Product Group Tests
TriGeo Security Information Management is the Best Buy this month for its power, simplicity and value for money.
For its excellent functionality and granular features, we rate LogRhythm Recommended.
NitroView Enterprise Security Manager v8.4 is an analyst's power tool with strong SIEM capabilities. Approved for SC Labs.
Full Group Summary
Security information and event management products offer interesting differences in focus. Peter Stephenson looks at 11 complex tools.
This month we took a look at some of the top players in the security information and event management (SIEM) market. All of the products we tested had the same core capabilities, such as correlating data from multiple sources and giving a consolidated report. They do however show interesting differences in aims.
Some had a strong forensics focus. As we know, any good SIEM is a very useful network forensics tool in the context of incident response. There are some purely forensic requirements when legal issues come into play and not all SIEMs can cover those. We did have some products in this test that covered all of the forensics bases well.
All SIEMs do some log management, but a few of the solutions that we reviewed have a legacy of log management. On the topic of log correlation, there are a couple of ways to handle that. One is to cull metadata or important pieces of data from the original logs and throw the rest away or store it in an archive. Some keep a lot of the logs online, how many usually depends upon storage. These generally offer robust drilldown capabilities, often to the level that the contents of the original log can be analysed in context with other correlated logs.
An extension of log correlation and deep diving into raw log content is the ability to replay events that the SIEM captures. Part of that includes how well it creates graphical network maps and representations of attack paths and that fits well with forensics capabilities.
What makes a good SIEM?
In this case there are a number of important considerations and it should be possible for you to find a solid product in this crop that fits your needs.
Your first step is to determine how you are going to feed the SIEM. Generally, it does not originate data logging, it simply analyses what you send it, so you will need to decide what the data sources are going to be and more is always better than less.
The extension of that requirement is what types of data your SIEM will need to handle. At the very least you should be able to handle syslogs, your firewall logs, any IDS logs that you are generating and if your infrastructure provides it, net flow data. Beyond that, Windows server logs, database logs and web server logs are very useful. The third level includes other types of application logs.
With regards to your network architecture, if you have a widely distributed environment such as multiple data centres, you need to consider how you are going to (or if you are going to) feed a centralised SIEM. Some products lend themselves easily to distributed environments with separate data collection boxes, often called receivers or collectors. These put the large volumes of data collected in a production environment into a format that allows efficient transfer to the central point without overloading the wide area network.
Finally, what kinds of reports do you need? Do you need to get regulatory reports off your SIEM? Although it is nice to be able to do that it is not always necessary. SIEMs are most valuable for trouble-shooting, investigating, correlating and alerting. Distributed attacks, complicated attack paths, insider abuse and a raft of other events that take place across the enterprise instead of in a single place need the correlation capabilities of a robust SIEM. These events are not limited to security events, as normal network performance failures often can be spotted with a good SIEM and a capable analyst.
How we tested
Testing these products in our lab was a huge challenge because they are so complex. We decided to focus on a select criteria including, how easy the product is to deploy, the range of data sources it can support, how well you can drill down to raw log data and how easy the dashboards and analysis screens are to populate and read. We also looked at reporting to ensure that it was consistent with the personality of the SIEM and how complete the reporting was in that context. For example, who is/are the audience(s) for the reports and is the audience well supported?
These reviews only scratch the surface of a very interesting and competent crop of SIEM products.