Solved

SIEM Comparison

Posted on 2014-12-02
530 Views
Last Modified: 2016-03-28
Hello Experts - I'm curious if anyone has any side-by-side SIEM comparison data? The more comparison data the better. For example, a head-to-head comparison between McAfee's ESM SIEM and IBM's QRadar SIEM. Any input is greatly appreciated! Trying to gather as much research as possible on what would be the best, most cost-effective solution to go with.
Question by:itsmevic
3 Comments
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 40477916
In fact, I suggest you check out Gartner (esp. Anton Chuvakin's blog and also the Magic Quadrant) and infosecnirvana.com to explore those comparisons. The evaluation criteria shared there can be a starter in deriving your comparison baseline. This scope can include:
Deployment and Support Simplicity
Real-Time Event Data Collection
Event Normalization and Taxonomy
Scalable Architecture and Deployment Flexibility
Real-Time Monitoring
Log Management and Compliance Reporting
User Activity and Application Monitoring
Analytics and Behavior Profiling
Threat Intelligence
Specifically for comparing McAfee ESM and QRadar, you can also check out this "101" from infosecnirvana.com. Actually these two contenders are quite comparable already as they are not new kids on the block. You can check out this sharing too. In short, just to share below some salient points (to my best knowledge, since technology can advance pretty fast for these leaders):

QRadar - It has strong integration using NetFlow, deep packet inspection and the typical log event with its behaviour analysis. Kind of automating the key events that tier 1 and 2 can triage further rather than just dumping a whole list of events. Also the threat feeds from X-Force are an advantage on top of other analytical integration into IBM InfoSphere and the visualisation suite. But the user account based on role to facilitate escalation triggers in a workflow fashion will need more granularity.

McAfee ESM - Strong in being multi-faceted as it has segregated its components even into application and database monitors besides the usual log monitoring, which is highly dependent on the source's native audit features being enabled and well configured. It has also been rated to enable a high event rate to stay scalable if device sources increase per site, esp. for MNCs. However, probably the overall correlation flexibility and statistical generation in helping users to triage and navigate through can be further enhanced for timely response. Also the custom parser, which can be important, fares fairly alright only in terms of simplicity compared to others that can be already built in or easily created. Of course if the existing provider is an all-McAfee-based site, then ESM may be easily integrated into the deployment to augment the vulnerability management for greater actionable outcomes.

Just some other thoughts to share. Eventually we need to define a clear objective of why a SIEM is required, e.g. the threat use cases to address. Its scope will lead us to better utilise and tune it according to our needs and not just another "buy" that is not maximising its worth. There are many direct and indirect factors in maximising SIEM use to achieve value outcomes. Just to list some for info:
(a) not well configured, leading to noise,
(b) even when hardened, leading to inadvertent misconfiguration and no accountability,
(c) non-scalable architecture and sizing for SIEM capacity with a vague EPS (events per second) metric,
(d) having many SIEM rulesets to capture any events (including applications' non-security-related events),
(e) no specific actions specified to act on each surfaced event,
(f) always tuning and high customisation to capture different threat scenarios, which is counter-productive,
(g) lacking in team competency to operationalise it as part of their existing SOP for incident handling,
(h) collection did not factor in many log format types, and log sources from devices are passive and not silent most of the time
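Two of the pitfalls above, (c) vague EPS sizing and (h) collection that does not factor in every log format, can be made concrete with a small normaliser. The following is an added illustration, not code from the thread or from either vendor: it maps constructed syslog and JSON sample lines onto one common taxonomy, keeps count of lines no parser handles, and derives peak events per second from the parsed timestamps, which is the number a sizing exercise actually needs.

```python
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample events in two formats (not captured from any real system).
SAMPLE_LINES = [
    'Dec  2 10:15:01 host1 sshd[2201]: Failed password for root from 203.0.113.5 port 4422 ssh2',
    'Dec  2 10:15:01 host1 sshd[2201]: Failed password for root from 203.0.113.5 port 4423 ssh2',
    '{"ts":"2014-12-02T10:15:01Z","dev":"fw1","action":"deny","src":"203.0.113.5","dst":"10.0.0.8","dpt":22}',
    'Dec  2 10:15:02 host1 sshd[2202]: Accepted password for alice from 10.0.0.7 port 5100 ssh2',
    '{"ts":"2014-12-02T10:15:02Z","dev":"fw1","action":"allow","src":"10.0.0.7","dst":"10.0.0.8","dpt":22}',
    'this line is not in any known format',
]

SYSLOG_RE = re.compile(
    r'^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>\w+)\[\d+\]: (?P<msg>.*)$')
AUTH_RE = re.compile(r'^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)')

def normalize(line, year=2014):
    """Map one raw line onto a common taxonomy; return None when no parser applies."""
    m = SYSLOG_RE.match(line)
    if m:  # BSD syslog carries no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        a = AUTH_RE.match(m['msg'])
        if a:
            cat = 'auth.failure' if a['result'] == 'Failed' else 'auth.success'
            return {'ts': ts, 'source': m['host'], 'category': cat, 'src_ip': a['src'], 'user': a['user']}
        return {'ts': ts, 'source': m['host'], 'category': 'other', 'src_ip': None, 'user': None}
    if line.startswith('{'):  # hypothetical JSON firewall export
        d = json.loads(line)
        ts = datetime.strptime(d['ts'], "%Y-%m-%dT%H:%M:%SZ")
        cat = 'network.deny' if d['action'] == 'deny' else 'network.allow'
        return {'ts': ts, 'source': d['dev'], 'category': cat, 'src_ip': d['src'], 'user': None}
    return None

def ingest(lines):
    """Normalise all lines; report unparsed lines (pitfall h) and peak EPS (pitfall c)."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)   # an unparsed line is a visibility gap, not just noise
        else:
            events.append(ev)
    per_second = Counter(ev['ts'] for ev in events)
    peak_eps = max(per_second.values()) if per_second else 0
    by_cat = Counter(ev['category'] for ev in events)
    return {'events': events, 'unparsed': unparsed, 'peak_eps': peak_eps, 'by_category': dict(by_cat)}
```

Sizing on average EPS alone hides the burst that `peak_eps` exposes, and a non-empty `unparsed` list is the first thing to check before trusting any correlation rule.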
Author Closing Comment

by:itsmevic
ID: 40533571
Fantastic.  Thank you.

Expert Comment

by:Naomi Goldberg
ID: 41459841
You can read real user reviews for all the major SIEM solutions on IT Central Station: https://www.itcentralstation.com/categories/security-information-and-event-management-siem.

Users interested in this topic also read reviews for LogRhythm. This Information Security Analyst wrote that LogRhythm "brought all of our devices into one area, so I am able to understand and manage all of our devices and understand what is going on with an individual device." Read his full review here: https://www.itcentralstation.com/product_reviews/logrhythm-review-36108-by-ryan-cossette.
