Let's start out by saying that the SIEM and UTM clubs are not mutually exclusive. You can - and should - belong to both. The histories of these two tools are, actually, quite similar. Both came from the concatenation of several point solutions to point problems. In the case of the SIEM, it was the joining of security information and event management. In the UTM, it was grouping a number of tools together that conveniently fit into a single appliance. Typically, the appliance was located on the perimeter of the enterprise. The functionality of these two types of appliances - and they can be physical or virtual - has grown to keep pace with the times, but they still have two defining differentiators: SIEMs consume data from multiple external sources while UTMs develop their own data from various forms of monitoring.
We start with SIEMs because they are the easiest to place in the architecture of the typical enterprise. The main purpose of the SIEM is analysis. Different SIEMs use the analysis in different ways but, at their cores, SIEMs take in a lot of data from multiple sources, normalize it and correlate it so that conclusions can be drawn and decisions made. The key - or, at least, the first key - to SIEM functionality is normalization. This means that the SIEM must be able to consume whatever kind of data you want to feed it. It is not enough, of course, simply to consume the data. Once consumed and normalized - placed into a format that the SIEM will find consistent with other consumed data - the SIEM can analyze.
Normalization consists of parsing the consumed data into chunks that are meaningful in the context of the SIEM's analysis functions. So if the only thing the SIEM can consume is syslog format, you have a problem. Data comes into the device in a variety of formats and not all of them are syslogs. This usually means that the manufacturer will, at some point, need to write a custom connector for some obscure data format brought to it by a customer. If your SIEM manufacturer can't - or won't - do that, you have the wrong product.
| The bottom line? You likely need both SIEM and UTM...
|
However, most SIEM manufacturers will, and most have, very large collections of pre-written collectors. The collectors may be called something else, such as interfaces, but their purpose is to parse the data from a particular source into useful chunks. Check the devices in your enterprise and the product logs that you want to watch and make sure they all are supported by the SIEM you are considering. Next comes correlation.
SIEMs take the normalized data and correlates it so that they have a complete picture from the perspective of every device connected to them. That means that they "connect the dots" between the firewall, IDS/IPS and any other log-producing devices on the network. The more data points a SIEM has, the more useful it becomes. Finally, the SIEM makes something useful out of all of the data points.
This often means that there are additional data points that are not threat-related. Typically, we think of SIEMs as taking in threat information and telling us what we should worry about. In reality, a good SIEM is a risk analysis tool. It not only should take in threat data from sources such as event logs, it also should take in vulnerability data from recent scans. It should know about the assets on your network and it should be able to accept your weightings so that it can triage alerts and other analysis properly.
UTMs, on the other hand, generate data from events that they are intended to monitor. A UTM might be an excellent feed for a SIEM. UTMs do not just generate data, either. Some UTM functionality is aimed at such things as providing VPN service. Here is where it can be difficult to select a UTM product. If you are not using a UTM at the moment, you probably have many of the point solutions to individual challenges. So, for example, if you are running a VPN already, does it make sense to buy a UTM that also provides a VPN?
Actually, it might. Depending on the other functionality - and how much redundancy it has with tools that you have already - it may make perfect sense to buy the UTM and turn off the unneeded functions. But don't assume that just because you are running a suite of tools individually that are redundant with a UTM, you shouldn't buy the UTM. In many cases, the UTM offers several advantages over those point solutions.
First, it likely is easier and more efficient to administer the UTM than a bunch of individual tools. Ease of administration translates into efficiency and that translates straight to your bottom line. Also, there are benefits to seeing the bulk of your security environment in a single pane of glass. Again, more efficiency is better.
So, the bottom line? You likely need both SIEM and UTM, and just because you have point solutions does not mean that a good UTM is out of the question for your enterprise.
| Vendor | Performs log | Offers agentless log | Availble as a cloud appliance | Supports gateway anti-virus capabillity | Offers intrusion prevention | Performs web content filtering | Supports DLP functionality | Includes built-in templates to support regulatory compliance |
| AlienVault | ● | ● | ● | ○ | ● | ○ | ○ | ● |
| Check Point | ● | ● | ● | ● | ● | ● | ● | ● |
| CorreLog | ● | ● | ○ | ● | ○ | ○ | ● | ● |
| Cyberoam | ● | ● | ● | ● | ● | ● | ○ | ● |
| Dell | ● | ● | ○ | ● | ● | ● | ● | ● |
| EiQ Networks | ● | ● | ● | ○ | ○ | ○ | ○ | ● |
| EventTracker | ● | ● | ● | ○ | ○ | ○ | ● | ○ |
| LogRhythm | ● | ● | ● | ○ | ● | ○ | ● | ● |
| ManageEngine | ● | ● | ○ | ○ | ○ | ○ | ○ | ○ |
| McAfee/ | ● | ● | ● | ● | ○ | ○ | ● | ● |
| Netikus | ● | ● | ○ | ○ | ○ | ○ | ○ | ● |
| NetIQ | ● | ● | ● | ○ | ○ | ○ | ○ | ● |
| SolarWinds | ● | ● | ● | ○ | ○ | ○ | ○ | ○ |
| WatchGuard | ○ | ○ | ● | ● | ● | ● | ● | ● |
| ZyXEL | ● | ○ | ○ | ● | ● | ● | ○ | ○ |
