To help you compare the best SIEM solutions, IT Central Station ranked them based on hundreds of real user reviews. These reviews cover all of the best SIEM products from top security vendors, from our esteemed community of enterprise technology professionals. You'll find comparisons of pricing, performance, features, stability and many other criteria. Read below to find out what your peers have to say about SIEM vendors such as Splunk, LogRhythm, AlienVault, McAfee and others.
* Average rating based on reviews
* Number of total page views
* Number of times compared to another product
* Total number of reviews on IT Central Station
* Number of followers on IT Central Station
The total ranking of a product, represented by the bar length, is based on a weighted aggregate score. The score is calculated as follows: the product with the highest count in each area gets the highest available score (20 points for Reviews; 16 points for Views, Comparisons, and Followers). Every other product gets assigned points based on its total in proportion to the #1 product in that area. For example, if a product has 80% of the number of reviews compared to the product with the most reviews, then the product's score for reviews would be 20% (weighting factor) * 80% = 16. For Average Rating, the maximum score is 32 points, awarded linearly based on our rating scale of 1-10. If a product has fewer than ten reviews, the point contribution for Average Rating is reduced (one-third reduction in points for products with 5-9 reviews; two-thirds reduction for products with fewer than five reviews). Reviews that are more than 24 months old, as well as those written by resellers, are completely excluded from the ranking algorithm.
What is Security Information and Event Management (SIEM)?
A Security Information and Event Management (SIEM) system gives security managers a holistic overview of multiple security systems. SIEM tools centrally store and analyze logs from different locations in order to spot patterns and trends that might signal an emerging security threat or attack. SIEM combines a security information management (SIM) system with security event management (SEM) to form a single SIEM software solution. In this way, SIEM blends the best of event management tools with security event and incident management technologies.
There are multiple SIEM vendors competing in the market today. IT Central Station members offer a number of recommendations for those considering SIEM solutions.
One phrase that comes up repeatedly in IT Central Station dialogues about SIEM products is “real time.” According to reviewers, SIEM technology should possess real-time threat analysis and reporting capabilities. Solutions should offer real-time, security-related logs and incident reporting. Reports need to specify possible risks and damage to infrastructure. A SIEM tool should ideally provide real-time gathering of logs and log correlation. Notification and event triggering, and the availability of specialized event collectors for different environments, are viewed as among the most important criteria.
Some IT Central Station members stress the importance of SIEM being able to combine information from multiple sources. The solution has to be capable of intelligent queries on these combined sources. Put another way, SIEM must offer compatibility with diverse security data sources and be able to adapt to new or unknown sources. Then, the SIEM solution should perform multilevel correlation on those sources of data.
Specific features recommended include packet analysis, audit trail creation, threat intelligence and search. Users encourage potential buyers to have confidence in the power of a SIEM solution’s search performance and the performance of its threat intelligence engine. The solution should be capable of parsing any log format.
Best SIEM Solutions & Products
Read reviews of Security Information and Event Management (SIEM) that are trending in the IT Central Station community:
Provides visibility into the network. We got it for PCI compliance for the most part, and we also do SOC 1 and SOC 2 compliance, so we can show that we're secure to our clients. We have a lot of financial and other customers that care about...
It takes good log sources. We have investments in endpoint protection and Mail Gateway, and our firewalls are going to be catching up soon. To have all the logs centralized, we haven't had that before across the enterprise. We had it logging...
Our key challenge is working with disparate IT groups. We are a brand new security team within our organization. It's a pretty small company. They have grown their infrastructure by acquisitions, so they have a lot of separate naming...
The breadth and harvesting of information the SIEM is capable of doing. I've been in this probably going on 30 years, and I've seen the growth. I found a resource that's outstanding in finding information and then the most important thing,...
We're a financial service. As our title implies we deal in mortgages, which means we see a lot of personal information, credit reports, financial instruments. We're really concerned that we are able to monitor the movement of that kind of...
I really can't think of a particular one, I've been very satisfied with what's happening. I know they're going to get another spike in customer base, hopefully they'll have the ability to ramp up people in support along with the customer ramp...
