Security Information and Event Management (SIEM) Forum

Rhea Rapps
Content Specialist
IT Central Station
Jul 18 2018
One of the most popular comparisons on IT Central Station is SolarWinds LEM vs Splunk. One user says about SolarWinds LEM, "It allows us to monitor access and pull cyber reports quickly. No more searching through logs on each server. There was not much customization, which we had to do with Splunk." Another user says about Splunk, "Splunk has helped our organization mainly on our increased use of the security side. We use Splunk to monitor all machine logins (both successful and unsuccessful) and actions taken on those machines under each user." In your experience, which is better and why?
Johney Shade
Comparing SolarWinds to Splunk is unwise. One responds to active monitoring, whereas the other uses stored data to analyze trends and can alert on events stored in the log files.
MS Alam
SolarWinds is good for network monitoring, but for analyzing critical logs Splunk is best. In my opinion, Splunk is best.
Ayodeji Abimbola
Splunk is a more robust and analytically sound tool for log monitoring. My view is that SolarWinds will be suitable for SMEs with less network security heterogeneity, while Splunk can perfectly serve a large enterprise with wide log analysis needs.
Ariel Lindenfeld
Sr. Director of Community
IT Central Station
One of our community members wrote that what's important is "compatibility with diverse sources, including the ability to adapt to unknown ones, performance, and the ability to do multi-level correlation." What do you think? See other excellent answers below. Let the community know what you think. Share your opinions now!
Michael SCHLEICH
Based on my experience with SIEM (7 years working with ArcSight on a daily basis), I would say that there are 3 main points.

1) Objectives: what you would like to do with the SIEM. What do you have to achieve? This is very important. If you just need a solution to manage your logs and make searches for incident investigation, I would use Splunk. If you need to build security monitoring use cases with automatic notification, I would use ArcSight or QRadar.

2) Perimeter to monitor: what is the size of the infra to monitor? How many AD users? How many logs per day? Which logs to collect? How many different vendors or log types? If you have a big environment to monitor, you have no other choice than ArcSight. If it is smaller, QRadar could be used.

3) Security team: who will work with the SIEM? This is highly critical, because if you don't have a dedicated team with specific skills I will not recommend ArcSight: it is very complex and custom use is not documented enough. You need an expert on site to be able to use this tool correctly and efficiently and to increase its usefulness. QRadar is less complex, but for sure it will be less flexible.

If you want to use another SIEM solution or open source, you first need to answer the 3 points above. Then you need to check whether the solution is able to collect, process, parse and categorize the logs you have chosen for your use cases. You have to verify how to build correlation and what the limits are. You have to check if you can build automatic notification. You have to check the evolution: what will the new features be? You have to ask for the roadmap. You shouldn't choose something that won't be developed anymore. It takes a lot of resources and time to build a SOC using a SIEM and to configure the SIEM infra completely. It is wrong to say that you can migrate easily to another solution. Completely wrong. The last point: you need to verify the documentation and the support. Very important for bugs, issues or important missing features.

I hope this answer will help you. You can contact me if you have a precise question.
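As an added illustration of the checklist Michael describes (collect, parse and categorize logs from different sources, correlate them, and raise an automatic notification), here is a minimal correlation rule written for this thread; it is not code from any product mentioned above. It normalizes constructed sshd and Windows-style logon events into one schema and alerts when repeated failures from the same user and source are followed by a success inside a time window. The log lines, window and threshold are all constructed for the example.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample events from two different sources (not real data):
# an sshd syslog line and a Windows-style logon event serialized as JSON.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z sshd[812]: Failed password for alice from 203.0.113.7 port 5222 ssh2",
    "2024-03-01T10:00:04Z sshd[812]: Failed password for alice from 203.0.113.7 port 5223 ssh2",
    "2024-03-01T10:00:09Z sshd[812]: Failed password for alice from 203.0.113.7 port 5224 ssh2",
    "2024-03-01T10:00:15Z sshd[812]: Accepted password for alice from 203.0.113.7 port 5225 ssh2",
    '{"ts":"2024-03-01T10:02:00Z","EventID":4625,"TargetUserName":"bob","IpAddress":"198.51.100.9"}',
    '{"ts":"2024-03-01T10:30:00Z","EventID":4624,"TargetUserName":"bob","IpAddress":"198.51.100.9"}',
    "2024-03-01T10:31:00Z cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]
SSHD_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
                     r"(?P<user>\S+) from (?P<src>\S+)")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_event(line):
    """Parse and categorize one raw line into a common logon schema, or None if unknown."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": _ts(m["ts"]), "user": m["user"], "src": m["src"],
                "outcome": "success" if m["outcome"] == "Accepted" else "failure"}
    if line.startswith("{"):
        rec = json.loads(line)
        if rec.get("EventID") in (4624, 4625):  # 4624 = logon success, 4625 = logon failure
            return {"ts": _ts(rec["ts"]), "user": rec["TargetUserName"], "src": rec["IpAddress"],
                    "outcome": "success" if rec["EventID"] == 4624 else "failure"}
    return None  # unparsed lines should be counted as a coverage gap, not silently dropped

def correlate(lines, threshold=3, window=timedelta(seconds=60)):
    """Alert when >= threshold failures from one (user, src) are followed by a success within window."""
    events = sorted(filter(None, (parse_event(l) for l in lines)), key=lambda e: e["ts"])
    recent_failures = {}  # (user, src) -> failure timestamps still inside the window
    alerts = []
    for e in events:
        key = (e["user"], e["src"])
        recent = [t for t in recent_failures.get(key, []) if e["ts"] - t <= window]
        if e["outcome"] == "failure":
            recent.append(e["ts"])
        elif len(recent) >= threshold:
            alerts.append({"user": e["user"], "src": e["src"], "failures": len(recent),
                           "at": e["ts"].isoformat()})  # this record is the "automatic notification"
            recent = []
        recent_failures[key] = recent
    return alerts
```

Running `correlate(SAMPLE_LOGS)` yields one alert for alice; bob's single failure and much later success stay below the threshold and outside the window, and the cron line is categorized as unknown.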
it_user331212
Real-time threat analysing and reporting capabilities.
Stephen Hockley
Ability to quickly extract information when required (forensic). The ease with which you can integrate your devices which are logging (agnostic). Ability of the device to capture all your required logging and maintain it for a reasonable time frame (capacity).
Chris Poorte
Computer & Network Systems Administrator at an aerospace/defense firm with 1,001-5,000 employees
My organization has one last piece to the puzzle in our completion for NIST 800-171 compliance. I know nothing about Network Security and Event Management. I have a team of two Systems and Network Admins that already spend a lot of time ensuring the organization is running smoothly, dealing with any technical issues, and ensuring the infrastructure is performing well. What solution is recommended for something that can automate and run with little to no interaction, but ensure the requirements and needs are met? Is there a solution that does not require heavy configuration, one that can give you an overview of the network and tell you exactly what is going on inside the network, and if needed any penetration alerts, if they exist?
David Burton
There are many good SIEM products on the market today. Our company evaluated several SIEM products: LogRhythm, Splunk, AlienVault, Fortinet, and EventTracker. They are all great products. We settled on EventTracker and purchased the licenses through a 3rd party, because these companies have internal teams of trained security analysts. They take on the heavy lifting of reviewing alerts, threat analysis, etc. The required manpower is a critical piece when evaluating SIEMs.
Perry Jurancich
As David mentioned above, there are many good SIEM products available. The challenge, in the environment as described, is getting the value out of it if you run it yourself. There is a lot of overhead when it comes to running a SIEM, especially for the uninitiated and non-cyber-minded folks. This question is interesting because I had this very conversation with a customer yesterday. My company provides consulting services to myriad companies around the world. Under 800-171 section 3.3 (800-53r4 AU controls), you have to demonstrate that you retain logs for your cybersecurity environment (3.3.1), review logs on a regular basis (3.3.3), have the ability to 'audit' the logs (3.3.5) and alert on events (AU-6). IMHO, for an organization that has limited staff and time, a hosted version of SIEM services is best. Not just a hosted SIEM, but one with an AI/ML behavioral analysis processing engine and 24x7 'eyes on glass' (not just automated systems monitoring): certified cybersecurity analysts to evaluate all alerts, then only advising the company of an issue to be addressed. It totally takes the heavy lifting off of any company, with the benefit of (in effect) staff augmentation. Bringing a SIEM in-house for small organizations is a challenge at best, a recipe for failure at worst, plus it may not meet 800-171 requirements. TIG ThreatWatch, Arctic Wolf SOCaaS and SecureWorks are a few in the space. Be careful: make sure you have full access to your data, the ability to run reports to generate artifacts for audits and live alerts, and that you only plug security devices into the monitoring for 800-171 requirements. Be sure to use one that doesn't cost you by volume of logs; it should be by log source, regardless of volume. Best of luck!
itsecuri350985
I have been working with SIEM technology for more than 10 years. LogRhythm, no doubt, is one of the best for a small to mid-size company.
Rhea Rapps
Content Specialist
IT Central Station
I'm a community manager here at IT Central Station and I'm doing some research to try to make our platform even better. I'd really appreciate it if you could answer a few quick questions. Was your research of SIEM products on our site for a purchase? If not, what was it for? Which product did you end up choosing and when did you finalize the purchase? Was IT Central Station content helpful in helping you make a decision? What other content or data could we have offered that would have helped you make a quicker/better decision? I really appreciate your help! Rhea