Security Information and Event Management (SIEM, pronounced “sim”) is a key enterprise security technology, with the ability to tie systems together for a comprehensive view of IT security.
What is SIEM?
A SIEM system ingests log and event data from a wide variety of sources such as security software and appliances, network infrastructure devices, applications, and endpoints such as servers and PCs, to give IT security teams a centralized tool for spotting and responding to security incidents.
How SIEM works
A SIEM has two closely related purposes: to collect, store, analyze, investigate and report on log and other data for incident response, forensics and regulatory compliance purposes; and to analyze the event data it ingests in real time to facilitate the early detection of targeted attacks, advanced threats, and data breaches.
A SIEM works by ingesting and interpreting all that data and incorporating threat intelligence and advanced analytics to correlate events that could signal a cyberattack is underway. The system will then alert security teams of the threat, and potentially suggest responses to mitigate the attack, such as shutting down access to data or machines and applying a missing patch or update.
An example of correlation might be to connect a port scan with access to sensitive data, perhaps in multiple locations, thus adding context to what might otherwise seem to be unrelated events.
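The correlation described above, as an added example that is not from the article or any vendor's product: it runs a port-scan rule over constructed firewall events, then checks whether the same source host goes on to read sensitive files on one or more servers (the event schema, thresholds and windows are assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already normalized into one schema as a SIEM would
# do after ingesting firewall logs and file-server audit logs (assumed schema).
# 10.0.0.5 probes 12 ports on one host, then reads sensitive files on two
# servers; 10.0.0.9 only does ordinary work.
def _conn(ts, src, dst, dport):
    return {"ts": ts, "source": "firewall", "src": src, "dst": dst, "dport": dport}

def _file(ts, src, dst, path, sensitive):
    return {"ts": ts, "source": "fileserver", "src": src, "dst": dst,
            "path": path, "sensitive": sensitive}

EVENTS = (
    [_conn(f"2024-05-01T09:00:{s:02d}", "10.0.0.5", "10.0.1.10", 20 + s) for s in range(12)]
    + [_file("2024-05-01T09:05:00", "10.0.0.5", "10.0.2.20", "/finance/payroll.xlsx", True),
       _file("2024-05-01T09:07:30", "10.0.0.5", "10.0.3.30", "/hr/salaries.csv", True),
       _conn("2024-05-01T09:01:00", "10.0.0.9", "10.0.1.10", 443),
       _file("2024-05-01T09:06:00", "10.0.0.9", "10.0.2.20", "/public/handbook.pdf", False)]
)

def parse_ts(s):
    return datetime.fromisoformat(s)

def detect_port_scans(events, min_ports=10, window=timedelta(minutes=5)):
    """Return {src: time of first detected scan}: a source that touches at least
    min_ports distinct destination ports on one host within window."""
    by_pair = defaultdict(list)
    for e in events:
        if e["source"] == "firewall":
            by_pair[(e["src"], e["dst"])].append((parse_ts(e["ts"]), e["dport"]))
    scans = {}
    for (src, _dst), hits in by_pair.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide the window over each start time
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scans[src] = min(scans.get(src, t0), t0)
                break
    return scans

def correlate(events, follow=timedelta(hours=1)):
    """Alert when a scanning host then reads sensitive data within follow,
    listing every server (location) the sensitive reads touched."""
    alerts = []
    for src, scan_t in detect_port_scans(events).items():
        reads = [e for e in events if e["source"] == "fileserver" and e["src"] == src
                 and e["sensitive"] and scan_t <= parse_ts(e["ts"]) <= scan_t + follow]
        if reads:
            alerts.append({"src": src, "scan_at": scan_t.isoformat(),
                           "locations": sorted({e["dst"] for e in reads}),
                           "paths": [e["path"] for e in reads]})
    return alerts

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"ALERT {a['src']}: scan at {a['scan_at']}, sensitive reads on {a['locations']}")
```

Neither rule fires on its own for the benign host, and the scan alone would be low-priority noise; it is the join with the later sensitive reads that gives the analyst context.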
Why is SIEM important?
To get an idea of how important a SIEM is, consider the scale of the security incidents and data involved. A large enterprise may generate more than 25,000 events per second (EPS) and require 50 TB or more of data storage.
A SIEM’s ability to filter through all the data and prioritize the most critical security issues makes security more manageable. An effective SIEM will pay for itself in staff time saved, even as the system itself requires management and tuning.
What to look for in the best SIEM solutions
SIEM products are differentiated by cost, features, and ease of use. Generally, the more you pay, the greater the capabilities and range of coverage, so buyers must weigh their needs, budget and expertise as they decide on a SIEM system. A small business might focus on automation, ease of use and cost, while an enterprise with a sophisticated security operations center (SOC) might focus on the breadth of threats and assets covered and machine learning capabilities for discovering new and emerging threats. Regardless of an organization’s size, deployment and integration of such a complex technology can take time, so the help of consultants and services firms is often needed.
Despite its relative maturity, the SIEM market is still growing at double-digit rates. A major trend is the growing use of behavioral analytics and automation to filter out less urgent alerts so security teams can focus on the biggest threats, with advanced UEBA and SOAR capabilities becoming increasingly common. Analysts see the cloud as a growing means of delivery for SIEM services, both for SMBs and for hybrid organizations seeking easier ways to keep track of their complex environments.
There are many good SIEM products out there; our top 11 received overall scores within 5 points of each other on a 100-point scale, so your buying decision should be driven by how well a product meets your specific needs. To that end, we used 115 data points in our analysis, including product features, user experiences, independent testing where available, analyst reports, pricing data and more. We ranked SIEM products in seven areas, in order of weighting: Detection, Response, Management, Ease of Use, Support, Value and Deployment. For more information on our evaluation process, see the list of key SIEM features we considered and our section on methodology.
Top SIEM Products
Key takeaway: Securonix is the rare SIEM product with appeal for both advanced security teams and those seeking ease of use and value.
- Full-featured, with strong behavioral and data monitoring
- Relatively easy to use
- Stable pricing model
SIEM systems are not known for being cheap or easy to use or deploy. That said, Securonix, which tied for the top spot with LogRhythm and IBM, managed to score high in a number of areas: Value, Deployment, Ease of Use and Detection were in the top two, with Response and Management right behind. About the only place the company was average was in Support. Behavioral, user and data monitoring are standout features. The cloud-delivered service is priced based on the number of employees, making it one of the simpler pricing schemes in a market where data and incident volume predominate. It is full-featured, with the only omissions of note being that IDPS, EDR, forensics and asset discovery come at an additional cost.
Key takeaway: LogRhythm is a SIEM system for security teams willing to pay a little more for top security, response and management capabilities.
- Tops in Response, Detection and Management – the trifecta of enterprise security
- Deployment and ease of use get surprisingly high marks for an enterprise-class security product
- Full-featured – offers users just about everything possible in a SIEM product
- UEBA and network monitoring cost extra
- Can get a little pricey
LogRhythm scored high in almost all areas, with a top-third score in Value the only exception. Response, Detection and Management were all top scores, and Deployment and Ease of Use were also highly rated. It’s about as full-featured as a SIEM product can be, with all of the 37 major features we look for offered, although UEBA and network monitoring cost extra. About the only thing lacking is managed services, although support and professional services receive high scores. It is available in cloud, software, hardware and hybrid versions. Users are very high on the product’s detection, response, compliance and log management capabilities.
Key takeaway: The rich variety of standard features and relative ease of use make QRadar an option for smaller companies, but its advanced detection and response capabilities make it most popular with companies with strong security needs and expertise.
- A rich, full-featured product with many options for deployment and use cases
- Good ease of use for a sophisticated product
- Good for high security needs
- Investigation and incident management costs extra
- Lack of native EDR
- Licensing can be complex
Big Blue came out on top in Detection, Management, Deployment and Ease of Use, and in the top quartile in Response and Value. The only area the company lagged in was Support, where it was roughly in the lower middle. SIEM deployments generally aren’t simple, but two-thirds of QRadar users report getting the job done in less than 6 months. Deployment is not just about ease, however, and that’s where IBM scored high. The company offers a number of options for deployment – appliance, virtual, cloud, hybrid – and a number of possible configurations within those, plus extensive support for third-party applications. We examined 34 features as part of this review, and IBM is one of only five SIEM vendors to offer all 34 features, and only one of them – investigation and incident management – costs extra. The others offering all 34 features include Splunk, Securonix, LogRhythm and Fortinet, and only LogRhythm offers all of them standard. IBM’s lack of an EDR product makes for some challenges, but third-party support is there. Perhaps not surprisingly, a product this versatile and complex can come with licensing challenges.
Key takeaway: Those seeking ease of use and automated response and McAfee shops will most benefit from ESM.
- Tops in Ease of Use
- Automated response features
- Solid capabilities across the board
- Behavioral capabilities need improvement
- No data residency monitoring
- IDPS, EDR and file integrity monitoring cost extra
McAfee was one of three vendors in the second tier of our results – along with Splunk and Exabeam – but we should note that the difference between first and second in this case is 1 point out of 100. McAfee came out on top in Ease of Use, with strong automated response features, no small consideration for SMBs and less experienced enterprise security teams. Deployment was another high mark, and Response, Detection and Management were all above average. Support and Value were about average. Product capabilities are solid across the board, but behavior analytics is one area for improvement. McAfee offers most SIEM features, with data residency monitoring the only noteworthy omission and IDPS, EDR and file integrity monitoring costing extra.
Key takeaway: Organizations seeking top-notch security and deployment flexibility will find much to like in Splunk, even though pricing may be a challenge.
- Does just about everything right: Deployment, security and management are all tops
- Flexibility in deployment and features
- Reporting and alerting get high marks
- Can get pricey
- IDPS, EDR, database monitoring, file integrity and vulnerability monitoring cost extra
Splunk’s SIEM offerings came out on top in Deployment and Management and in second for Ease of Use – no small achievement in a technology known for its complexity. Splunk Enterprise Security can be delivered just about every way imaginable: IaaS, cloud-hosted, software, appliance, hybrid. Splunk also scored high in Detection and Response, with reporting, data visualization, alerting, application and log monitoring and analytics some of the features praised by users. Value and Support were two areas the company lagged in. Splunk can get pricey, users note, and it remains to be seen whether new pricing options will help alleviate that issue. Enterprise Security remains the core offering, with UBA and the Phantom SOAR solution available at extra cost. IDPS, EDR, database monitoring, file integrity monitoring and vulnerability monitoring are some of the features costing extra.
Key takeaway: A combination of ease of use and a modular approach make Exabeam a good choice for smaller businesses up to larger enterprises and sophisticated security teams.
- Strong behavioral analytics
- Ease of use and automation features
- User-based pricing
- Some common features missing, such as EDR, IDPS, vulnerability monitoring
- Deployment could be simpler
Exabeam’s Security Management Platform tied Securonix for top value while posting solid results in every category, making for a nicely balanced product. Coupled with high scores in Support and Ease of Use, it’s a good SIEM product for smaller or less sophisticated companies to consider, but add-on capabilities make it a good product for larger enterprises and sophisticated security teams. A broad range of deployment options and a modular approach (cloud, analytics, incident response, threat hunting) give Exabeam appeal for just about any company and level of sophistication. Strong behavior analytics, automation and machine learning functions give the SIEM product a nice balance between security and ease of use, but a few common features are missing, such as EDR, IDPS, vulnerability monitoring, virtualization monitoring, file integrity monitoring, data residency monitoring and forensics. User-based pricing is a plus for transparency and simplicity.
Key takeaway: A good choice for those who want strong security, particularly for existing Fortinet customers.
- Strong security
- Compliance, asset discovery and threat intelligence are particular strengths
- EDR, IDPS and vulnerability monitoring cost extra
- Support has room for improvement
Fortinet has undergone more third-party testing than any other vendor on this list – its breach and intrusion prevention, gateways and EDR capabilities have all been tested by NSS Labs – so you can be sure you’re buying strong security. Not surprisingly, FortiSIEM scored highest in Detection, Response and Management, the three categories most aligned with security. Deployment and Ease of Use are also solid, while Value and Support were areas for improvement. Compliance, asset discovery and threat intelligence are particularly strong areas. Users are high on the SIEM product’s real-time monitoring capabilities, with behavioral monitoring being one area the product could improve in. Fortinet offers every one of the 34 SIEM features we examined for this review, although EDR, IDPS and vulnerability monitoring cost extra.
Key takeaway: Strong security teams with a need for a comprehensive product would do well to consider the RSA NetWitness platform.
- A comprehensive offering from one of the best-known security brands
- Machine learning, forensics and threat hunting are particularly strong
- IDPS, EDR, behavioral analytics and asset discovery cost extra
- File integrity monitoring is a missing feature
- Value and Ease of Use are areas for improvement
With NetWitness Logs, Network, Endpoint, UEBA and Orchestrator, RSA is about as close as you can get to one-stop shopping. The downside to that is a number of common SIEM features cost extra, like IDPS, EDR, behavioral analytics and asset discovery. Still, the total offering is pretty complete, with file integrity monitoring the only missing common feature. Machine learning, forensics and threat hunting are particularly strong capabilities. The SIEM product scored highest in Detection and Response, while Value and Ease of Use are areas for improvement.
Key takeaway: InsightIDR is a good choice for SMBs seeking simplicity and a managed service to back them up.
- Simple SaaS-based deployment
- Strong behavioral monitoring
- Managed services and additional security products available
- Database, email, data residency and IoT monitoring are missing features
- Vulnerability management, application security and SOAR require additional products
Rapid7’s InsightIDR posted solid scores across the board, with Value the area the SIEM product scored highest in. Deployment of the SaaS product is relatively painless, and with a product as complex as a SIEM system, that’s saying something. In addition to the core SIEM/UEBA offering, Rapid7 has other products that address vulnerability management, application security, SOAR and more. It’s not the most complete offering on the market – database, email, data residency and IoT monitoring needs would have to be met in other ways – but it’s a good choice for SMBs needing simplicity, particularly if they want a managed services offering to help fill in the gaps.
Key takeaway: A good choice for SMBs looking for good security and a painless deployment.
- Fast deployment
- EDR, intrusion detection and vulnerability management support
- Strong threat intelligence team
- A number of missing features limit USM’s usefulness to enterprises
AT&T’s Unified Security Management Anywhere (USM) is one of the quickest SIEM solutions to deploy, with users reporting deployment times of less than three months. The SaaS solution offers solid security backed by a strong threat intelligence team, but it isn’t the most complete SIEM product on the market, with database, application, network, email, ERP and IoT monitoring missing features. Still, with its EDR, intrusion detection and vulnerability management functions, USM is a solid choice for SMBs looking to up their security game.
Key takeaway: Especially good for distributed enterprises and service providers.
- Full-featured SIEM product
- Strong log management and real-time monitoring
- Strong scalability and data ingestion capabilities
- No SaaS offering
- No ERP support
Micro Focus ArcSight is a full-featured SIEM offering, with ERP integration the only noteworthy missing feature. Lack of a SaaS offering limits the product to large enterprises and service providers, but its scalability and data ingestion capabilities make it a good one for distributed environments. Log management and reporting and real-time monitoring are particular strengths.
In addition to our top 11 SIEM vendors listed above, four other vendors scored high enough to merit serious consideration by SIEM buyers.
FireEye Helix offers strong security in a full-featured SaaS offering that works particularly well in concert with other FireEye security offerings.
LogPoint offers a full-featured SIEM product with asset-based pricing and strong compliance capabilities, with particular strength in European markets.
ManageEngine provides good security for SMBs, but the absence of a number of advanced features limits its appeal for enterprises.
SolarWinds offers easy deployment and solid security that make it a good choice for SMBs and existing SolarWinds customers, but a number of missing features limits its appeal for enterprises.
We examined more than 30 key SIEM features and capabilities in our analysis. They include:
- asset discovery
- deployment options: on-premises, cloud/SaaS, hybrid, virtual, appliance
- unified management
- investigation and incident management
- advanced threat detection
- advanced analytics
- behavioral analytics
- automated correlation
- automated risk prioritization
- threat intelligence integration
- automated Indicators of Compromise
- automated response
- analyst workflow
- database monitoring
- application monitoring
- network monitoring
- email monitoring
- IoT monitoring
- vulnerability monitoring
- file integrity monitoring
- data residency monitoring
- managed services capabilities
- integration with identity management systems
- ERP integration
- Big Data platform integration
- SOAR integration
- IaaS monitoring
- cloud office suite monitoring
- virtualization monitoring
- threat hunting
- compliance reporting
We analyzed third-party test data, user reviews, product features, analyst reports, and reseller and vendor-supplied pricing, and winnowed an initial list of 30 SIEM vendors to come up with our list of 11 top vendors and four additional market leaders.
Here’s an explanation of our ratings categories, in order of their weighting:
- Detection: Not just whether the SIEM product stops a high percentage of threats, but also whether it offers features to respond to advanced and emerging threats, and user opinions of the product’s capabilities.
- Response: How well the product removes threats, alerts security teams and guides response.
- Management: Ease of use plays a role here, but more important are features that give a security team control over a broad range of attack surfaces and vectors.
- Ease of use: The higher the score, the more suitable the product may be for SMBs or less experienced security teams.
- Support: Everyone contacting support has a problem that needs solving, so responsiveness matters.
- Value: Value isn’t just price, but is also found in advanced features and high security that cost less than competing products and save companies data breach costs and security staff time in the process.
- Deployment: Not just how easy a product is to implement, but also how well it integrates with user environments.