SolarWinds is one of the smaller players in the SIEM market, but as a vendor specializing in system management and reporting tools, the company has the intelligence to effectively create a SIEM product.
Nevertheless, SolarWinds has focused on value as the keystone of the company's SIEM product, which goes by the moniker Log & Event Manager (LEM for short) and is now in v5.3. LEM has a bargain-basement price of $4,495 and is shipped as a virtual appliance. Although the product lacks some features found in other SIEM products, such as Netflow analysis, it remains surprisingly robust.
As a virtual appliance, installation proves to be rather simple - it is just a matter of importing the virtual appliance files onto a virtual server and then configuring the virtual server with the appropriate networking and storage configuration. Simply put, installation requires little more than knowledge of how a virtual appliance is added to the network infrastructure.
LEM works with hundreds of different network devices and can import Syslog data, as well as work directly with the log capabilities of dozens of security appliances, firewalls, intrusion detection systems and so on. LEM can gather data from servers, desktops and other pieces of network equipment as well.
Initial configuration proves straightforward, as the company includes hundreds of pre-defined rules and reports that make it easy to get started. The browser-based GUI offers excellent, actionable information in a clean and easy-to-use interface. Setup wizards and best practice tips round out the configuration tasks, allowing most anyone to quickly get the system up and running.
One of the key features of LEM is its ability to visualize events. The product offers a plethora of charts, graphs and more that make it easy for an administrator to observe what is going on across the network. Many of those visualizations support real-time feeds as well. The product includes more than 300 built-in templates for report generation, making it a little easier to satisfy requirements for PCI DSS, Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SOX), NERC CIP, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) reporting.
The product also includes the ability to monitor for specific events and then execute scripts to take action. Administrators also can define notifications based on specific occurrences. Other features include compliance reporting and the ability export out data for further analysis.
A correlation engine rounds out the product's capabilities, which can process events in real time and in memory, using nonlinear and multidimensional techniques. The tool comes with nearly 700 built-in event correlation rules, potentially saving an administrator hours of work from defining rules.
Like many of the better SIEM products available on the market, LEM not only identifies and reports on anomalous behavior, it is also able to automatically take action to prevent that behavior from increasing and potentially compromising systems further, which means that LEM is able to prevent attacks in real time.