The PCI compliance pieces that help us produce reports for our external auditor, and their support. I constantly sing the praises of their support group. It's a complicated, vast product with a lot of breadth and depth. Things go wrong. But...
Absolutely. It has helped us gain visibility into events that we didn't have before at all. We have a lot of remote locations. We manage national parks and point-of-sale devices on ships, at the top of mountains and little cabins, gas...
Global management for registry integrity monitoring. Right now you have to apply what they call RIM policies, Registry Integrity Monitoring policies, one agent at a time. If you have thousands of endpoint agents, you have to touch each one of...
Flexible Deployment Architecture – This is where the Open Source roots really start to flex their muscles when it comes to AV USM. The main components of the architecture are as follows: * AV Sensor: AV Sensors perform Asset Discovery,...
A jack-of-all trades: The best thing about AlienVault USM is it being a “Jack-of-All Trades” solution. It provides SIEM, HIDS/NIDS, FIM, NetFlow, Asset Management, Vulnerability Management, etc., under one USM platform. None of the commercial...
This product is jack-of-all trades, but master of none. As mentioned in the good, being a jack-of-all trades is well suited for certain organizations. However, the lack of mature functionality and expertise in any of those areas is a strong...
The ability for me to go into the Web UI, and just learn what's going on in my environment. Being able to go in and show our company's management, "Look, this is what we can see. This is what we can now know about our environment." Then,...
The benefits are almost innumerable. You can't know anything unless you are capturing the data. Once you are capturing the data, you can then make intelligent decisions around what is and is not appropriate, and what is and is not dangerous....
My biggest challenge always comes back to log sources. We are a manufacturing company, so we have a lot of old stuff, and it has been a challenge to get some of our old stuff to light up within LogRhythm in a way that makes sense. I have...
It gives us insight into our entire installation, where we are multiple sites, going as far as the East Coast to the Central West Coast. Our operation is small. I am a one-man shop right now, so it gives me a chance to aggregate all my events...
We are primarily Windows-based. We have Linux. We have some Solaris. We are an isolated network. We have no connectivity to the internet, so we are more focused on insider threat and advanced persistent threat. One of the things that has...
The biggest thing is when you are looking at the client console: A lot of the data, the reports that you can generate, then you are given just a pie chart, a list of data, or both. I would really love to be able to take some of that and not...
Any SIEM, in and of itself, should be easy to ingest data, it should also be easy for the analyst to assess the different types of events that are coming through, be able to sift through false positives, and ensure that they are only acting...
We did a bake-off with several others when we brought in LogRhythm, 10 months ago. And a lot of it was around a cost perspective. Also, its capability of easily ingesting event data from many different types of platforms. Some of the...
The biggest thing that we need - in one of the presentations today here at the LogRhythm User conference they were talking about it - is automating your SOC and trying to get your systems to do as much as they can do without human...
The most valuable feature of LogRhythm for me is the ability to correlate logs throughout many different log sources. Every different log has a different time stamp, it has a different user, things are in different places. But with LogRhythm...
The benefits we see are manifold, compliance. We have to store logs. We're under SOX control, we're under now New York Department of Financial Services, cyber regulations, we are under EU GDPR, loads of regulations are coming out. To be able...
I'm not really sure I can pinpoint any particular area that I see LogRhythm needing improvement in. I think they probably need to, because a lot of companies are having this cloud-first strategy, where anything that's new has to go into the...
We have two facilities, roughly 500 logs per second. Microsoft shop, Cisco stack on the networking side. We run two FortiGate firewalls, and a slew of different security products that we have not integrated into LogRhythm. We haven't seen the...
I can't think of any features they should add because we haven't used everything they've already released. They have Office 365 logs integration. They've got this new phishing engine that we haven't used. They've got dashboards we haven't...
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
Jun 22 2017
What do you think of Fortinet FortiSIEM (AccelOps)?
How many of you remember Cisco MARS? Well, if you don’t, let me remind you that they were one of the earliest SIEM products around that stemmed from the infrastructure monitoring space. MARS was geared more towards monitoring and reviewing network infrastructure including their utilization, performance, availability and logs. After a brief run in enterprises that were Cisco heavy, the product died a natural death. People who were involved in the product left Cisco and started AccelOps (Accelerate Operations). As a product, they took the fundamentals of data collection and integrated infrastructure log, event monitoring to the data analytics platform. The result is a promising product called AccelOps.
