In the field of computer security, Security Information and Event Management (SIEM) software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by network hardware and applications. (Wikipedia)
When attackers compromise the perimeter, or are already operating from within, you need to know. Evidence of intruders and insider threats lies in network communications: network-based threats can be detected with real-time network monitoring and big-data analytics, and investigations move faster when incident responders have access to rich network forensics data.
Many companies approach better security the way some people approach better fitness. They spend a lot of money on a Security Information and Event Management (SIEM) product, much as people buy an expensive health club membership. But if the company does not follow through and actually use the SIEM properly, it will fail. The same is true of people and health clubs: paying is just the first step and no guarantee of results.
Comparison with SOC
- A Security Operations Center (SOC) is a department within a company, or often an outsourced service, that performs (among other things) configuration management and change management of security devices such as firewalls, IDS/IPS, VPN, SIEM and AV. It also performs security incident response and monitors near-real-time logs with the help of SIEM tools. A SOC may have separate teams with different reporting lines for device management and for monitoring, to avoid conflicts of interest, depending on contract or legal requirements.
- A Security Information and Event Management (SIEM) tool is the correlation tool through which the SOC monitors those near-real-time logs. If working properly, it records qualified events and raises an alert whenever there is an incident. Integrated with other tools, it can also open tickets in the local ticketing system and send email or SMS notifications. The tool can be tuned to your requirements.
Security Information and Event Management (SIEM) is about looking at your network through a larger lens than any single security control or information source can provide. For example:
- Your asset management system only sees applications, business processes and administrative contacts.
- Your network intrusion detection system (IDS) only understands packets, protocols and IP addresses.
- Your endpoint security system only sees files, usernames and hosts.
- Your service logs show user sessions, database transactions and configuration changes.
- File integrity monitoring (FIM) systems only see changes to files and registry settings.
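To show what correlating those partial views buys, and the alert-on-incident behaviour described in the SOC/SIEM comparison above, here is an added Python example written for this page; it is not code from any product named on it. It ingests constructed log lines from an IDS, an endpoint agent, a FIM agent and a service log, normalizes them into one schema, maps the IDS's destination IPs to host names through a constructed asset inventory, and raises one incident per host only when an IDS alert is followed within a time window by activity from at least two other sources on that host. Weighting the result by asset criticality is what turns a packet-level alert into "exploit chain against the billing database, owned by finance IT". The host names, addresses, log formats, ten-minute window and scoring thresholds are all assumptions made for the example.

```python
import shlex
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

WINDOW = timedelta(minutes=10)  # assumed correlation window, chosen for the example

# Constructed asset inventory (hypothetical hosts, RFC 1918 addresses).
# It is the only source here that knows business context: application, owner, criticality.
ASSETS: Dict[str, dict] = {
    "db01":    {"ip": "10.0.1.20", "app": "billing-db",  "owner": "finance-it", "criticality": 5},
    "web03":   {"ip": "10.0.2.30", "app": "intranet",    "owner": "web-team",   "criticality": 3},
    "kiosk07": {"ip": "10.0.9.44", "app": "lobby-kiosk", "owner": "facilities", "criticality": 1},
}
IP_TO_HOST = {a["ip"]: h for h, a in ASSETS.items()}


@dataclass
class Event:
    """Common schema every source is normalized into."""
    ts: datetime
    source: str   # ids | endpoint | fim | service
    host: str
    kind: str
    detail: str


@dataclass
class Incident:
    host: str
    app: str
    owner: str
    score: int
    severity: str
    evidence: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Event]:
    """Normalize one constructed '<ts> <source> k=v ...' line.
    Each source keeps its own vocabulary; only the IDS line has to be mapped
    from a destination IP to a host name via the inventory."""
    ts_s, source, *kv = shlex.split(line)
    f = dict(p.split("=", 1) for p in kv)
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
    if source == "ids":
        host = IP_TO_HOST.get(f.get("dst", ""))
        if host is None:  # traffic to an unknown asset cannot be correlated by host
            return None
        return Event(ts, source, host, "ids_alert", f"{f['sig']} from {f['src']}")
    if source == "endpoint":
        return Event(ts, source, f["host"], f["event"], f"{f['user']} ran {f['image']}")
    if source == "fim":
        return Event(ts, source, f["host"], "file_changed", f"{f['path']} {f['action']}")
    if source == "service":
        return Event(ts, source, f["host"], f["action"], f"{f['user']} on {f['db']}")
    return None


def correlate(lines: List[str], window: timedelta = WINDOW) -> List[Incident]:
    """Rule: an IDS alert against a host, followed within `window` by activity from
    at least two *other* sources on the same host. Score = (sources involved) x
    (asset criticality), so the same chain on a kiosk and on the billing DB differ."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e.ts)
    incidents: List[Incident] = []
    seen_hosts = set()  # one incident per host, not one per repeated IDS alert
    for trigger in (e for e in events if e.source == "ids"):
        if trigger.host in seen_hosts:
            continue
        chain = [e for e in events
                 if e.host == trigger.host and e.source != "ids"
                 and trigger.ts <= e.ts <= trigger.ts + window]
        sources = {e.source for e in chain}
        if len(sources) < 2:
            continue
        seen_hosts.add(trigger.host)
        asset = ASSETS[trigger.host]
        score = (1 + len(sources)) * asset["criticality"]
        severity = "critical" if score >= 12 else "high" if score >= 6 else "low"
        evidence = [f"{e.ts:%H:%M:%S} {e.source}: {e.detail}" for e in [trigger] + chain]
        incidents.append(Incident(trigger.host, asset["app"], asset["owner"], score, severity, evidence))
    return incidents


# Constructed sample input; not the output of any real product.
SAMPLE_LOGS = [
    '2024-05-01T10:00:05Z ids sig="SQL injection attempt" src=203.0.113.9 dst=10.0.1.20 dport=1433',
    '2024-05-01T10:00:07Z ids sig="SQL injection attempt" src=203.0.113.9 dst=10.0.9.44 dport=80',
    '2024-05-01T10:00:09Z ids sig="SQL injection attempt" src=203.0.113.9 dst=10.0.2.30 dport=443',
    '2024-05-01T10:01:00Z ids sig="Port scan" src=198.51.100.7 dst=192.0.2.5 dport=22',
    '2024-05-01T10:03:10Z endpoint host=db01 user=svc_backup event=process_start image=/bin/sh',
    '2024-05-01T10:04:20Z fim host=db01 path=/etc/cron.d/backup action=modified',
    '2024-05-01T10:05:00Z service host=db01 db=billing user=svc_backup action=config_change',
    '2024-05-01T12:30:00Z fim host=web03 path=/var/www/index.html action=modified',
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS):
        print(f"[{inc.severity}] {inc.host} ({inc.app}, owner {inc.owner}) score={inc.score}")
        for line in inc.evidence:
            print("   ", line)
```

Run on the sample, only db01 produces an incident: the same IDS signature fired against the kiosk and the intranet server, but the kiosk saw no follow-up and the web server's file change came hours outside the window, so neither view alone would have ranked db01 above the others. The IDS alert to 192.0.2.5 is dropped at parse time because no inventory entry exists for it, which in practice is itself worth a low-priority alert about inventory coverage.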
Now to the comparison.
This SIEM comparison takes a look at the SIEM market and sets the main products side by side. According to Gartner, the leaders in this space are still the following products (in no particular order):
1. HP ArcSight
2. Intel Security
3. IBM QRadar
4. Splunk SIEM
In the post below we try to give detailed explanations of the strengths and weaknesses of these SIEM products as evaluated in 2016. Finally, we provide a scorecard for the products based on various capabilities.
HP ArcSight: Since 2014, ArcSight has come a long way, adding quite a few features that have added to its strengths. Connector load balancing, for example, was a welcome addition after several years of being requested. The weakness list, however, is still the same: what frustrates users most is that the web architecture for administration and management is not as mature as the thick client.
IBM QRadar: Since 2014, QRadar has held its pole position in product ratings and evaluations. There have been no major product announcements after QVM (QRadar Vulnerability Manager) and Incident Forensics other than the IBM App Exchange (a Splunk app-store style approach to extensions and plugins). While QRadar's strong points still hold, weaknesses have started to crop up around operational efficiency and reliability.
Intel Security: This is one product that underwhelms when it comes to realizing its true potential. It checks all the boxes required for monitoring, with ADM, DAM, DPI, ATD and so on. However, the real problem with the erstwhile Nitro product has always been stability and management overhead. Two years later the strengths have no doubt increased, but the weaknesses still remain around reliability.
Splunk: This is one of the products that has gone through several changes in the past two years. Splunk has expanded its capabilities significantly in the “App for Enterprise” space, with predefined security indicators, dashboards and visualizations, and has improved its support for packet capture and analysis. With the purchase of Caspida, behavior analytics capabilities will come into Splunk. While the strengths column has grown, the weakness column remains the same.
LogRhythm: The new and upcoming unified SIEM player LogRhythm has come a long way from its humble beginnings. In the past two years LogRhythm has added several new features, including incident response and case management workflow, a centralized evidence locker, collaboration tools, risk-based profiling, and behavioral analytics that identify statistical anomalies in network, user and device activity. Combined with ease of deployment and competitive pricing, this has opened the leaders' quadrant up to some exciting shake-up. Let's take a look at the strengths and weaknesses of LogRhythm.
No evaluation is complete without a scorecard, so we have consolidated feedback from various sources and produced a weighted score for the five SIEM products reviewed above.
Based on this year's review of SIEM products, we feel innovation in the SIEM space has plateaued. Next-generation security analytics and big-data technologies are slowly becoming mainstream, relegating SIEM purchases to a more compliance-driven initiative.
Please share your thoughts on how you would rate the various SIEM products. For more, see the Gartner SIEM Magic Quadrant research and the reports from Forrester, KuppingerCole, Chaordix, G2crowd, Whalepath and others.
References: Infosecnirvana.com, Gartner, Wikipedia