Introduction
Security Information & Event Management (SIEM) vendors approach the market from different perspectives. Understand your organization's requirements for SIEM to ensure that the selected product helps achieve key goals.
This Research Is Designed For:
Executive Summary
Understand your organization's needs, potential costs, and readiness to undertake a SIEM deployment before taking the leap.
Vendor offerings target these security functions in substantially different ways, based on their SIEM product origins, integration with their broader security solutions, architectural deployment options, and specific market focus.
Map your organization's immediate and future requirements for SIEM against vendor and product capabilities, and leverage the tools and templates included in this solution set to accelerate selection of a SIEM technology.
Understand options for managed versus self-staffed SIEM implementations and their pros and cons.
Design a deployment architecture and capture additional implementation and operational costs and benefits, based on addressing your organization's specific security and compliance requirements.
Develop a plan for a phased implementation of the selected SIEM product and architecture, ensuring that you realize both short- and long-term objectives and benefits.
Info-Tech Research Group
Info-Tech Insight
Champions:
Symantec, with its balance of strong product and vendor
Value Award:
Symantec's combination of stable and committed vendor, well-rounded product, and near rock-bottom pricing earns the company the Best Overall Value Award.
Innovation Award:
NitroSecurity posted the highest score for product capabilities, and may be an appealing option for those seeking premium features and functionality to meet both compliance and event management requirements.
Sections:
Understand SIEM Trends and Considerations
Evaluate SIEM Vendors
Develop Your SIEM Implementation Strategy
Appendices
Understand SIEM Trends and Considerations
Security Information & Event Management (alternatively known as Security Incident & Event Management) technologies have evolved from point solutions into comprehensive systems that allow organizations to optimize any or all of the following important security-related functions:
Leverage central log management to simplify correlation, alerting, and reporting of security events;
Streamline compliance, incident response, and risk management processes;
Baseline threat levels and normal network security activity;
Increase efficiency and effectiveness of security and system administrators, internal and external auditors, and senior management involved in risk management;
Pursue a continuous risk management strategy, prioritizing attention to specific vulnerabilities based on observed threats across multiple control systems.
SIEM does not:
Eliminate the need for other IT security systems; rather, SIEM enhances the value of each of those tools;
Eliminate the role of security administration/operations personnel; SIEM maximizes the value of such staff;
Prevent compromises; instead, SIEM provides the cross-system visibility to identify areas of elevated risk and focus security efforts, and reduces the cost and time for incident response.
Like every tool, SIEM has limitations; expect too much and be prepared for disappointment
SIEM technology is no silver bullet, but adds value by extending visibility across existing information security and system management tools.
When clients that are using SIEM solutions were asked about their expectations for the solution, they almost universally indicated that they had very high expectations prior to deployment.
Info-Tech Insight
SIEM alone cannot eliminate similar breaches, but enhanced visibility reduces risk exposure in many ways:
Identify sophisticated attacks earlier using event data correlated across multiple systems;
Support more rapid and more thorough forensics during and after initial incident response;
Enable continuous feedback from observed threats into security and system controls to achieve optimal protection and reduce the risk of future compromises.
Deployed and operated properly, SIEM can reduce the risk and impact of catastrophic breaches.
Determine how and where SIEM will help you manage risk
Adopting the right SIEM tool depends on what risk-related focus is most important to your organization.
All SIEM tools provide log management functionality: collecting, aggregating, and normalizing log data from diverse sources. Whether the enterprise chooses to move further or not, every organization can benefit from log management.
Typically, organizations see both compliance- and event management-related benefits as SIEM is integrated into the risk management toolbox.
Many organizations take a final step, leveraging the information provided by the SIEM tool to target specific changes to (or investments in) system security and operational controls as a key component of a continuous risk management program.
SIEM maturity by risk management focus:
No SIEM
Compliance Management: compliance reporting and related log review management is done through manual processes.
Event Management: incident identification and response processes are hampered by lack of cross-system visibility.
Continuous Risk Management: prioritization of security attention across systems is nearly impossible, and may not account for cross-system risks.
Basic SIEM (Compliance or Event Focus)
Central log management optimizes the time and cost of managing key system logs, enabling greater opportunities for using such data.
Compliance Management: compliance management processes can be streamlined with predefined, scheduled, cross-system reporting.
Event Management: visibility into incidents is increased through event correlation; incident response is enhanced by alerting and forensic investigation functionality.
Advanced SIEM (Compliance and Event Focus)
Continuous Risk Management: SIEM information is used to target specific changes to, or investments in, system security and operational controls, the final step described above.
As the market evolves, so do the features you need to evaluate. Pay close attention to improving collection, aggregation, and correlation capabilities and the adoption of truly open standards for event data records.
For this Vendor Landscape, Info-Tech focused on those vendors that have a strong market presence and/or reputational presence among small to mid-sized enterprises.
ArcSight. The market leader with enterprise-focused ESM, pushing into SMB with Express.
IBM. SIEM marketed under the Tivoli umbrella; a single line focused more at the enterprise than SMB.
LogLogic. A dedicated SIEM provider with a modular platform that offers flexibility to all enterprises.
netForensics. One of the pioneers of SIEM; separate products focused at the enterprise and SMB.
NitroSecurity. The most recent entrant to the SIEM market (2007), but a company definitely on the rise.
Q1 Labs. The largest independent player remaining; QRadar anchors a capable suite of SIEM tools.
RSA. Second in market share; its enVision products target both the large (LS line) and SMB (ES line) clients.
SenSage. One of the smaller vendors in this evaluation and one still primarily focused on the large enterprise.
Symantec. The world's largest security vendor markets a single platform to all clients equally.
TriGeo. The only player dedicated to the SMB space; may single-handedly have created this end of the market.
Evaluation criteria and weightings (chart): Product evaluation covers Features, Usability, Affordability, and Architecture; Vendor evaluation covers Viability, Strategy, Reach, and Channel. The percentage weights shown in the original chart (15%, 20%, 25%, 30%, 50%) are not reproduced against their criteria here.
Vendor landscape chart plotting ArcSight, IBM, LogLogic, netForensics, NitroSecurity, Q1 Labs, RSA, SenSage, Symantec, and TriGeo (positions not reproduced).
Vendor scorecard (Harvey balls) rating ArcSight, IBM, LogLogic, netForensics, NitroSecurity, Q1 Labs, RSA, SenSage, Symantec, and TriGeo on Product criteria (Features, Usability, Price, Platform, Overall) and Vendor criteria (Viability, Strategy, Reach, Channel); individual ratings not reproduced.
For an explanation of how Info-Tech Harvey Balls are calculated, please see the appendix.
Value Index chart: vendor value scores of 100 (labelled Champion), 86, 83, 73, 69, 56, 32, 24, 23, and 8; the vendor-to-score mapping is not reproduced.
To calculate the Value Score for each vendor, the affordability raw score was backed out, the product scoring reweighted, and the affordability score multiplied by the product of the Vendor and Product scores.
Table Stakes features (descriptions from the original table not reproduced):
Basic Collection / Aggregation / Normalization (CAN)
Basic Correlation
Basic Alerting
Basic Reporting
If Table Stakes are all you need from your SIEM solution, the only true differentiator for the organization is price. Otherwise, dig deeper to find the best price and value for your needs.
Advanced Features:
Advanced Correlation
Advanced Alerting (programmable/customizable alerting responses and workflow injection)
Advanced Reporting
Forensic Analysis Support
Advanced feature coverage chart rating ArcSight, IBM, LogLogic, netForensics, NitroSecurity, Q1 Labs, RSA, SenSage, Symantec, and TriGeo on Correlation, Alerting, Reporting, Forensics, Security, and Retention; individual ratings not reproduced.
Overview
In contrast to most players in the space, Symantec positions its SIEM solution as a security tool first and compliance tool second; its integration into other product lines backs this up and makes it a good choice for the security conscious.
Strengths
Symantec offers the broadest base of deployment types (software, hardware, virtual hardware, and managed service offerings), allowing every enterprise to find a fit.
Security Information Manager is integrated into Symantec's Global Intelligence Network, meaning system configuration can be adjusted based on more than just local event data.
Challenges
Info-Tech Recommends:
A solid product at an attractive price from a company with a clear commitment to the security space; these factors make Security Information Manager a good choice for organizations with generic SIEM needs.
QRadar SIEM
Employees: 250. Headquarters: Waltham, MA. Website: Q1Labs.com. Founded: 2001. Ownership: Privately Held.
Overview
Q1 Labs is the largest independent player in the SIEM space and supplements its SIEM play with a broad suite of products to allow for comprehensive security management.
Strengths
The broadest and most comprehensive set of reporting capabilities of any product in this test; its capability is so broad that integration with third-party reporting solutions is unnecessary.
A cleanly integrated set of hierarchical products allows enterprises to grow their security management capabilities in an additive, not rip-and-replace, manner.
Challenges
As the biggest independent, and a company experiencing tremendous growth, Q1 Labs may be a target for acquisition as compliance mandates increase the demand for SIEM.
Priced between $250,000 and $500,000
Info-Tech Recommends:
Whether simple log management with the ability to grow into fully featured SIEM, or a broad-based solution that includes pre-exploit management, Q1 Labs has a solution for every need.
Overview
SenSage grew out of traditional log management and is staking its future on Open Security Intelligence, the extension of SIEM into a business-focused decision support system.
Strengths
Extremely broad correlation capabilities, coupled with Alert Player, which allows admins to replay scenario-based events, mean SenSage offers BI-like capability for security data.
SenSage, despite its size, has built a strong network of high-profile channel partners and backs them with a solid support organization.
Challenges
With a client base in the mid-hundreds, SenSage is one of the smaller players in this evaluation in terms of overall market share; increasing its client count is imperative.
Priced between $250,000 and $500,000
Info-Tech Recommends:
Organizations looking to go deeper with their security event data may well find SenSage ideal, but must be prepared to take the risk of dealing with one of the smallest vendors in the space.
NitroView ESM
Employees: Over 100. Headquarters: Portsmouth, NH. Website: NitroSecurity.com. Founded: 1999. Ownership: Privately Held.
Overview
NitroSecurity bases all of its security technology solutions on its background in massive-scale data management, meaning its solutions correlate broadly, operate quickly, and report efficiently.
Strengths
One of the most feature-rich solutions in this roundup, and one of only two solutions to offer truly comprehensive and forward-looking correlation capabilities.
Nitro falls between the pure-play SIEM providers and the broader security vendors, meaning it has good focus on the space but isn't solely reliant on SIEM sales for its revenue.
Challenges
Nitro has expanded its product portfolio to include virtual appliances, but these are currently scaled only for smaller enterprises and remote sites; increasing performance will improve applicability.
Priced between $100,000 and $250,000
Info-Tech Recommends:
With its correlation and forensic analysis capabilities, NitroView ESM can be invaluable to a security manager, though internal auditors may find its lack of external reporting integration a little limiting.
Overview
LogLogic approaches the SIEM space with a clear focus on compliance first and foremost, using its Get-See-Use philosophy to improve not just compliance, but also security and even operational performance.
Strengths
The most feature-rich solution in the round-up and the only one to fully address system configuration data as an input source. Coupled with the cleanest interface, this is the solution that delivers the most SIEM capability.
Challenges
Info-Tech Recommends:
A well-integrated line of capable products, but LogLogic's clear focus on the enterprise market may limit its appeal to smaller businesses, and the appeal of those businesses to LogLogic.
Express
Employees: 324,600 (HP as a whole). Headquarters: Palo Alto, CA. Website: ArcSight.com. Founded: 2000. Ownership: NASDAQ: HPQ. FY09 Revenue: $126B.
Overview
Recently acquired by HP to become the most valuable asset in that company's focused security strategy, ArcSight is the largest player in the SIEM space and has recently expanded its portfolio to be more applicable to the mid-market.
Strengths
An architecturally sound solution allowing for widely varying deployment models; the ability to mix and match Collectors and Loggers with a core Express device offers great flexibility.
Offers the ability to tightly correlate security events to users via IdentityView, an add-on capability that monitors user activity across all accounts, applications, and systems.
Challenges
Info-Tech Recommends:
Express represents a well-rounded solution, but one that is less exceptional than its flagship ESM; feature reduction combined with one of the highest prices limits overall appeal.
enVision
Employees: 40,000+ (EMC as a whole). Headquarters: Bedford, MA. Website: RSA.com. Founded: 1982. Ownership: NYSE: EMC. FY10 Revenue: $17B.
Overview
RSA, the security division of EMC, plots a careful course with its SIEM solution enVision, delivering just enough capability to meet market needs without pushing the envelope to drive the future of the space.
Strengths
Very broad-based collection/aggregation/normalization capabilities, coupled with strong reporting, give good coverage for both the security and the compliance conscious.
RSA has taken a holistic view of security management, and the integration of three security management platforms (SIEM, DLP, eGRC) is visionary.
Challenges
Info-Tech Recommends:
The integration of enVision with RSA's DLP and eGRC solutions underlines the company's efforts to become the security management provider; current RSA clients will benefit from those synergies.
Tivoli SIEM
Employees: 400,000. Headquarters: Armonk, NY. Website: IBM.com. Founded: 1911. Ownership: NYSE: IBM. FY10 Revenue: $95.8B.
Overview
IBM is a truly global player in almost every aspect of Information Technology. Its security management solutions sit under its Tivoli systems management umbrella.
Strengths
Management of Tivoli SIEM is through the common Tivoli admin interface; those familiar with the Tivoli suite will find the learning curve remarkably flat.
Tivoli SIEM is IBM's integrated solution for basic SIM, SEM, and log management; advanced SEM/SOC functionality is available in Tivoli Security Operations Manager (TSOM).
Challenges
Correlation capabilities in Tivoli SIEM are so minimal that it is almost a stretch to label them as such; events from different sources cannot be linked to create analysis patterns.
Priced between $250,000 and $500,000
Info-Tech Recommends:
Overview
netForensics is one of the pioneers of the SIEM space, having first come on the scene in 1999. Since then a significant number of players have entered the market, and many have surpassed netForensics in capability and market share.
Strengths
netForensics is exclusively focused on the SIEM space, a position it reinforced by acquiring High Tower Software and with it the Cinxi (later Cinxi One) product line.
Challenges
Info-Tech Recommends:
netForensics declined to brief for this review and available product details are limited, so a detailed recommendation cannot be made at this time.
Overview
TriGeo is the only SIEM solution provider targeting the mid-market specifically; its turn-key, appliance-based approach has defined mid-market SIEM and led most other players to release competitive solutions.
Strengths
TriGeo SIEM is the only product truly built for the mid-market; this is not some enterprise-grade solution that has been trimmed of capability and shoe-horned into a smaller box. It may not offer the same complexity as many competing solutions, but it offers unmatched efficiency and ease of operations.
Challenges
SIEM, though clearly of value to the mid-market, has traditionally been an enterprise play, and the lack of products for that space has limited TriGeo's size and reach.
*TriGeo's rankings were affected by its inability to provide Info-Tech with pricing for the SIEM solution.
Info-Tech Recommends:
TriGeo declined to brief for this review and available product details are limited, so a detailed recommendation cannot be made at this time.
Scenario chart (Management of Security Events, Reduction of Compliance Complexity, Enhancement of Overall Risk Management; vendors ranked on a 1-4 scale as Viable or Adequate Performers; placements not reproduced).
Scenario chart (Management of Security Events, Reduction of Compliance Complexity, Enhancement of Overall Risk Management; vendors ranked on a 1-4 scale as Exemplary, Viable, or Adequate Performers; placements not reproduced).
Ensure the reduction of enterprise risk by bringing broad-based collection, aggregation, and response abilities to bear
The broadest possible feature-functionality is required for true Risk Reduction.
Scenario chart (Management of Security Events, Reduction of Compliance Complexity, Enhancement of Overall Risk Management; vendors ranked on a 1-4 scale as Exemplary, Viable, or Adequate Performers; placements not reproduced).
Issue an RFP to ensure that SIEM vendors fit your needs, and not the other way around
Use Info-Tech's Security Information & Event Management RFP Template to conduct this critical step in your vendor selection process.
Info-Tech's SIEM RFP Template is populated with critical elements, including:
The Statement of Work
Proposal Preparation Instructions
Scope of Work
Functional Requirements
Technical Specifications
Operations & Support
Sizing & Implementation
Vendor Qualifications & References
Budget & Estimated Pricing
Vendor Certification
To get the most value out of the RFP process, use the SIEM RFP Scoring Tool
A standard and transparent process for scoring individual vendor RFP responses will help ensure that internal team biases are minimized.
Use Info-Tech's SIEM RFP Scoring Tool to:
Evaluate RFP Responses: the Security Information & Event Management RFP Scoring Tool is pre-built with essential criteria complementing the SIEM RFP Template from the previous slide.
Accelerate Procurement: use the tool to drive the meeting with your procurement department.
Stay attuned to the tone from the top, and grow use of the SIEM tool methodically.
Platform options (pros and cons table): Hardware Appliance, Virtual Appliance, Software-only Solutions; the table's pro and con entries are not reproduced.
Regardless of the platform selection, don't forget to plan for log data backup to meet regulatory and internal policy requirements.
Logging rates, or the number of log records that the system can process, are measured in events or messages per second (EPS or MPS):
Collectors must be sized to handle the peak number of events per second, or risk losing critical log records.
Peak EPS requirements for a SIEM solution are determined by summing the peak logging rates of all source devices. Though it is unlikely that all devices will hit peak rates simultaneously, this provides the capacity to handle elevated logging demands from extraordinary events such as denial of service attacks and malware outbreaks.
All SIEM solutions perform some level of log file compression, typically ranging between a 20- to 40-fold reduction in log file sizes.
Total storage capacity requirements can be calculated by summing the average daily log file size of each source device, multiplying by the required retention period, and dividing by the SIEM compression rate.
Some SIEM solutions allow retention periods to be defined by device (or group of devices), while others establish a single, default retention period.
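The two sizing calculations above, worked through in Python as an added example; this is not Info-Tech's sizing tool and not any vendor's calculator. The device inventory is constructed for illustration and its per-device rates, record sizes, and retention periods are assumptions; it is built so that the summed peak comes to 5000 EPS, the same peak the appendix scenario specifies. Daily volume is derived from sustained average EPS times average record size, which is an assumption about how the "average daily log file size" is obtained, and the per-group versus single-default retention cases are both computed so the cost of the second can be seen.

```python
"""SIEM sizing: collector peak EPS and retained storage.

Added example for the sizing rules on this page; not Info-Tech's tool and
not any vendor's calculator. The inventory figures below are constructed
assumptions, not data from the page or from any real environment.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

SECONDS_PER_DAY = 86_400
# The page gives 20- to 40-fold compression; plan against the conservative end.
COMPRESSION_CONSERVATIVE = 20
COMPRESSION_OPTIMISTIC = 40


@dataclass(frozen=True)
class SourceGroup:
    name: str
    count: int            # devices in this group
    peak_eps: int         # peak events/second per device (assumed)
    avg_eps: int          # sustained average events/second per device (assumed)
    avg_event_bytes: int  # raw size of one log record in bytes (assumed)
    retention_days: int   # retention this group needs (assumed)


# Constructed inventory (hypothetical). Peaks sum to 5000 EPS on purpose,
# matching the peak logging volume stated in the appendix scenario.
INVENTORY = [
    SourceGroup("perimeter firewalls", 2, 1000, 200, 250, 365),
    SourceGroup("domain controllers", 4, 250, 50, 600, 365),
    SourceGroup("Windows servers", 100, 10, 2, 500, 90),
    SourceGroup("database servers", 10, 50, 10, 400, 365),
    SourceGroup("switches and routers", 50, 10, 1, 200, 90),
]


def peak_eps(groups: Iterable[SourceGroup]) -> int:
    """Collector sizing basis: the sum of every device's peak rate.

    Summing peaks assumes all sources burst at once. The page treats that
    as deliberate headroom for DoS attacks and malware outbreaks, which is
    exactly when a collector sized to the average starts dropping records.
    """
    return sum(g.count * g.peak_eps for g in groups)


def collector_has_capacity(groups: Iterable[SourceGroup], rated_eps: int) -> bool:
    """True if a collector rated for `rated_eps` covers the summed peak."""
    return rated_eps >= peak_eps(groups)


def daily_raw_bytes(group: SourceGroup) -> int:
    """Average uncompressed log volume per day for one group.

    Derived here from sustained EPS x record size; if the SIEM reports a
    measured average daily file size per device, use that figure instead.
    """
    return group.count * group.avg_eps * group.avg_event_bytes * SECONDS_PER_DAY


def retained_bytes(groups: Iterable[SourceGroup], compression: int,
                   default_retention_days: Optional[int] = None) -> float:
    """Storage after compression for the required retention.

    With default_retention_days=None each group keeps its own period
    (per-device retention). Passing a number models a product that only
    supports a single default period, which must then be the longest
    period that any group requires.
    """
    total = 0
    for g in groups:
        days = g.retention_days if default_retention_days is None else default_retention_days
        total += daily_raw_bytes(g) * days
    return total / compression


def storage_range_gb(groups: Iterable[SourceGroup],
                     default_retention_days: Optional[int] = None) -> Tuple[float, float]:
    """(conservative, optimistic) retained storage in GB across the page's
    20x to 40x compression range. Budget on the conservative figure."""
    groups = list(groups)
    return (retained_bytes(groups, COMPRESSION_CONSERVATIVE, default_retention_days) / 1e9,
            retained_bytes(groups, COMPRESSION_OPTIMISTIC, default_retention_days) / 1e9)


if __name__ == "__main__":
    print(f"summed peak: {peak_eps(INVENTORY)} EPS")
    print(f"4000 EPS collector sufficient: {collector_has_capacity(INVENTORY, 4000)}")
    lo, hi = storage_range_gb(INVENTORY)
    print(f"per-group retention: {lo:.0f} GB at 20x, {hi:.0f} GB at 40x")
    longest = max(g.retention_days for g in INVENTORY)
    lo, hi = storage_range_gb(INVENTORY, default_retention_days=longest)
    print(f"single {longest}-day default retention: {lo:.0f} GB at 20x, {hi:.0f} GB at 40x")
```

With this inventory the summed peak is 5000 EPS, a collector rated for 4000 EPS fails the check, and retained storage comes to roughly 453 GB at 20x (226 GB at 40x) with per-group retention, against roughly 583 GB at 20x (292 GB at 40x) once a single 365-day default period has to be applied to everything. The difference between those figures is the price of a product that cannot set retention per device group, which is why the last bullet above is a sizing question and not just a feature note; likewise, quote the conservative compression figure to procurement, since the achievable ratio depends on the log formats being collected.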
Training Considerations
Training is critical for project team members and the groups they represent.
System training is necessary for all those who use SIEM directly (e.g. security operators, compliance auditors); process training is appropriate for those who only use SIEM outputs.
Mix and match these approaches to minimize initial costs, maximize the benefits delivered, and build additional support for broader SIEM deployments:
Start with a compliance management focus, but explore the benefits of enhanced event visibility; or
Start with an event management focus, but take advantage of compliance reporting for internal purposes.
Once both are implemented, look at continuous risk management opportunities; demonstrated benefits from past experiences might even outweigh the cost of adding 24x7 monitoring.
Start with the most critical systems (key applications, core infrastructure, regulated environments).
Expand to other log data sources as the benefits of SIEM are demonstrated for those key assets.
Later stages may not deliver the same magnitude of benefits, but they involve lower equipment and configuration costs, as they leverage initial investments made in earlier stages.
Appendices
What's in this Section:
A three-site organization with 2200 employees located at a US head office facility, a second US satellite office, and a European satellite office. IT functions, including 3 dedicated IT security professionals, are located primarily at the US head office, with a small proportion of IT staff and systems located at the European site, which also acts as a DR facility.
The firm is interested in reducing the effort associated with monitoring, alerting, and responding to security events at the Endpoint, Network, and Data Center levels:
The volume and complexity of ad hoc queries against logged and correlated event data is fairly small, driven primarily by incident response efforts and gaps in canned compliance reports.
The SIEM product would be used regularly by four IT staff across the US head office and European satellite site, with additional dashboard-/report-level access for another four users in compliance/audit and IT management/executive roles.
200 devices were identified as log data sources for a SIEM solution, including network components, security systems, and both physical and virtual servers. Windows Domain, Oracle databases, MS Exchange and SharePoint, and BES and VoIP environments were explicitly identified in the scenario, and the peak logging volume was specified at 5000 events per second (EPS).
Demographic charts: Industry, Country, Revenue, FTEs, IT Employees (chart data not reproduced).