What is Security Information and Event Management Software?
Security Information and Event Management (SIEM) Software is a category of security software concerned with collating log and event data. A SIEM gives security analysts a more comprehensive view of security logs and events than would be possible by looking at the log files of individual point security tools. SIEM tools allow security analysts to gather and analyze logs and events from operating systems, applications, servers, network and security devices, intrusion management systems, etc.
SIEM is a management layer sitting on top of existing systems and security controls that unifies data from these disparate systems. It allows these systems to be analyzed and cross-referenced from a single user interface.
SIEM tools have recently extended their capabilities to more frequently include analytics functions. These automated analytics run in the background to proactively identify possible security breaches within businesses’ systems. SIEM software providers are refining the balance between quickly identifying breaches and flooding IT administrators with false positives. As these analytics functions become more standard, some SIEM vendors are pairing the traditional log collection with threat detection and response automation.
SIEM Features & Capabilities
Centralized event and log data collation
Log data correlation
Event and log normalization
Integration with identity and access management tools
Custom dashboards and views
Host and network-based intrusion detection
Type of Data Collected
SIEM software generally collects data as log files. Log management products were created many years ago to collect the large volumes of logs created by the various systems in a large enterprise data center. A large data center can produce terabytes of plain text log files. The volume is such that it is extremely difficult to consume the data.
SIEM systems are designed to correlate a subset of the most important data in order to highlight the most critical events. Unfortunately, the myriad operating systems, applications and servers all produce log files in slightly different human-readable formats, and these have to be normalized into a machine-readable format that the SIEM can understand and parse.
One of the most difficult aspects of deriving value from a SIEM is tuning the system: correlation rules must be loose enough to catch all possible attacks yet tight enough not to produce a flood of false positives, which quickly becomes unmanageable for analysts.
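The normalization and rule-tuning problems described above, as an added example that is not part of the original page: two constructed log formats (a BSD-syslog sshd line and a key=value web-application line, neither taken from a real product) are mapped onto one schema, and a single "repeated login failures per source" correlation rule is run twice with different thresholds to show how a looser rule picks up extra, probably benign, sources. The year prepended to syslog timestamps is an assumption, since that format carries none.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample lines in two formats: BSD-syslog sshd and key=value from a web app.
RAW_LOGS = [
    "Mar 10 12:00:01 host1 sshd[100]: Failed password for root from 10.0.0.5 port 4000 ssh2",
    "Mar 10 12:00:05 host1 sshd[101]: Failed password for root from 10.0.0.5 port 4001 ssh2",
    "Mar 10 12:00:30 host1 sshd[103]: Accepted password for alice from 10.0.0.9 port 5000 ssh2",
    "ts=2024-03-10T12:00:02Z app=portal event=login_failed user=bob src=10.0.0.5",
    "ts=2024-03-10T12:01:00Z app=portal event=login_failed user=bob src=10.0.0.7",
    "ts=2024-03-10T12:04:30Z app=portal event=login_failed user=bob src=10.0.0.7",
]
SYSLOG_YEAR = 2024  # assumption: BSD syslog timestamps carry no year
SSHD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")

def normalize(line):
    """Map one raw line of either format onto a common schema; None if unrecognised."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        outcome = "failure" if m["outcome"] == "Failed" else "success"
        return {"ts": ts, "src": m["src"], "user": m["user"], "outcome": outcome}
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if kv.get("event") in ("login_failed", "login_ok"):
        ts = datetime.strptime(kv["ts"], "%Y-%m-%dT%H:%M:%SZ")
        outcome = "failure" if kv["event"] == "login_failed" else "success"
        return {"ts": ts, "src": kv["src"], "user": kv["user"], "outcome": outcome}
    return None

def correlate(events, threshold, window_seconds):
    """Rule: flag a source IP with >= threshold failed logins inside any window_seconds span."""
    failures = defaultdict(list)
    for e in events:
        if e and e["outcome"] == "failure":
            failures[e["src"]].append(e["ts"])
    alerts = {}
    for src, times in failures.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[src] = best
    return alerts

def run(threshold, window_seconds, lines=RAW_LOGS):
    """Normalize every line, then apply the correlation rule; returns {src: failure_count}."""
    return correlate([normalize(l) for l in lines], threshold, window_seconds)
```

`run(3, 60)` flags only the burst from 10.0.0.5, while `run(2, 600)` also flags 10.0.0.7's two failures three and a half minutes apart, the kind of slow user mistake that a loose rule turns into a false positive.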
When comparing Security Information and Event Management tools, consider these factors:
Support for existing security systems: Does each SIEM tool in question support log inputs from the business’s preexisting security and monitoring systems? Most SIEMs will advertise compatibility with hundreds of business systems, but few if any will support every tool available. Create a list of the systems the organization already uses that the SIEM tool will need to integrate with. Then match that list specifically against each product’s advertised support list.
Data collation and formatting vs. log generation: Do the business’s systems generate their own logs for the SIEM to import, or does the tool need to do more of the work of ingesting and formatting the raw data output from those systems? Understanding the business’s existing systems’ capabilities will help determine whether a viable SIEM has to include the ability to generate its own logs based on suboptimal data exports from systems that don’t generate logs on their own.
Traditional SIEM vs. additional threat response: While many leading SIEM tools have added on various threat detection and response features, this functionality is not universal. Businesses should consider whether they need a specific point solution for log collation and management and use other tools for threat detection and response, or if there are benefits to the organization to combine these capabilities into one product.
Pricing for SIEM software can vary widely from about $5k to over $100k, depending largely on the quantity of events and logs being monitored. In addition to software expense, the total cost of ownership will include maintenance, professional services, hardware, personnel, and training.