SIEM Comparison

Posted on 2014-12-02
Medium Priority
Last Modified: 2016-03-28
Hello Experts - I'm curious if anyone has any side-by-side SIEM comparison data? The more comparison data the better. For example, a head-to-head comparison between McAfee's ESM SIEM and IBM's QRadar SIEM. Any input is greatly appreciated! Trying to gather as much research as possible on what would be the best, most cost-effective solution to go with.
Question by:itsmevic
LVL 64

Accepted Solution

btan earned 2000 total points
ID: 40477916
In fact, I suggest you check out Gartner (esp. Anton Chuvakin's blog and also the Magic Quadrant) and infosecnirvana.com to explore those comparisons. The evaluation criteria shared there can be a starter in deriving your comparison baseline. This scope can include:
Deployment and Support Simplicity
Real-Time Event Data Collection
Event Normalization and Taxonomy
Scalable Architecture and Deployment Flexibility
Real-Time Monitoring
Log Management and Compliance Reporting
User Activity and Application Monitoring
Analytics and Behavior Profiling
Threat Intelligence
Specifically on comparing McAfee ESM and QRadar, you can also check out this "101" from infosecnirvana.com. Actually these two contenders are quite comparable already, as they are not new kids on the block. You can check out this sharing too. In short, just to share below some salient points (to my best knowledge, since technology can advance pretty fast for these leaders):

QRadar - It has strong integration using NetFlow, deep packet inspection and the typical log events with its behaviour analysis. It kind of automates the key events that tier 1 and 2 can triage further, rather than just dumping a whole list of events. Also the threat feeds from X-Force are an advantage on top of other analytical integration into IBM InfoSphere and the visualisation suite. But the role-based user accounts to facilitate escalation triggers in a workflow fashion will need more granularity.

McAfee ESM - Strong in being multi-faceted, as it has segregated its components even into application and database monitors besides the usual log monitoring, which is highly dependent on the source's native audit features being enabled and well configured. It has also been rated to handle a high event rate and stay scalable if device sources increase per site, esp. for MNCs. However, the overall correlation flexibility and statistical generation in helping users to triage and navigate through can probably be further enhanced for timely response. Also, custom parsers, which can be important, fare fairly alright only in terms of simplicity compared to others that are already built in or easily created. Of course, if the existing site is an all-McAfee deployment, then ESM may be easily integrated to augment the vulnerability management for greater actionable outcomes.

Just some other thoughts to share. Eventually we need to define a clear objective for why a SIEM is required, e.g. the threat use cases to address. Its scope will lead us to better utilise and tune it according to our needs, and not just another "buy" that is not maximising its worth. There are many direct and indirect factors in maximising SIEM use to achieve value outcomes. Just to list some for info:
(a) not well configured, leading to noise,
(b) even when hardened, leading to inadvertent misconfiguration and no accountability,
(c) non-scalable architecture and sizing for SIEM capacity with a vague EPS (events per second) metric,
(d) having many SIEM rulesets to capture any events (including applications' non-security-related events),
(e) no specific actions specified to act on each surfaced event,
(f) always tuning and high customisation to capture different threat scenarios, which is counter-productive,
(g) lacking team competency to operationalise it as part of their existing SOP for incident handling,
(h) collection did not factor in many log format types, and log sources from devices are passive and not silent most of the time.
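As an added illustration (not from the thread) of two of the points above, normalising events from different formats into one taxonomy and measuring EPS per source instead of guessing it, the Python below parses constructed sample lines in three formats, keeps lines no parser handles visible as "unparsed", and reports the peak one-second event rate per host. The formats, field names and severity values are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines: firewall events, one sshd failure, one application
# line with no security relevance, and one line no parser knows.
SAMPLE_LOGS = [
    "2014-12-02T10:00:00Z fw01 DENY src=10.0.0.5 dst=203.0.113.7 dport=445",
    "2014-12-02T10:00:00Z fw01 DENY src=10.0.0.5 dst=203.0.113.7 dport=3389",
    "Dec  2 10:00:01 srv01 sshd[1234]: Failed password for root from 10.0.0.9 port 51022 ssh2",
    "2014-12-02T10:00:01Z fw01 ALLOW src=10.0.0.6 dst=203.0.113.8 dport=443",
    '2014-12-02T10:00:01Z app01 level=INFO msg="cache refreshed"',
    "??? garbage line with no recognisable structure",
]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=\S+ dport=\d+$")
SSH_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: Failed password for \S+ from (?P<src>\S+)")
APP_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) level=\w+ msg="[^"]*"$')
ISO = "%Y-%m-%dT%H:%M:%SZ"

def normalise(line, year=2014):
    """Map one raw line onto a common schema (ts, host, category, severity, src).
    Lines no parser matches are kept as 'unparsed' so collection gaps stay visible."""
    if m := FW_RE.match(line):
        denied = m["action"] == "DENY"
        return {"ts": datetime.strptime(m["ts"], ISO), "host": m["host"],
                "category": "network.connection." + ("denied" if denied else "allowed"),
                "severity": 3 if denied else 1, "src": m["src"]}
    if m := SSH_RE.match(line):  # syslog timestamps carry no year; the collector supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": m["host"], "category": "auth.failure", "severity": 5, "src": m["src"]}
    if m := APP_RE.match(line):  # non-security application chatter: a candidate for filtering
        return {"ts": datetime.strptime(m["ts"], ISO), "host": m["host"],
                "category": "application.info", "severity": 0, "src": None}
    return {"ts": None, "host": None, "category": "unparsed", "severity": 0, "src": None}

def peak_eps_by_host(events):
    """Highest one-second event count per host: the figure capacity sizing should use."""
    per_sec = defaultdict(Counter)
    for e in events:
        if e["ts"] is not None:
            per_sec[e["host"]][e["ts"]] += 1
    return {host: max(c.values()) for host, c in per_sec.items()}

def summarise(lines):
    """Category counts, peak EPS per host, and the share of lines no parser handled."""
    events = [normalise(line) for line in lines]
    cats = Counter(e["category"] for e in events)
    return {"categories": dict(cats), "peak_eps": peak_eps_by_host(events),
            "unparsed_ratio": cats["unparsed"] / len(events)}
```

A rising unparsed ratio is the early warning for point (h) above, and the per-host peak EPS is what to size collectors and licences against rather than an average.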

Author Closing Comment

ID: 40533571
Fantastic. Thank you.

Expert Comment

by:Naomi Goldberg
ID: 41459841
You can read real user reviews for all the major SIEM solutions on IT Central Station: https://www.itcentralstation.com/categories/security-information-and-event-management-siem.

Users interested in this topic also read reviews for LogRhythm. This Information Security Analyst wrote that LogRhythm "brought all of our devices into one area, so I am able to understand and manage all of our devices and understand what is going on with an individual device." Read his full review here: https://www.itcentralstation.com/product_reviews/logrhythm-review-36108-by-ryan-cossette.
