Security Information and Event Management (SIEM) systems ingest and monitor data from multiple hardware, software and security sources to prevent attacks, spot network incursions and trace defensive weaknesses in the event of a breach. SIEM systems bring together a wide array of IT security tools such as firewalls, endpoint security, intrusion prevention and threat intelligence. Instead of a security administrator having to open multiple applications and attempt to tie together different alerts, a SIEM provides management, integration, correlation and analysis in one place.
While each vendor has its own take on SIEM, Gartner lists the primary features for enterprise SIEM as: Ingestion of data from multiple sources; interpretation of data; incorporation of threat intelligence feeds; alert correlation; analytics; profiling; automation; and summation of potential threats.
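As an added illustration (not code from the report or from any of the vendors below), the following Python sketch shows the pipeline Gartner's feature list describes: ingesting raw lines from two constructed sources, interpreting them into a common schema, tagging them against a constructed threat intelligence set, and correlating them into a single prioritized alert. All log lines, IP addresses, rule names and the threshold are assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample events from two sources: an SSH auth log and a firewall log.
RAW_EVENTS = [
    "auth 2024-01-01T10:00:01 Failed password for admin from 203.0.113.7",
    "auth 2024-01-01T10:00:03 Failed password for admin from 203.0.113.7",
    "auth 2024-01-01T10:00:05 Failed password for admin from 203.0.113.7",
    "auth 2024-01-01T10:00:09 Accepted password for admin from 203.0.113.7",
    "fw 2024-01-01T10:00:10 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22",
    "auth 2024-01-01T10:01:00 Accepted password for alice from 198.51.100.2",
]
THREAT_INTEL = {"203.0.113.7"}  # constructed threat intelligence feed (known-bad IPs)

AUTH_RE = re.compile(r"(\S+) (\S+) (Failed|Accepted) password for (\S+) from (\S+)")
FW_RE = re.compile(r"(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)")

def normalize(line):
    """Interpretation step: map a source-specific line onto one common schema."""
    m = AUTH_RE.match(line)
    if m:
        return {"source": m.group(1), "ts": m.group(2), "user": m.group(4),
                "ip": m.group(5), "action": "login_" + m.group(3).lower()}
    m = FW_RE.match(line)
    if m:
        return {"source": m.group(1), "ts": m.group(2), "ip": m.group(4),
                "dst": m.group(5), "dport": int(m.group(6)),
                "action": "fw_" + m.group(3).lower()}
    return None  # unparseable line: a real SIEM would count and surface these

def correlate(lines, threshold=3):
    """Correlation step: N failed logins followed by a success from the same
    (ip, user) pair raises one alert; a threat-intel match raises its severity."""
    alerts, failures = [], defaultdict(int)
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue
        key = (ev["ip"], ev.get("user"))
        if ev["action"] == "login_failed":
            failures[key] += 1
        elif ev["action"] == "login_accepted":
            if failures[key] >= threshold:
                alerts.append({"rule": "brute_force_then_success", "ip": ev["ip"],
                               "user": ev["user"], "ts": ev["ts"],
                               "failures": failures[key],
                               "severity": "high" if ev["ip"] in THREAT_INTEL else "medium"})
            failures.pop(key, None)  # a success closes the window either way
    return alerts

if __name__ == "__main__":
    for alert in correlate(RAW_EVENTS):
        print(alert)
```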
Methodology behind this report
This guide was based on the latest Gartner SIEM Magic Quadrant. Ten vendors were chosen, favoring "ability to execute" slightly more than "completeness of vision." Gartner also lays out the basic requirements a SIEM must meet to be included in its report. It sees SIEM as an expanding field and one where behavior analytics will play a strong role.
"Organizations are failing at early breach detection, with more than 80% of breaches undetected by the breached organization," said Kelly Kavanagh, an analyst at Gartner. "We expect SIEM vendors to continue to increase their native support for behavior analysis capabilities as well as integrations with third-party technologies."
Below is a brief summary of the top SIEM vendors, in no particular order, along with a chart giving basic details of each product. The summaries link to a detailed analysis of each product, including target markets and use cases, features, metrics, intelligence, use of agents, security certifications, product delivery (e.g., cloud, software or hardware), and pricing.
Hewlett Packard Enterprise (HPE) ArcSight
HPE ArcSight is an enterprise-class SIEM system that can ingest data from more than 350 sources and process up to 75,000 security events per second. It can be delivered via appliance, software or cloud.
Get an in-depth look at HPE ArcSight.
Splunk Enterprise Security (ES)
Splunk leverages the company's strength in operations intelligence for its growing security business, which now makes up 40% of its revenues. Splunk ES boasts integration with the company's User Behavior Analytics (UBA) and Machine Learning toolkit, and its customers ingest petabytes of data a day. It is available as a software or cloud offering.
Get an in-depth look at Splunk Enterprise Security.
IBM Security QRadar
QRadar boasts more than 400 support modules for ingesting data, which it can do at a rate of millions of events per second and billions of events per day, prioritizing risks into a manageable list. It is available on premises or in the cloud.
Get an in-depth look at IBM Security QRadar.
AlienVault Unified Security Management (USM)
AlienVault offers a lower-cost SIEM option thanks to its open source Open Threat Exchange (OTX). It can handle up to 15,000 events per second, and is available as a virtual or hardware appliance or in the cloud.
Get an in-depth look at AlienVault Unified Security Management.
LogRhythm
LogRhythm leverages the company's background in security intelligence to unify SIEM, log management, security analytics, and network and endpoint monitoring and forensics. It can scale from mid-sized businesses up to large enterprises thanks to its decentralized architecture, and can be deployed as an appliance, software or virtual instance.
Get an in-depth look at LogRhythm SIEM.
McAfee Enterprise Security Manager (ESM)
ESM processes tens of thousands of events per second and can store billions of events and flows. It is particularly popular with public sector, higher education and healthcare organizations, and McAfee has added specific capabilities to support those markets. It is available as a physical or virtual appliance.
Get an in-depth look at McAfee ESM.
Micro Focus Sentinel Enterprise
Micro Focus Sentinel Enterprise is aimed at managed security services providers (MSSPs) and enterprises with distributed IT environments. It analyzes data from a range of applications and devices and adds intelligence from the company's NetIQ subsidiary. It is offered as software or a virtual appliance.
Get an in-depth look at Micro Focus Sentinel Enterprise.
SolarWinds Log & Event Manager
SolarWinds Log & Event Manager is an easy-to-use, lower-cost SIEM option that can process up to 250 million events per day and allows for automated incident response. It is available as a virtual appliance, and pricing starts at $4,495 for 30 nodes.
Get an in-depth look at SolarWinds Log & Event Manager.
Trustwave SIEM Enterprise and Log Management Enterprise
Trustwave's SIEM products are aimed at mid-market and enterprise users and can retain data from millions of daily events for up to five years. They incorporate analytics and threat intelligence from Trustwave's SpiderLabs team. The product is available as an appliance, software or managed service.
Get an in-depth look at Trustwave SIEM.
RSA NetWitness Suite
RSA NetWitness is most popular with financial, government, energy and telecom organizations. It can process 30,000 events per second, ingest up to 10 Gbps and support up to 100,000 endpoints per scalable system.
Get an in-depth look at RSA NetWitness Suite.