They have since been acquired by Fortinet, marking their foray...
Most valuable feature is really providing us visibility into our infrastructure. Frequently, I'm reaching out to our partners in the business, and I'm asking them how I can assist them, and how I can improve their visibility from a security...
It's visibility. Frequently our network team - while our network security is paramount from a security perspective - our network team is really focused on keeping the network up. They're not concerned about intrusions, and potential malicious...
There is, of course, always, improved automation. Because, as we are continually needing more and more people from an analyst perspective, the more we can automate, the fewer people we need. If we can automate some of the lower-level things,...
The most valuable feature for me is that it's a single pane of glass for all of the analysts in my team. It gives us complete eyes and ears into what's going on within our environment. We run two separate installations. One is in our...
From my point of view, at an organizational level, we're able to get that insight into what users are doing, what our applications are doing, whether there is any untoward traffic coming in, whether the applications are misconfigured. It's...
In terms of the product, what really needs to improve are the metrics that you can get from it. We're all about mean time to detection, mean time to response, pulling those metrics out so I can put them into my KPI packs to present to the...
* The ability to correlate data across our global enterprise in near real time
* The ability to integrate a lot of third-party solutions
* The machine learning pieces with Watson, indicators of compromise, and utilizing that across the value...
The solution has improved the efficiency of our security team. These improvements prevent the need for more proactive security activities. The improvements did not reduce our staff. It's funny, because IBM keeps on having this conversation...
Room for improvement is more in relation to a lot of the features, the automation of incidents themselves, and being able to automate workflow responses. Overall, I love the product. IBM usually puts good resources and talent behind things....
* Security, understanding detection, intrusion, and how to do prevention and take action on an event that occurs from a security layer.
* Having a single solution that can actually manage the entire infrastructure, soup to nuts.
* Ability to...
Reducing my OPEX cost by reducing the overhead and training costs of employees and staff. Before we would have to have a large number of staff to be able to go in and do consulting opportunities, to mitigate and remediate security intrusions...
ArcSight needs to go the same route that HPE's doing with the virtualization engine of the HP 380. Basically making it more of a single pane of glass to be able to deploy and take a tangible action on a security event. Today it takes still a...
We're fairly new to LogRhythm. One of the things that we really liked in the deployment PoC phase was the dashboard. How easily it percolated critical information up onto a screen that we could immediately review, and drill-down to look at...
It serves several different features. We can check the checkbox for HIPAA compliance, SEC-type stuff. But really, our biggest focus was actually on our clients. Because we're an accounting firm, a lot of our clients actually audit us, or they...
Probably the biggest improvement and I've talked to several of the management here at the LogRhythm User conference on it, is their thin piece, which is their file integrity monitor, that we use on some of our security servers. The data sets...
Favorite feature of the product is the ease of administration. There's not a lot of overhead. We don't need an FTE dedicated just to admin the product. That was one of the biggest selling features for us.
We have a big issue with our users, they really like to click on links and attachments. The Phishing Intelligence Engine is a new feature they're releasing, which is really going to have a nice fit for us. Then the CloudAI stuff they built right into the SIEM. There's nothing else you've got to do other than upgrade it to the latest and greatest version. Those...
The ability to view all of these different logs, then drilling down into specific times or into specific data sources, has proved to be the greatest aspect in decreasing our troubleshooting overhead time. The added security has proven...
Splunk has helped our organization mainly on our increased use of the security side. We use Splunk to monitor all machine logins (both successful and unsuccessful) and actions taken on those machines under each user. We have set up some...
Splunk has continually been increasing its features and also expanding and perfecting its core functionality. I would like to see it continue to improve its predictive analytics and machine learning tools. It is not to be said that they...
* The integratedness
* The parsing
* Their partnerships with various device manufacturers
They keep it up to date, you don't have to worry about that when their products change. I think as an aggregator it works very well, and as a case...
