What is SIEM?
Security information and event management refers to a device and environmental analysis strategy that is intended to help secure and protect company operations, data and personnel. By providing a comprehensive analysis of security-related details and related recommendations, SIEM tools assist by ensuring compliance and remediating potential or active threats.
What is a SIEM tool?
A SIEM tool analyzes and helps prevent or respond to active security events, usually from a centrally managed console that provides a top-level view into your environment. The comprehensive layers of SIEM software assess end-user systems, servers, network devices, active traffic, resource utilization — everything that entails technological operations, either on premises or remote.
This level of deep protection usually comes at a hefty cost. Companies should consider investments in SIEM software as preventative measures to reduce the risk of further investments in the wake of data or security breaches to remediate attacks, settle lawsuits or pay damages.
SEE: 4 ways companies can increase their cybersecurity (TechRepublic Premium)
There’s no shortage of quality security solutions to choose from – here are 10 of the best SIEM software products. Note that where the information was available, I identify the applicable platforms related to each product.
How do SIEM tools work?
The primary focus of SIEM tools involves device logging capabilities that record activities, access, changes, traffic, resource utilization – everything a device does whether on its own or through user manipulation. These tools gather all aspects of what’s occurring in an environment and present the analysis of what is happening as well as what needs to happen to IT personnel.
Best SIEM software
SolarWinds Security Event Manager (SEM) is a comprehensive security platform that provides a diverse array of protection mechanisms. Highly focused on log aggregation and threat detection (which can be automated to help remediate incidents behind the scenes), SEM provides powerful dashboards to indicate the state of company security at a glance. There are detailed reports available to satisfy compliance requirements and numerous prebuilt connectors to pull data from sources.
A file integrity checker can track access and changes made to files and folders to detect unauthorized or malicious activity. SEM allows you to leverage data encryption, single sign-on and smart card authorization, and powerful control mechanisms to restrict access from IPs, block applications and deny access to removable media such as USB flash drives.
SolarWinds offers a handy guide to 62 specific use cases for SEM.
I’ve worked with SolarWinds networking tools and can attest to the quality and capability put into them. On that vein, SEM is particularly strong with network-related events to maintain security, but it’s also excellent at analyzing per-host activities, such as logons, privilege usage and registry alterations.
You can download a free trial.
Platforms: Windows, Linux and Mac
Price: SolarWinds says the subscription price starts at $2,369, and the perpetual price at $5,144. You can obtain a quote here.
I’ve worked with Splunk log monitoring and can attest to the efficacy of their efforts, which are built upon here to offer diverse security monitoring. I’ve relied upon Splunk not just for security-related event notifications but to identify resource bottlenecks, failing hardware, capacity issues and just about any other potential technological warning or event out there.
Splunk’s focus entails events and triggers that respond to logged situations with customized response patterns. At-a-glance details involving individual hosts is one of its superior capabilities — I’ve found it particularly handy in analyzing long-term graphs to see what a standalone host or hypervisor has been up to and where additional capacity or resources are needed.
The product is free for one user with a limit of 500MB per day. You can find the trial version here.
Platforms: Windows, Linux and Mac
Price: The enterprise license will cost $6,000 for 500MB per day for a perpetual license. The term license is also available for $2,000 per year. Splunk recommends contacting it directly for pricing details.
I have a special fondness for Datadog products because they’re very customizable, comprehensive and just plain fun, due to their unique level of applicability. Datadog Security Monitoring doesn’t disappoint in any of those categories, either. Datadog is relied upon by tech giants such as Samsung and Comcast for SIEM protection.
It’s easy to see at a glance what’s happening with all sources being analyzed:
Over 350 detection rules and more than 500 integrations with log sources provide full visibility into security operations. The product has three modes: free, which provides collection and visualization features for up to five hosts (and is basically a demo version), pro and enterprise.
The pro version offers the same as the free version, on a per-host licensing basis, as well as unlimited alerts, containing monitoring (10 per host), custom metrics (100 per host), custom events (500 per host) and single sign-on with SAML as well as outlier detection.
The enterprise version includes the same as the pro except with more container monitoring, custom metrics and custom events (20 per hosts / 200 / 1,000, respectively) as well as automated insights, correlations, anomaly detection, forecast monitoring, live process and advanced administrative tools.
You can download a free trial.
Platforms: Windows, Linux and Mac
Price: The pro version costs $15 per host per month, and the enterprise version is $23 per host per month.
LogRhythm’s strength and focus is based upon AI and automation features. Reporting based on queries is easy to configure and the product integrates well with a broad array of security and technological solutions. A “top log source” and “top impacted hosts” segment of the dashboard makes it easy to see where company priorities and concerns lie, and a bird’s-eye global map view can pinpoint where hosts are being impacted and to what extent.
Integration with third-party platforms is one of the key assets of LogRhythm, and the product offers support for many popular cloud services.
Price: Pricing begins at $28,000, but LogRhythm recommends contacting it directly for a quote.
RSA, well known for its multifactor soft and hard token authentication products, has a strong footprint in the overall security community, and its NetWitness SIEM tool exemplifies that.
Geared more for large businesses with versions that work both on-premises and via cloud-based means, NetWitness monitors for actionable events and utilizes behavior analytics to observe hacker activity as well as recreating full sessions to observe the precise anatomy of an attack. Intelligence feeds based on your own customizable information can help track and remain focused on key operations. That being said, the learning curve and the implementation efforts can be steep, but the user documentation is extensive.
You can download a free trial here.
Price: Pricing starts at $857 per node per month, but RSA recommends contacting it directly for a quote.
