7/23/2019 SIEM Comparison
1/10
SIEM Product Comparison
SIEM Technology Space
SIEM market analysis of the last 3 years suggests:
- Market consolidation of SIEM players (25 vendors in 2011 to 16 vendors in 2013). Only products with technology maturity and a strong road map have featured in the leaders quadrant.
- HP ArcSight & IBM Q1 Labs have maintained leadership in the SIEM industry with continued technology upgrades.
- McAfee Nitro has strong product features & road map to challenge HP & IBM for leadership.
[Figure: SIEM market positioning over 2011, 2012 and 2013]
HP ArcSight
Strengths:
- Extensive log collection support for commercial IT products & applications
- Advanced support for Threat Management, Fraud Management & Behavior Analysis
- Mature event correlation, categorization & reporting
- Tight integration with Big Data analytics platforms like Hadoop
- Highly customizable based on the organization's requirements
- Highly available & scalable architecture supporting multi-tier & multi-tenancy

Weaknesses:
- Complex deployment & configuration
- Mostly suited for medium to large scale deployment
- Requires skilled resources to manage the solution
- Steep learning curve for analysts & operators
The ArcSight Enterprise Threat and Risk Management (ETRM) Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information:
- ArcSight Enterprise Security Manager (ESM): correlation and analysis engine used to identify security threats in real time
- ArcSight Logger: log storage and search solution
- ArcSight IdentityView: user identity tracking / user activity monitoring
- ArcSight Connectors: data collection from a variety of data sources
- ArcSight Auditor Applications: automated continuous controls monitoring for both mobile & virtual environments
IBM QRadar
Strengths:
- Very simple deployment & configuration
- Integrated view of the threat environment using NetFlow data, IDS/IPS data & event logs from the environment
- Behavior & anomaly detection capabilities for both NetFlow & log data
- Suited for small, medium & large enterprises
- Highly scalable & available architecture

Weaknesses:
- Limited customization capabilities
- Limited multi-tenancy support
- Limited capability to perform advanced use case development & analytics
The QRadar Integrated Security Solutions (QRadar) Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information:
- QRadar Log Manager: turnkey log management solution for event log collection & storage
- QRadar SIEM: integrated log, threat & risk management solution
- QRadar Risk Manager: predictive threat & risk modelling, impact analysis & simulation
- QRadar QFlow: network behaviour analysis & anomaly detection using network flow data
- QRadar vFlow: application layer monitoring for both physical & virtual environments
McAfee Nitro
The McAfee Enterprise Security Management (formerly Nitro Security) Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information:
- McAfee Enterprise Log Manager: turnkey log management solution for event log collection & storage
- McAfee Event Receiver: collects log data & native flow data
- McAfee Database Event Monitor: database transaction & log monitoring
- McAfee Application Data Monitor: application layer event monitoring
- McAfee Advanced Correlation Engine: advanced correlation engine for correlating events, both historical & real time
Strengths:
- Integrated application data monitoring & deep packet inspection
- Integrated database monitoring without dependence on native audit functions
- High event collection rate suited for very large scale deployment
- Efficient query performance in spite of the high event collection rate

Weaknesses:
- Very basic correlation capabilities when compared with HP & IBM
- Limitations in the user interface when it concerns navigation
- Requires a lot of agent installs for application & database monitoring, thereby increasing management complexity
- No analytics capability, both Big Data & risk based
- Limited customization capabilities
- Limited support for multi-tier & multi-tenancy architecture
Splunk
Strengths:
- Extensive log collection capabilities across the IT environment
- Log search is highly intuitive, like Google search
- Flexible dashboarding & analytics capability improves log visualization capabilities
- Built-in support for external threat intelligence feeds, both open source & commercial
- App Store based architecture allowing development of Splunk plugins to suit monitoring & analytics requirements

Weaknesses:
- Pre-SIEM solution with very limited correlation capabilities
- Even though easy to deploy, increasingly difficult to configure for SIEM related functions
Splunk Enterprise is an integrated set of products that provide log collection, management & reporting capabilities using:
- Splunk Indexer: used to collect and index logs from the IT environment
- Splunk Search Heads: used to search & report on IT logs
- Splunk App for Enterprise Security: used to collect external threat intelligence feeds, parse log sources and provide basic analytics for session monitoring (VPN, NetFlow etc.)
RSA Security Analytics
Strengths:
- Great analytics using event log data & network packet capture
- Network forensics and Big Data (parallel computing) are cornerstones in the SIEM world
- Tightly integrates with the RSA ecosystem for threat intelligence, fraud detection, malware analysis etc. (each requires separate RSA tools)

