tim_ferrill
Contributing Writer

SIEM buyer’s guide: Top 15 security information and event management tools — and how to choose

Security information and event management tools are a core part of most companies’ cyber defenses. This guide will help you find SIEM options that best match your needs.


Security information and event management (SIEM) is a blue-collar tool for network security professionals. There’s nothing remotely glamorous about auditing, reviewing, and managing event logs, but it’s one of the more important aspects of building a secure enterprise network. In an industry increasingly driven by automation and AI, deep contextual data is a foundational component in a modern security stack.

Due to the nature of event logs, they are often a secondary attack surface for malicious users looking to obfuscate their activity and cover their tracks. SIEM tools often provide an additional layer of protection for your event logs by offloading them to a server or service purpose-built for the task, giving a means to prevent editing or deletion, and even creating backup copies.

In this buyer’s guide

  • What to look for in a SIEM tool
  • How much to pay for SIEM
  • Leading security information and event management (SIEM) vendors

Selecting the right SIEM tool for your business

Selecting the right SIEM product will not only aid in monitoring business-critical systems and services, but also inform authentication systems, aid threat detection, and provide context to SOAR platforms.

Cloud or on-premises?

Most of the modern SIEM solutions have moved to a SaaS model to iterate and add features more quickly. The endless capacity of the cloud also makes it easier for vendors to integrate machine learning capabilities, which require large quantities of reference data before they can identify anomalous behavior. The consensus is that SaaS has made SIEM better.

Nonetheless, some businesses need to keep SIEM on premises, typically because they need to abide by regulations that stipulate log or related data reside on local infrastructure. A handful of options still enable customers to deploy SIEM entirely on prem, including some solid open-source solutions.

Analytics capabilities

An SIEM solution is only as good as the information you can get out of it. Gathering all the log and event data from your infrastructure has no value unless it can help you identify problems and make educated decisions. Today, in most cases, the analytics capabilities of SIEM systems include machine learning to help identify anomalous behavior in real time and provide a more accurate early warning system that prompts you to take a closer look at potential attacks or even new application or network errors.

Your SIEM analytics needs will depend on a variety of factors: What sort of systems are you monitoring? What skill sets do you have available to build dashboards and reports or to perform investigations? Do you have an existing investment in an analytics platform that you want to leverage? Each of these questions can help narrow down your platform options.

If you have no existing solutions or skills in place to drive the decision, your best bet may be to pursue SIEM solutions with an extensive dashboard library or managed services to help you build what’s best for you.

Log ingestion

Another practical consideration involves ingestion, or how your data is consumed by your SIEM. Often software agents extract log and event data from servers and workstations while network hardware and cloud applications may send event data directly to the SIEM through an integration or an API.

One basic issue is whether the SIEM can properly identify key information from your events right out of the gate. Ideally, your SIEM should be mature enough to parse event data from most common systems with high fidelity and without customization, separating out key details such as dates, event levels, and affected systems or users. You should also look for a SIEM that lets you tune how event data is processed after it has been captured, so you can remedy situations in which your log entries aren’t being parsed properly.

Configuring alerts

The primary reason to have a modern SIEM is for sophisticated real-time monitoring of your systems. But that has little value unless a human is monitoring the system for alerts or notifications (in the form of emails, text messages, or push notifications to mobile devices).

The problem with alerts and notifications, as any email user knows, is keeping the volume manageable. If users receive too many notifications, they will either disable them or ignore them. If too few, critical threats may be missed. Look for flexibility in configuring alerts, including rules, thresholds (e.g., the system was down for 15 minutes, or there were 20 errors per minute for 10 minutes), and alert methods (SMS, email, push notifications, and webhooks).
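As an added example (not code from the article or any vendor), the two steps described under Log ingestion and Configuring alerts in working form: a parser that pulls the timestamp, host, and level out of raw lines and counts what it cannot parse, plus a threshold rule that fires once when a host logs 20 or more errors per minute for 10 consecutive minutes. The line format and the sample lines are constructed for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Line format assumed for this example (constructed, not any vendor's format):
#   "<ISO timestamp> <host> <program>[<pid>]: <LEVEL> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<prog>[^\[\s:]+)(?:\[\d+\])?:\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$"
)

def parse_line(line):
    """Pull the key fields (timestamp, host, level) out of one raw line; None if it does not fit."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # caller counts these: silently dropped lines are a blind spot, not noise
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event

def error_rate_alerts(events, per_minute=20, minutes=10):
    """One alert per host whose ERROR count reaches `per_minute` for `minutes` consecutive minutes."""
    buckets = defaultdict(Counter)  # host -> Counter keyed by minute
    for e in events:
        if e["level"] == "ERROR":
            buckets[e["host"]][e["ts"].replace(second=0)] += 1
    alerts = []
    for host, counts in buckets.items():
        streak, minute, last = 0, min(counts), max(counts)
        while minute <= last:  # walk every minute so a quiet minute breaks the streak
            streak = streak + 1 if counts[minute] >= per_minute else 0
            if streak == minutes:
                alerts.append({"host": host, "start": minute - timedelta(minutes=minutes - 1), "end": minute})
                streak = 0  # one sustained burst yields one alert, not one per extra minute
            minute += timedelta(minutes=1)
    return alerts

def build_sample_lines():
    """Constructed sample: web01 exceeds the threshold for exactly 10 minutes, db01 never does."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    for minute in range(12):
        n = 25 if 1 <= minute <= 10 else 5
        for i in range(n):
            t = base + timedelta(minutes=minute, seconds=i)
            lines.append(f"{t.isoformat()} web01 nginx[1234]: ERROR upstream timed out")
        for i in range(3):
            t = base + timedelta(minutes=minute, seconds=i)
            lines.append(f"{t.isoformat()} db01 postgres[77]: ERROR connection reset by peer")
        lines.append(f"{(base + timedelta(minutes=minute)).isoformat()} web01 nginx[1234]: INFO health check ok")
    lines.append("malformed line the collector forwarded without a timestamp")
    return lines

def run(lines):
    """Parse raw lines, keep a count of what failed to parse, and evaluate the threshold rule."""
    events, unparsed = [], 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed += 1
        else:
            events.append(event)
    return error_rate_alerts(events), unparsed

if __name__ == "__main__":
    alerts, unparsed = run(build_sample_lines())
    print(f"unparsed lines: {unparsed}; alerts: {alerts}")
```

The unparsed count is the check a practitioner wants alongside the alert: a rule that never fires because the lines never parsed looks identical to a quiet network.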

Role-based access

For large enterprises with diverse business segments, multiple application teams, or dispersed geographic locations, role-based access control (RBAC) is imperative. Providing admins, developers, and analysts access to just the log events they need is not only a matter of convenience, but also a requirement of the principle of least privilege and, in some industries, of certain regulatory mandates.

The events captured by a SIEM often provide a deep level of detail on application and service functionality, or even on how devices on your network are configured. Gaining illicit access to this event data can benefit malicious actors looking to infiltrate your systems, the same way thieves benefit from casing a target before a heist. Limiting user access to SIEM event data is a best practice for one reason: it limits the impact of a compromised account and ultimately helps protect your network as a whole.

Regulatory compliance

Many industry regulations — such as HIPAA or Department of Defense Security Technical Implementation Guides (STIGs), to name just two — not only require the use of an SIEM or a similar utility, but also specify how the solution should be configured. Study the relevant requirements for your organization in detail. Things to look for include retention periods, encryption requirements (for both data in transit and data at rest), digital signatures (to ensure event data is not modified in any way), and reporting obligations. Also keep in mind that most compliance regimens include an audit or reporting element, so make sure your SIEM solution can spit out the appropriate documentation or reports to satisfy auditors.

Event correlation

Perhaps the biggest reason to implement SIEM is the ability to correlate logs from disparate (and/or integrated) systems into a single view. For example, a single application on your network could be made up of various components such as a database, an application server, and the application itself. The SIEM should be able to consume log events from each of these components, even if they are distributed across multiple hosts, and correlate those events into a single stream. This enables you to see how events within one component led to events within another component.

The same principle applies to an enterprise network. In many cases, correlated event logs can be employed to identify suspicious privilege escalation or to track an attack as it impacts various segments of the network. This broad view has become increasingly relevant as organizations move to the cloud or implement container-based infrastructure such as Kubernetes.
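As an added example (not the article's or any vendor's code), the correlation this section describes: already-normalized events from three components on three hosts are merged into one time-ordered stream per user, and a rule over that stream flags the escalation pattern the paragraph mentions (repeated failed logins, then a success, then a privilege grant on a different component). The event schema, field names, and sample events are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalized events as a SIEM holds them after parsing.
# jdoe shows the suspicious sequence across web01, app01 and db01; asmith is routine admin work.
EVENTS = [
    {"ts": "2024-05-01T10:00:01", "component": "app", "host": "web01", "user": "jdoe", "action": "login_failed"},
    {"ts": "2024-05-01T10:00:07", "component": "app", "host": "web01", "user": "jdoe", "action": "login_failed"},
    {"ts": "2024-05-01T10:00:12", "component": "app", "host": "web01", "user": "jdoe", "action": "login_failed"},
    {"ts": "2024-05-01T10:00:20", "component": "app", "host": "web01", "user": "jdoe", "action": "login_success"},
    {"ts": "2024-05-01T10:02:45", "component": "appserver", "host": "app01", "user": "jdoe", "action": "session_started"},
    {"ts": "2024-05-01T10:03:10", "component": "database", "host": "db01", "user": "jdoe", "action": "privilege_granted"},
    {"ts": "2024-05-01T10:01:00", "component": "app", "host": "web01", "user": "asmith", "action": "login_failed"},
    {"ts": "2024-05-01T10:01:30", "component": "app", "host": "web01", "user": "asmith", "action": "login_success"},
    {"ts": "2024-05-01T10:05:00", "component": "database", "host": "db01", "user": "asmith", "action": "privilege_granted"},
]

def merge_streams(events):
    """Correlate events from every component and host into one time-ordered stream per user."""
    streams = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        streams[e["user"]].append(e)
    return dict(streams)

def find_escalation_chains(events, min_failures=3, window=timedelta(minutes=15)):
    """Report users whose merged stream shows >= min_failures failed logins, then a success,
    then a privilege grant (on any component or host), all inside `window`."""
    findings = []
    for user, stream in merge_streams(events).items():
        failures, success = [], None
        for e in stream:
            t = datetime.fromisoformat(e["ts"])
            failures = [f for f in failures if t - f["t"] <= window]  # age out old failures
            if e["action"] == "login_failed":
                failures.append({"t": t, "e": e})
                success = None  # a new failure after a success restarts the pattern
            elif e["action"] == "login_success":
                success = {"t": t, "e": e} if len(failures) >= min_failures else None
            elif e["action"] == "privilege_granted" and success and t - success["t"] <= window:
                chain = [f["e"] for f in failures] + [success["e"], e]
                findings.append({
                    "user": user,
                    "hosts": sorted({c["host"] for c in chain}),
                    "chain": [(c["ts"], c["component"], c["host"], c["action"]) for c in chain],
                })
                failures, success = [], None  # report each sustained chain once
    return findings

if __name__ == "__main__":
    for finding in find_escalation_chains(EVENTS):
        print(f"user {finding['user']} across {finding['hosts']}:")
        for ts, component, host, action in finding["chain"]:
            print(f"  {ts} {component:<10} {host:<6} {action}")
```

Seen in any one component's log, each of these events is unremarkable; only the merged stream shows that the failures on web01 led to the grant on db01.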

SIEM ecosystems

SIEM depends on connecting with other systems from a variety of vendors. Of course, there are data exchange standards, from text-based log files to protocols such as Simple Network Management Protocol (SNMP) or syslog. If the SIEM can integrate directly (or through plugins) with other systems, that makes things much easier. A SIEM with a robust, mature ecosystem enables you to enhance such features as event collection, analysis, alerting, and automation.

In addition to the system enhancements to be had through an SIEM ecosystem, there are other business benefits to be considered. For example, a mature SIEM will often create demand for training, drive community-based support, and even help streamline the hiring process.

Interaction via API

An ecosystem offering extensibility is great, but it will not meet all the diverse needs of every business. If your business involves software development, and particularly if your company has invested time and effort in devops, the ability to interact with your SIEM programmatically can make a huge difference. Rather than spending development time on logging capability for the sake of security or debugging, the SIEM can ingest, correlate, and analyze event data from your custom code.

Do I need AI-enhanced SIEM?

SIEM would seem like a tailor-made use case for AI-backed analysis, and vendors aren’t shy about implementing AI-based features. Generally, these features are centered around analysis and alerting, but this means much more than reports. AI-enabled SIEM systems can integrate with immense cloud data feeds from a variety of vendors and sources, knowledge that can be leveraged to build deep context into your event data without lifting a finger. This context is essential to triaging events, identifying attack chains, and putting together a plan for incident response. Do keep in mind that the AI question may be tied to the cloud or on-prem question. On-prem offerings have the potential to support your needs with AI but may require those workloads to be farmed out to cloud services.

How much to pay for SIEM

SIEM is not an area where you want to tighten your purse strings too much. Cost is a factor in your SIEM decision, of course, but calculating it involves nuance. You also don’t want to be caught in a situation where you cut corners to save money on your SIEM only to end up as the victim of an attack that could’ve been prevented.

SIEM platforms offered as a cloud service are almost always offered by subscription. But your bill may include usage charges, such as event data volume or the number of endpoints being monitored. There are well-respected SIEM platforms available for free under an open-source license, but be aware of hidden costs such as support, and make sure the solution meets all your business needs.

The bottom line: Once you’ve narrowed down your SIEM candidates to those that have the features you need, compare in detail the subscription and usage charges you’re likely to incur. If you prefer a more expensive offering, consider how you might be able to gain efficiency or scale back a little.

Leading security information and event management (SIEM) vendors

There are multiple SIEM solutions on the market, so to help you begin your research, we’ve highlighted the following 15 products.

Datadog

Datadog brings a mature suite of SIEM tools and features to the table, including everything from event ingestion to analytics and alerting. Datadog adds context automatically using history and industry intelligence. From log events, Datadog offers actionable workflows that follow predefined response plans, allowing less technical users to initiate threat response rather than requiring a security engineer to evaluate each event.

Datadog’s analysis tools display event data with a variety of visualizations, including time-series charts and flowcharts. Investigations and threat hunting can be triggered from individual log events with the click of a button. Datadog offers more than 800 integrations and 350 prebuilt detection rules to jump-start your roll-out.

Elastic Logstash

Elastic does not offer a true SIEM platform (if PCI compliance is a requirement for your organization, you’ll need to look elsewhere), but Logstash allows for log events from a wide array of sources to be parsed and handled using its Elastic Stack platform. Elastic offers tools such as Beats to move data, Elasticsearch to facilitate parsing large amounts of data, and Kibana to handle visualizations and analysis.

Logstash might be the most flexible of the tools on this list, but it comes with a couple of key concerns. Elastic’s Stack platform is incredibly powerful, but it’s largely built for a devops world, and expectations should be set accordingly. On the other hand, the entirety of the Elastic Stack platform is open source software, making it incredibly cheap to put through its paces. For customers looking for enterprise support or assistance in getting their solution set up, Elastic offers services for either scenario.

Exabeam LogRhythm SIEM

Exabeam has long been a major provider in the SIEM space, as has LogRhythm, but the joining of forces is a relatively new development. Exabeam LogRhythm SIEM brings more than 1,000 external data streams, 1,100 correlation rules, and a wide ecosystem of plugins and prebuilt compliance frameworks to bring to bear from Day One. This existing logic brings massive value to your security stack with a minimal amount of effort or training on your part.

In addition to providing tools and integrated data sets for compiling, aggregating, and analyzing your event logs, Exabeam offers SOAR tools for handling incident responses. Exabeam LogRhythm offers options for assigning incidents to personnel and tracking status updates as the incidents are worked. Incident Responder also leverages workflow-based playbooks, both automatic and customized, which define the steps that should be taken for different types of incidents as well as potential opportunities for automation and integration with other systems.

Fortinet FortiSIEM

Fortinet offers a diverse range of network appliances and services, with FortiSIEM as its SIEM solution. FortiSIEM has asset discovery and role-based access in either an on-premises deployment using a hardware or virtual appliance, or within Amazon Web Services (AWS).

FortiSIEM is built to integrate, both in terms of gathering events and automating event response. The FortiSIEM Remediation Library offers built-in scripts that can be used against devices and systems from a variety of vendors to perform remediation steps such as disabling a switch port or Active Directory account. FortiSIEM also uses user and entity behavior analytics (UEBA) and more than 3,000 correlation rules appropriate for both traditional IT and operational technology (OT) environments, making it a very flexible solution with a minimal amount of customization.

Huntress Managed SIEM

Huntress is quickly becoming one of the big names in the security space, and its managed SIEM solution is a solid representative of what a modern SIEM should be. Log events are captured, ingested, analyzed, and filtered to help your security team focus on the events that actually matter to your business. As a managed service, Huntress employs analysts and security engineers to do the heavy lifting for you, freeing up your internal staff to handle incident response and service restoration.

IBM QRadar SIEM

IBM has long been a leader in the enterprise software arena, and it’s fair to expect its QRadar SIEM platform to be able to handle large data sets and the myriad features needed in an enterprise event management solution. QRadar’s support for more than 500 integrations and a built-in analytics engine are what you’ve come to expect from an IBM software product.

IBM’s AI Watson can be used against your event logs using IBM QRadar Advisor with Watson. Advisor allows your security team to focus on anomalous behavior without having to manually identify trends. Watson Advisor also incorporates new threat intel from external sources to identify zero-day attacks.

LevelBlue Unified Security Management

Being a partnership between AT&T and WillJam Ventures (an investor with cybersecurity history), LevelBlue is uniquely positioned to cater to the security needs of the enterprise. The LevelBlue Unified Security Management (USM) platform provides tools to monitor, analyze, and manage your system events across a wide range of systems. Adding your system components and recognizing new candidates for inclusion is facilitated through asset discovery and inventory.

LevelBlue USM is more than just a SIEM solution. In addition to monitoring and managing your event logs, the platform provides tools for both vulnerability assessment and intrusion detection (both network- and host-based), adding value for customers who might not have these capabilities in place. LevelBlue also offers open source security information and event management (OSSIM), which, as the name suggests, is an open-source SIEM that gives you a subset of the tools available in the full USM suite.

LogPoint

LogPoint uses UEBA as its threat modeling and machine learning offering. UEBA enables customers to get up and running quickly without having to create or modify extensive rulesets. LogPoint supports translation of event messages, enabling your global security team to operate in their native language. LogPoint also correlates events to the MITRE ATT&CK framework and major regulatory frameworks such as GDPR and various industry-specific compliance standards.

To streamline adoption, LogPoint offers canned dashboards to monitor access management, incident management, and perimeter security.

Microsoft Sentinel

Microsoft is undeniably a major provider in the information security space, and Microsoft Sentinel is its SIEM solution. Poised to ingest, correlate, and analyze events from both on-prem resources and those in the cloud, Sentinel integrates tightly with Microsoft’s suite of tools, but also fully supports workloads hosted in other cloud or on-prem environments.

A recent development with Microsoft Sentinel is the availability of Microsoft Security Copilot. Microsoft Security Copilot allows you to perform analysis and investigate incidents using queries based on natural language.

OpenText ArcSight Enterprise Security Manager

OpenText’s ArcSight Enterprise Security Manager (ESM) is a full-featured solution that checks all the boxes of an enterprise SIEM. ArcSight ESM supports a range of integrations and customization options, allowing security analysts to perform incident response from a single pane of glass. ArcSight’s Marketplace enables you to leverage new dashboards, reports, or correlation rules with minimal fuss.

ArcSight ESM supports workflow-based automation, allowing analysts to quickly correlate events, reference them in a case, and respond or escalate as necessary. Each action taken can be audited and reported on to maintain service-level agreement (SLA) compliance and track response time. Integrations with third-party systems allow users to begin remediation, such as disabling ports or accounts, and rule sets can even be created to automate these steps.

RSA NetWitness

RSA NetWitness SIEM has many of the features necessary in an enterprise-level SIEM, including UEBA, automation tools, and architecture flexibility (support for hardware and virtual appliances, software-based options, or cloud deployments). In addition, RSA NetWitness includes the ability to add context from both your business and threat intelligence to incidents based on the asset or user being impacted through integrations with RSA Archer and SecurID.

Encrypted or encoded event data or web traffic can be difficult to incorporate into your SIEM. RSA NetWitness uses a variety of techniques, including decryption, decompression, and entropy measurement, to surface this information and bring it into your SIEM workflow. This visibility into encrypted traffic can be the difference in determining whether the traffic is malicious or legitimate in nature.

SentinelOne Singularity AI SIEM

SentinelOne has built itself into a huge contender in the information security space through innovation and feature delivery, and its Singularity AI SIEM is a case in point. With Singularity AI SIEM, SentinelOne is looking to modernize your SIEM by an order of magnitude, using modern techniques to scale security operations through efficient ingestion and filtering, robust analytics, and intuitive, resilient automation. SentinelOne Singularity SIEM of course integrates tightly with other solutions in SentinelOne’s portfolio, namely the SentinelOne Singularity Data Lake and its endpoint and XDR platforms.

SolarWinds Security Event Manager

SolarWinds is a familiar name to many IT pros, as it has long used a set of free tools and aggressive marketing to earn a place in many small to medium-sized IT shops. SolarWinds Security Event Manager, its SIEM solution, offers tools to detect and investigate threats, analyze and audit events, and even automate remediation steps.

Security Event Manager does not offer machine-learning-based analytics or the same level of integration with third-party systems you can expect from the enterprise grade tools in this list. SolarWinds does offer USB device monitoring, designed to mitigate the risks posed by USB flash drives to your network, and offers an impressive array of compliance reporting to meet any applicable government or industry standards.

Splunk

Splunk might well be the most well-known entry in this list and is the standard against which SIEM platforms are judged. Splunk offers two versions of its platform:

  • Splunk Enterprise may be installed on premises as a server application on a variety of Unix or Windows operating systems, or as a Docker container application.
  • Splunk Cloud allows you to realize the benefits of Splunk in a SaaS environment, minimizing infrastructure and maintenance requirements.

Both platform versions support customizable dashboards and reporting, anomaly detection, and a high degree of access control.

Perhaps Splunk’s biggest selling point is Splunkbase, its app store for the Splunk platform. Splunkbase apps can run on either Splunk Enterprise or Splunk Cloud, and add third-party integrations, analytics, or automation capabilities.

Trellix Enterprise Security Manager

Trellix Enterprise Security Manager (ESM) is designed to provide analysts with the information critical to beginning the triage and incident response process. Events are evaluated in the context of related log entries, and ESM guides users through the preliminary investigative steps using actionable alerts.

Flexibility in architecture and integration is a key strength of Trellix ESM. ESM is available as both physical and virtual appliances in a range of sizes, with virtual appliances supporting a wide array of hypervisors and cloud platforms. Trellix offers content packs that enable monitoring and alerts for specific use cases or partner platforms, and integration partnerships with more than a dozen third-party vendors make ESM incredibly extensible.
