Best SIEM Tools & Software for 2021
Powered by real-world insights from our MDR experts, and world-class research and threat intelligence teams, InsightIDR combines the most impactful components of tech and service to aggregate and analyze data across logs, users, endpoints, and network to alert teams at the first signs of attack. But don’t take our word for it; see for yourself how Rapid7’s powerful platform integrates the best D&R minds and technology in the business into one easy-to-use solution.
In our analysis, Securonix scores highly in a number of areas: Value, Deployment, Ease of Use and Detection were in the top two, with Response and Management right behind. Behavioral, user and data monitoring are standout features. The cloud-delivered service is priced based on the number of employees, making it one of the simpler pricing schemes in a market where data and incident volume predominate.
LogRhythm scored high in almost all areas. Response, Detection and Management were all top scores, and Deployment and Ease of Use were also highly rated. It’s about as full-featured as a SIEM product can be, with all of the 37 major features we look for offered, although UEBA and network monitoring cost extra. It is available in cloud, software, hardware and hybrid versions. Users are very high on the product’s detection, response, compliance and log management capabilities.
IBM QRadar came out on top in Detection, Management, Deployment and Ease of Use, and in the top quartile in Response and Value. The company offers a number of options for deployment – appliance, virtual, cloud, hybrid – and a number of possible configurations within those, plus extensive support for third-party applications. IBM’s lack of an EDR product makes for some challenges, but third-party support is available.
McAfee came out on top in Ease of Use, with strong automated response features, no small consideration for SMBs and less experienced enterprise security teams. Deployment was another high mark, and Response, Detection and Management were all above average. Product capabilities are solid across the board. McAfee offers most SIEM features, with data residency monitoring the only noteworthy omission and IDPS, EDR and file integrity monitoring costing extra.
Splunk’s SIEM offerings came out on top in Deployment and Management and in second for Ease of Use – no small achievement in a technology known for its complexity. Splunk Enterprise Security can be delivered just about every way imaginable: IaaS, cloud-hosted, software, appliance, hybrid. Splunk also scored high in Detection and Response, with reporting, data visualization, alerting, application and log monitoring and analytics some of the features praised by users.
Exabeam’s Security Management Platform shows solid results in every category, making for a nicely balanced product. Coupled with high scores in Support and Ease of Use, it’s a good SIEM product for smaller or less sophisticated companies to consider, but add-on capabilities make it a good product for larger enterprises. A broad range of deployment options and a modular approach (cloud, analytics, incident response, threat hunting) give Exabeam appeal for just about any company.
Fortinet has undergone more third-party testing than any other vendor on this list, so you can be sure you’re buying strong security. FortiSIEM scored highly in Detection, Response and Management, the three categories most aligned with security. Deployment and Ease of Use are also solid. Compliance, asset discovery and threat intelligence are particularly strong areas. Fortinet offers every feature we examined for this review, although EDR, IDPS and vulnerability monitoring cost extra.
RSA is about as close as you can get to one-stop shopping. The downside to that is a number of common SIEM features cost extra, like IDPS, EDR, behavioral analytics and asset discovery. Still, the total offering is pretty complete, with file integrity monitoring the only missing common feature. Machine learning, forensics and threat hunting are particularly strong capabilities. The SIEM product scored highest in Detection and Response, while Value and Ease of Use are areas for improvement.
AT&T’s Unified Security Management Anywhere (USM) is one of the quickest SIEM solutions to deploy, with users reporting deployment times of less than three months. The SaaS solution offers solid security backed by a strong threat intelligence team. With its EDR, intrusion detection and vulnerability management functions, USM is a solid choice for SMBs looking to up their security game.
11 Micro Focus
Micro Focus ArcSight is a full-featured SIEM offering, with ERP integration the only noteworthy missing feature. Lack of a SaaS offering limits the product to large enterprises and service providers, but its scalability and data ingestion capabilities make it a good one for distributed environments. Log management and reporting and real-time monitoring are particular strengths.
Additional SIEM market leaders
In addition to our top 11 SIEM vendors listed above, four other vendors scored high enough to merit serious consideration by SIEM buyers.
FireEye Helix offers strong security in a full-featured SaaS offering that works particularly well in concert with other FireEye security offerings.
LogPoint offers a full-featured SIEM product with asset-based pricing and strong compliance capabilities, with particular strength in European markets.
ManageEngine provides good security for SMBs, but the absence of a number of advanced features limits its appeal for enterprises.
SolarWinds offers easy deployment and solid security that make it a good choice for SMBs and existing SolarWinds customers, but a number of missing features limits its appeal for enterprises.
Key SIEM features
We examined more than 30 key SIEM features and capabilities in our analysis. They include:
- asset discovery
- deployment options: on-premises, cloud/SaaS, hybrid, virtual, appliance
- unified management
- investigation and incident management
- advanced threat detection
- advanced analytics
- behavioral analytics
- automated correlation
- automated risk prioritization
- threat intelligence integration
- automated Indicators of Compromise
- automated response
- analyst workflow
- database monitoring
- application monitoring
- network monitoring
- email monitoring
- IoT monitoring
- vulnerability monitoring
- file integrity monitoring
- data residency monitoring
- managed services capabilities
- integration with identity management systems
- ERP integration
- Big Data platform integration
- SOAR integration
- IaaS monitoring
- cloud office suite monitoring
- virtualization monitoring
- threat hunting
- compliance reporting
We analyzed third-party test data, user reviews, product features, analyst reports, and reseller and vendor-supplied pricing, and winnowed an initial list of 30 SIEM vendors to come up with our list of 11 top vendors and four additional market leaders.
Here’s an explanation of our ratings categories, in order of their weighting:
- Detection: Not just whether the SIEM product stops a high percentage of threats, but also whether it offers features to respond to advanced and emerging threats, and user opinions of the product’s capabilities.
- Response: How well the product removes threats, alerts security teams and guides response.
- Management: Ease of use plays a role here, but more important are features that give a security team control over a broad range of attack surfaces and vectors.
- Ease of use: The higher the score, the more suitable the product may be for SMBs or less experienced security teams.
- Support: Everyone contacting support has a problem that needs solving, so responsiveness matters.
- Value: Value isn’t just price, but is also found in advanced features and high security that cost less than competing products and save companies data breach costs and security staff time in the process.
- Deployment: Not just how easy a product is to implement, but also how well it integrates with user environments.
What is SIEM?
A SIEM system ingests log and event data from a wide variety of sources such as security software and appliances, network infrastructure devices, applications, and endpoints such as servers and PCs, to give IT security teams a centralized tool for spotting and responding to security incidents.
How SIEM works
A SIEM has two closely related purposes: to collect, store, analyze, investigate and report on log and other data for incident response, forensics and regulatory compliance purposes; and to analyze the event data it ingests in real time to facilitate the early detection of targeted attacks, advanced threats, and data breaches.
A SIEM works by ingesting and interpreting all that data and incorporating threat intelligence and advanced analytics to correlate events that could signal a cyberattack is underway. The system will then alert security teams of the threat, and potentially suggest responses to mitigate the attack, such as shutting down access to data or machines and applying a missing patch or update.
An example of correlation might be to connect a port scan with access to sensitive data, perhaps in multiple locations, thus adding context to what might otherwise seem to be unrelated events.
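The port-scan-plus-sensitive-access correlation described above, sketched as a small rule engine. This is an added example, not code from the article or from any vendor's product; the log format, thresholds, addresses and file paths are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format, not from a real log source).
EVENTS = """\
2021-03-01T10:00:01 fw src=10.0.0.5 dst=10.0.1.20 dport=21 action=deny
2021-03-01T10:00:02 fw src=10.0.0.5 dst=10.0.1.20 dport=22 action=allow
2021-03-01T10:00:03 fw src=10.0.0.5 dst=10.0.1.20 dport=23 action=deny
2021-03-01T10:00:04 fw src=10.0.0.5 dst=10.0.1.20 dport=80 action=deny
2021-03-01T10:00:05 fw src=10.0.0.5 dst=10.0.1.20 dport=445 action=allow
2021-03-01T10:00:30 fw src=10.0.0.9 dst=10.0.1.20 dport=443 action=allow
2021-03-01T10:12:40 file src=10.0.0.5 host=10.0.1.20 path=/finance/payroll.xlsx op=read
2021-03-01T10:13:00 file src=10.0.0.9 host=10.0.1.20 path=/finance/payroll.xlsx op=read
2021-03-01T10:20:00 file src=10.0.0.5 host=10.0.1.30 path=/hr/reviews.docx op=read
2021-03-01T12:30:00 file src=10.0.0.5 host=10.0.1.20 path=/finance/payroll.xlsx op=read
"""

SCAN_PORTS = 5                        # distinct ports on one host that count as a scan
SCAN_WINDOW = timedelta(seconds=60)   # ...when seen within this span
CORR_WINDOW = timedelta(minutes=30)   # how long a scan stays "hot" for correlation
SENSITIVE = ("/finance/", "/hr/")     # assumed sensitive path prefixes

def parse(line):
    """Turn 'timestamp kind k=v k=v ...' into a dict."""
    ts, kind, *pairs = line.split()
    return {"ts": datetime.fromisoformat(ts), "kind": kind,
            **dict(p.split("=", 1) for p in pairs)}

def correlate(text):
    """Return (src, host, path) for sensitive reads that follow a scan by the same source."""
    events = sorted(map(parse, text.splitlines()), key=lambda e: e["ts"])
    recent = defaultdict(list)   # (src, dst) -> [(ts, port)] still inside SCAN_WINDOW
    scans = {}                   # src -> time of the most recent detected scan
    alerts = []
    for e in events:
        if e["kind"] == "fw":
            key = (e["src"], e["dst"])
            recent[key] = [(t, p) for t, p in recent[key] if e["ts"] - t <= SCAN_WINDOW]
            recent[key].append((e["ts"], e["dport"]))
            if len({p for _, p in recent[key]}) >= SCAN_PORTS:
                scans[e["src"]] = e["ts"]
        elif e["kind"] == "file" and e["path"].startswith(SENSITIVE):
            scan_ts = scans.get(e["src"])
            # Alone, this read is routine; after a scan by the same source it is an alert.
            if scan_ts and e["ts"] - scan_ts <= CORR_WINDOW:
                alerts.append((e["src"], e["host"], e["path"]))
    return alerts

if __name__ == "__main__":
    print(correlate(EVENTS))
```

The same payroll read by 10.0.0.9, which never scanned, and the 12:30 read that falls outside the correlation window raise no alert, which is the context that correlation adds over single-event rules.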
Why is SIEM important?
To get an idea of how important a SIEM is, consider the scale of the security incidents and data involved. A large enterprise may generate more than 25,000 events per second (EPS) and require 50 TB or more of data storage.
A SIEM’s ability to filter through all the data and prioritize the most critical security issues makes security more manageable. An effective SIEM will pay for itself in staff time saved, even as the system itself requires management and tuning.
What to look for in the best SIEM solutions
SIEM products are differentiated by cost, features, and ease of use. Generally, the more you pay, the greater the capabilities and range of coverage, so buyers must weigh their needs, budget and expertise as they decide on a SIEM system. A small business might focus on automation, ease of use and cost, while an enterprise with a sophisticated security operations center (SOC) might focus on the breadth of threats and assets covered and machine learning capabilities for discovering new and emerging threats. Regardless of an organization’s size, deployment and integration of such a complex technology can take time, so the help of consultants and services firms is often needed.
Despite its relative maturity, the SIEM market is still growing at double-digit rates. A major trend is the growing use of behavioral analytics and automation to filter out less urgent alerts so security teams can focus on the biggest threats, with advanced UEBA and SOAR capabilities becoming increasingly common. Analysts see the cloud as a growing means of delivery for SIEM services, both for SMBs and for hybrid organizations seeking easier ways to keep track of their complex environments.
There are many good SIEM products out there; our top 11 received overall scores within 5 points of each other on a 100-point scale, so your buying decision should be driven by how well a product meets your specific needs. To that end, we used 115 data points in our analysis, including product features, user experiences, independent testing where available, analyst reports, pricing data and more. We ranked SIEM products in seven areas, in order of weighting: Detection, Response, Management, Ease of Use, Support, Value and Deployment. For more information on our evaluation process, see the list of key SIEM features we considered and our section on methodology.