Ensuring the security and smooth operation of the entire IT infrastructure of the enterprise is one of the most important and, at the same time, the most complex tasks of modern business. One of the key tools used to solve it is SIEM systems (short for Security information and event management) – information security event management systems. The main tasks solved by the modern SIEM application: collection, analysis and provision to the user in a convenient form of information received from various network components and security devices. Such tools allow you to quickly and with the least effort to respond to both existing and potential threats to the security of the company’s IT infrastructure.
As more and more business leaders come to understand the need for a thorough approach to information security, the market for SIEM systems is actively developing, and the number of solutions presented is steadily expanding. According to a report by Gartner, an IT solutions research agency, the undisputed leaders among developers of SIEM systems are Splunk (with the product Splunk Enterprise Security), IBM (QRadar Security Intelligence Platform) , LogRhythm (NextGen SIEM) and McAfee(McAfee Enterprise Security Manager). The above tools currently have the greatest functionality among the whole variety of systems and at the same time have very flexible settings. They are also represented on the Global market and can boast of such large customers.
However, several unpleasant moments for Indian users are associated with market leaders:
- High cost due to their “western” roots and high exchange rates;
- With a variety of functionality and settings, a significant part of them may be irrelevant for medium and small enterprises that do not have a fleet of several hundred or thousands of components (stations, servers, terminals, etc.).
Therefore, when choosing a SIEM system, you should first of all look at how much it satisfies your particular needs, even if in general the set of its capabilities will be slightly narrower than that of competitors. And often it makes sense not to choose only from the “rating leaders”.
Splunk and Graylog
The fact that SIEM Tools of market leaders on average have more functionality and flexibility does not mean at all that they are ahead of the OpenSource ones in all respects. For example, speaking of the informativeness of the event report, we can recall that the incident card in McAfee Enterprise Security Manager has 8 fields, in Splunk Enterprise Security there are a maximum of 236 regular fields, and in Graylog there are 1000+ user-configurable fields.
Also, an example of the advantages of Graylog is the possibility of using the query language when working with filters, and not just the regex format.
In addition to the technical parameters, when choosing a solution, you should pay attention to the features of licensing, since in the end it can significantly affect its final cost, and it is important to choose the option that suits your company. For instance:
- IBM Qradar – licensing depends on the number of events per second (EPS), flows per minute (FPM) and the number of modules purchased;
- Splunk – licensing by the amount of data collected per day (while servers / resources / installations are not licensed);
- GrayLog – licensing by how much data you collect, in Enterprise Free for Under 5 GB/Day.
Due to the large number of factors that can affect the choice of a particular SIEM system, the purpose of this article is not to provide a detailed comparison of different products. We want to draw your attention to a wide selection of SIEM products available in the market. There is no single answer to the question of which system to choose. Our experts will help you understand this diversity, analyze the needs of your company and, during the development of the project and clarification of the terms of reference, pilot implementation and testing, select the SIEM system option that is optimal for solving the tasks of your business both in terms of functionality and price.
In more detail, we will compare the SIEM Tools on the market next time.