SIEM Comparison

Hello Experts - I'm curious if anyone has any side-by-side SIEM comparison data?  The more comparison data the better.  For example, a head-to-head comparison between McAfee's ESM SIEM and IBM's qRadar SIEM.  Any input is greatly appreciated! Trying to gather as much research as possible on what would be the best most cost effective solution to go with.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
In fact, I suggest you check out Gartner (esp from Anton Chuvakin's blog and also the magic quadrant) and to explore those comparison. The evaluation criteria shared in this can be a starter in deriving your comparison baseline. This scope can include
Deployment and Support Simplicity
Real-Time Event Data Collection
Event Normalization and Taxonomy
Scalable Architecture and Deployment Flexibility
Real-Time Monitoring
Log Management and Compliance Reporting
User Activity and Application Monitoring
Analytics and Behavior Profiling
Threat Intelligence
In specific to comparing McAfee ESM and QRadar, you can also check out this "101" from Actually these two contender is quite comparable already as they are not new kid on the block. You can check out this sharing too. In short, just to share below some salient points (to my best knowledge since technology can advanced pretty fast for these leaders)

QRadar - It has strong integration using netflow, deep packet inspection and the typical log event with its behaviour analysis. Kind of automating the key events that the tier 1 and 2 can triage further rather than just dumping a whole list f events. Also the threat feeds from Xforce is an advantage on top of other analytical integration into IBM infosphere and visualisation suite. But the user account based on role to facilitate escalation triggers in a workflow fashion will need more granularity.

McAfee ESM -  Strong in being multi-facet as its has segregated its component even into application and database monitor besides the usual log monitoring which is highly dependent on the source native audit features to be enabled and be well configured. It has also been rated to enable high event rate to stay scalable if device source increase per site esp for MNC.. However, probably the overall correlation flexibility to statistical generation in helping user to triage and navigate through can be further enhanced for timely response. Also for custom parser which can be important fare fairly alright only in term of simplicity compared to others that can be already in build or easily created. Of course if the existing provider is an all McAfee based site, then ESM may be easily integrated to the deployment to augment the vulnerability management for greater actionable outcomes.

Just some other thoughts to share. Eventually we need to define clear objective why SIEMS is required e.g. threat use case to address. Its scope will lead us to better utilised and tune it according to our needs and not just another "buy" that is not maximising its worth. There are many direct and indirect factor in maximising SIEMS use to achieve value outcomes. Just to list some for info.
(a) not well configured leading to noise,  
(b) even hardened leading to inadvertent misconfiguration and no accountability,
(c) not scalable architecture and sizing for SIEM capacity with vague EPS (event per second metric),
(d) having many SIEMS ruleset to capture any events (including application's non security related event),
(e) no specific actions specified to act on each surfaced event,
(f) always tuning and high customisation to capture different threat scenarios which is counter productive,
(g) lacking in team competency to operationalise as part of their existing SOP for incident handling,
(h) collection did not factor many log format type, and log source from device are passive and not silent most of time

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
itsmevicAuthor Commented:
Fantastic.  Thank you.
Naomi GoldbergCommented:
You can read real user reviews for all the major SIEM solutions on IT Central Station:

Users interested in this topic also read reviews for LogRhythm. This Information Security Analyst wrote that LogRhythm "brought all of our devices into one area, so I am able to understand and manage all of our devices and understand what is going on with an individual device." Read his full review here:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Security

From novice to tech pro — start learning today.