Security Information and Event Management (SIEM) systems ingest and monitor data from multiple hardware, software and security sources to prevent attacks, spot network incursions and trace back defensive weaknesses in the event of a breach. SIEM systems bring together a wide array of IT security tools such as firewalls, endpoint security, intrusion prevention and threat intelligence and can be an important piece of your enterprise's optimal security posture. Instead of a security administrator having to open multiple apps and attempt to tie together different alerts, SIEM provides management, integration, correlation and analysis in one place.
While each vendor has its own take on SIEM, Gartner lists the primary features for enterprise SIEM as: Ingestion of data from multiple sources; interpretation of data; incorporation of threat intelligence feeds; alert correlation; analytics; profiling; automation; and summation of potential threats.
- Product feature comparison chart
- Micro Focus ArcSight
- Splunk Enterprise Security (ES)
- IBM Security QRadar
- AlienVault Unified Security Management (USM)
- LogRhythm SIEM
- McAfee Enterprise Security Manager (ESM)
- Micro Focus Sentinel Enterprise
- SolarWinds Log & Event Manager
- Trustwave SIEM Enterprise and Log Management Enterprise
- RSA NetWitness Suite
Methodology behind this report
This guide was based on the latest Gartner SIEM Magic Quadrant. Ten were chosen, favoring "ability to execute" slightly more than "completeness of vision." Gartner also lays out the basic requirements of a SIEM in order to make it into its report. It sees SIEM as an expanding field and one where behavior analytics will play a strong role.
"Organizations are failing at early breach detection, with more than 80% of breaches undetected by the breached organization," said Kelly Kavanagh, an analyst at Gartner. "We expect SIEM vendors to continue to increase their native support for behavior analysis capabilities as well as integrations with third-party technologies."
Below is a brief summary of the top SIEM vendors, in no particular order, along with a chart giving basic details of each product. The summaries link to a detailed analysis of each product, including target markets and use cases, features, metrics, intelligence, use of agents, security certifications, product delivery (e.g., cloud, software or hardware), and pricing.
ArcSight is an enterprise-class SIEM system that can ingest data from more than 350 sources and process up to 75,000 security events per second. It can be delivered via appliance, software or cloud.
Splunk leverages the company's strength in operations intelligence into its growing security business, which now makes up 40% of its revenues. Splunk ES boasts integration with the company's User Behavior Analytics (UBA) and Machine Learning toolkit, and its customers ingest petabytes of data a day. It is available as a software or cloud offering.
QRadar boasts more than 400 support modules for ingesting data, which it can do at a rate of millions of events per second and billions of events per day, prioritizing risks into a manageable list. It is available on premises or in the cloud.
AlienVault offers a lower-cost SIEM option thanks to its open source Open Threat Exchange (OTX). It can handle up to 15,000 events per second, and is available as a virtual or hardware appliance or in the cloud.
Get an in-depth look at AlienVault Unified Security Management.
See AlienVault Unified Security Management user reviews.
LogRhythm leverages the company's background in security intelligence to unify SIEM, log management, security analytics and network and endpoint monitoring and forensics. It can scale from mid-sized businesses up to large enterprises thanks to its decentralized architecture, and can be deployed as an appliance, software or virtual instance.
ESM processes tens of thousands of events per second and can store billions of events and flows. It is particularly popular with public sector, higher education and healthcare companies, and McAfee has added specific capabilities to support those markets. It is available as a physical or virtual appliance.
Micro Focus Sentinel Enterprise is aimed at managed security services providers (MSSPs) and enterprises with distributed IT environments. It analyzes data from a range of applications and devices and adds intelligence from the company's NetIQ subsidiary. It is offered as software or a virtual appliance.
SolarWinds is an easy to use, lower-cost SIEM option that can process up to 250 million events per day and allows for automated incident response. It is available as a virtual appliance, and pricing starts at $4,495 for 30 nodes.
Trustwave is aimed at mid-market and enterprise users and can retain data from millions of daily events for up to five years. It incorporates analytics and threat intelligence from SpiderLabs. The product is available as an appliance, software or managed service.
Get an in-depth look at Trustwave SIEM.
RSA NetWitness is most popular with financial, government, energy and telecom organizations. It can process 30,000 events per second, ingest up to 10Gbps and support up to 100,000 endpoints per scalable system.