Best SIEM Solution

QRadar

IBM Security offers a suite of offerings in its QRadar platform, which can be deployed as an appliance, virtual appliance, or SaaS/IaaS option. QRadar’s components can be deployed as an all-in-one solution or piecemeal. With the IBM SIEM products, organizations can collect and process log data, NetFlow data, DPI, full packet data, and behavioral analysis data.

Recent enhancements to QRadar include incident forensics support, new data storage appliances, improved query support across logs, flow data, threat intelligence, and vulnerability and asset data. In addition, historical event data can be replayed using existing correlation rules.

Among QRadar’s strengths, according to Gartner, is its ability to provide an organization with an integrated view of log and event data with network, vulnerability, asset, and threat intelligence data. The platform is also straightforward to deploy and maintain. In addition, it provides behavioral analysis capabilities for NetFlow and log events.

Gartner cautioned, however, that QRadar provides fewer granular role definitions and fewer integrations with enterprise directories for workflow assignments. What’s more, Gartner customers have reported problems with one of the platform’s components, Vulnerability Manager. Those problems include limited functionality, instability, late feature updates, and support delays.

ArcSight

HP ArcSight is one of the oldest SIEM systems in the market. The company offers two flavors of the solution: Enterprise Security Manager for large-scale deployments, and ArcSight Express, an appliance for the midmarket. Licensing is based on gigabyte usage per day.

A number of improvements were added in 2014: fully integrated, high-availability capabilities for ESM, a better web UI for ArcSight Logger, and an enhanced ArcSight Management Center to include better health monitoring and distributed management features.

ArcSight strengths identified by Gartner include a complete set of SIEM capabilities that can support a security operations center; full user behavior analytics (UBA) capabilities; a wide variety of out-of-the-box, third-party technology connectors; and integrations. ArcSight also has high visibility in the market.

Some cautions noted by Gartner included a dated client console UI and the need for more professional services during deployment. Gartner customers also found ESM more complex than competitors and cited customer service as an issue.

McAfee Enterprise Security Manager

Intel Security’s SIEM entry is McAfee Enterprise Security Manager, available as a physical, virtual, or software appliance. The product has three components—Enterprise Security Manager, Event Receiver, and Enterprise Log Manager—which can be deployed together or separately. Add-ons include a correlation engine, an event database monitor, an application data monitor, and a threat intelligence component.

Intel has enhanced its SIEM offering in recent months with support for Amazon Web Services, new dashboards for analytics and threat management, and improved case and incident management functions. Integration with other McAfee security products, such as Advanced Threat Defense and Threat Intelligence Exchange, has also been added to the enterprise product.

Gartner recommended Enterprise Security Manager for organizations already using Intel security products or those looking for an integrated security framework that includes protection for industrial control systems.

Strengths of ESM include strong out-of-the-box support for third-party devices and in-depth database and application monitoring, as well as strong support for monitoring industrial control systems. Gartner customers also reported good synergies among the McAfee products, resulting in improved performance of previously installed solutions.

On the other hand, Gartner cautioned that advanced SIEM functions often need installation of another Intel product. It added that NetFlow can be used to generate events and alerts but is not automatically used to enrich log-based events. Gartner customers also found that Version 9.4.x of the program has some stability and performance problems.

LogRhythm

LogRhythm’s SIEM product has four components: Event Manager, Log Manager, Advanced Intelligence Engine, and Console. Site Log Forwarders are available for forwarding log data from distributed networks. Local log data can also be collected by agents, which run on Linux, Unix, and Windows; the Windows agent also provides registry monitoring. Network capabilities include DPI, NetFlow monitoring, and full packet capture. The solution is offered as either an appliance or software and is aimed at midsize and large enterprises.

Recent additions to LogRhythm’s solution include new incident response and case management workflow capabilities, expanded device support for log normalization, and applications for network monitoring. The SIEM’s AI Engine has also been expanded to include risk-based profiling and behavioral analytics.

Organizations that want a SIEM solution with endpoint and network monitoring capabilities, value ease of deployment, and prefer predefined functionality to customization will find LogRhythm’s offering a good fit, Gartner said.

Gartner noted that ease of deployment is a LogRhythm strength, and that the product provides effective out-of-the-box use cases and reporting templates.

Gartner cautioned, however, that customers reported that the new reporting templates are insufficiently intuitive and that the options for alert trend reporting are limited.

Splunk

Splunk has two products, Enterprise and Cloud, for search, alerting, real-time correlation, and visualization supported by a query language. They’re used by IT and application support teams for log management, analytics, monitoring, and advanced search and correlation. The company has good visibility in the market, and Gartner noted that its solutions are often found on its customers’ short lists. Its SIEM offering can be deployed as software, in a public or private cloud, or as SaaS. Licensing is based on data volume indexed per day.

Recent upgrades to Splunk’s Enterprise product include predefined security indicators, dashboards, and visualizations. Splunk has also improved support for wire data capture and analysis and added an advanced query and pivot feature for easier access to functions previously accessible only through the Splunk query language.

Splunk has strong visualization and behavioral predictive and statistical analytics, which Gartner customers found very effective in identifying anomalous user behavior. The company also supports a large number of threat intelligence feeds from commercial and open sources.

Gartner warned organizations considering Splunk that it provides only basic support for predefined correlation for user monitoring. More advanced monitoring requires customization. It also noted that Splunk’s workflow and case management functions lag behind those of competitors and that customization or third-party solutions may be needed to bring them up to snuff.

Challengers quadrant

Companies fall into the Challengers quadrant if they have a high