QRadar is based on IBM’s Cloud Pak for Security and is strong on the use of AI to provide risk assessments as well as offering analytics for risk modeling, which can simulate potential attacks in order to gain insights into how to prevent or remediate them. Workflows can help triage events utilizing shared input and insights.
The appliance utilized by QRadar offers varying degrees of capability depending on price level and selection, handling thousands of events per second and tens of thousands of flows per minute across a rugged amount of available storage.
While QRadar is one of the most complete solutions featured here, it could use more work on integration into other SIEM products.
You can obtain a free trial here.
Price: IBM estimates a per node monthly cost of $2,340-$2,808 but recommends contacting it directly for a quote.
McAfee is a familiar name in the security space and its SIEM offering is Active Directory-based, which means it is well suited for Windows environments with a strong focus on endpoint, but it also features strong cloud support with tie-ins to AWS, Office 365, Azure and more. The management console is cloud-based, and the client software has been described as compact, meaning it doesn’t consume excessive resources.
McAfee also supports 430 data sources and the company adds new connectors monthly. Scalability is easy to achieve, though automation capabilities may not be as extensive as some of the other competitors listed here. One feature well-loved by users is the integration with identity and access management tools.
You can get a free trial here.
Platforms: Windows Linux and Mac
Price: While you’ll find a baseline price of $61,194.90 on websecurityworks.com, McAfee recommends contacting it directly for a quote.
AlienVault Unified Security Management platform, also known as USM, is good at discovering assets and gathering data about running services, users, operating systems and hardware information. It specializes in focusing on “assets,” which are any devices in the environment that it can detect and protect.
The essentials version is the most basic option and provides 15 days of searchable real-time events, along with asset discovery and inventory, vulnerability assessments, intrusion detection, SIEM event correlation, incident / endpoint detection and response, log management, compliance reports and email alerts, and it’s federation-ready.
The standard version offers all of the elements of the essentials version along with 30 days of searchable real-time events and adds on an integrated ticketing and alerting function, orchestration with security tools, automated incident response and forensics, Dark Web monitoring, and support for higher data volumes.
The premium version offers all the elements of the standard version along with 90 days of searchable real-time events, and it adds support for PCI log storage requirements and enhanced support case response times.
You can find a free trial here.
Price: The essentials version starts at $1,075 per month. The standard starts at $1,695 per month and the premium at $2,595. All plans are based on annual billing.
The last two products we’ll look at are managed service providers in the SIEM space and included here to represent the benefit of letting another organization manage your SIEM priorities.
SolarWinds Threat Monitor (TM) is an SIEM tool that detects and responds to network threats via log management capabilities. It differs from SolarWinds SEM in that it’s a singularly focused product, whereas SEM is more of a broad-based Swiss army knife, and it relies upon threat monitoring service providers (TMSPs) to do the backend work of implementing and deploying the product.
It’s up to the customer to perform the actual remediation, with guidance from the TMSP, which offers a regularly updated global threat database to help provide the roadmap for response in the event of security incidents, whether real or potential.
A common use case scenario involves TM being used by a solutions provider to help protect clients from threats and vulnerabilities. It also comes in handy to help businesses plan how to improve their environment based on findings or potential liabilities.
You can find a free trial here.
Price: Pricing starts at $3,000 per year for 10 log sources.
The UnderDefense Managed SIEM has 5 stars from Gartner due to its strengths in security monitoring, compliance and audit, incident response and penetration testing. Offering powerful and robust services, UnderDefense can operate either in fully managed or co-managed mode. The first option requires your organization to remediate events based on the findings provided, and the second option entails active investigation and remediation work on the part of UnderDefense to address issues and threats, both potential and active.
Price: UnderDefense has not publicly released this data. The company recommends contacting it directly for a quote.
How to pick the SIEM software that’s right for you
Every one of the products outlined here offers quality security protection and would be of value to any organization — and every organization needs some level of log-based real-time security analysis to help prevent and detect threats.
Making the right choice when selecting SIEM software is going to depend on company priorities, company requirements (specifically related to compliance) budget, level of IT expertise and level of IT availability to assess and handle threats. If money is no object and tech staff isn’t able or willing to roll up its sleeves and tackle security risks, a managed SIEM like UnderDefense may be the way to go. If company budgets are less robust and in-house talent and time are copious, SolarWinds SEM, Datadog, McAfee or AlienVault would be among my choices.
Since product trials for all 10 options are available, companies seeking to implement SIEM software should pick two or three that seem the best fit and develop a proof-of-concept test mechanism to identify what constitutes a successful SIEM implementation as well as weekly, monthly and yearly deliverables in terms of protection, reporting, alerting and long-term data analysis. Make sure the proof of concept factors in training and documentation for both end users and IT staff, covering how to work with and administer the product.
End users should be encouraged to report any locally detected threats, but proper alerting mechanisms should also ensure that IT staff receives the same notifications; there should be no dependency on users informing staff something is afoot.
SEE: 5 types of cybersecurity tools every admin should know (TechRepublic)
When it comes to support options, I recommend getting the lowest possible response / resolution times via service level agreement, or SLA, from the vendor or an applicable third party. Even companies that choose to remediate their own issues should ensure that they have comprehensive support resources to do so, to obtain advice from the vendor as rapidly as possible.
Be sure to keep in mind that all log-based SIEM tools, regardless of vendor, have one dependency: Logs must be analyzed for the tool to work. If logging is turned off, hard drives fill up, network connectivity prevents data analysis or any other factor interferes, the tool loses its value. Mechanisms should be put in place independent of the SIEM tools in case they are compromised to detect issues with logging and alert the responsible personnel.