
Vendor Landscape Plus: Security Information & Event Management


Simplify compliance and IT risk management with SIEM tools

Info-Tech Research Group

Introduction
Security Information & Event Management (SIEM) vendors approach the market from different perspectives. Understand your organization's requirements for SIEM to ensure that the selected product helps achieve key goals.

This Research Is Designed For:
IT leaders considering SIEM technology to reduce the cost of meeting ever-increasing compliance requirements.
IT leaders looking to enhance the effectiveness of existing IT security operations.
Organizations seeking to improve overall risk management processes.

This Research Will Help You:
Understand the capabilities of SIEM technologies, and their potential use cases.
Differentiate between vendor offerings and identify alignments with your organization's requirements.
Shortlist vendors, prepare an RFP, and score RFP responses to select a SIEM solution.
Develop an implementation strategy and maximize your investment in SIEM.


Executive Summary
Understand SIEM Trends and Considerations

Security Information & Event Management (alternatively known as Security Incident & Event Management) technologies
have evolved from point solutions into comprehensive systems that allow organizations to optimize any or all of the
following important security-related functions:

Collection and management of critical system and network log data.
Execution of processes in support of regulatory and policy compliance obligations.
Identification of information security threats and response to them.
Continuous information security risk management processes.

Understand your organization's needs, potential costs, and readiness to undertake a SIEM deployment before taking the leap.

Evaluate SIEM Vendors

Vendor offerings target these security functions in substantially different ways, based on their SIEM product origins,
integration with their broader security solutions, architectural deployment options, and specific market focus.

Map your organization's immediate and future requirements for SIEM against vendor and product capabilities, and leverage the tools and templates included in this solution set to accelerate selection of a SIEM technology.

Develop a SIEM Implementation Strategy

Understand options for managed versus self-staffed SIEM implementations and their pros and cons.
Design a deployment architecture and capture additional implementation and operational costs and benefits, based on addressing your organization's specific security and compliance requirements.

Develop a plan for a phased implementation of the selected SIEM product and architecture, ensuring that you realize both
short and long-term objectives and benefits.

Symantec leads the market, but other SIEM vendors offer compelling alternatives to meet specific requirements

Info-Tech evaluated ten competitors in the SIEM market, including the following notable performers:

Champions:
Symantec, with its balance of strong product and vendor capabilities at an excellent price point, leads with a SIEM solution that can deliver benefits to almost any organization.
Q1 Labs delivers exceptional reporting capabilities and additional product features that distinguish it from Symantec at a higher, but still competitive, price point.
SenSage provides exceptional correlation and forensic capabilities for organizations that can justify the elevated cost.

Value Award:
Symantec's combination of a stable and committed vendor, a well-rounded product, and near rock-bottom pricing earns the company the Best Overall Value Award.

Innovation Award:
NitroSecurity posted the highest score for product capabilities, and may be an appealing option for those seeking premium features and functionality to meet both compliance and event management requirements.

Info-Tech Insight
1. Focus on business requirements: Identify the functionality that your organization requires to meet business needs or to justify an investment in SIEM technology.
2. Consider future requirements: Keep in mind all potential benefits of a SIEM deployment, whether you are focused primarily on simplifying compliance, speeding event management and incident response, or reducing overall risk.
3. Go for "good enough" for you: Align current and future requirements with the capabilities and solution feature-sets of vendors. While Symantec is the leader, its focus on solution breadth over depth underscores the importance of assessing alternative vendors against your organization's needs.


Understand SIEM Trends and Considerations


What's in this Section:
What SIEM is and what it isn't
The role of SIEM in managing risk
Key decision factors for SIEM
Assessing the appropriateness of SIEM

Sections:
Understand SIEM Trends and
Considerations
Evaluate SIEM Vendors
Develop Your SIEM
Implementation Strategy
Appendices


Understand what SIEM does, and what it doesn't do

SIEM technology is no silver bullet, but adds value by extending visibility across existing information security and system management tools.

SIEM Tools DO:
At a minimum, SIEM tools enable IT security organizations to:
Leverage central log management to simplify correlation, alerting, and reporting of security events;
Streamline compliance, incident response, and risk management processes;
Baseline threat levels and normal network security activity;
Increase efficiency and effectiveness of security and system administrators, internal and external auditors, and senior management involved in risk management;
Pursue a continuous risk management strategy, prioritizing attention to specific vulnerabilities based on observed threats across multiple control systems.

SIEM Tools DO NOT:
Contrary to past hype and misconceptions, SIEM tools do not:
Eliminate the need for other IT security systems; rather, SIEM enhances the value of each of those tools;
Eliminate the role of security administration/operations personnel; SIEM maximizes the value of such staff;
Prevent compromises; instead, SIEM provides the cross-system visibility to identify areas of elevated risk and focus security efforts, and reduces the cost and time for incident response.


Like every tool, SIEM has limitations; expect too much and be prepared for disappointment

SIEM technology is no silver bullet, but adds value by extending visibility across existing information security and system management tools.

When clients that are using SIEM solutions were asked about their expectations for the solution, they almost universally indicated that they had very high expectations prior to deployment.

Those same clients indicated that in almost every measure their SIEM solution failed to meet expectations.

Failure to meet expectations should not be held against the tools, as in almost every measurable category the tools delivered a "Moderately Significant" to "Significant" positive impact to the enterprise.

The moral: setting expectations too high can lead to a let-down even with deployments that are successful and improve enterprise security, compliance, and overall risk management.


Take stock of the serious threats to systems and the business; ensure threats can be contained or costs can be managed

The cost of a major and persistent system compromise can be substantial. Standalone security tools provide some visibility; SIEM tools do much more.

Several well-publicized breaches in recent years highlight the scale of potential impacts, including:
Direct costs for TJX (2007) have exceeded $250M.
Heartland Payment Systems (2009) has reported over $140M in direct costs.
Sony (2011) has already booked $171M in direct costs.

Each of these breaches involved repeated system compromises crossing multiple systems over an extended period, precisely the types of activities that are made more visible through SIEM.

Total costs (direct and indirect) per compromised customer record continue to rise, and in 2009 averaged over $200 per affected customer.

Costs per customer are typically much higher for smaller organizations and smaller-scale breaches than for the massive breaches noted above, as enterprise-wide expenditures are spread across a smaller number of affected accounts.

Info-Tech Insight
SIEM alone cannot eliminate similar breaches, but enhanced visibility reduces risk exposure in many ways:
Identify sophisticated attacks earlier using event data correlated across multiple systems;
Support more rapid and more thorough forensics during and after initial incident response;
Enable continuous feedback from observed threats into security and system controls to achieve optimal protection and reduce the risk of future compromises.
Deployed and operated properly, SIEM can reduce the risk and impact of catastrophic breaches.


Determine how and where SIEM will help you manage risk

Adopting the right SIEM tool depends on what risk-related focus is most important to your organization.

All SIEM tools provide log management functionality: collecting, aggregating, and normalizing log data from diverse sources. Whether the enterprise chooses to move further or not, every organization can benefit from Log Management.

Many organizations look to SIEM primarily as a way to reduce the cost of meeting internal and external/regulatory compliance requirements: consolidated logs feed out-of-the-box and custom compliance reports. In some cases, SIEM workflow capabilities add value by tracking mandatory log review processes.

Other organizations look to SIEM primarily as a means to reduce the effort expended when responding to individual security events and incidents: correlated events provide earlier visibility into active threats, and consolidated logs allow more rapid and thorough investigation of events either in progress or after the fact.

Typically, organizations see both compliance and event management-related benefits as SIEM is integrated into the risk management toolbox.

Many organizations take a final step, leveraging the information provided by the SIEM tool to target specific changes to (or investments in) system security and operational controls as a key component of a continuous risk management program.

Compare approaches to managing key information security processes, with or without SIEM

Get a sense of how far you intend to go with SIEM to help focus setting your organization's requirements. Look for the SIEM you need, but not more.

The table below compares three approaches (No SIEM; Basic SIEM with a compliance or event focus; Advanced SIEM with both a compliance and an event focus) across four security management focus areas.

Log Management
No SIEM: Storage, backup, retention, and archival settings must be configured and managed for each key system.
Basic and Advanced SIEM: Central log management optimizes the time and cost of managing key system logs, enabling greater opportunities for using such data.

Compliance Management
No SIEM: Compliance reporting and related log review management is done through manual processes.
Basic (compliance focus) and Advanced SIEM: Compliance management processes can be streamlined with predefined, scheduled, cross-system reporting.

Event Management
No SIEM: Incident identification and response processes are hampered by lack of cross-system visibility.
Basic (event focus) and Advanced SIEM: Visibility into incidents is increased through event correlation; incident response is enhanced by alerting and forensic investigation functionality.

Continuous Risk Management
No SIEM: Prioritization of security attention across systems is nearly impossible, and may not account for cross-system risks.
Basic SIEM: A more realistic view of risk emerges from increased efficiency in compliance or event management processes, enabling better prioritization.
Advanced SIEM: Integrated information from compliance and event management processes provides the most complete view of overall system risks. Staff attention and technology investments can be optimized.

Be clear about the impact of SIEM-enhanced security visibility

Be prepared for dealing with issues and events that you might have been missing without SIEM.

[Figure: SIEM's Impact on Risk and Cost Over Time, annotated with the three phases below.]

1. Pre-SIEM: Information risks and associated security management costs increase over time as new threats appear.

2. Immediately Post-SIEM: Increased visibility into extant threats results in increased cost of managing those threats; ignorance can no longer justify inaction. Per event/incident costs will decline through earlier detection opportunities and investigation efficiencies provided by the SIEM tool. Since those threats always existed, and are now being acted upon, overall risk begins to decline. As SIEM-based efficiencies are realized, the cost of managing visible threats returns to baseline levels.

3. Long-Term Post-SIEM: Both risk and security costs can be driven down further through feedback from SIEM into technical and procedural controls.


SIEM may make life harder before it makes it easier; if you can't handle the bump, don't invest in SIEM

Improving organizational security stance is not an overnight process; SIEM will help, but things will get worse before they get better.

[Figure: risk and security spend over time, annotated with points 1 to 5 below.]

1. When first deployed, a SIEM solution will expose the enterprise to all the risk it was missing but that was there anyway. In today's regulated world, if you're not prepared to address that increased risk, you'd best just leave your head in the sand.

2. As visibility into risk increases, security spend will by necessity increase as new tools or time need to be expended to combat identified risks. Most enterprises don't have unlimited security budgets, so spending initially trails threat exposure.

3. As the most serious threats are addressed, risk tapers off fairly quickly. At this point perceived risk and actual risk are being reduced, though levels are likely to be higher than what was perceived for some time.

4. Spend remains higher for longer as solution deployments must be rationalized and staffing levels finalized. Spend begins to go down when the costs associated with breaches and other threats are eliminated.

5. In time, and with concentrated effort, SIEM can allow the enterprise to drive risk and spend to lower levels than were previously experienced. As a side benefit, while risk is being addressed, SIEM is also providing compliance reporting benefits that help in other ways.


Evaluate SIEM Vendors


What's in this Section:
Info-Tech's Vendor Landscape for ten SIEM vendors
Shortlisting SIEM vendors through scenario analysis
Developing and executing a SIEM RFP



SIEM Market Overview

How it got here
Security Information & Event Management grew from the conjoining of two separate tools: Security Event Management and Security Information Management (which itself grew out of simpler Log Management). Indeed, some vendors still offer separate SEM and SIM products under the SIEM banner.
The space was founded just prior to the 2000s but has failed to catch on in any significant way; even the leading vendors claim fewer than 2,000 clients each.
SIEM solutions have typically focused on the largest of enterprises, but recently vendors have begun producing simplified, streamlined all-in-one solutions aimed at the SMB space.

Where it's going
Two factors combine to drive the awareness and adoption of SIEM: the first is the push into the SMB space that began a few years ago, while the second is the increasing amount of regulatory and industry compliance and its comprehensive auditing demands.
Though the space is mostly populated by smaller dedicated players, some larger players are already marketing SIEM solutions. The recent acquisition of market-leader ArcSight by HP is a possible precursor of greater consolidation to come.
As security and compliance concerns grow with each new regulation, each failed audit, and each publicized security breach, SIEM will finally begin to draw broader attention in the coming year.

As the market evolves, so do the features you need to evaluate. Pay close attention to
improving collection, aggregation, and correlation capabilities and the adoption of truly open
standards for event data records.


SIEM Vendor Landscape inclusion criteria: market share, mind share, and market consolidation

Though over ten years old now, in many ways the SIEM space is still nascent, with numerous players, many of them small and independent. However, the landscape may be shifting, as evidenced by the recent acquisition of market-leader ArcSight by HP and the merging of NetIQ and Novell product lines.

For this Vendor Landscape, Info-Tech focused on those vendors that have a strong market presence and/or reputational presence among small to mid-sized enterprises.

Included in the Vendor Landscape:
ArcSight. The market leader with enterprise-focused ESM, pushing into SMB with Express.
IBM. SIEM marketed under the Tivoli umbrella; a single line focused more at the enterprise than SMB.
LogLogic. A dedicated SIEM provider with a modular platform that offers flexibility to all enterprises.
netForensics. One of the pioneers of SIEM; separate products focused at the enterprise and SMB.
NitroSecurity. The most recent entrant to the SIEM market (2007) but a company definitely on the rise.
Q1 Labs. The largest independent player remaining; QRadar anchors a capable suite of SIEM tools.
RSA. Second in market share, its enVision products target both large (LS line) and SMB (ES line) clients.
SenSage. One of the smaller vendors in this evaluation and one still primarily focused on the large enterprise.
Symantec. The world's largest security vendor markets a single platform to all clients equally.
TriGeo. The only player dedicated to the SMB space; may single-handedly have created this end of the market.


SIEM Criteria & Weighting Factors

Product Evaluation
Features: The solution provides basic and advanced feature/functionality.
Affordability: The five-year TCO of the solution is economical.
Usability: The solution's dashboard and reporting tools are intuitive and easy to use.
Architecture: The delivery method of the solution aligns with what is expected within the space.

Vendor Evaluation
Viability: Vendor is profitable, knowledgeable, and will be around for the long-term.
Strategy: Vendor is committed to the space and has a future product and portfolio roadmap.
Reach: Vendor offers global coverage and is able to sell and provide post-sales support.
Channel: Vendor channel strategy is appropriate and the channels themselves are strong.

[Weighting charts: Product Evaluation 50%, Vendor Evaluation 50%. The four product criteria carry weights of 30%, 30%, 20%, and 20%, and the four vendor criteria 25%, 30%, 15%, and 30%; the assignment of each weight to its criterion is not recoverable from the extracted pie charts.]


The Info-Tech SIEM Vendor Landscape

Champions receive high scores for most evaluation criteria and offer excellent value. They have a strong market presence and are usually the trend setters for the industry.
Market Pillars are established players with very strong vendor credentials, but with more average product scores.
Innovators have demonstrated innovative product strengths that act as their competitive advantage in appealing to niche segments of the market.
Emerging players are newer vendors who are starting to gain a foothold in the marketplace. They balance product and vendor attributes, though score lower relative to market Champions.

[Vendor Landscape chart: the ten vendors plotted are ArcSight, IBM, LogLogic, netForensics, NitroSecurity, Q1 Labs, RSA, SenSage, Symantec, and TriGeo. The vendor profiles that follow label Symantec, Q1 Labs, and SenSage as Champions; NitroSecurity and LogLogic as Innovators; and ArcSight, RSA, and IBM as Market Pillars.]

For a complete description of Info-Tech's Vendor Landscape methodology, see the Appendix.


Balance individual strengths to find the best fit

[Harvey Ball comparison table: for each of ArcSight, IBM, LogLogic, netForensics, NitroSecurity, Q1 Labs, RSA, SenSage, Symantec, and TriGeo, the table rates Product (Overall, Features, Usability, Price, Platform) and Vendor (Overall, Viability, Strategy, Reach, Channel). The Harvey Ball ratings themselves are not recoverable from the extracted text.]

For an explanation of how Info-Tech Harvey Balls are calculated, please see the appendix.


The Info-Tech SIEM Value Index

What is a Value Score?
The Value Score indexes each vendor's product offering and business strength relative to their price point. It does not indicate vendor ranking. Vendors that score high offer more bang for the buck (e.g. features, usability, stability, etc.) than the average vendor, while the inverse is true for those that score lower. Price-conscious enterprises may wish to give the Value Score more consideration than those who are more focused on specific vendor/product attributes.

On a relative basis, Symantec (Champion) maintained the highest Info-Tech Value Score(TM) of the vendor group. Vendors were indexed against Symantec's performance to provide a complete, relative view of their product offerings.

[Value Index chart: scores of 100, 86, 83, 73, 69, 56, 32, 24, 23, and 8, with Symantec at 100 as the index base; the remaining vendor labels are not recoverable from the extracted chart.]

Sources:
To calculate the Value Score for each vendor, the affordability raw score was backed out, the product scoring reweighted, and the affordability score multiplied by the product of the Vendor and Product scores.


Table Stakes represent the minimum standard; without these a product doesn't even get reviewed

The Table Stakes
Basic Collection / Aggregation / Normalization (CAN): Collection from firewall logs, IDS logs, Windows server logs, web server logs, and syslogs.
Basic Correlation: Canned correlation policies for CAN data that act in near-real time.
Basic Alerting: Logging for all correlated events and alerting via pager/e-mail/text for those that exceed a given threshold.
Basic Reporting: Availability of canned reports that can be run on a scheduled and ad hoc basis.

What Does This Mean?
The products assessed in this Vendor Landscape(TM) meet, at the very least, the requirements outlined as Table Stakes. Many of the vendors go above and beyond the outlined Table Stakes; some even do so in multiple categories. This section aims to highlight the products' capabilities in excess of the criteria listed here.

If Table Stakes are all you need from your SIEM solution, the only true differentiator for the organization is price. Otherwise, dig deeper to find the best price and value for your needs.


Advanced Features are the market differentiators that make or break a product

Scoring Methodology
Info-Tech scored each vendor's feature offering as a summation of its individual scores across the listed advanced features. Vendors were given 1 point for each feature the product inherently provided. Some categories were scored on a more granular scale, with vendors receiving half points (see "Partial functionality" criteria).

Advanced Features (feature: what we looked for)
Log Data Enrichment: Advanced CAN from NetFlow, Identity, Database, Application, Configuration, and File Integrity data sources.
Advanced Correlation: Advanced canned policies, user-defined policies, and adaptive/heuristic policies.
Advanced Alerting: Programmable/customizable alerting responses and workflow injection.
Advanced Reporting: Flexible dashboards, custom reporting capabilities, and ability to export to external reporting infrastructure.
Forensic Analysis Support: Ability to generate custom data queries with flexible drill-down capabilities.
Data Management, Security: Access controls to the SIEM system and SIEM data; encryption of SIEM data (in storage and transmission).
Data Management, Retention: Notable storage capacity, data compression, and inherent hierarchical storage management.
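The Table Stakes and Advanced Features lists above describe a pipeline rather than showing one. The following Python script is an added example, not code from the Info-Tech report or from any of the vendors it reviews: it implements collection, aggregation and normalization (CAN) for three constructed log sources (an sshd syslog line, a firewall deny log, and a Windows 4625 logon-failure record), a canned near-real-time correlation rule with an alert threshold, and a basic count report, with the rule's parameters exposed so it doubles as the user-defined policy from the Advanced Correlation row. Every log line, hostname, IP address (documentation ranges), field name and threshold in it is constructed for the example.

```python
"""Minimal SIEM pipeline: collect, aggregate, normalize (CAN), correlate, alert, report.
All sample data below is constructed for this example; schema and rule parameters are
this example's own choices, not any vendor's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample events from three different log sources ---
SYSLOG_LINES = [
    "Mar 10 09:14:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Mar 10 09:14:03 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Mar 10 09:14:09 web01 sshd[2202]: Accepted password for deploy from 198.51.100.4 port 40011 ssh2",
]
FIREWALL_LINES = [
    "2011-03-10T09:13:55Z fw01 DENY TCP 203.0.113.7:44120 -> 10.0.0.12:3389",
    "2011-03-10T09:13:58Z fw01 DENY TCP 203.0.113.7:44121 -> 10.0.0.12:445",
]
WINDOWS_EVENTS = [  # already structured, as a Windows event collector would deliver them
    {"TimeCreated": "2011-03-10T09:14:05Z", "Computer": "dc01", "EventID": 4625,
     "TargetUserName": "Administrator", "IpAddress": "203.0.113.7"},
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DENY|ALLOW) \w+ (?P<ip>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<port>\d+)")

# Normalizers: each source format becomes the same common schema
# {ts, source, host, src_ip, user, action}; unparseable lines are dropped (return None).
def normalize_syslog(line, year=2011):  # syslog timestamps carry no year; assumed here
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "source": "sshd", "host": m["host"], "src_ip": m["ip"],
            "user": m["user"], "action": "auth_fail" if m["outcome"] == "Failed" else "auth_ok"}

def normalize_firewall(line):
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "source": "firewall", "host": m["host"], "src_ip": m["ip"],
            "user": None, "action": "fw_deny" if m["action"] == "DENY" else "fw_allow"}

def normalize_windows(ev):
    ts = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
    action = {4625: "auth_fail", 4624: "auth_ok"}.get(ev["EventID"], f"win_{ev['EventID']}")
    return {"ts": ts, "source": "windows", "host": ev["Computer"], "src_ip": ev.get("IpAddress"),
            "user": ev.get("TargetUserName"), "action": action}

def collect_and_normalize():
    """Aggregate all sources into one time-ordered list of normalized events."""
    events = [normalize_syslog(l) for l in SYSLOG_LINES]
    events += [normalize_firewall(l) for l in FIREWALL_LINES]
    events += [normalize_windows(e) for e in WINDOWS_EVENTS]
    events = [e for e in events if e]
    events.sort(key=lambda e: e["ts"])
    return events

def correlate(events, window=timedelta(minutes=5), threshold=3, min_sources=2):
    """Canned rule with user-adjustable parameters: at least `threshold` suspicious events
    (auth_fail or fw_deny) from one src_ip inside `window`, seen by >= `min_sources` sources."""
    by_ip = defaultdict(list)
    for e in events:
        if e["action"] in ("auth_fail", "fw_deny") and e["src_ip"]:
            by_ip[e["src_ip"]].append(e)  # stays time-ordered because `events` is sorted
    alerts = []
    for ip, evs in by_ip.items():
        for i in range(len(evs)):  # sliding window anchored at each event
            in_window = [e for e in evs[i:] if e["ts"] - evs[i]["ts"] <= window]
            sources = sorted({e["source"] for e in in_window})
            if len(in_window) >= threshold and len(sources) >= min_sources:
                alerts.append({"rule": "multi-source brute force", "src_ip": ip,
                               "count": len(in_window), "sources": sources,
                               "hosts": sorted({e["host"] for e in in_window}),
                               "first_seen": in_window[0]["ts"], "last_seen": in_window[-1]["ts"]})
                break  # one alert per source IP per window; the rest is noise
    return alerts

def report(events):
    """Basic canned report: event counts by (source, action)."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["source"], e["action"])] += 1
    return dict(counts)

if __name__ == "__main__":
    evs = collect_and_normalize()
    for a in correlate(evs):
        print(f"ALERT {a['rule']}: {a['src_ip']} {a['count']} events via {a['sources']} "
              f"on {a['hosts']} between {a['first_seen']} and {a['last_seen']}")
    print(report(evs))
```

The cross-system point the Table Stakes make is visible when the same rule is run on a single source: two sshd failures, two firewall denies, or one Windows failure each stay below the threshold on their own, so only the consolidated, normalized stream fires the alert. A product SIEM supplies the parsers and rules, but the common schema is what makes a rule like this possible across systems.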


Each vendor offers a different feature set; concentrate on what your organization needs

[Advanced feature matrix: columns Log Data, Correlation, Alerting, Reporting, Forensics, Security, and Retention; rows ArcSight, IBM, LogLogic, netForensics, NitroSecurity, Q1 Labs, RSA, SenSage, Symantec, and TriGeo. The per-vendor scores are not recoverable from the extracted text.]


Symantec delivers a solid product with an attractive price

Champion
Product: Security Information Manager
Employees: 17,500
Headquarters: Mountain View, CA
Website: Symantec.com
Founded: 1982
Presence: NASDAQ: SYMC; FY10 Revenue: $6B

Overview
In contrast to most players in the space, Symantec positions its SIEM solution as a security tool first, and compliance tool second; its integration into other product lines backs this up and makes it a good choice for the security conscious.

Strengths
Symantec offers the broadest base of deployment types (software, hardware, virtual hardware, and managed service offerings), allowing every enterprise to find a fit.
Security Information Manager is integrated into Symantec's Global Intelligence Network, meaning system configuration can be adjusted based on more than just local event data.

Challenges
In many ways a "jack of all trades, master of none" solution, Symantec gets partial marks for almost all Info-Tech identified advanced features, but full marks in hardly any.
SIEM gets little exposure within Symantec's ever-expanding product portfolio; a flip-flopping on the appliance-based delivery model may indicate lack of understanding of market needs.
Priced between $250,000 and $500,000.

Info-Tech Recommends:
A solid product at an attractive price from a company with a clear commitment to the security space; these factors make Security Information Manager a good choice for organizations with generic SIEM needs.

QRadar: a complete product from a vendor dedicated to SIEM

Champion
Product: QRadar SIEM
Employees: 250
Headquarters: Waltham, MA
Website: Q1Labs.com
Founded: 2001
Presence: Privately Held

Overview
Q1 Labs is the largest independent player in the SIEM space and supplements its SIEM play with a broad suite of products to allow for comprehensive security management.

Strengths
The broadest and most comprehensive set of reporting capabilities of any product in this test; its capability is so broad that integration with third-party reporting solutions is unnecessary.
A cleanly integrated set of hierarchical products allows enterprises to grow their security management capabilities in an additive, not rip-and-replace, manner.

Challenges
As the biggest independent, and a company experiencing tremendous growth, Q1 Labs may be a target for acquisition as compliance mandates increase the demand for SIEM.
Priced between $250,000 and $500,000.

Info-Tech Recommends:
Whether simple log management with the ability to grow into fully featured SIEM, or a broad-based solution that includes pre-exploit management, Q1 Labs has a solution for every need.

SenSage turns security data into business intelligence

Champion
Product: Event Data Warehouse
Employees: 50-100
Headquarters: Redwood City, CA
Website: SenSage.com
Founded: 2000
Presence: Privately Held

Overview
SenSage grew out of traditional log management and is staking its future on Open Security Intelligence, the extension of SIEM into a business-focused decision support system.

Strengths
Extremely broad correlation capabilities, coupled with Alert Player, which allows admins to replay scenario-based events, mean SenSage offers BI-like capability for security data.
SenSage, despite its size, has built a strong network of high-profile channel partners and backs them with a solid support organization.

Challenges
With a client base in the mid-hundreds, SenSage is one of the smaller players in this evaluation in terms of overall market share; increasing its client count is imperative.
Priced between $250,000 and $500,000.

Info-Tech Recommends:
Organizations looking to go deeper with their security event data may well find SenSage ideal, but must be prepared to take the risk of dealing with one of the smallest vendors in the space.

NitroSecurity ESM: top performance, second-lowest price

Innovator
Product: NitroView ESM
Employees: Over 100
Headquarters: Portsmouth, NH
Website: NitroSecurity.com
Founded: 1999
Presence: Privately Held

Overview
NitroSecurity bases all of its security technology solutions on its background in massive-scale data management, meaning its solutions correlate broadly, operate quickly, and report efficiently.

Strengths
One of the most feature-rich solutions in this roundup, and one of only two solutions to offer truly comprehensive and forward-looking correlation capabilities.
Nitro falls between the pure-play SIEM providers and the broader security vendors, meaning it has good focus on the space, but isn't solely reliant on SIEM sales for its revenue.

Challenges
Nitro has expanded its product portfolio to include virtual appliances, but these are currently scaled only for smaller enterprises and remote sites; increasing performance will improve applicability.
Priced between $100,000 and $250,000.

Info-Tech Recommends:
With its correlation and forensic analysis capabilities, NitroView ESM can be invaluable to a security manager, though internal auditors may find its lack of external reporting integration a little limiting.

LogLogic: modular platform is powerful, but complex

Innovator
Product: LX, ST, SEM appliances
Employees: Not available
Headquarters: San Jose, CA
Website: LogLogic.com
Founded: 2002
Presence: Privately Held

Overview
LogLogic approaches the SIEM space with a clear focus on compliance first and foremost, using its "Get-See-Use" philosophy to improve not just compliance, but also security and even operational performance.

Strengths
The most feature-rich solution in the round-up and the only one to fully address system configuration data as an input source. Coupled with the cleanest interface, this is the solution that delivers the most SIEM capability.

Challenges
LogLogic is one of the smaller vendors in this review and is focused on the enterprise space, with 70% of its business coming from enterprises with more than $1B in revenues; continued growth may be a challenge without more mid-market focus as the large enterprise market niche saturates.
Architecturally complex, leading to a higher than average price.
Priced between $250,000 and $500,000.

Info-Tech Recommends:
A well integrated line of capable products, but LogLogic's clear focus on the enterprise market may limit its appeal to smaller businesses, and the appeal of those businesses to LogLogic.

ArcSight Express brings the power of ESM to the SMB

Market Pillar
Product: Express
Employees: 324,600 (HP as a whole)
Headquarters: Palo Alto, CA
Website: ArcSight.com
Founded: 2000
Presence: NASDAQ: HPQ; FY09 Revenue: $126B

Overview
Recently acquired by HP to become the most valuable asset in that company's focused security strategy, ArcSight is the largest player in the SIEM space and has recently expanded its portfolio to be more applicable to the mid-market.

Strengths
An architecturally sound solution allowing for widely varying deployment models; the ability to mix and match Collectors and Loggers with a core Express device offers great flexibility.
Offers the ability to tightly correlate security events to users via IdentityView, an add-on capability that monitors user activity across all accounts, applications, and systems.

Challenges
ArcSight has trimmed its impressive enterprise-focused ESM solution to build Express, but may have left out some differentiating capabilities.
HP and ArcSight representatives are all saying the right things in regards to the recent acquisition, but only time will tell if the union will represent a win for existing and future clients.
Priced between $250,000 and $500,000.

Info-Tech Recommends:
Express represents a well-rounded solution but one that is less exceptional than its flagship ESM; feature reduction combined with one of the highest prices limits overall appeal.

enVision integration with DLP and GRC a boon to RSA shops


Market Pillar
Product: enVision
Employees: 40,000+ (EMC as a whole)
Headquarters: Bedford, MA
Website: RSA.com
Founded: 1982
Presence: NYSE: EMC
FY10 Revenue: $17B

Overview
RSA, the security division of EMC, plots a careful course with
its SIEM solution enVision, delivering just enough capability to
meet market needs without pushing the envelope to drive the
future of the space.

Strengths
Very broad-based collection/aggregation/normalization
capabilities, coupled with strong reporting, give good
coverage for both the security and compliance conscious.
RSA has taken a holistic view of security management, and the
integration of three security management platforms (SIEM,
DLP, eGRC) is visionary.

Challenges

Priced between $250,000 and $500,000

enVision is solid but unspectacular in the areas of correlation
and alerting when compared with its peers; in a fast-moving
market, these shortcomings need to be addressed.
While the ES line can be cost effective, the LS line (evaluated
here) is the most expensive solution in the roundup.

Info-Tech Recommends:

The integration of enVision with RSA's DLP and eGRC solutions underlines the company's efforts to
become the security management provider; current RSA clients will benefit from those synergies.

Weak correlation capabilities limit the value of Tivoli SIEM


Market Pillar
Product: Tivoli SIEM
Employees: 400,000
Headquarters: Armonk, NY
Website: IBM.com
Founded: 1911
Presence: NYSE: IBM
FY10 Revenue: $95.8B

Overview
IBM is a truly global player in almost every aspect of
Information Technology. Its security management solutions sit
under its Tivoli systems management umbrella.

Strengths
Management of Tivoli SIEM is through the common Tivoli admin
interface; those familiar with the Tivoli suite will find the
learning curve remarkably flat.
Tivoli SIEM is IBM's integrated solution for basic SIM, SEM,
and log management; advanced SEM/SOC functionality is
available in Tivoli Security Operations Manager (TSOM).

Challenges
Correlation capabilities in Tivoli SIEM are so minimal that it is
almost a stretch to label them as such; events from
different sources cannot be linked to create analysis
patterns.
Priced between $250,000 and $500,000

Info-Tech Recommends:

Lack of feature-functionality and limited architectural deployment models make it difficult to
recommend Tivoli SIEM; TSOM may meet broader needs, but was not reviewed by Info-Tech.

netForensics offers dual solutions which may split focus


Emerging Player
Product: nFX Cinxi One
Employees: Not available
Headquarters: Edison, NJ
Website: netForensics.com
Founded: 1999
Presence: Privately Held

Overview
netForensics is one of the pioneers of the SIEM space, having
first come on the scene in 1999. Since then a significant
number of players have entered the market, and many have
surpassed netForensics in capability and market share.

Strengths
netForensics is exclusively focused on the SIEM space, a
position it reinforced by acquiring High Tower Software and
with it the Cinxi (later Cinxi One) product line.

Challenges

Priced between $100,000 and $250,000

The primary target of its solutions is the Managed Service
Provider via the nFX SIM One solution. Though it offers a mid-market
solution (Cinxi One), its clear focus on the highest end
of the market likely limits its applicability to mid-sized
businesses.

Info-Tech Recommends:

netForensics declined to brief for this review and available product details are limited, so a detailed
recommendation cannot be made at this time.

TriGeo is the only provider solely focused on SMB clients


Emerging Player
Product: Security Information Manager
Employees: Not available
Headquarters: Post Falls, ID
Website: TriGeo.com
Founded: 2001
Presence: Privately Held

Overview
TriGeo is the only SIEM solution provider targeting the mid-market specifically; its turn-key appliance-based approach has
defined mid-market SIEM and led most other players to
release competitive solutions.

Strengths
TriGeo SIEM is the only product truly built for the mid-market;
this is not some enterprise-grade solution that has been
trimmed of capability, and shoe-horned into a smaller box. It
may not offer the same complexity as many competing
solutions, but it offers unmatched efficiency and ease of
operations.

Challenges
SIEM, though clearly of value to the mid-market, has
traditionally been an enterprise play and the lack of products
for that space has limited TriGeos size and reach.
*TriGeo's rankings were affected by its inability to provide
Info-Tech with pricing for the SIEM solution.

Info-Tech Recommends:

TriGeo declined to brief for this review and available product details are limited so a detailed
recommendation cannot be made at this time.

Streamline monitoring, alerting, and incident response
processes to minimize the cost of individual security events
Security Event Management relies on strong correlation and deep forensic
analysis.
[Chart: vendor scores (1 to 4) for Management of Security Events, Reduction of
Compliance Complexity, and Enhancement of Overall Risk Management, grouped
into Exemplary, Viable, and Adequate Performers]

Reduce the cost of demonstrating regulatory and policy
compliance by simplifying reporting and log review functions
Compliance capabilities are defined by broad and deep reporting.
[Chart: vendor scores (1 to 4) for Management of Security Events, Reduction of
Compliance Complexity, and Enhancement of Overall Risk Management, grouped
into Exemplary, Viable, and Adequate Performers]

Ensure the reduction of enterprise risk by bringing broad-based collection, aggregation, and response abilities to bear
The broadest possible feature-functionality is required for true Risk
Reduction.
[Chart: vendor scores (1 to 4) for Management of Security Events, Reduction of
Compliance Complexity, and Enhancement of Overall Risk Management, grouped
into Exemplary, Viable, and Adequate Performers]

Identify leading candidates with the SIEM Vendor Shortlist Tool

Info-Tech's Security Information & Event Management Vendor Shortlist Tool
is designed to generate a customized shortlist of vendors based on your key
priorities.
This tool offers the ability to modify:
Overall Vendor vs. Product Weightings
  Top-level weighting of product vs. vendor criteria
Individual product criteria weightings:
  Features
  Usability
  Affordability
  Architecture
Individual vendor criteria weightings:
  Viability
  Strategy
  Reach
  Channel


Issue an RFP to ensure that SIEM vendors fit your needs, and
not the other way around
Use Info-Tech's Security Information & Event Management RFP Template to
conduct this critical step in your vendor selection process.
Info-Tech's SIEM RFP Template is populated
with critical elements, including:
The Statement of Work
Proposal Preparation Instructions
Scope of Work
Functional Requirements
Technical Specifications
Operations & Support
Sizing & Implementation
Vendor Qualifications & References
Budget & Estimated Pricing
Vendor Certification


To get the most value out of the RFP process, use the
SIEM RFP Scoring Tool
A standard & transparent process for scoring individual vendor RFP
responses will help ensure that internal team biases are minimized.
Use Info-Tech's SIEM RFP Scoring Tool to:
Evaluate RFP Responses
The Security Information & Event
Management RFP Scoring Tool is pre-built
with essential criteria complementing the
SIEM RFP Template from the previous slide.
Accelerate Procurement
Use the tool to drive the meeting with your
procurement department.


Take charge of vendor finalist demonstrations with a Vendor Demonstration Script
An onsite product demonstration will help enterprise decision-makers better
understand the capabilities and constraints of various solutions.
This tool is designed to provide vendors with a
consistent set of instructions for demonstrating
key scenarios for the SIEM implementation.

The Security Information & Event Management Vendor Demo Script covers:
Standard and advanced log source and log
management/retention configurations.
Canned and custom event correlation and
alerting capabilities.
Canned and custom reporting functionality.
Forensic log analysis and incident
management tools.
Custom dashboard and granular system
access features.


Develop Your SIEM Implementation Strategy


What's in this Section:

SIEM implementation architectures
Assessing the total cost of SIEM
Moving forward with your SIEM implementation

Sections:
Understand SIEM Trends and
Considerations
Evaluate SIEM Vendors
Develop Your SIEM
Implementation Strategy
Appendices


Getting to a SIEM implementation strategy

Get a handle on overall costs, understand the resource implications, and
develop a plan to realize immediate and long-term benefits of SIEM.

Hard implementation costs:
Design and size a SIEM solution that meets operational requirements.
Include the costs of additional hardware components.

Soft implementation costs:
Identify and track the resources consumed in system implementation and training.

Ongoing staffing costs:
Understand the immediate and ongoing impact on existing compliance and
security management staffing.

Getting approval and moving ahead:
Stay attuned to the tone from the top, and grow use of the SIEM tool methodically.


Consider the available SIEM hardware platform options

SIEM is not a toaster, but SIEM appliance models have undeniable merits.

Platform: Hardware Appliance
  Pros:
    Simplified management maximizes focus on SIEM operations.
    Simplified support: no vendor concerns about underlying hardware.
  Cons:
    Dedicated onboard storage is unavailable for other uses.
    Scalability limited by appliance capabilities.

Platform: Virtual Appliance
  Pros:
    Leverages existing server virtualization and shared storage (SAN) investments.
    Scalability and resiliency limited only by those environments.
  Cons:
    High-performance requirements consume virtual server resources.
    Requires additional virtual server management.

Platform: Software-only Solutions
  Pros:
    Allows wider choice of hardware.
  Cons:
    Requires dedicated server hardware and ongoing server management.
    Elevates risk of HW vs. SW finger-pointing during support calls.

Regardless of the platform selection, don't forget to plan for log data backup to meet regulatory and internal policy
requirements.


Identify constraints for your SIEM architecture

Consider performance, capacity, and regulatory inputs in your design
process.
SIEM vendors offer a variety of centralized and distributed
deployment options; sometimes the best design is a mix of both.

Centralized components typically include log collectors, event
correlation engines, and functions including alerting, reporting, and
incident management tools.
Whether all in one or separate but adjacent devices, deploying
these components centrally reduces the management burden for
SIEM.

Distributed designs may include single-purpose collectors and
combination collector/correlation devices, which can support:
Regulatory requirements (e.g. EU Safe Harbour) that restrict
offshore movement of private/sensitive data.
Performance and scalability needs by aggregating data from log
sources at remote sites and offloading event correlation
processing.

Info-Tech Insight

Cloud-based SIEM solutions (aka SIEMaaS) are emerging, but remain
scarce. Regulatory restrictions may limit the applicability of such services.
In contrast, managed security service provider (MSSP) solutions, in which a
third party maintains and monitors a SIEM system housed on customer
premises, offer greater promise today:
Customer control over sensitive data.
Shared access to 24x7 monitoring at a fraction of the cost.


Optimize the SIEM solution design

Understand your current IT environment in order to size the SIEM solution
properly and minimize WAN impact.
SIEM deployments are sized based on two key factors: logging rate and storage
capacity.

Logging rates, or the number of log records that the system can process, are
measured in events or messages per second (eps or MPS):

Collectors must be sized to handle the peak number of events per second, or
risk losing critical log records.
Peak eps requirements for a SIEM solution are determined by summing the
peak logging rates of all source devices. Though it is unlikely that all devices
will hit peak rates simultaneously, this provides the capacity to handle elevated
logging demands from extraordinary events such as denial of service attacks
and malware outbreaks.

Storage capacity requirements depend on logging rates, but with a twist:

All SIEM solutions perform some level of log file compression, typically ranging
between a 20 to 40-fold reduction in log file sizes.
Total storage capacity requirements can be calculated by summing the
average daily log file size of each source device, multiplying by the required
retention period, and dividing by the SIEM compression rate.
Some SIEM solutions allow retention periods to be defined by device (or group
of devices), while others establish a single, default retention period.

Info-Tech Insight

For multi-site deployments, look to distributed components to optimize SIEM and
network performance:
Distributed log collectors:
Spread the peak eps load across multiple devices.
Compress log data before forwarding on to a central collector, saving considerably
on WAN traffic.
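As an added worked example (not from the Info-Tech deck), the Python worksheet below applies the two sizing rules above, summed peak eps and summed daily volume times retention divided by compression, to a constructed five-device, two-site inventory, and shows the per-site split that distributed collectors rely on. The device names, volumes, retention periods, the 365-day default, and the assumption that a remote collector compresses forwarded data at the same ratio as at-rest storage are all constructed assumptions.

```python
"""Added SIEM sizing worksheet; it is not from the Info-Tech deck. It applies
the two sizing rules the slide states (peak eps is the sum of per-source peak
rates; storage is the sum of average daily log volume times retention, divided
by the compression ratio) to a constructed inventory, and shows the per-site
peak split that distributed collectors rely on."""
import math
from dataclasses import dataclass
from typing import Optional

# Compression band quoted on the slide (20x to 40x); the real ratio is vendor
# specific, so storage is reported as a worst/best band rather than one number.
COMPRESSION_LOW, COMPRESSION_HIGH = 20.0, 40.0
DEFAULT_RETENTION_DAYS = 365   # assumed system-wide default retention policy


@dataclass
class LogSource:
    name: str
    site: str
    peak_eps: int              # peak events per second observed on the device
    avg_daily_mb: float        # average uncompressed log volume per day (MB)
    retention_days: Optional[int] = None   # None -> system-wide default


# Constructed sample inventory; values are illustrative, not measurements.
INVENTORY = [
    LogSource("hq-firewall",      "us-hq",   1500, 8000.0),
    LogSource("hq-domain-ctrl",   "us-hq",    400, 2500.0),
    LogSource("oracle-db",        "us-hq",    200, 1200.0, retention_days=2555),  # regulated, 7 years
    LogSource("exchange",         "us-hq",    300, 1800.0),
    LogSource("eu-site-firewall", "eu-site",  600, 3000.0, retention_days=90),
]


def peak_eps(sources):
    """Collector sizing: sum every source's peak. All devices rarely peak
    together, but the sum leaves headroom for DoS or malware-outbreak surges."""
    return sum(s.peak_eps for s in sources)


def peak_eps_by_site(sources):
    """Per-site peaks, i.e. the load each distributed collector must carry."""
    by_site = {}
    for s in sources:
        by_site[s.site] = by_site.get(s.site, 0) + s.peak_eps
    return by_site


def collectors_needed(sources, collector_rating_eps):
    """Smallest number of collectors of a given eps rating that covers the
    summed peak; undersizing here is where log records get dropped."""
    return math.ceil(peak_eps(sources) / collector_rating_eps)


def storage_mb(sources, compression, default_retention=DEFAULT_RETENTION_DAYS):
    """Retained storage in MB: sum(avg daily MB x retention days) / compression.
    Per-device retention is honoured where set, as some products allow."""
    raw = 0.0
    for s in sources:
        days = s.retention_days if s.retention_days is not None else default_retention
        raw += s.avg_daily_mb * days
    return raw / compression


def storage_band_gb(sources, default_retention=DEFAULT_RETENTION_DAYS):
    """(worst case, best case) storage in GB across the 20x-40x band."""
    return (storage_mb(sources, COMPRESSION_LOW, default_retention) / 1024,
            storage_mb(sources, COMPRESSION_HIGH, default_retention) / 1024)


def daily_wan_mb(sources, site, compression=None):
    """Daily MB a remote site forwards to the central collector: raw if the site
    forwards uncompressed, or reduced by `compression` when a local collector
    compresses first (assumed here to match the at-rest ratio)."""
    raw = sum(s.avg_daily_mb for s in sources if s.site == site)
    return raw if compression is None else raw / compression


if __name__ == "__main__":
    print("peak eps:", peak_eps(INVENTORY), "per site:", peak_eps_by_site(INVENTORY))
    print("collectors @1000 eps:", collectors_needed(INVENTORY, 1000))
    low, high = storage_band_gb(INVENTORY)
    print(f"storage: {low:.0f} GB (20x) to {high:.0f} GB (40x)")
    print("eu-site WAN MB/day raw vs compressed:",
          daily_wan_mb(INVENTORY, "eu-site"), daily_wan_mb(INVENTORY, "eu-site", 20.0))
```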


Account for implementation resource costs


Success with SIEM involves more than just the Security team. Make sure all
the right parties are engaged up front.
Project Team Composition
Security, network, and system administrators all have substantial
involvement:
Identifying and configuring log data sources.
Defining event severity levels; monitoring, alerting &
escalation processes; and reporting formats & schedules.
Internal auditors and other compliance personnel also play a key
role:
Designing dashboards and reports to simplify compliance
management efforts.
Specifying elevated requirements for regulated systems, architectural
or procedural.

Training Considerations
Training is critical for project team members and the groups they
represent.
System training is necessary for all those who use SIEM directly
(e.g. security operators, compliance auditors); process training is
appropriate for those who only use SIEM outputs.


Understand the ongoing staffing impact


Examine compliance management savings and increased monitoring costs.
The rest is just noise.
For incident response staff and supporting system
administrators, SIEM is a double-edged sword:
Increased response efficiencies are countered by increased
event visibility, until and unless SIEM-driven improvements
are made to key security and system controls.

Organizations facing regular and/or diverse regulatory
requirements can reduce the associated reporting burden
substantially:
Required reports can be generated automatically and
consistently across multiple systems, without burdening the
system admins.
Where needed, internal SIEM activity can be reported on to
demonstrate compliance with log review requirements.

Real-time event monitoring can be a huge cost driver for SIEM:
For organizations lacking a dedicated Security Operations
Center, adding a dedicated 24x7 monitoring capability could
equate to 5 FTEs.
Consider adding a best effort event monitoring responsibility
to existing security staff; a 10-20% rise in staffing levels
could enable much better incident response outcomes.

Info-Tech Insight

SIEM monitoring through an MSSP can provide cost-effective alternatives for
real-time event monitoring:
MicroAge, an IT services firm, opted for an MSSP to provide on-premise
SIEM equipment and remote monitoring services.
For a monthly fee, MicroAge avoided the capital cost of a SIEM solution
supporting 120 log sources.
In the same monthly fee, MicroAge receives 24x7 real-time event
monitoring, with serious events escalated to internal IT staff, at a
small fraction of the cost of staffing such a capability internally.

"You get an alarm system for your network, but you don't get the cops to go with it."
- Perry Kuhnen, IT Manager, MicroAge
(about SIEM without real-time monitoring)

Factor decision-makers' concerns into the SIEM proposal

Perspective matters: position initial SIEM plans based on what's most
important to leadership, and focus on relevant cost reduction opportunities.
Where leadership has a strong focus on information risk management, pitching
event-focused SIEM is easier:
Even without 24x7 monitoring, event-focused SIEM enables risk reduction
simply through enhanced visibility.
Reducing incident-related costs can offset SIEM investments.

Where that strong risk focus is missing, compliance-focused SIEM may be the
more effective route to approval:
Reducing the costs of demonstrating compliance can offset SIEM
investments.
Leverage enhanced visibility to elevate information risk to a
leadership level, and evolve SIEM toward a greater focus on event and
risk management.


Start modestly, but keep the final objective in mind

Don't try to execute the whole SIEM vision at once. Learn from early stages,
and build capabilities & benefits incrementally.
Embarking on a SIEM initiative requires a serious investment of time and money. Implementation can be phased in two
distinct, but complementary, ways.

Phased by SIEM function:

Start with a compliance management focus, but explore the benefits of enhanced event visibility, or
Start with an event management focus, but take advantage of compliance reporting for internal purposes.
Once both are implemented, look at continuous risk management opportunities; demonstrated benefits from past
experiences might even outweigh the cost of adding 24x7 monitoring.

Phased by source system:

Start with the most critical systems (key applications, core infrastructure, regulated environments).
Expand to other log data sources as the benefits of SIEM are demonstrated for those key assets.

Mix and match these approaches to minimize initial costs, maximize the benefits delivered, and build additional support for
broader SIEM deployments:

Later stages may not deliver the same magnitude of benefits, but they involve lower equipment and configuration costs,
as they leverage initial investments made in earlier stages.


Appendices
What's in this Section:

Vendor Landscape methodology
SIEM survey demographics

Sections:
Understand SIEM Trends and
Considerations
Evaluate SIEM Vendors
Develop Your SIEM
Implementation Strategy
Appendices


Vendor Evaluation Methodology


Info-Tech Research Group's Vendor Landscape market evaluations are a part of a larger program of vendor evaluations which includes
Solution Sets that provide both Vendor Landscapes and broader Selection Advice.
From the domain experience of our analysts, as well as through consultation with our clients, a vendor/product shortlist is established. Product
briefings are requested from each of these vendors, asking for information on the company, products, technology, customers, partners, sales
models, and pricing.
Our analysts then score each vendor and product across a variety of categories, on a scale of 0-10 points. The raw scores for each vendor are
then normalized to the other vendors' scores to provide a sufficient degree of separation for a meaningful comparison. These scores are then
weighted according to weighting factors that our analysts believe represent the weight that an average client should apply to each criterion. The
weighted scores are then averaged for each of two high level categories: vendor score and product score. A plot of these two resulting scores
is generated to place vendors in one of four categories: Champion, Innovator, Market Pillar, and Emerging Player.
For a more granular category by category comparison, analysts convert the individual scores (absolute, non-normalized) for each
vendor/product in each evaluated category to a scale of zero to four whereby exceptional performance receives a score of four and poor
performance receives a score of zero. These scores are represented with Harvey Balls, ranging from an open circle for a score of zero to a
filled in circle for a score of four. Harvey Ball scores are indicative of absolute performance by category but are not an exact correlation to
overall performance.
Individual scorecards are then sent to the vendors for factual review, and to ensure no information is under embargo. We will make corrections
where factual errors exist (e.g. pricing, features, technical specifications). We will consider suggestions concerning benefits, functional quality,
value, etc.; however, these suggestions must be validated by feedback from our customers. We do not accept changes that are not
corroborated by actual client experience or wording changes that are purely part of a vendor's market messaging or positioning. Any resulting
changes to final scores are then made as needed, before publishing the results to Info-Tech clients.
Vendor Landscapes are refreshed every 12 to 24 months, depending upon the dynamics of each individual market.


Value Index Ranking Methodology


Info-Tech Research Group's Value Index is part of a larger program of vendor evaluations which includes Solution Sets that provide both
Vendor Landscapes and broader Selection Advice.
The Value Index is an indexed ranking of value per dollar as determined by the raw scores given to each vendor by analysts. To perform the
calculation, Affordability is removed from the Product score and the entire Product category is reweighted to represent the same proportions.
The Product and Vendor scores are then summed, and multiplied by the Affordability raw score to come up with Value Score. Vendors are
then indexed to the highest performing vendor by dividing their score into that of the highest scorer, resulting in an indexed ranking with a top
score of 100 assigned to the leading vendor.
The Value Index calculation is then repeated on the raw score of each category against Affordability, creating a series of indexes for Features,
Usability, Viability, Strategy and Support, with each being indexed against the highest score in that category. The results for each vendor are
displayed in tandem with the average score in each category to provide an idea of over and under performance.
The Value Index, where applicable, is refreshed every 12 to 24 months, depending upon the dynamics of each individual market.


Product Pricing Scenario & Methodology


Info-Tech Research Group provided each vendor with a common pricing scenario to enable normalized scoring of Affordability, calculation of
Value Index rankings, and identification of the appropriate solution pricing tier as displayed on each vendor scorecard.
Vendors were asked to provide list costs for SIEM appliances and/or SIEM software licensing to address the needs of a reference organization
described in the pricing scenario. For non-appliance solutions (i.e. software-only and virtual appliance architectures), physical or virtual
hardware requirements were requested in support of comparing as-installed costs.
Additional consulting, deployment, and training services were explicitly out of scope of the pricing request, as was the cost of enhanced
support options, though vendors were encouraged to highlight any such items included with the base product acquisition. The annual
software/hardware maintenance rate was also requested, along with clarity on whether or not the first year of maintenance was included in the
quoted appliance/software costs, allowing a three-year total acquisition cost to be calculated for each vendor's SIEM solution. This three-year
total acquisition cost is the basis of the solution pricing tier indicated for each vendor.
Finally, the vendors' three-year total acquisition costs were normalized to produce the Affordability raw scores and calculate Value Index
ratings for each solution.
Key elements of the common pricing scenario provided to SIEM vendors included:

A three-site organization with 2200 employees located at a US head office facility, a second US satellite office, and a European satellite
office. IT functions, including 3 dedicated IT security professionals, are located primarily at the US head office, with a small proportion of IT
staff and systems located at the European site, which also acts as a DR facility.

The firm is interested in reducing the effort associated with monitoring, alerting, and responding to security events at the Endpoint, Network,
and Data Center levels:

The volume & complexity of ad hoc queries against logged and correlated event data is fairly small, driven primarily by incident response
efforts and gaps in canned compliance reports.
The SIEM product would be used regularly by four IT staff across the US head office and European satellite site, with additional
dashboard-/report-level access for another four users in compliance/audit and IT management/executive roles.

200 devices were identified as log data sources for a SIEM solution, including network components, security systems, and both physical
and virtual servers. Windows Domain, Oracle databases, MS Exchange and SharePoint, and BES and VOIP environments were explicitly
identified in the scenario, and the peak logging volume was specified at 5000 events per second (eps).


SIEM Survey Demographics
[Survey demographic charts: Industry, Country, Revenue, FTEs, IT Employees]