necessarily bogus. Sometimes they are just 'legacy' tools that have been around for too long and no longer fit the problem they were designed to solve, simply because IT infrastructure, organizational needs, and cybersecurity threat complexity have evolved. 

reviewer1266459 (Network Security Engineer at a performing arts with 201-500 employees)
Real User

- Refrain from free products.
- Delete products and traces of the product after evaluation.
- Always know what you want from the cybersecurity solution, so you can identify illegal operations of the product if they differ from its stipulated functions.
- Work with recognised partners and solution providers.
- Download open source from reputable sites.


Doctor Mafuwafuwane (Altron Systems Integration)
Real User

Open source or free products need proper management. Based on my experience I have found that many people who use open source don't bother to patch it, and attackers then utilize such loopholes.



One great example: one client was using a free vulnerability management tool plus an IP scanner, and they got hit with ransomware. During the investigation I realised the attacker had utilized the same tool to affect other devices on the network. The attacker took his time, at least 2 months unnoticed.

Basil Dange
Real User

One should first have a detailed understanding of what he/she is looking to protect within the environment, as tools are specially designed as point solutions. A single tool will not be able to secure the complete environment, and you should not procure any solution without performing a POC within your environment.


As there is a possibility that a tool which works for your peer organisation does not work in a similar way for yours, as each organisation has different components and workloads/use cases.

Javier Medina
Real User

You should build a lab, try the tools and analyze the traffic and behavior with a traffic analyzer like Wireshark and any sandbox or EDR that shows you what the tools do, but all this should be outside your production environment. Use tools that have been released by the company provider and not third-party downloads or unknown or untrusted sources.

Alan
Real User

Bogus cybersecurity tools might bring about data exfiltration or a trojan horse.

Rony_Sklar
How do log management and SIEM differ? Is it necessary to have separate tools for each function or can these functions be rolled into one solution? Which products are best for SIEM, and which are better for log management? Do you have recommendations of products that effectively combine both log management and SIEM?
Lindsay Mieth
Real User

Rony, Daniel's answer is right on the money.  There are many solutions for each in the market, a lot depends upon your ability to manage such tools and your budget.  A small operation may be best served by a managed service if it proves to be economical.  I do not have any recent data on these.  When I was investigating SIEMs there were big systems such as IBM, HP and McAfee then I found LogRhythm which has proved to be a great tool and more of what I needed right away.  We manage it ourselves, though they now have a cloud offering.  Also, if you have mostly Office365 and Azure IaaS logs to work with, you may find MS Azure Sentinel to be a good fit.  I hope this is of some use to you.

Daniel Sichel
Real User

Log Management is just that, it looks at logs from devices and attempts to make inferences about security issues from those logs. SIEM technology typically casts a wider net, looking at all types of security events. The best of breed will look at Network flows and events and logs, and other types of events that don't necessarily come from logging sources and provide an inference engine and rules management platform to allow you to detect anomalies from a wide variety of sources rather than just logs.

David Rivas Huete
User

In short, Log Management refers to the collection, storage, and organizing of event logs according to your specific needs and operational processes. By contrast, the SIEM, after data collection, makes the real exploitation of this data acquired from different sources, servers, applications, and OSes. In the context of the traditional intelligence cycle, it is performing 3 of the 4 typical stages: Collection, Analysis/Processing, and Distribution to decision-makers. That said, from the perspective of a former Intel guy, it is intelligence vs raw data before it is even converted into information.

Esmat Salah El-Din
User

Splunk would be the best solution to address several use cases.

Damien Finette
User

Argent Software can help with the following products:

- Argent for Compliance - Compliance and Log monitoring. https://www.argent.com/product...
- Argent SEIM (Expected release Q4 2020) – Single Security Management platform that provides full visibility to activity in your network. Argent SEIM collects, parses and categorizes data for correlation and threat detection so that you can act accordingly.

https://www.argent.com


Rony_Sklar
Are event correlation and aggregation both needed for effective event monitoring and SIEM? 
David Collier
Reseller

Both are techniques aimed at reducing the number of active alerts an operator receives from the monitoring tool.

I don't fully agree with the previous descriptions of correlation and aggregation, welcome though they are.

Let's take a typical scenario. Assume a network interface on a large switch fails, resulting in many systems experiencing a failure. In the 'raw' state, i.e. with no correlation or aggregation, the monitoring system would receive potentially thousands of events - possibly multiple SNMP traps from other network devices or servers, event log records from Windows servers, Syslog entries from Linux, errors from the database management system, errors from web servers relying on that database and probably lots of incidents raised by users on the help desk. Good correlation algorithms will be able to distinguish between "cause" alarms and "symptom" alarms. In this scenario, the "cause" is the failing network switch port and the symptoms are the database failures and log file entries. Simplistically, fixing the cause will also address the symptoms.

Typically, aggregation is used to "combine" events into a single alarm. Again there are multiple methods to do this. A simple one would be - as previously described - duplicate reduction. In a poorly configured monitoring environment every check that breaches threshold results in an alarm. If monitoring is granular, say every 30 seconds the CPU utilization is measured and an alarm raised if it exceeds 80% then very quickly the operator would be overwhelmed by many meaningless alarms - especially if the CPU is doing some work where high CPU usage is expected. In this case, handling 'duplicates' is helpful when helping operators identify real issues. In this case, it may be enough to update the original alarm with the duration of the threshold breach.

There are many techniques for aggregation and correlation beyond identifying cause and symptom events or ignoring duplicates. For instance, time-based event handling. Consider a scenario where an event is only considered relevant if another event hasn't happened in a given timeframe before or after the focus event. Or a scenario where event aggregation occurs based on reset thresholds rather than alarm thresholds.

There are also some solutions that purport to intelligently correlate events using AI. Although, speaking personally, this seems more marketing speak than a one-click feature. In reality, these advanced (i.e. $$$$$$) solutions need to maintain a dynamic infrastructure topology in near-real-time and map events to service components in order to assess root cause correlation. In the days of rapidly flexing and shrinking infrastructures, cloud services, and containerization, it is extremely difficult to maintain an accurate, near-real-time view of an entire IT infrastructure from users through to lines of application code. A degree of machine learning has helped, but the cost-benefit simply isn't there yet for these topology-based event correlation features.

Randall Hinds
Real User

Agree on all the answers posted here, and I especially like Dave's explanation of the more advanced solutions available on the market. Excellent call-outs on the need for deep & well-maintained relationship mapping to enable an AI's algorithm to connect the dots between aggregated alerts firing from multiple separate source tools. Having a mature ITSM implementation with CI discovery, automated dependency mapping, and full integration between your correlation engine & CMDB will help too.

Daniel Sichel
Real User

Other answers pretty much sum this up, but there is one important point to make. In some technologies it's important to take into account the number of events that got aggregated, and for your SIEM device to be able to treat them as individual events for the purpose of correlation.

James Meeks
User

As previously mentioned, correlation is the comparing of the same type of events. In my experience, alerts are created to notify when a series of these occurs and reaches the prescribed threshold.

Aggregation, based on my experience, is the means of clumping/combining objects of similar nature together and providing a record of the "collection"; of deriving group and subgroup data by analysis of a set of individual data entries. Alerts for this are usually created for prognostication and forecasting. Often the "grouping" is not detailed information so there is a requirement for digging into the substantiating data to determine how this data was summarized.

Alerts/Alarms can be set for both, but usually only for the former and not the latter.

reviewer1217868 (Information security at a financial services firm with 1-10 employees)
Real User

You cannot process and generate advanced correlated alerts without aggregation: limiting your correlation to one set of sources will leave your SIEM blind and unaware of the global context.
So yes, to get 'EFFECTIVE' event monitoring with the goal of correlating events, you need to aggregate many different sources.

Andreas Rühl
User

"Aggregation is a mechanism that allows two or more events that are raised to be merged into one for more efficient processing" from https://www.ibm.com/support/knowledgecenter/SSRH32_3.2.0/fxhdesigntutorevtaggreg.html
"Event correlation takes data from either application logs or host logs and then analyzes the data to identify relationships. " from https://digitalguardian.com/blog/what-event-correlation-examples-benefits-and-more

So yes, you need both for a SIEM. For simple monitoring you don't. There's a big difference between what a SIEM does and what simple event monitoring does.

Rishan-Ahmed
MSP

Simply: correlation is the process of tracking relations between events based on defined conditions. Aggregation is nothing but aggregating similar events. Both are required for effective monitoring.

reviewer1346619 (Sales Engineer at a tech services company with 201-500 employees)
Reseller

Aggregation is taking several events and turning them into one single event, while Correlation enables you to find relationships between seemingly unrelated events in data from multiple sources and to understand which events are most relevant.

Both Aggregation and Correlation are needed for effective event monitoring and SIEM; In Enterprise Security (ES) correlation searches can search many types of data sources, including events from any security domain (access, identity, endpoint, network), asset lists, identity lists, threat intelligence, and other data in Splunk platform. The searches then aggregate the results of an initial search with functions in SPL and take action in response to events that match the search conditions with an adaptive response action.

Aggregation example - Splunk Stream lets you apply aggregation to network data at capture-time on the collection endpoint before data is sent to indexers. You can use aggregation to enhance your data with a variety of statistics that provide additional insight into activities on your network. When you apply aggregation to a Stream, only the aggregated data is sent to indexers. Using aggregation can help you decrease both storage requirements and license usage. Splunk Stream supports a subset of the aggregate functions provided by the SPL (Splunk Processing Language) stats command to calculate statistics based on fields in your network event data. You can apply aggregate functions to your data when you configure a stream in the Configure Streams UI.

Correlation example - Identify a pattern of high numbers of authentication failures on a single host, followed by a successful authentication by correlating a list of identities and attempts to authenticate into a host or device. Then, apply a threshold in the search to count the number of authentication attempts.
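
As an added example, not code from any of the answers in this thread nor from Splunk, the two mechanisms the thread keeps returning to, in Python over a constructed sshd-style log: duplicate reduction within a time window (the aggregation David Collier describes for repeated CPU alarms, carrying a count and a first/last timestamp instead of one alarm per event) and the failures-then-success correlation from the Splunk Enterprise Security example above. The log lines, hostnames, RFC 5737 addresses, the 5-failure threshold and the 15-minute window are all assumptions made for the example. The counts feeding the correlation come from the individual events, so an aggregated record still contributes its full count, which is the point Daniel Sichel makes above.

```python
"""Aggregation and correlation over a constructed auth log (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format; nothing here is a real event.
SAMPLE_LOG = """\
2021-04-01T10:00:01 host1 sshd: Failed password for alice from 203.0.113.7
2021-04-01T10:00:03 host1 sshd: Failed password for alice from 203.0.113.7
2021-04-01T10:00:05 host1 sshd: Failed password for bob from 203.0.113.7
2021-04-01T10:00:09 host1 sshd: Failed password for root from 203.0.113.7
2021-04-01T10:00:12 host1 sshd: Failed password for admin from 203.0.113.7
2021-04-01T10:00:20 host1 sshd: Accepted password for bob from 203.0.113.7
2021-04-01T10:05:00 host2 sshd: Failed password for carol from 198.51.100.9
2021-04-01T10:05:02 host2 sshd: Accepted password for carol from 198.51.100.9
2021-04-01T11:30:00 host1 sshd: Failed password for alice from 192.0.2.10
2021-04-01T11:30:01 host1 sshd: Failed password for alice from 192.0.2.10
2021-04-01T11:30:02 host1 sshd: Failed password for alice from 192.0.2.10
2021-04-01T11:30:03 host1 sshd: Failed password for alice from 192.0.2.10
2021-04-01T11:30:04 host1 sshd: Failed password for alice from 192.0.2.10
2021-04-01T11:50:00 host1 sshd: Accepted password for alice from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


@dataclass
class Event:
    ts: datetime
    host: str
    result: str  # "Failed" or "Accepted"
    user: str
    src: str


@dataclass
class Aggregate:
    key: tuple  # (host, result, user, src)
    count: int
    first: datetime
    last: datetime


def parse(log: str) -> list[Event]:
    """Parse the constructed format; unparsed lines are dropped (a real SIEM would count them)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                                m["result"], m["user"], m["src"]))
    return sorted(events, key=lambda e: e.ts)


def aggregate_duplicates(events: list[Event], window=timedelta(minutes=5)) -> list[Aggregate]:
    """Merge events with identical (host, result, user, src) that fall within
    `window` of the aggregate's first event into one record carrying a count
    and the duration of the run, instead of one alarm per event."""
    open_aggs: dict[tuple, Aggregate] = {}
    out: list[Aggregate] = []
    for e in events:
        key = (e.host, e.result, e.user, e.src)
        agg = open_aggs.get(key)
        if agg is not None and e.ts - agg.first <= window:
            agg.count += 1
            agg.last = e.ts
        else:
            agg = Aggregate(key, 1, e.ts, e.ts)
            open_aggs[key] = agg
            out.append(agg)
    return out


def correlate_bruteforce_success(events: list[Event], threshold=5,
                                 window=timedelta(minutes=15)) -> list[dict]:
    """Alert when at least `threshold` failures on (host, src) are followed by a
    success from the same src on that host, counting only failures inside
    `window` before the success.  A success resets the counter for that pair."""
    failures: dict[tuple, list[datetime]] = defaultdict(list)
    alerts = []
    for e in events:
        key = (e.host, e.src)
        if e.result == "Failed":
            failures[key].append(e.ts)
            continue
        recent = [t for t in failures[key] if e.ts - t <= window]
        if len(recent) >= threshold:
            alerts.append({"host": e.host, "src": e.src, "user": e.user,
                           "failures": len(recent),
                           "first_failure": recent[0], "success": e.ts})
        failures[key] = []
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for a in aggregate_duplicates(evs):
        print(f"{a.count:2d}x {a.key} {a.first.time()}..{a.last.time()}")
    for alert in correlate_bruteforce_success(evs):
        print("ALERT", alert)
```

Run as-is, the 14 sample events collapse to 9 aggregated records (the five alice failures from 192.0.2.10 become one record with count 5), and only the 203.0.113.7 sequence raises an alert: the 192.0.2.10 failures are followed by a success 20 minutes later, outside the 15-minute window, which is the kind of time-based handling David Collier mentions.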

Dr. Thulaganyo Rabogadi
I am the technical director of a science and technology division for the government.  Which SIEM solution would deliver the best ability to identify, protect, detect, respond and recover from a cyber attack? Thanks! I appreciate your help. 
Brian Fortington
User

In response to your question, I can say I have worked with quite a few SIEMs, ranging from ArcSight to Splunk. The ability to meet both compliance and regulatory reporting requirements is a must, as is how easy it is to get the compliance reporting out of the SIEM once it is running, and their effectiveness in managing the large amounts of data that they collect and catalogue to produce the SIEM outcome reporting and analysis that feed a SOC. The need to address your NIST compliance can be addressed through this reporting as well.
I suggest you give some consideration to the Fortinet product called FortiSIEM. It is very scalable and will feed the CMDB for better control of the assets in operation.

Ruan Van Staden
Real User

We have been asking the same question for a while now and did a POC with a few freeware options. The best one currently on our list is AlienVault's OSSIM appliance, which did give us the best feature set. The only issue we have picked up lately is that the risk database for OSSIM seems to be falling behind on updates. We are investigating why this is happening, but this has made us start looking at other alternatives. To date, we have not decided on a final option, but we have started looking at two other options, namely OpenVAS and OSSEC, but this is only in the preliminary investigation stage. We still have our OSSIM appliance active and it has helped us a lot with visibility.

Anthony Mack
User

SIEM tools offer critical insight for federal agencies into both current security posture and potential cyberthreats. Effectively deploying these tools at scale, however, demands adoption and integration best practices that both account for existing resource environments and prioritize value-driven compliance outcomes.

As a result, agencies must find SIEM solutions that best match their current IT posture. I recommend an evaluation of what your existing teams have experience with and what integrates best, followed by a live-production evaluation of best-of-breed solutions.

To ensure federal SIEM deployments are effectively integrated into your IT environment and meet evolving policy guidelines, implementation efforts must address critical areas:
-Support: Infrastructure support and operational planning are essential to making the most of SIEM deployments. Knowing your environment in terms of scale and size to determine what kind of solution you need is very important. Just pointing all network logs at SIEM will create more noise and cost more money.
-Scalability: It is critical to deploy platforms capable of scalability, aggregating, and searching both on-prem and cloud-based event logs for SIEM success. Third-party applications, distributed databases, and single sign-on tools have become commonplace.
-Speed: Real-time data is essential for active threat response. SIEM solutions must deliver insight on demand, handle analytics, and aggregation at speed.
-Specificity: It is important to note that not every log is relevant, and not every incident requires a response. Agencies need to make meaningful decisions up-front rather than on the fly by planning to configure, optimize, and tune out information that won't be useful or relevant to prioritize specific outcomes or meet regulatory guidelines.
-Segmentation: This is a critical step for organizations to define automation and orchestration parameters before deploying a SIEM solution.

The benefits and advantages for Federal Agencies at scale:
-Efficiency improvements: By aggregating multiple log sources, IT staffers get the big picture faster, making it easier to take action and reducing the strain on IT departments already spread thin.
-Consolidated infrastructure: Single-source systems naturally consolidate data, limiting the risk of resource over provision and decreasing overall complexity.
-Response identification: Consistent, accurate log data helps IT teams identify the best response to IT security events and apply these responses at scale.
-Automation integration: Data generated by advanced SIEM solutions, underpins security orchestration, automation, and response solutions capable of handling low-level InfoSec incidents without human interaction.
-Threat intelligence: Combined with evolving artificial intelligence tools and machine learning algorithms, SIEM-generated data forms the foundation of actionable, agile threat intelligence to help federal agencies stay ahead of malicious actors.

Based on experience, the cyberthreat landscape is forever changing, and SIEM solutions must adapt at the speed of light. The Splunk solution can be tailored for agency requirements, with data correlation capabilities as well as access to behavior analysis tools that identify suspicious insider activity requiring further investigation by cybersecurity teams.

Hope this provides insight and best practices.

Adam Sewall
User

We use and deploy AlienVault (now ATT), Splunk and have an Open Source version as well. All are good to a point but they need a quality SOC with a SOAR (Security Orchestration, Automation and Response) to respond and recover. In addition there needs to be in place active tools for protection of data in motion and data at rest for segregated back up/recovery and holistic back up and recovery. Splunk also is excellent but needs components such as AI/ML engines and developers/scientists to leverage its capabilities. I have not worked with the RSA SIEM but have also heard good things...the process and people doing the work is IMO more important than the tool itself. Hope this helps!

Gregg Woodcock
Real User

I am admittedly biased, but there are very good reasons that Splunk is the leader in this space. It all depends on your requirements whether it is best for you. Splunk is pricey, but I assume that budget is not really one of your concerns, so that is good. The major strengths of Splunk include: flexibility, late-binding schema (with the option to normalize with the Common Information Model), ease of validation (everything is a search), speed of implementation (fast time to value), a robust command set (you can do ANYTHING and it is FUN), the BEST documentation in all of tech, the most helpful community in all of tech, and an ever-broadening end-to-end ecosystem of features and products to feed the beast (although admittedly, as upsells).

AdrianMache
Real User

Depending on your goals in designing and implementing this resource, whatever you are choosing should deliver its best, if configured properly. https://www.itcentralstation.com/products/comparisons/rsa-netwitness-logs-and-packets-rsa-siem_vs_splunk should give you an insight into the top 2 personal choices, and apps I've worked with: RSA NetWitness and Splunk. Having a history with both leads me to recommend RSA NW from the stability point of view. A broad discussion is listed in this topic and it's a must to answer those questions before deciding to pursue any step further. https://www.itcentralstation.com/questions/what-questions-should-i-ask-before-buying-siem

Thank you,
Adrian

Gabriel Crespo
User

I think you are missing the point here. Many SIEM solutions will give you similar abilities, however, odds are that just one SIEM will perfectly fit your needs. Are you interested in NOC capabilities (device monitoring) or just security logs? Will you send flows to the SIEM? How many people are in your security team? How many servers/networks/devices... will be monitored? Answer that first, and you'll get the perfect recommendation.

reviewer1341687 (Director of Engineering at a tech services company with 201-500 employees)
Real User

We need to understand SIEM from 2-3 dimensions:

- Features [Real-time Security Monitoring, Threat Intelligence, Data and End User Monitoring, Application Monitoring, Analytics, Log Management & Reporting, Deployment & Support Simplicity, Implementation Flexibility]
- Extensibility
- Price


Security Information and Event Management (SIEM) Articles

Rony_Sklar
IT Central Station
Apr 09 2021

There are a lot of considerations when choosing a Security Information and Event Management (SIEM) solution for your business. That's why users on IT Central Station often turn to our community to ask for advice.

In this Q&A round-up, we’re going to take a look at some of the insights about SIEM that have emerged in our community. We’re going to focus specifically on the tips and insights that users have shared for successfully implementing a SIEM solution.

SIEM solutions are only as good as the people implementing them

Many users turn to our community to ask for SIEM recommendations – some general and some more specific. Although fellow users are happy to make product suggestions, a common theme emerges in many of the answers: The solution that you choose is only as good as the team behind it.

Simo Sim, a Systems Engineer, notes, “besides the technology you also need the manpower behind it.” Another user, Aji Joseph, says that successful SIEM implementation “depends a lot on the expertise of the SoC team that will be managing the alerts generated by SIEM solutions.”

Consulta85d2, who appears on our Threat Intelligence Leaderboard, echoes this sentiment, adding that it's important to realise that one needs to actively manage whatever SIEM solution is chosen. He notes, "The critical choice is in the resources and commitment to manage and use the system. I've seen countless SIEM implementations fail over the longer term, including all of the big names, because too many people treat it like a 'set it and forget it' system…A SIEM or UEBA platform is a tool that must be monitored, tuned, and used every day. So I would recommend to you that you spend less time figuring out which technology is the 'best' and more time building a plan to integrate it, manage it, and fully utilize it. Or selecting a good team to do that for you."

But how do you choose a SIEM solution that you know your team can handle?

Anthony Mack notes that effective implementation (particularly at scale) ”demands adoption and integration best practices that both account for existing resource environments and prioritize value-driven compliance outcomes.” He suggests that one should choose a solution that matches one’s current IT posture. To do this he recommends “an evaluation of what your existing teams have experience with and what integrates best, followed by a live-production evaluation of best-of-breed solutions.”

Tips for choosing the right SIEM solution

As with any enterprise tech solution, it’s important to spend time doing your research and POC, so that you know that you’re spending on the right product. We sifted through some of our users’ answers to summarize some of the best tips.

  1. Define your goal

Before starting to evaluate solutions, it's important to define what you want to accomplish with a SIEM. Marty Barron says, "Every SIEM has different strengths and weaknesses so you need to know what is most important to you in terms of goals, so you don't waste time looking at something that can't do the thing you need it to do."

  2. Limit your options

As Kent Gladstone-USA says, "Review a finite number of products, otherwise you'll never finish". Although it's important to spend time doing due diligence, you need to get to the point of implementation. If you have too many options, it will take too long to make a decision. Users suggest making a shortlist of options that meet your technical requirements, speak to your goal, and match your budget.

  3. Create a framework for your POC

Once you’ve narrowed down your options, it’s time to trial the shortlisted products. Users recommend putting a framework in place to guide the POC. This way, you can evaluate your options systematically.

One user, DAX Paulino, suggests “creat[ing] a checklist of features that you need, from the basic (i.e. interactive dashboards, ease of integration, Threat Intelligence), to the more advanced (i.e. Automated response, Behavior Analytics, etc.). Give each item on your checklist a score so that you can weigh in on each item as a measure of your decision. Don’t forget to factor in usability and support.”

More advice about SIEM solutions from our user community

If you’re researching SIEM solutions, there’s a wealth of information on our site that can guide you in your research. You can read in depth reviews of SIEM solutions, and also explore the other questions and answers about SIEM from our user community.

If you don’t find the exact answers that you’re looking for, you can also post a question and get answers from your peers.

IT Central Station is here for you, to learn and help your peers. In a market full of vendor hype, we enable you to get real, unbiased information from people like you.

Matthew Shoffner
IT Central Station
Mar 12 2021

The major regulatory compliance schemes do not mention Security Information and Event Management (SIEM) systems by name, but in practice SIEM tools are essential for achieving compliance and passing certification audits. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF), for example, which organizations commonly use to structure their compliance with regulations such as PCI DSS and Sarbanes-Oxley (SOX), calls for continuous monitoring, detection processes and the ability to analyze anomalies and events. These are tasks that SIEM tools arguably do better than any other security tool, which is one of the many benefits of SIEM.

SIEM Is Critical For Compliance

A SIEM solution is an absolutely critical tool for complying with security regulations promulgated by regulatory bodies. To understand why this is the case, it is first helpful to grasp how cybersecurity technologies and practices actually enable compliance. The regulations tend to be general, not prescriptive. The specifics of implementing the controls required by the law, testing them and passing an audit are left up to the organization that needs to comply with them. To achieve compliance, organizations rely on frameworks and standards like NIST CSF. However, it’s a subjective and sometimes messy, confusing process.

The Sarbanes-Oxley Act does not say, “Install a SIEM system and monitor your network.” Rather, Section 404 of the law itself actually just says that a publicly-traded company should issue “an internal control report, which shall…contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.” SOX says very little about IT, but the accounting industry, along with various industry bodies, has developed a SOX compliance framework that requires IT departments to pass an audit verifying that an organization has:

  • Established physical and electronic controls that will prevent users lacking credentials from accessing sensitive information.
  • Maintained secure locations for servers and data centers.
  • Ensured that proper controls for IT assets containing financial information are in place to protect these digital assets from breach.

Using SIEM software, you are able to monitor the underlying security policies that enable such controls to exist. For instance, a firewall is an electronic control that prevents unauthorized users from accessing sensitive information. That’s great. How will a company pass an audit that wants to check how well that control is working? Enter the SIEM. The SIEM can aggregate, correlate and analyze multiple firewall logs. From this process, it can produce an audit report demonstrating how the company has been implementing the control required for SOX compliance.

SIEM Compliance Requirements

Compliance programs that follow NIST CSF try to snap to the framework’s functional categories. The categories span the security lifecycle: Identify (ID), Protect (PR), Detect (DE), Respond (RS) and Recover (RC). In this way, each stage of security is covered by the framework. The security team first identifies risks, then endeavors to protect against them. If there is an incident, it responds and then tries to recover.

Not every category and sub-category relates to SIEM. However, SIEMs are foundational to achieving compliance with the framework across multiple categories and their respective requirements. They do this with compliance reporting, endpoint detection and response (EDR), threat intelligence gathering, monitoring, log management, analysis and visualization. In particular, SIEM is instrumental in meeting the requirements defined for the following NIST CSF category/sub-categories:

  • Protect (PR)/Access control—SIEMs can produce audit reports based on multiple access control system logs.
  • Protect (PR)/Information protection processes and procedures—Having a SIEM in place as a countermeasure against intrusion is an application of this framework sub-category.
  • Protect (PR)/Protective technology—SIEM serves as protective technology in multiple senses of the term. It is part of the Security Operations Center’s (SOC’s) toolset for guarding against improper access to data and systems of record.
  • Detect (DE)/Anomalies and events—SIEMs detect anomalies and issue alerts to SOC analysts.
  • Detect (DE)/Security continuous monitoring—SIEMs perform continuous monitoring, staying on top of multiple other systems of continuous monitoring.
  • Detect (DE)/Detection processes—SIEMs detect attacks and threats and alert SOC analysts when they find one.
  • Respond (RS)/Analysis—SIEMs create reports used in forensic analysis of security events.
  • Recover (RC)/Improvements—SIEM reports give analysts and security managers the insights they need to improve the incident response process after an event has occurred.

Regulations Requiring Compliance

Nearly all regulations that mandate IT compliance have a requirement of logging all relevant events and then operationalizing an incident response process that handles the threats—and documents the entire series of response activities. After that, the regulations set out the expectation that the company will maintain records of its incident responses. SIEM performs all of these tasks. This is relevant across multiple sets of regulations.

The Federal Information Security Modernization Act (FISMA)

FISMA security practices cover “any federal agency document and implement controls of information technology systems which are in support to their assets and operations.” According to NIST, compliance includes the following tasks that are the province of SIEM:

  • Continuously monitoring security controls.
  • Refining controls using risk-assessment procedures.
  • Documenting controls in the security plan.

The Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS sets out security standards to establish a secure environment for businesses that accept, process, store or transmit payment card information. SIEMs help with PCI DSS by:

  • Helping protect networks on which payment card information is stored or processed.
  • Providing the basis for passing a vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV).
  • Comprising the threat detection aspects of the PCI DSS standard.

General Data Protection Regulation (GDPR)

GDPR covers data protection and privacy in the EU and the European Economic Area, along with transfers of personal data outside these regions. SIEMs are essential for GDPR compliance because they:

  • Enable companies to process personal data securely by what the law calls “appropriate technical and organizational measures.”
  • Provide a key element of “confidentiality, integrity and availability” of systems and services that process personal information.
  • Help data custodians restore access and availability to personal data in a timely manner if there is a security incident.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA protects private, individually identifiable health information, known as protected health information (PHI). With a SIEM, an entity needing to comply with HIPAA can:

  • Identify and defend against threats to the PHI.
  • Secure systems that ensure the confidentiality, integrity and availability of PHI.
  • Monitor systems to mitigate the risk of impermissible uses or disclosures of PHI.

Conclusion

SIEMs are integral to compliance. Without a SIEM, it would be difficult in the extreme to meet the criteria set down by the dominant standards such as NIST CSF. It’s an ever-evolving situation, in any event. As networks and infrastructure grow more complex, SIEMs will be even more useful in enabling companies to keep up with compliance audits.

Matthew Shoffner
IT Central Station
Nov 18 2020

A Security Incident and Event Management (SIEM) solution typically represents a significant investment, even for a large enterprise. With the average price coming in at $50,000, ranging from a minimum of $20,000 and getting to be upwards of $1M, SIEM solutions carry a hefty price tag. However, the value of the top SIEM tools, for general security health and compliance, probably makes the technology worth the cost, but it’s a big check to write.

The benefits of SIEM are obvious, and it is a crucial part of a security strategy, helping SOCs organize and respond to security threats. The benefits of mitigating threats, keeping in line with compliance and audit standards, and avoiding costly data loss and business delays can easily outweigh SIEM TCO.

Additionally, you could add a Security Orchestration, Automation, and Response (SOAR) tool to accompany your SIEM solution, which would be an additional cost that enables you to handle security issues more efficiently. Commonly confused with one another, there are differences between SOAR and SIEM.

SIEM cost summary

Item                          | Cost Range           | Explanation
SIEM software cost            | $20,000 - $1M        | Average cost is $50,000
Deployment consulting support | $50,000              | One-time fee. Varies based on complexity of implementation, but can easily reach six figures for large enterprises or highly integrated, customized solutions.
Training                      | $0 - $10,000         | Some training can be included with the product. Cost of additional training not included varies by requirements and number of people to be trained.
Database administrator (DBA)  | $74,000              | DBA average US salary
Admin personnel               | $74,000 to $500,000  | Varies by staffing needs. Three admins can cover a full 24-hour shift. Includes additional product tuning that will be necessary.
Hardware                      | $25,000 - $75,000    | Varies by size of configuration, but will generally cost more than plain off-the-shelf hardware due to performance requirements.
Intelligence Feeds            | $1,500 to $10,000    | Some feeds are free, but others need to be purchased and vary by quantity and level of feeds.
Infrastructure                | $10,000              | Includes servers, storage, and switches.

SIEM Cost Breakdown

One helpful way to think about SIEM costs is to take a basic enterprise technology project and add on a couple of extras. In particular:

  • Consulting support for the deployment process. SIEM implementation, traditionally, is not as simple as standing up a traditional enterprise solution. It has to connect with a wide variety of other systems and must be configured to handle a high volume of data. This tends to mean hiring external consultants, since not all departments have the skills in-house to do the work (although with recent advancements, some SIEMs can now be set up without much, if any, consultation). Consultants can provide customizations, which include threat identification, alerting, and remediation rules, to fine-tune your SIEM product to handle the threats you’re facing.
  • Hiring a database administrator (DBA). This may not be a full time hire, but setting up a SIEM involves some pretty complicated data architecture and integration processes. In addition, most SIEMs lack self-managing databases. Someone has to take care of all this. A DBA gets paid $74,000 per year on average.
  • Hardware that can handle the load. SIEMs ingest and process enormous amounts of data, with huge real-time insertion and retrieval rates. As a result, the SIEM cannot run on any old piece of hardware. Someone, usually an external consultant, needs to spec out the hardware based on the SIEM’s connectivity and expected data loads.
  • Personnel. SIEMs need to be staffed, often around the clock. Labor costs vary, of course, but in North America and Europe, hiring experienced SIEM admins for three shifts will cost something in the neighborhood of $500,000 a year.
  • Intelligence feeds. The threat intel feeds going into the SIEM can come with their own price tags. Some are free, but many cost between $1,500 and $10,000 per year.
  • Training. SIEMs are a distinct technology that almost always requires specialized training for the people who operate them. Initial training, along with recurring annual retraining, should be part of the SIEM budget.
  • Ongoing tuning. SIEMs tend to be a bit fussy, creating a lot of distracting “noise” that can defeat their entire purpose if not corrected. As a result, SIEMs usually need ongoing tuning, which may require external consultants.

Considering these cost elements, it’s easy to see how a SIEM can cost a million dollars to acquire and launch in its first year. It could then require a budget of half a million dollars to keep it up and running. Plus, some SIEMs price on a per-second or per-event basis. It’s essential to understand exactly what the costs will be based on expected usage patterns.

Tips For Keeping SIEM Costs Low

It’s possible to keep SIEM costs relatively low.

  • Buy a solution that fits your needs today. One approach is to limit the scope of the solution at launch. This keeps hardware and DBA costs down and speeds the deployment process, which in turn cuts down on consultant costs. The trick here is to design for scaling up later on, if that’s required.
  • Outsource SIEM monitoring. Another option is to outsource SIEM monitoring and event management. This may not work for everyone, but a Managed Security Service Provider (MSSP) can take over some of the more difficult SIEM operations. This will likely cost less than staffing people around the clock.
  • Use a log collection strategy. Use your SIEM software to log only critical items while leaving non-critical events to be handled by a log management server. You can then more easily discard lower value events at shorter retention periods to reduce storage and maintenance costs.

SIEMs tend to be expensive and time-consuming solutions to run, even as they deliver much-needed security incident and event detection and response capabilities. The investment is probably worth it, but it’s a pretty big investment, especially for a smaller company or government agency.

Rony_Sklar
IT Central Station
Oct 27 2020

Members of the IT Central Station community are always happy to take a few minutes to help other users by answering questions posted on our site. In this Q&A round-up, we’re focusing on our users’ answers about SIEM, Identity and Access Management, and the Differences between Hyper-converged Infrastructure vs Converged Infrastructure.

Which is the best SIEM tool for a mid-sized enterprise financial services firm: Arcsight or Securonix?

One of our users was looking for SIEM recommendations, and was specifically looking at ArcSight and Securonix. As always users were very helpful, and suggested possible tools based on their own experience.

ArcSight appeared to be the more popular recommendation of the two tools. One user, Himanshu Shah, suggested that Securonix may be better suited for a mid-sized business, as ArcSight “works on EPS (Events per second) costing”, which can become costly. Users also suggested looking at other options, such as QRadar, Splunk, and LogRhythm.

However, Consulta85d2 responded, “Neither, or both. Having done literally thousands of SIEM deployments, I can tell you from experience that the technology choice isn’t the most important choice. The critical choice is in the resources and commitment to manage and use the system.”

Aji Joseph held similar sentiments and highlighted the key role that the SoC team plays: “The success of SIEM solutions depends a lot on the expertise of the SoC team that will be managing the alerts generated by SIEM solutions.” He also suggested evaluating the forensics capabilities of the various solutions before buying.

What are some tips for effective identity and access management to prevent insider data breaches?

Insider breaches can be a real issue in businesses. Users gave advice on how to effectively implement Identity and Access Management to tackle this issue.

Mark Adams, a Senior Manager, IT Security and Compliance / CISO at a large construction company, gave great advice for implementing a solution, noting that it’s important to “make the implementation a formal project and involve all key stakeholders, including those from the business, not just IT folks.” He gave practical tips, including identifying and classifying all information assets and creating rules for access to those assets. He also highlighted the importance of reviewing access periodically. He stated, “Data owners should be involved in the review since they are usually in a better position to determine if individuals’ access is still legitimate.”

What are the key differences between converged and hyper-converged solutions?

Users helped to clarify key differences between hyper-converged (HCI) and converged infrastructure. Based on the users’ answers, the key differences revolve around ease of use, flexibility, and price.

HCI solutions are typically more expensive, but have significant advantages. Steffen Hornung pointed to the scale-out nature of HCI, noting that you can “add more nodes to the system to support new workloads without losing performance because you add all types at once (compute, storage and networking).”

Dan Reynolds summarised the appeal of HCI really well, pointing out that it’s a complete solution: “Hyper-converged is typically an “all in one box/rack” solution. It consists of compute, storage & network resources all tied together physically (and through software)….You don’t have to architect it. All you have to know is how much “power” you need (what you want to do with it).” In contrast, he noted that “with converged infrastructure (which can still be ‘software defined’) you have to match and configure the components to work together.”

Thanks, as always, to all the users who are taking the time to ask and answer questions on IT Central Station!

IT Central Station is here for you, to learn and help your peers. In a market full of vendor hype, we enable you to get real, unbiased information from people like you.

Do you have a question that you’d like to ask our IT Central Station Community? Ask now!

Matthew Shoffner
IT Central Station
Oct 26 2020

Security Incident and Event Management (SIEM) has been widely adopted and used to manage cybersecurity events as the benefits of SIEM are apparent. As a result, the SIEM market is expected to grow by approximately 25% over the next 5 years as the need for cybersecurity automation increases. Even though the market is expanding, the cost of SIEM has remained relatively flat.

All of the top SIEM tools ingest and analyze mass amounts of security event data from a wide range of other systems, like firewall software, network routers, and intrusion detection and prevention software to name a few. It’s effectively impossible for a human being to keep track of multiple security device logs, so SIEM organizes, analyzes, and creates alerts for security operations to follow up on. The overarching advantage of SIEM is its ability to perform quick, accurate detection and identification of security events.

SIEM can be combined with Security Orchestration Automation and Response (SOAR) for additional benefits. Many think that SOAR and SIEM are one and the same, but there is a difference between SOAR and SIEM which you should understand before moving forward with purchasing either.

The Advantages of SIEM

SIEMs help the Security Operations Center (SOC) function effectively. In particular, they enable:

  1. Faster, more efficient SecOps. With a SIEM sifting through millions of data points, SOC analysts can quickly get a handle on what’s happening, using analysis templates to analyze log and threat intelligence data. This saves time in responding to a security threat and reduces the adverse impact of a cyberattack. Without a SIEM, security analysts would have to interpret multiple security device logs and data sources, such as threat intel feeds, by hand. In addition to burning people out—which is itself a big problem—it slows the incident response process down significantly. You can configure your SIEM tool to respond to incidents in real time, potentially saving your company from data loss or worse.
  2. More Accurate Threat Detection and Security Alerting. SIEM tools can leverage their extensive data sets to detect and identify threats more accurately than would be possible using individual security data streams. They also have the ability to enrich security event data and offer critical context to incident alerts. For example, a SIEM can correlate a threat signature detected in one device log with a threat found on another log.
  3. Improved Security Data. SIEMs aggregate security data, improving the potential for it to be analyzed and used in incident response workflows. This can also result in better visibility over the entire security landscape in the enterprise. The SIEM also typically normalizes security data. In its raw form, the multiple data streams feeding into the SIEM have different schemas and fields; the data is not normalized. For example, data about users originating from network logs, email servers, databases and mobile devices might all take different forms. This creates a problem for data analysis and event correlation. The SIEM is able to reformat the data, making it consistent for incident analysis and response processes. Data storage is a related benefit. The SIEM can store normalized security data for extended analytics and reporting. This may also help with compliance.
  4. Better Network Visibility. SIEM log management and aggregation make it easier to get an overview of the network. Indeed, given the complexity and diversity of modern networks, a network can easily have “dark spaces.” This means that as the network scales, network managers and security teams lose visibility into what’s actually happening with databases, servers, devices and third parties. Hackers look for dark spaces on networks. It gives them a place to hide persistent threats and move laterally across digital assets without being detected. SIEM mitigates this risk by collecting security event data from everywhere in the network. It then stores and analyzes it in a central place. SIEM log analysis can shine a light on these dark spaces, so to speak.
  5. Improved Compliance. Regulations and compliance frameworks such as HIPAA invariably require logging of security data as a key control. SIEMs fulfill this role, easing the attestation process with pre-set compliance reporting templates that streamline the compliance process.
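To make the normalization and cross-source correlation in points 2 and 3 concrete (and the audit-report use described in the compliance article earlier on this page), here is an added Python example written for this page; it is not code from IT Central Station or any SIEM product. The firewall line format, the JSON auth event format, the hosts, users, IP addresses and the five-minute correlation window are all constructed assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input: syslog-style firewall lines and JSON auth-server events.
# Hosts, IPs (documentation ranges), users and field names are all hypothetical.
FIREWALL_LINES = [
    "2024-05-01T10:00:05Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp",
    "2024-05-01T10:00:09Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389 proto=tcp",
    "2024-05-01T10:00:30Z fw01 ALLOW src=198.51.100.4 dst=10.0.0.8 dport=443 proto=tcp",
]
AUTH_EVENTS = [
    '{"ts": "2024-05-01T10:01:12Z", "host": "auth01", "user": "jdoe", "client_ip": "203.0.113.7", "result": "failure"}',
    '{"ts": "2024-05-01T10:01:20Z", "host": "auth01", "user": "jdoe", "client_ip": "203.0.113.7", "result": "failure"}',
    '{"ts": "2024-05-01T10:05:00Z", "host": "auth01", "user": "asmith", "client_ip": "198.51.100.4", "result": "success"}',
]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<kv>.*)$")

def parse_ts(text):
    """Every source is mapped to a timezone-aware UTC datetime so events can be compared."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalize_firewall(line):
    """Map one firewall line onto the common schema; return None for unparseable input."""
    match = FW_RE.match(line)
    if not match:
        return None
    kv = dict(part.split("=", 1) for part in match.group("kv").split() if "=" in part)
    return {
        "ts": parse_ts(match.group("ts")), "source": "firewall", "host": match.group("host"),
        "src_ip": kv.get("src"), "user": None,
        "outcome": "blocked" if match.group("action") == "DENY" else "allowed",
        "detail": f"dst={kv.get('dst')} dport={kv.get('dport')}",
    }

def normalize_auth(raw):
    """Map one JSON auth event onto the same schema (different field names in, same keys out)."""
    rec = json.loads(raw)
    return {
        "ts": parse_ts(rec["ts"]), "source": "auth", "host": rec["host"],
        "src_ip": rec["client_ip"], "user": rec["user"],
        "outcome": "failure" if rec["result"] == "failure" else "success",
        "detail": f"user={rec['user']}",
    }

def normalize_all(fw_lines, auth_lines):
    """Parse every source into the common schema and order the stream by time."""
    events = [e for e in map(normalize_firewall, fw_lines) if e is not None]
    events += [normalize_auth(raw) for raw in auth_lines]
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, window=timedelta(minutes=5)):
    """Raise one alert per source IP that shows both blocked firewall traffic and failed
    logins, with all of that evidence falling inside a single time window."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["src_ip"]].append(event)
    alerts = []
    for ip, evs in sorted(by_ip.items()):
        blocked = [e for e in evs if e["source"] == "firewall" and e["outcome"] == "blocked"]
        failed = [e for e in evs if e["source"] == "auth" and e["outcome"] == "failure"]
        if not blocked or not failed:
            continue  # evidence from a single source is not enough to alert on
        evidence = sorted(blocked + failed, key=lambda e: e["ts"])
        if evidence[-1]["ts"] - evidence[0]["ts"] <= window:
            alerts.append({
                "src_ip": ip,
                "first_seen": evidence[0]["ts"].isoformat(),
                "evidence": len(evidence),
                "users": sorted({e["user"] for e in failed}),
            })
    return alerts

def summarize(events):
    """Per-source, per-outcome counts of the kind a compliance audit report is built from."""
    counts = defaultdict(int)
    for event in events:
        counts[(event["source"], event["outcome"])] += 1
    return dict(counts)

if __name__ == "__main__":
    stream = normalize_all(FIREWALL_LINES, AUTH_EVENTS)
    for alert in correlate(stream):
        print("ALERT", alert)
    print("SUMMARY", summarize(stream))
```

With the constructed input, only 203.0.113.7 produces an alert (two blocked connections followed by two failed logins within 75 seconds), while the allowed connection and successful login from 198.51.100.4 stay in the summary counts only.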

Disadvantages of SIEM

SIEM software is not without its flaws. Organizations that adopt SIEM generally have difficulty with a few things.

  1. Cost. SIEM systems can be rather expensive. We’ve broken down SIEM costs to provide a full total cost of ownership. Although the cost can be high, the benefits can outweigh the cost to provide a positive ROI.
  2. Effort to configure. They also almost always need costly external resources to install and configure. That process can take a long time, too. The time to value can lag, causing organizational and budget challenges.
  3. Dedicated security resources to monitor. Then, once up and running, they need dedicated staff for operations and continuous tuning. Without constant updating, a SIEM can become “noisy,” generating excessive alerts to the point where it may even be ignored by the SOC.

Conclusion

SIEMs are potentially highly valuable additions to a SOC. They correlate security data feeds, enabling them to detect serious security incidents in time to take action. They then facilitate an effective, fast response by the SOC team. At the same time, SIEM software can take significant time to set up and to adjust the alerts and responses. Embarking on a SIEM project represents a serious commitment of time and resources on the part of the security team. It should be undertaken with rigorous planning and realistic budgeting in order to ensure long term success.

Miriam Tover
Content Specialist
IT Central Station

Check out the latest advice from the community about how to trial SIEM. Our favorite tips: “I recommend NOT trialing SIEM solutions in a bake-off. You will be comparing several unbaked cakes.” And: “Check if a cloud version of the tool is available. Some SIEMs offer a free trial period for their cloud-based solutions.” And: “Understand your retention requirements: Storage cost!!! You’re capturing events per minute, and it gets expensive.” Read more tips.

Russell Rothstein
Founder and CEO
IT Central Station

Here are the week’s top briefs about the SIEM market.

Elastic launches free SIEM

Elastic, known for Elasticsearch and other tools, has beta launched a free SIEM solution.

AWS’s new Security Hub offers SIEM-like capabilities

Customers pay only for the compliance checks performed and security findings ingested, with no charge for the first 10,000 security finding events each month. Read more.

The best way to trial a SIEM solution

Check out the latest advice from the community about how to trial SIEM. Read more tips.

Splunk: Logging solution or SIEM?

A Director of Information Security told us in this review: “Before Splunk, I’ve used AlienVault, LogRhythm, ArcSight, and IBM QRadar. As a logging solution, I would say Splunk is probably an eight or nine. If you're talking about SIEM I'd say it's probably about a five.” Agree? Disagree? Post a comment on the review and share your opinion with the community.

That's all for now!

What topics would you like us to include in the next update? Add a comment.

What is Security Information and Event Management (SIEM)?

What is SIEM? A Security Information and Event Management (SIEM) system gives security managers a holistic overview of multiple security systems. SIEM tools centrally store and analyze logs from different locations in order to spot patterns and trends that might signal an emerging security threat or attack. SIEM security combines a security information management (SIM) system with security event management (SEM) to form a single SIEM software solution. In this way, SIEM blends the best of event management tools with security event and incident management technologies.

There are multiple SIEM vendors competing in the market today. IT Central Station members offer a number of recommendations for those considering SIEM solutions.

Keep in mind, while SIEM is used for detecting security threats and triggers the alerts, a SOAR solution is needed to act on these alerts.

One phrase that comes up repeatedly in IT Central Station dialogues about SIEM products is “real time.” According to reviewers, SIEM technology should possess real-time threat analysis and reporting capabilities. Solutions should offer real-time security-related logs and incident reporting. Reports need to specify possible risks and damage to infrastructure. A SIEM tool should ideally provide real-time gathering of logs and log correlation. Notification and event triggering, and the availability of special event collectors for different environments, are viewed as the most important criteria.

Some IT Central Station members stress the importance of SIEM being able to combine information from multiple sources. The solution has to be capable of intelligent queries on these combined sources. Put another way, SIEM must offer compatibility with diverse security data sources and be able to adapt to new or unknown sources. Then, the SIEM solution should perform multilevel correlation on those sources of data.

Efficient use is important. A SIEM tool must be easy to deploy, configure and use. SIEM can be more effective if it integrates with Identity and Access Management. Alerting and workflow integration adds to administrative efficiency.

Specific features recommended include packet analysis, audit trail creation, threat intelligence and search. Users encourage potential buyers to have confidence in the power of a SIEM solution’s search performance and the performance of its threat intelligence engine. The solution should be capable of parsing any log format.
