SIEM Comparison

Posted on 2014-12-02
Last Modified: 2016-03-28
Hello Experts - I'm curious if anyone has any side-by-side SIEM comparison data? The more comparison data the better. For example, a head-to-head comparison between McAfee's ESM SIEM and IBM's QRadar SIEM. Any input is greatly appreciated! Trying to gather as much research as possible on what would be the best, most cost-effective solution to go with.
Question by: itsmevic
Accepted Solution

btan earned 500 total points
ID: 40477916
In fact, I suggest you check out Gartner (esp. Anton Chuvakin's blog and also the Magic Quadrant) and explore those comparisons. The evaluation criteria shared there can be a starter in deriving your comparison baseline. This scope can include:
Deployment and Support Simplicity
Real-Time Event Data Collection
Event Normalization and Taxonomy
Scalable Architecture and Deployment Flexibility
Real-Time Monitoring
Log Management and Compliance Reporting
User Activity and Application Monitoring
Analytics and Behavior Profiling
Threat Intelligence
Specifically for comparing McAfee ESM and QRadar, you can also check out this "101" from ... Actually, these two contenders are quite comparable already, as they are not new kids on the block. You can check out this sharing too. In short, just to share below some salient points (to my best knowledge, since technology can advance pretty fast for these leaders):

QRadar - It has strong integration using NetFlow, deep packet inspection and the typical log events with its behaviour analysis. It kind of automates the key events that tier 1 and 2 can triage further, rather than just dumping a whole list of events. Also, the threat feeds from X-Force are an advantage on top of other analytical integration into IBM InfoSphere and the visualisation suite. But the role-based user accounts to facilitate escalation triggers in a workflow fashion will need more granularity.

McAfee ESM - Strong in being multi-faceted, as it has segregated its components even into application and database monitors besides the usual log monitoring, which is highly dependent on the source's native audit features being enabled and well configured. It has also been rated to handle a high event rate to stay scalable if device sources increase per site, esp. for MNCs. However, the overall correlation flexibility and statistical generation in helping users to triage and navigate through can probably be further enhanced for timely response. Also, the custom parser, which can be important, fares only fairly alright in terms of simplicity compared to others that are already built in or easily created. Of course, if the existing provider is an all-McAfee-based site, then ESM may be easily integrated into the deployment to augment vulnerability management for greater actionable outcomes.

Just some other thoughts to share. Eventually we need to define a clear objective for why a SIEM is required, e.g. the threat use cases to address. Its scope will lead us to better utilise and tune it according to our needs, and not just another "buy" that is not maximising its worth. There are many direct and indirect factors in maximising SIEM use to achieve value outcomes. Just to list some for info:
(a) not well configured, leading to noise,
(b) even if hardened, leading to inadvertent misconfiguration and no accountability,
(c) architecture and sizing for SIEM capacity not scalable, with a vague EPS (events per second) metric,
(d) having many SIEM rulesets to capture any events (including applications' non-security-related events),
(e) no specific actions specified to act on each surfaced event,
(f) always tuning and high customisation to capture different threat scenarios, which is counterproductive,
(g) lacking in team competency to operationalise it as part of their existing SOP for incident handling,
(h) collection did not factor in many log format types, and log sources from devices are passive and not silent most of the time.
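
As an added illustration of two of the evaluation points above (event normalization across log formats, and measuring EPS and parser coverage rather than leaving them vague), here is a small collector-side normalizer; it is example code written for this page, not part of btan's answer or of any SIEM product, and the syslog and CEF lines it consumes are constructed samples.

```python
import re
from collections import Counter

# Constructed sample events in two formats as they might arrive at a collector (not real data).
SAMPLE_LOGS = [
    "<86>Dec  2 10:15:01 fw01 sshd[4321]: Failed password for root from 192.0.2.10 port 5123 ssh2",
    "CEF:0|Vendor|Firewall|1.0|100|Connection denied|5|src=192.0.2.10 dst=198.51.100.5 dpt=22",
    "<86>Dec  2 10:15:01 fw01 sshd[4322]: Accepted password for alice from 198.51.100.7 port 5124 ssh2",
    "CEF:0|Vendor|Firewall|1.0|100|Connection denied|5|src=203.0.113.9 dst=198.51.100.5 dpt=445",
]

# BSD syslog: <PRI>timestamp host process[pid]: message
SYSLOG_RE = re.compile(r"^<(\d+)>(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\w+)\[\d+\]: (.*)$")
# CEF header: CEF:0|vendor|product|version|signature id|name|severity|extension
CEF_RE = re.compile(r"^CEF:0\|([^|]*)\|([^|]*)\|[^|]*\|([^|]*)\|([^|]*)\|(\d+)\|(.*)$")

def normalize(line):
    """Map one raw line onto a common taxonomy (host, category, outcome, src_ip, severity)."""
    m = SYSLOG_RE.match(line)
    if m:
        _pri, _ts, host, _proc, msg = m.groups()
        ip = re.search(r"from (\d+\.\d+\.\d+\.\d+)", msg)
        return {"format": "syslog", "host": host, "category": "authentication",
                "outcome": "failure" if msg.startswith("Failed") else "success",
                "src_ip": ip.group(1) if ip else None, "severity": None}
    m = CEF_RE.match(line)
    if m:
        _vendor, product, _sig_id, _name, severity, ext = m.groups()
        fields = dict(kv.split("=", 1) for kv in ext.split())  # key=value extension pairs
        return {"format": "cef", "host": product, "category": "network_deny",
                "outcome": "failure", "src_ip": fields.get("src"), "severity": int(severity)}
    return None  # unparsed lines are counted so coverage gaps (point h above) become visible

def summarize(lines, window_seconds):
    """Per-format counts, unparsed count, EPS over the window, and the busiest source IP."""
    parsed, unparsed = [], 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed += 1
        else:
            parsed.append(ev)
    by_format = Counter(ev["format"] for ev in parsed)
    by_src = Counter(ev["src_ip"] for ev in parsed if ev["src_ip"])
    return {"by_format": dict(by_format), "unparsed": unparsed,
            "eps": len(lines) / window_seconds, "top_src": by_src.most_common(1)}
```

The `unparsed` counter is the figure to watch when adding a new device type: a rising value means the collector is receiving a format it has no parser for, which is exactly the silent collection gap listed under (h).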

Author Closing Comment

ID: 40533571
Fantastic. Thank you.

Expert Comment

by: Naomi Goldberg
ID: 41459841
You can read real user reviews for all the major SIEM solutions on IT Central Station:

Users interested in this topic also read reviews for LogRhythm. This Information Security Analyst wrote that LogRhythm "brought all of our devices into one area, so I am able to understand and manage all of our devices and understand what is going on with an individual device." Read his full review here:
