Which is the best SIEM solution for a government organization?

I am the technical director of a science and technology division for the government. 

Which SIEM solution would deliver the best ability to identify, protect, detect, respond and recover from a cyber attack?

Thanks! I appreciate your help. 

19 Answers

In response to your question, I can say I have worked with quite a few SIEMs, ranging from ArcSight to Splunk. The ability to meet both compliance and regulatory reporting requirements is a must, as is how easy it is to get the compliance reporting out of the SIEM once it is running, and their effectiveness in managing the large amounts of data that they collect and catalogue to produce the SIEM outcome reporting and analysis that feed a SOC. The need to address your NIST compliance can also be addressed through this reporting.
I suggest you give some consideration to the Fortinet product called FortiSIEM. It is very scalable and will feed the CMDB for better control of the assets in operation.

We have been asking the same question for a while now and did a POC with a few freeware options. The best one currently on our list is AlienVault's OSSIM appliance, which did give us the best feature set. The only issue we have picked up lately is that the risk database for OSSIM seems to be falling behind on updates. We are investigating why this is happening, but this has made us start looking at other alternatives. To date, we have not decided on a final option, but we have started looking at two other options, namely OpenVAS and OSSEC, though this is only in the preliminary investigation stage. We still have our OSSIM appliance active and it has helped us a lot with visibility.

SIEM tools offer critical insight for federal agencies into both current security posture and potential cyberthreats. Effectively deploying these tools at scale, however, demands adoption and integration best practices that both account for existing resource environments and prioritize value-driven compliance outcomes.

As a result, agencies must find SIEM solutions that best match their current IT posture. I recommend an evaluation of what your existing teams have experience with and what integrates best, followed by a live-production evaluation of best-of-breed solutions.

To ensure federal SIEM deployments are effectively integrated into your IT environment and meet evolving policy guidelines, implementation efforts must address critical areas:
- Support: Infrastructure support and operational planning are essential to making the most of SIEM deployments. Knowing your environment in terms of scale and size to determine what kind of solution you need is very important. Just pointing all network logs at the SIEM will create more noise and cost more money.
- Scalability: It is critical to deploy platforms capable of scaling, aggregating, and searching both on-prem and cloud-based event logs for SIEM success. Third-party applications, distributed databases, and single sign-on tools have become commonplace.
- Speed: Real-time data is essential for active threat response. SIEM solutions must deliver insight on demand and handle analytics and aggregation at speed.
- Specificity: Importantly, not every log is relevant, and not every incident requires a response. Agencies need to make meaningful decisions up-front rather than on the fly, by planning to configure, optimize, and tune out information that won't be useful or relevant, in order to prioritize specific outcomes or meet regulatory guidelines.
- Segmentation: This is a critical step for organizations to define automation and orchestration parameters before deploying a SIEM solution.

The benefits and advantages for federal agencies at scale:
- Efficiency improvements: By aggregating multiple log sources, IT staffers get the big picture faster, making it easier to take action and reducing the strain on IT departments already spread thin.
- Consolidated infrastructure: Single-source systems naturally consolidate data, limiting the risk of resource over-provisioning and decreasing overall complexity.
- Response identification: Consistent, accurate log data helps IT teams identify the best response to IT security events and apply these responses at scale.
- Automation integration: Data generated by advanced SIEM solutions underpins security orchestration, automation, and response solutions capable of handling low-level InfoSec incidents without human interaction.
- Threat intelligence: Combined with evolving artificial intelligence tools and machine learning algorithms, SIEM-generated data forms the foundation of actionable, agile threat intelligence to help federal agencies stay ahead of malicious actors.

Based on experience, the cyberthreat landscape is forever changing, and SIEM solutions must adapt at the speed of light. The Splunk solution is tailored for agency requirements, with data correlation capabilities as well as access to behavior analysis tools that identify suspicious insider activity requiring further investigation by cybersecurity teams.

Hope this provides insight and best practices.
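The "Specificity" and "Efficiency improvements" points in the answer above (deciding up-front which logs are noise, and aggregating several sources into one picture) in working code. This is an added example, not code from the answer's author or from any vendor named on the page; the log lines, host names, tuning rule names and the event schema are all constructed for illustration:

```python
"""
Pre-ingestion tuning for SIEM log feeds (constructed example).

  1. normalise heterogeneous raw lines into one event schema,
  2. apply tuning rules that drop known-noise events before they
     cost licence volume and analyst attention,
  3. report per-source volumes so the drop rate stays visible.
All log lines, hosts and rule names below are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed sample feed: four sources with different formats.
SAMPLE_LOGS = [
    "fw01 2024-05-01T10:00:01Z action=allow src=10.0.1.5 dst=10.0.0.53 dport=53 proto=udp",
    "fw01 2024-05-01T10:00:02Z action=allow src=10.0.1.6 dst=10.0.0.53 dport=53 proto=udp",
    "fw01 2024-05-01T10:00:03Z action=deny src=198.51.100.7 dst=10.0.2.10 dport=3389 proto=tcp",
    "auth01 2024-05-01T10:00:04Z sshd: Failed password for admin from 198.51.100.7 port 51022",
    "auth01 2024-05-01T10:00:05Z sshd: Accepted publickey for deploy from 10.0.1.20 port 40110",
    "mon01 2024-05-01T10:00:05Z heartbeat agent=ok",
    "mon01 2024-05-01T10:00:10Z heartbeat agent=ok",
    "web01 2024-05-01T10:00:11Z 198.51.100.7 GET /admin 403",
]


@dataclass
class Event:
    source: str
    timestamp: str
    category: str          # e.g. "firewall.allow", "auth.failure"
    actor: Optional[str]   # source IP, or None when the event has no actor
    raw: str


FW_RE = re.compile(r"^(?P<host>\S+) (?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=\S+ dport=\d+")
SSH_RE = re.compile(r"^(?P<host>\S+) (?P<ts>\S+) sshd: (?P<result>Failed|Accepted) \w+ for \S+ from (?P<src>\S+)")
HB_RE = re.compile(r"^(?P<host>\S+) (?P<ts>\S+) heartbeat ")
WEB_RE = re.compile(r"^(?P<host>\S+) (?P<ts>\S+) (?P<src>\S+) \w+ \S+ (?P<status>\d{3})$")


def normalise(line: str) -> Optional[Event]:
    """Map a raw line onto the common schema; None if the format is unknown."""
    if m := FW_RE.match(line):
        return Event(m["host"], m["ts"], f"firewall.{m['action']}", m["src"], line)
    if m := SSH_RE.match(line):
        cat = "auth.failure" if m["result"] == "Failed" else "auth.success"
        return Event(m["host"], m["ts"], cat, m["src"], line)
    if m := HB_RE.match(line):
        return Event(m["host"], m["ts"], "monitor.heartbeat", None, line)
    if m := WEB_RE.match(line):
        cat = "web.denied" if m["status"] in ("401", "403") else "web.request"
        return Event(m["host"], m["ts"], cat, m["src"], line)
    return None


# Tuning rules: True means "known noise, drop before ingestion".
# Constructed decisions made up-front for this example, not vendor defaults.
TUNING_RULES: dict[str, Callable[[Event], bool]] = {
    "drop_agent_heartbeats": lambda e: e.category == "monitor.heartbeat",
    "drop_internal_dns_allows": lambda e: (
        e.category == "firewall.allow"
        and "dport=53 " in e.raw
        and e.actor is not None and e.actor.startswith("10.")
    ),
}


def triage(lines: Iterable[str]) -> dict:
    """Normalise, tune and summarise; returns retained events plus volume stats."""
    retained: list[Event] = []
    raw_by_source: Counter = Counter()
    kept_by_source: Counter = Counter()
    dropped_by_rule: Counter = Counter()
    unparsed = 0
    for line in lines:
        ev = normalise(line)
        if ev is None:
            unparsed += 1      # unknown formats are counted, never silently lost
            continue
        raw_by_source[ev.source] += 1
        hit = next((name for name, rule in TUNING_RULES.items() if rule(ev)), None)
        if hit:
            dropped_by_rule[hit] += 1
            continue
        kept_by_source[ev.source] += 1
        retained.append(ev)
    return {
        "retained": retained,
        "raw_by_source": dict(raw_by_source),
        "kept_by_source": dict(kept_by_source),
        "dropped_by_rule": dict(dropped_by_rule),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOGS)
    for src, n in result["raw_by_source"].items():
        print(f"{src}: {n} raw -> {result['kept_by_source'].get(src, 0)} kept")
    print("dropped by rule:", result["dropped_by_rule"])
    for ev in result["retained"]:
        print(f"  {ev.timestamp} {ev.source} {ev.category} actor={ev.actor}")
```

The point of the per-source counters is the one the answer makes about planning: a tuning rule that drops half of a firewall feed should be a documented, reviewable decision with its drop rate on a dashboard, and lines the parser cannot classify are counted rather than discarded, so a new or changed log format shows up as a rising `unparsed` figure instead of a silent gap in coverage.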

We use and deploy AlienVault (now AT&T), Splunk and have an Open Source version as well. All are good to a point but they need a quality SOC with a SOAR (Security Orchestration, Automation and Response) to respond and recover. In addition, there need to be active tools in place for protection of data in motion and data at rest, for segregated backup/recovery and holistic backup and recovery. Splunk also is excellent but needs components such as AI/ML engines and developers/scientists to leverage its capabilities. I have not worked with the RSA SIEM but have also heard good things... the process and people doing the work are IMO more important than the tool itself. Hope this helps!

I am admittedly biased but there are very good reasons that Splunk is the leader in this space. It all depends on your requirements whether it is best for you. Splunk is pricey but I assume that budget is not really one of your concerns, so that is good. The major strengths of Splunk include: flexibility, late-binding schema (with the option to normalize with Common Information Model), ease of validation (everything is a search), speed of implementation (fast time to value), robust command set (you can do ANYTHING and it is FUN), the BEST documentation in all of tech, the most helpful community in all of tech, and an ever-broadening end-to-end ecosystem of features and products to feed the beast (although admittedly, as upsells).

Depending on your goals in designing and implementing this resource, whatever you are choosing should deliver its best, if configured properly. https://www.itcentralstation.com/products/comparisons/rsa-netwitness-logs-and-packets-rsa-siem_vs_splunk should give you an insight into the top 2 personal choices, and apps I've worked with: RSA NetWitness and Splunk. Having a history with both leads me to recommend RSA NW from the stability point of view. A broad discussion is listed in this topic and it is a must to answer those questions before deciding to pursue any step further. https://www.itcentralstation.com/questions/what-questions-should-i-ask-before-buying-siem

Thank you,

I think you are missing the point here. Many SIEM solutions will give you similar abilities, however, odds are that just one SIEM will perfectly fit your needs. Are you interested in NOC capabilities (device monitoring) or just security logs? Will you send flows to the SIEM? How many people are in your security team? How many servers/networks/devices... will be monitored? Answer that first, and you'll get the perfect recommendation.

We need to understand SIEM from 2-3 dimensions:

- Features [Real-time Security Monitoring, Threat Intelligence, Data and End User Monitoring, Application Monitoring, Analytics, Log Management & Reporting, Deployment & Support Simplicity, Implementation Flexibility]
- Extensibility
- Price

The best solution depends on lots of factors. How large is the team, how large is the budget, will it be on-prem or cloud-based?

We would recommend exploring Exabeam (offers a cloud-based deployment which could be very compelling) or CI Security (https://ci.security/), a managed service offering. We are assuming your team is likely resource constrained and needs a solution that meets all of your requirements, but also is simpler to deploy and can be managed with a smaller team. If you're interested in learning more about the solution space, I recently delivered a SIEM comparative analysis for a customer that I'd be willing to share. Please feel free to reach out if this is of interest and we can determine the best way to connect directly.

My experience with SIEM is limited to LogRhythm only, and it is surely recommended as it complies with all of the customer's main requirements, and is ranked 4th in the Gartner ranking for the SIEM market.

Dear Team,

Thanks for reaching out to me.

Almost all SIEM solutions do the same task if properly configured.

The point here is whether they want to go open source or premium.

Here the trick is that if they want to go for open source, first they need an expert team who are good at managing the infra in every aspect, because if any issue arises they will not get any support from the company.

For a premium SIEM solution they just need a team who should have basic knowledge of incident response and threat hunting. For any technical challenges the company will assist 24 * 7.

I hope this suffices.

Ashok Kumar

As per my understanding, Splunk SIEM is best.

I would recommend the use of Splunk with the AI/ML and a configuration management tool like Ansible; by doing so you will get the best outcome, as it will act as SIEM and SOAR, plus you can use them in other areas to help boost your business.

If your environment is complex and you're trading information with people on a fairly open basis, but it needs to be secure, then you should consider QRadar. It has functionality none of the other SIEM solutions come close to offering. The state-of-the-art behavior analytics that are available with QRadar are pretty world-class. Also, its functionality in adapting to log sources is unmatched. Add to that the ability to correlate point-in-time log events with things happening over time using time series data, and you have the best in breed, especially for sensitive government information.
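The correlation the answer above describes, a point-in-time log event set against a metric observed over time, as an added example in Python. It is not QRadar's code and not the answer author's; the per-minute failure series, the audit events and the threshold parameters are all constructed, and the baseline uses median and MAD so that the first minutes of a spike do not inflate the threshold for the minutes that follow:

```python
"""
Correlating point-in-time events with a time-series baseline (constructed example).

An event that is benign on its own (an account is created) becomes worth
investigating when it lands inside a window where a metric on the same host
(SSH failures per minute) departs from its baseline. Every value below is constructed.
"""
from statistics import median
from typing import Iterable

# Constructed: SSH authentication failures per minute on one host, minutes 0..29.
FAILURES_PER_MINUTE = [
    2, 3, 2, 4, 3, 2, 3, 3, 2, 4,
    3, 2, 3, 4, 2, 3, 2, 3, 3, 2,
    3, 2, 4, 3, 2, 45, 60, 38, 4, 3,
]

# Constructed: discrete audit events on the same host, keyed by minute.
POINT_EVENTS = [
    {"minute": 5,  "type": "account.created",   "subject": "jdoe"},
    {"minute": 12, "type": "config.changed",    "subject": "sshd_config"},
    {"minute": 26, "type": "account.created",   "subject": "svc_backup2"},
    {"minute": 29, "type": "privilege.granted", "subject": "svc_backup2"},
]

MAD_SCALE = 1.4826   # scales MAD to be comparable with a standard deviation


def robust_threshold(history: list[int], k: float, floor: float = 1.0) -> float:
    """Median + k * scaled MAD of the history. A robust statistic is used so
    that anomalous minutes already in the window do not mask the next one."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med + k * max(MAD_SCALE * mad, floor)


def anomalous_minutes(series: list[int], window: int = 10, k: float = 3.0) -> set[int]:
    """Minutes whose count exceeds the threshold derived from the preceding window."""
    flagged = set()
    for minute in range(window, len(series)):
        history = series[minute - window:minute]   # strictly before this minute
        if series[minute] > robust_threshold(history, k):
            flagged.add(minute)
    return flagged


def correlate(events: Iterable[dict], series: list[int], window: int = 10,
              k: float = 3.0, tolerance: int = 2) -> list[dict]:
    """Return events that occur during, or within `tolerance` minutes after,
    an anomalous minute; each hit is annotated with the minute that triggered it."""
    spikes = sorted(anomalous_minutes(series, window, k))
    hits = []
    for ev in events:
        trigger = next((a for a in spikes if a <= ev["minute"] <= a + tolerance), None)
        if trigger is not None:
            hits.append({**ev, "spike_minute": trigger, "spike_count": series[trigger]})
    return hits


if __name__ == "__main__":
    print("anomalous minutes:", sorted(anomalous_minutes(FAILURES_PER_MINUTE)))
    for hit in correlate(POINT_EVENTS, FAILURES_PER_MINUTE):
        print(f"minute {hit['minute']:>2} {hit['type']:<18} {hit['subject']:<12} "
              f"during failure spike at minute {hit['spike_minute']} ({hit['spike_count']}/min)")
```

With a mean/standard-deviation baseline the third spike minute (38 failures) would pass unflagged, because the 45 and 60 already in the window push the threshold above it; the median/MAD baseline keeps all three flagged, and the account creation and privilege grant for the same subject fall inside that window while the earlier, routine account creation does not.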

The best solution I have worked with for several customers is IBM QRadar. We just set up a cyber center delivering this kind of service as a SaaS solution in the USA.

We use both AlienVault and FortiSIEM (formerly AccelOps) and in both cases use a managed security services provider to monitor and maintain. Our chief concern was ease of use and cost. While we really appreciated AlienVault, they were acquired by AT&T towards the end of 2018 and we were concerned about how costs would escalate.
I would not expect a SIEM or a managed SIEM service to respond and help you recover from a cyberattack; I would look for a managed SOC service for that, and most would include a SIEM service as part of that.

I would recommend AlienVault.

The best tool on the market today is Splunk. Referring to explorative search, ease of administration and scalability, there is nothing comparable.
The only possible threshold is that you need to buy the license; it's not freeware.
