May 2018 Product Reviews: SIEM and UTM-NGFW

All the tools reviewed allow organisations to collect, sift through and interact with the mounds of information and events generated by networks and devices, says technical writer Dan Cure. 

This group review combines two related classes of security solution, SIEM and UTM/NGFW. While the UTM/NGFW products protect our networks from ourselves and from outside attackers, the SIEM technologies provide the ability to log any and all resulting events.

These solutions offer an intriguing promise: let them collect, sift through and interact with the mounds of information and events generated on your network and devices, and in return you gain the ability to see an intrusion coming a mile away and to stop and respond to it.

Consider that the various products in this group have been on the road toward convergence for some time now. The common theme across SIEM, UTM and NGFW remains ingesting and touching information points, which renders a composite – either an outline of enemy activities or, hopefully, on most days, a collected series of insignificant network events. What is not established, however, is which strand of the three should appear most prominent, given the braided nature of the overlapping product features.

The SIEM (Security Information and Event Monitoring) approach achieves this primarily by gathering and analysing event logs from across a system. UTM-oriented products also handle incoming information but are designed more for taking action: they employ traditional firewalls, secure gateways, email filters and IPS to address dangers once a threat has been recognised. NGFWs (Next-Generation Firewalls) follow a similar tack; informed by threat signatures and other traffic-interpretation rules, they inspect application data and freeze malicious perpetrators in their tracks. Which method should be prioritised? A prudent view says to include all three in your anti-threat arsenal.

UTM/NGFWs essentially exhibit common behaviours, many of which match those of other security solutions such as email filters and firewalls. The argument is that housing multiple anti-intrusion instruments within one device is a much cleaner and more manageable arrangement. And, practically speaking, this unified set of tools allows an IT professional to navigate it and build up competencies in a more streamlined manner.

SIEM solutions sing a slightly different song. Their forte is identification, achieved by concentrating event data from across the estate in one place. This sophisticated, powerful analytic process relies on next-generation machine learning to recognise suspicious activities. The cost of this insight grows with the number of devices on a system, each one adding to the collection, normalisation, storage, correlation, analysis and, finally, reporting of the event patterns that emerge. SIEMs are obliged to rely on dedicated appliances that monitor in real time to produce their ever-expanding treasure trove of information.

For this round of testing, we looked at a handful of UTM and NGFW devices as well as SIEM solutions. We set the UTM devices up in our secure sandbox inside the cyber-range, configured policies, and applied security profiles and threat management tools to inspect our data packets for any potential threats and to ensure that our perimeter was safe. These tools included web filtering, DNS filtering, antivirus filtering, and an intrusion detection and prevention system. We also employed port filtering, SSL inspection and a handful of other, product-specific features. During testing, we monitored system logs, packets and system resources to see how each device would handle the additional workload.

All of the solutions were software, except one. All were set up similarly in the sandbox with network connectivity to a wide variety of hosts, both servers and workstations, running various operating systems and versions. Our main objective was to make sure each SIEM was operational and could handle a load of syslog collection and reporting. We ran test scripts that generated events by creating user accounts, changing passwords, running brute-force password-cracking techniques, and more. We then looked into the SIEM to see how easy it was to trace the information back to the specific event. We also focused on how intuitive the system was and how long it took to respond while under load.
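As an added illustration of the SIEM stages named above (collection, normalisation, storage, correlation, reporting) and of the trace-back exercise in the test description, the following Python script is a toy pipeline written for this page; it is not code from SC Labs or from any product reviewed here. It parses a constructed syslog feed (account creation, password change, a burst of failed SSH logins, a success) into normalised events, correlates the failures into a brute-force alert that carries the line numbers of its originating events, and reports counts and unparsed input. The log lines, the 2018 year (BSD syslog timestamps have no year), the three-failure threshold and the 60-second window are all assumptions.

```python
# Toy SIEM pipeline: collect, normalise, store, correlate, report. Added example,
# not SC Labs or vendor code; the log lines, year and thresholds are assumptions.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed feed (not captured): user creation, password change, 4 failed SSH logins, 1 unrelated failure, a success, 1 junk line
SAMPLE_SYSLOG = """\
<86>May  5 10:01:02 web01 useradd[2101]: new user: name=svc_backup, UID=1003, GID=1003, home=/home/svc_backup, shell=/bin/bash
<86>May  5 10:01:40 web01 passwd[2114]: pam_unix(passwd:chauthtok): password changed for svc_backup
<38>May  5 10:02:01 web01 sshd[2120]: Failed password for svc_backup from 10.0.0.77 port 51022 ssh2
<38>May  5 10:02:02 web01 sshd[2122]: Failed password for svc_backup from 10.0.0.77 port 51024 ssh2
<38>May  5 10:02:03 web01 sshd[2124]: Failed password for svc_backup from 10.0.0.77 port 51026 ssh2
<38>May  5 10:02:04 web01 sshd[2126]: Failed password for svc_backup from 10.0.0.77 port 51028 ssh2
<38>May  5 10:02:07 web01 sshd[2132]: Failed password for alice from 10.0.0.15 port 40212 ssh2
<38>May  5 10:02:09 web01 sshd[2135]: Accepted password for svc_backup from 10.0.0.77 port 51040 ssh2
this line is not syslog and is reported as unparsed rather than silently dropped
"""

# RFC 3164-style line: <PRI>TIMESTAMP HOST PROG[PID]: MESSAGE
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
                       r"(?P<host>\S+) (?P<prog>[^\[\]:\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Normalisation rules: message text -> event type plus user / source-IP fields.
CLASSIFIERS = [
    ("user_created", re.compile(r"^new user: name=(?P<user>[^,]+)")),
    ("password_changed", re.compile(r"password changed for (?P<user>\S+)")),
    ("auth_failure", re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+)")),
    ("auth_success", re.compile(r"^Accepted password for (?P<user>\S+) from (?P<src_ip>\S+)")),
]

def parse_line(line, line_no, year=2018):  # year is assumed: BSD syslog carries none
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # not syslog; the caller reports it rather than dropping it
    pri, stamp = int(m.group("pri")), " ".join(m.group("ts").split())
    event = {"line_no": line_no, "raw": line, "host": m.group("host"),
             "program": m.group("prog"), "message": m.group("msg"),
             "timestamp": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
             "severity": pri % 8, "event_type": "other", "user": None, "src_ip": None}
    for event_type, pattern in CLASSIFIERS:
        cm = pattern.search(event["message"])
        if cm:
            event["event_type"] = event_type
            event.update(cm.groupdict())
            break
    return event

def collect(text):
    events, unparsed = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            event = parse_line(line, line_no)
            (events if event else unparsed).append(event or line_no)
    events.sort(key=lambda e: (e["timestamp"], e["line_no"]))  # the event store
    return events, unparsed

def correlate_brute_force(events, threshold=3, window=timedelta(seconds=60)):
    """Alert on `threshold` failures from one source against one user inside a sliding
    `window`, extend it while failures continue, and note a success during the burst."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["event_type"] in ("auth_failure", "auth_success"):
            by_key[(ev["src_ip"], ev["user"])].append(ev)
    alerts = []
    for (src_ip, user), evs in by_key.items():
        recent, alert = [], None
        for ev in evs:
            in_burst = alert is not None and ev["timestamp"] - alert["last_seen"] <= window
            if ev["event_type"] == "auth_success":
                if in_burst:  # success right after a burst is the case to escalate
                    alert["followed_by_success"] = ev["line_no"]
                continue
            recent.append(ev)
            while ev["timestamp"] - recent[0]["timestamp"] > window:
                recent.pop(0)
            if in_burst:
                alert["last_seen"], alert["failure_count"] = ev["timestamp"], alert["failure_count"] + 1
                alert["source_lines"].append(ev["line_no"])
            elif len(recent) >= threshold:
                alert = {"rule": "ssh_brute_force", "src_ip": src_ip, "user": user,
                         "first_seen": recent[0]["timestamp"], "last_seen": ev["timestamp"],
                         "failure_count": len(recent), "followed_by_success": None,
                         "source_lines": [e["line_no"] for e in recent]}
                alerts.append(alert)
    return alerts

def trace(events, line_nos):  # trace an alert back to the raw lines behind it
    by_line = {e["line_no"]: e for e in events}
    return [by_line[n]["raw"] for n in line_nos]

def run_pipeline(text):
    events, unparsed = collect(text)
    alerts = correlate_brute_force(events)
    report = {"events_by_type": dict(Counter(e["event_type"] for e in events)),
              "unparsed_lines": unparsed, "alert_count": len(alerts)}
    return {"events": events, "alerts": alerts, "report": report}

if __name__ == "__main__":
    result = run_pipeline(SAMPLE_SYSLOG)
    print(result["report"], *result["alerts"], sep="\n")
    print("\n".join(trace(result["events"], result["alerts"][0]["source_lines"])))
```

Running the script on the constructed feed yields one alert for 10.0.0.77 against svc_backup with four failures on lines 3 to 6, followed by the success on line 8; the single failure from 10.0.0.15 stays below the threshold, and the junk line appears under unparsed_lines instead of vanishing, which is the behaviour to check for when loading a real SIEM with test traffic.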

This month's look at leading SIEM/UTM/NGFW solutions found some technologies moving in new directions that will continue to evolve this space. Splunk Enterprise Security is a promising add-on to the powerful Splunk platform that takes advantage of its machine-data analytics engine to provide insight into security data and support intelligent decisions. Whether you are familiar with Splunk or not, this product deserves a look.

LogRhythm continues to amaze us here at SC Labs. The tool looks polished and very well put together. It can pull data from many sources and is moving into the End User Behavioral Analytics (EUBA) space. While we didn't get a chance to dig really deep into this functionality, if it's anything like the rest of the solution it won't disappoint.

EventTracker 9.0 is a major release that has really changed our minds about the solution. It has great analytics and a vast compliance toolset. With its ability to perform all the major functions of a SIEM, plus the benefits of its Endpoint Threat Detection and Response (ETDR) agent, it can respond to threats at the endpoint. It is approved for use in SC Labs and should be in your environment as well.

So, please take a look at this month's reviews. Please note that pricing and support options are US-based and are therefore given for guidance only, as they may vary in other territories.

AlienVault USM Anywhere

CorreLog SIEM Correlation Server

EventTracker 9.0

FortiGate 501E

LogRhythm Platform

McAfee Enterprise Security Manager

XG Firewall

Splunk Enterprise Security

Firebox M470 w/Total Security Suite