We're an MSSB, we have about 10 or so different customers that all host with us. Currently we're licensed for 15,000 MPS, average, and we use about 8000 MPS average, consistently, and we're growing. Among our key challenges is getting...
I would like to see more focus on it being a data lake. We have around 100 terabytes of data stored in LogRhythm, machine data, sensor data. That all could be used for operations tasks as well. It would really be awful to have to stand up...
As an information security consultant that works across many diverse networks, these features offer by far the most critical information when analysing a client’s environment for issues that need to be addressed:
We run this product on our network 24/7 and it has helped identify many important events. We take the security of our network very seriously, and this helps to quickly identify and lock down any potential vulnerabilities or events that could...
My biggest challenge has always been the fine tuning that is sometimes required for some networks. It requires a solid understanding of Linux and databases and how networks work. So a non-technical user may become frustrated, or not configure...
Some of the most valuable things that I get from QRadar are the custom parsers. A lot of the syslog items I get pushed to QRadar, instead of trying to build a custom parser to parse out the information that we need in order to do our...
I think it has improved our organization by the speed at which I can run queries compared to other software that I've used in the past. It's a lot quicker and holds a lot more information. It helps keep a good cognitive overview of our...
I'd like to see it being able to be integrated with more security products. I'm a big Guardian user; it's nice for the bidirectional. I can do some stuff, like a SQL injection, or if something is happening. But if there were other security...
What do users say about their security information and event management (SIEM) tools?
What added value do SIEM tools give security professionals and network engineers?
Are users satisfied with the advanced threat protection capabilities? Do the log management features meet their...
A Security Engineer by profession and an Electronics and Communication Engineer by education.
My keen interest lies in simplifying processes and managing people in challenging situations.
Qualities like diligence, sincerity, reliability, punctuality, effective communication, a detailed...
Dynamic 9 years of IT career, reflecting progressive experience and performance in the computer and Internet industries. Specialized in providing cutting-edge solutions to traditional Security issues; establishing strategic ideas in various domains and demonstrating self-motivation, creativity,...
More than 8 years as a security engineer with the last 4 years as a SIEM consultant working on delivering solutions to multiple industries.
Sr QRadar Professional Services consultant with experience delivering on-prem or cloud solutions. Performed SOW technical review, sizing, architecture/design,...
I am a Security person and have titles like Security Officer, Security Manager, Säkerhetschef and Säkerhetsskyddschef, these are only titles and not limitations.
My last twenty years have been a road that started with Novell and now I live in the Cloud.
Security in all forms has always been...
Shaikh Jamal Uddin is a computer and cyber security expert and has done B.S. in Computer Engineering as well as CPTE, CEH, ECSA, Rapid7: NCA (Nexpose), Rapid7: MPCS (Metasploit), IBM QRadar Certified, TCSE (TrendMicro), KLCC (Kaspersky), MCSA, MCITP professional certifications. Recently, he got...
Information Security Advisor, CISO & CIO, Docutek Services
About my business:
Docutek is a leading business and technology consulting company specializing in the development and implementation of healthcare technology since 2008. We deliver Consulting, Integration, Support and Training. We also provide clients with security assessment. network...
· Splunk Trust Most Valued Player 2018
· Splunk Certified User, Splunk Certified Power User, Splunk Certified Admin
· Splunk Accredited Sales Rep I & II, Splunk Accredited IT & App Sales Rep, Splunk Accredited Sales Engineer I, II & III
· Among Top...
Assisting companies with broad security analysis, securing and hardening their servers and networks, setting up complete SIEM environments. I set up controls and analyze business processes.
The buzz words: Siem consultant, Certified Information Systems Security Professional (CISSP), Certified...
[EU & Canadian Passport holder / Romanian & Canadian citizenship]
Engineer (Security Professional)
I am passionate about information security since forever. I have 10+ yrs hands-on experience on various inter/intra high-level networking devices...
Cyber Security Advisor / CISO / Healthcare Security Pro
Mr. Christly is a seasoned Technology and Cybersecurity Executive and Consultant.
He has demonstrated success aligning technology investments to streamline operations, secure corporate assets, reduce operating costs, grow sales, and develop the business in healthcare, education, telecom, and...