Incident Response, TDR

SIEM: A mature category attracts some surprising new players

This month, we look at security information and event management (SIEM) tools. What struck me about this category – which I thought was fairly mature – is that there are players this year that I did not expect. Companies that are not traditional SIEM suppliers are getting in the game and doing a very credible job of it at that.

Given that this month has a few surprises, I thought I would stay in that spirit and add something else new to the mix. This month marks the debut of a new contributor at the labs: Frank Ohlhorst is a reviewer with long experience in our field in particular and in computing in general. He shares the spotlight with Mike Stephenson this month and the results, I'm sure you'll agree, are gratifying. There is a lot to digest this month with a pretty good stable of products in the lab.

The whole idea behind SIEM has been evolving and morphing for several years now. Personally, I find the SIEM one of the most important devices on the network. I take that position because a really good SIEM will do two things for you. First, it will allow alerting on complicated events that might otherwise escape notice. Second, it allows detailed analysis into root cause from a forensic perspective.

From the alerting perspective, because the SIEM takes its input from a variety of sources, it gets different perspectives on the data flowing through the network. Taking, for example, net flows, syslogs and output from intrusion detection/prevention systems (IDS/IPS) and firewalls, and correlating them with criticality weightings, gets you to an alert a lot faster than looking at those events and flows separately. An especially important aspect is the ability to correlate net flows with events. This provides a sort of vectoring ability that can help the analyst figure out which devices in the enterprise have been affected by an event.
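To make the correlation and vectoring idea concrete, here is an added example that is not part of the original column and not the code of any product reviewed in it. It assumes a handful of constructed firewall, syslog and IDS records plus a few constructed net-flow records, assigns each feed an assumed criticality weight, scores each internal host over a sliding five-minute window, and then follows the flows out of any host that crosses the alert threshold to list the other devices it touched.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed criticality weights: how much one record from each feed counts toward an alert.
CRITICALITY = {"firewall": 1, "syslog": 2, "ids": 4}

# Constructed sample events (not real telemetry). Each names the internal host it concerns.
EVENTS = [
    {"ts": "2024-05-01T10:00:05", "source": "firewall", "host": "10.0.1.7", "msg": "deny tcp 203.0.113.9 -> 10.0.1.7:445"},
    {"ts": "2024-05-01T10:00:41", "source": "syslog",   "host": "10.0.1.7", "msg": "sshd: Failed password for root"},
    {"ts": "2024-05-01T10:01:10", "source": "syslog",   "host": "10.0.1.7", "msg": "sshd: Failed password for root"},
    {"ts": "2024-05-01T10:02:30", "source": "ids",      "host": "10.0.1.7", "msg": "IDS: lateral movement signature"},
    {"ts": "2024-05-01T10:40:00", "source": "syslog",   "host": "10.0.1.7", "msg": "sshd: Failed password for root"},
    {"ts": "2024-05-01T11:30:00", "source": "firewall", "host": "10.0.1.9", "msg": "deny udp 198.51.100.4 -> 10.0.1.9:161"},
]

# Constructed sample net flows (src -> dst). One flow predates the burst and must be ignored.
FLOWS = [
    {"ts": "2024-05-01T09:00:00", "src": "10.0.1.7",  "dst": "10.0.2.99", "bytes": 500},
    {"ts": "2024-05-01T10:03:00", "src": "10.0.1.7",  "dst": "10.0.2.15", "bytes": 820000},
    {"ts": "2024-05-01T10:03:20", "src": "10.0.1.7",  "dst": "10.0.2.16", "bytes": 1200},
    {"ts": "2024-05-01T10:04:00", "src": "10.0.2.15", "dst": "10.0.3.2",  "bytes": 43000},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def score_hosts(events, window=timedelta(minutes=5)):
    """For each host, find the highest weighted score over any sliding window.

    Returns {host: (score, window_start, window_end, events_in_window)}.
    """
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    results = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: _parse(e["ts"]))
        best = (0, None, None, [])
        for i, start_ev in enumerate(evs):
            start = _parse(start_ev["ts"])
            # Events are sorted, so everything within `window` of this one is contiguous.
            in_window = [e for e in evs[i:] if _parse(e["ts"]) - start <= window]
            score = sum(CRITICALITY.get(e["source"], 1) for e in in_window)
            if score > best[0]:
                best = (score, start, _parse(in_window[-1]["ts"]), in_window)
        results[host] = best
    return results


def trace_flows(flows, origin, start, end):
    """Follow flows transitively out of `origin` within [start, end] (the vectoring step).

    Returns the set of other hosts reached, directly or through intermediate hops.
    """
    reached, frontier = set(), [origin]
    while frontier:
        node = frontier.pop()
        for f in flows:
            t = _parse(f["ts"])
            if f["src"] == node and start <= t <= end and f["dst"] != origin and f["dst"] not in reached:
                reached.add(f["dst"])
                frontier.append(f["dst"])
    return reached


def correlate(events, flows, window=timedelta(minutes=5), threshold=5):
    """Raise one alert per host whose weighted window score reaches `threshold`,
    attaching the feeds that contributed and the devices its flows touched."""
    alerts = []
    for host, (score, start, end, evs) in score_hosts(events, window).items():
        if score < threshold:
            continue
        # Look at flows from the first event up to one window past the last event.
        affected = trace_flows(flows, host, start, end + window)
        alerts.append({
            "host": host,
            "score": score,
            "sources": sorted({e["source"] for e in evs}),
            "affected": sorted(affected),
        })
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for alert in correlate(EVENTS, FLOWS):
        print(alert)
```

Run on the constructed data, the single firewall deny for 10.0.1.9 never reaches the threshold on its own, while the burst on 10.0.1.7 does because four feeds agree within a few minutes; the flow trace then names 10.0.2.15, 10.0.2.16 and, one hop further, 10.0.3.2 as the devices to look at next, and drops the flow from an hour earlier. The weights, window and threshold are the knobs a real deployment tunes per source and per asset.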

From the analytic viewpoint, a major challenge is dealing with very large amounts of data. Information security should focus on the data, so even if there are devices involved – which, of course, there are – understanding how the data flows through those devices is the key to understanding how to analyze the event. The SIEM facilitates that understanding because it correlates the large amount of information on the network to pare it down to a manageable size.

Some SIEMs, as we will see, have more capability and some a bit less. However, this is a very good crop, including a few surprising entries, and there likely is a product here for just about any size and complexity of enterprise. Take a close look, always with your particular requirements in mind, and narrow your selection down to a short list of products that fit your needs and interest you. Then take a deeper look at those few products.

Be sure that you define your needs thoroughly. There are a few of these products that excel in log management, for example, so if that is what you need, take a look at them. There are a few that focus on alerting, and a few that focus on analytics. Then there is that small group of power products that do all of that. Take your pick. One of the great advantages of a maturing product group is that there should be available exactly the product for your application. This month's offerings are no exception.