Weaknesses:
- New product release from RSA, hence advanced security correlation support is poor
- Security Analytics Warehouse is a new capability with very few real world use cases
- Suited only for large enterprises with a need for complex deployment and management resources
- Poor deployment options for small and midsize customers
RSA Security Analytics is an integrated set of products that provide network forensics, log collection, management & reporting capabilities using:

Capture Infrastructure
- RSA Security Analytics Decoder: real-time capture of network packet and log data with analysis and filtering capabilities
- RSA Security Analytics Concentrator: aggregates metadata from the Decoder
- RSA Security Analytics Broker Server: reporting, management and administration of capture data

Analysis & Retention Infrastructure
- Event Stream Analysis: correlation engine
- Archiver: long term retention, storage, security & compliance reporting
- RSA Security Analytics Warehouse: Big Data infrastructure for advanced analytics
LogRhythm
Strengths:
- Well balanced log management, reporting, event management, privileged user monitoring and file integrity monitoring capabilities
- Fast deployment with minimal configuration because of the appliance form factor
- Quarterly health check programs post-deployment offer a great after-sales service experience

Weaknesses:
- Suitable for security event data only, as operational data sets slow down performance for searches and reports
- No support for Active Directory integration for role-based access control
- Suited best for small and mid size companies with basic security, regulatory compliance and reporting needs. Not scalable for very large deployments.
The LogRhythm SIEM 2.0 Security Intelligence Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information:
- Log Manager: high performance, distributed and redundant log collection and management appliance
- Event Manager: provides centralized event management and administration for a LogRhythm deployment
- Network Monitor: provides full visibility into network traffic, identifying applications via deep packet inspection and providing real-time unstructured search access to all metadata and packet captures
SIEM Vendors Critical Capabilities Score Card
(1.0 = low level of capability, 5.0 = high level of capability)

A summary scoring sheet for SIEM vendors based on their core capabilities is given below:

Capability                       | RSA Security Analytics | LogRhythm | Splunk | McAfee Nitro | IBM QRadar | HP ArcSight
Real-time Security Monitoring    | 3.1  | 3.2  | 2.5  | 3.9  | 4.2  | 4.4
Threat Intelligence              | 3.7  | 2.5  | 3.0  | 2.8  | 3.5  | 4.5
Behavior Profiling               | 2.5  | 2.3  | 3.0  | 3.0  | 5.0  | 4.0
Data & End User Monitoring       | 3.6  | 3.5  | 1.7  | 3.6  | 3.5  | 4.0
Application Monitoring           | 3.8  | 3.5  | 1.8  | 3.7  | 3.3  | 3.8
Analytics                        | 2.5  | 2.5  | 3.8  | 4.5  | 3.5  | 4.0
Log Management & Reporting       | 3.5  | 3.8  | 3.5  | 3.8  | 3.9  | 4.0
Deployment & Support Simplicity  | 3.0  | 4.0  | 2.5  | 3.5  | 3.5  | 3.0
Total (Weighted Score)           | 25.7 | 25.3 | 21.8 | 28.8 | 30.4 | 31.7
SIEM Vendors Use Cases Score Card
(1.0 = low level of capability, 5.0 = high level of capability)

Use Cases                | RSA Security Analytics | LogRhythm | Splunk | McAfee Nitro | IBM QRadar | HP ArcSight
Overall Use Cases        | 3.2  | 3.2  | 2.7  | 3.6  | 3.8  | 4.0
Compliance Use Cases     | 3.3  | 3.7  | 3.0  | 3.7  | 3.8  | 3.8
Threat Monitoring        | 3.1  | 3.1  | 2.9  | 3.8  | 3.7  | 4.0
SIEM                     | 3.2  | 3.4  | 2.8  | 3.6  | 3.8  | 3.9
Total (Weighted Score)   | 12.8 | 13.4 | 11.7 | 14.7 | 15.1 | 15.7