Security Information and Event Management (SIEM) is a key enterprise security technology, with the ability to tie systems together for a comprehensive view of IT security.
While each vendor has its own take on SIEM, Gartner lists the primary features for enterprise SIEM as: Ingestion of data from multiple sources; interpretation of data; incorporation of threat intelligence feeds; alert correlation; analytics; profiling; automation; and summation of potential threats.
SIEM products are differentiated by cost, features, and ease of use. Generally, the more you pay, the greater the sophistication and management complexity, so buyers must weigh their needs, budget and expertise as they decide on a SIEM system.
Despite its relative maturity, the SIEM market is still growing at double-digit rates. A major trend is the growing use of behavioral analytics and automation to filter out less urgent alerts so security teams can focus on the biggest threats. Analysts see the cloud as a growing means of delivery for SIEM services, both for SMBs and for hybrid organizations seeking easier ways to keep track of their complex environments.
Below is a brief summary of the top SIEM vendors, followed by a chart rating key features such as security, performance, value and support. Each summary links to an in-depth look at each SIEM product, including features, intelligence, analysis, pricing and more. Read more about our top security vendor methodology.
Here then are our picks for top SIEM products.
- Product feature comparison chart
- SolarWinds Log & Event Manager
- Splunk Enterprise Security (ES)
- LogRhythm SIEM
- AlienVault Unified Security Management (USM)
- Micro Focus ArcSight
- Micro Focus Sentinel Enterprise
- McAfee Enterprise Security Manager (ESM)
- Trustwave SIEM Enterprise and Log Management Enterprise
- IBM Security QRadar
- RSA NetWitness Suite
- SIEM Product Comparisons
- Honorable Mentions
SolarWinds may lack the full security suite of competitors, but it scores well in ease of deployment, cost, performance, and support. Its virtual appliance format makes it a good choice for SMEs and larger organizations with limited IT resources.
Splunk's SIEM system is highly rated and popular, but licensing costs may push it beyond the reach of some SMEs. It is best fit for larger, well staffed IT organizations that are willing to pay the price for high security effectiveness.https://o1.qnsr.com/log/p.gif?;n=203;c=204660767;s=9477;x=7936;f=201812281314300;u=j;z=TIMESTAMP;a=20392941;e=i
LogRhythm is another SIEM vendor with high ratings and popularity. It is easier to deploy than some of the other top-of-the-line SIEM products, but may not scale to support very high event volume environments. It is best for small and mid-sized organizations that already possess some kind of threat intelligence and analytics functionality.
AlienVault offers a low-cost entry with surprisingly robust features for small and mid-sized companies. It may not offer all the advanced capabilities that enterprises seek, but for small and mid-sized organizations looking for their first SIEM product, AlienVault is hard to beat.
ArcSight is in a transitional period as Micro Focus integrates the SIEM solution with its products after acquiring HPE's security software products. ArcSight is strongest in organizations with large, complex SOC environments and for basic log collection use cases.
Large enterprises may not be the best fit for Micro Focus Sentinel Enterprise, which lags behind some competitors in enterprise functionality and completeness of vision. But it should definitely be considered by small and mid-sized organizations that do not have a high-maturity SOC and do not have requirements for full incident case management, as well as by MSSPs.
McAfee might be behind IBM, Splunk and LogRhythm in overall SIEM completeness, but its turnkey appliances and ease of deployment, as well as integration with other McAfee tools, make it a strong contender on many SIEM shortlists.
Trustwave SIEM is aimed at mid-market and enterprise users. It is particularly attractive to current users of other Trustwave tools as well as buyers with diverse IT environments. One downside is a lack of threat intelligence feeds out of the box, forcing users to buy or incorporate additional threat intelligence tools.
QRadar is rated highly by most analyst firms. Implementation complexity may limit its appeal to midsize and large enterprises that require core SIEM capabilities and those looking for a unified platform that covers a wide range of security monitoring and operational technologies.
RSA NetWitness is popular in larger enterprises with well-trained, veteran IT security teams, particularly in financial, government, energy and telecom organizations. It may lack some of the features of SIEM leaders such as Splunk, LogRhythm and IBM, but has a definite edge in existing RSA, Dell and EMC shops.
See these pages that compare two SIEM products against each other:
- ArcSight vs. IBM QRadar
- IBM QRadar vs. Splunk
- LogRhythm vs. Splunk
- AlienVault vs. Splunk
- SolarWinds vs. Splunk
In addition to our top SIEM picks, there are a number of other promising SIEM solutions out there. Here are some others to consider.
Sumo Logic is a new entrant to the SIEM market, offering a solution the company says is purpose-built for cloud, hybrid and DevSecOps environments, and machine learning surfaces recommendations for security teams to address.
Exabeam SMP's advanced analytics, threat hunting and incident response make it a good choice for enterprises with behavioral use cases and those seeking integrated orchestration and response capabilities.
Securonix offers SaaS and on-premises versions, advanced analytics and incident response, along with modules aimed at fraud, patient data and trade surveillance, making it an attractive option for large enterprises with sensitive data and a need for advanced features.
Rapid7 works best for small and midsize organizations looking for SIEM as a service with the option to outsource monitoring and response to the vendor.
Organizations and managed service providers already using Fortinet network technologies should consider FortiSIEM, as the solution is part of Fortinet's Security Fabric framework.
SMBs with compliance needs looking for basic threat detection with the option of vendor co-management should consider EventTracker.
Ideal for midsize organizations with monitoring requirements in Europe and those seeking to include SAP in their security and compliance monitoring.
Venustech is best suited for organizations in the Asia/Pacific region seeking a SIEM solution with analytics and network monitoring capabilities.
ManageEngine is best suited for midsize organizations with Windows-centric and AWS/Azure environments looking for basic threat detection and IT operations monitoring.
BlackStratus is best for midsize organizations seeking a cloud-based SIEM solution with optional managed services, and MSSPs seeking a multitenant SIEM to deliver monitoring services.