SIEM Product Comparison – 2016


SIEM Product Comparison – 2016

We at Infosecnirvana.com have done several posts on SIEM. After the Dummies Guide on SIEM, we followed it up with a SIEM Product Comparison – 101 deck. The SIEM comparison we did was in 2014. After two years we are taking a look at the SIEM market and comparing them alongside. The leaders in this space according to Gartner are still the following products (in no order):

1. HP ArcSight – Review

2. Intel Security – Review

3. IBM QRadar – Review 

4. Splunk SIEM – Review

5. LogRhythm

In the below post, we have tried to provide detailed explanations of the Strengths and Weakness of these various SIEM products as evaluated in 2016. Finally, we provide a Scorecard for the products based on various capabilities.

HP ArcSight: Since 2014, ArcSight has come a long way. They have added quite a few features along the way that has added to their strengths. For example, Connector load balancing was definitely a welcome addition after several years of being requested.  However, the weakness list is still the same. One of things frustrating users mainly is that the Web architecture for administration and management is not as mature as the thick client.

Picture1

IBM QRadar: Since 2014, QRadar has continued to maintain its pole position in product ratings and evaluations. There have not been major product announcements after QVM and Incident Forensics other than IBM App Exchange (a Splunk App store style approach to extensions and plugins). While the strong points of IBM QRadar are still true, the weaknesses have started to crop up in areas of operational efficiency and reliability.

Picture2

Intel Security: This is one product that underwhelms when it comes to realizing its true potential. They checked all the boxes required for monitoring with ADM, DAM, DPI, ATD etc. However, the real problem with erstwhile Nitro has always been stability and management overhead. Two years later, the strengths have increased no doubt, but the weaknesses still remain around reliability.

Picture3

Splunk: This is one of the products that has gone through several changes in the past two years. They have expanded their capabilities significantly in the “App for Enterprise” space with predefined security indicators and dashboards and visualizations. They have also improved the support for packet captures and analysis. With the purchase of Caspida, behaviour analytics capabilities will come into Splunk. While the strengths column has increased, the weakness column still remains the same.
Picture1

LogRhythm: The new and upcoming unified SIEM player LogRhythm has come a long way from its humble beginnings. In the past 2 years, LogRhythm has added several new features to their product including but not limited to incident response and case management workflow,  centralized evidence locker, collaboration tools, risk based profiling and behavioural analytics to identify statistical anomalies for network, user and device activity.  This combined with ease of deployment and competitive price has definitely opened up the leaders quadrant to some exciting shake up.  Let’s take a look at the strengths and weakness for LogRhythm.

Picture2

Overall Scorecard: 

Any evaluation is incomplete without a scorecard. So we have consolidated feedback from various sources and provided a weighted score on the five SIEM products reviewed above.

Picture3

Conclusion:

Based on the review of SIEM products done this year, we feel innovation in the SIEM space has plateaued. The next generation Security Analytics and Big Data technologies are slowly becoming mainstream thereby relegating the SIEM solution purchases to a more compliance driven initiative.

Please share your thoughts on how you would rate the various SIEM products discussed here.

37 thoughts on “SIEM Product Comparison – 2016”

    1. Hi Garth, I would love to review Trustwave, but I have not been able to get a closer look at them. Once I do, I can put up a post on it.

      1. Just saw this. Really helpful.

        I am also interested in your view about Trustwave. Have you got a chance to review it?

  1. It is because you keep only reviewing leaders – the leaders are those that don’t need to innovate because they have captured market share. we asked that you review Accelops as it has been in the quadrant for some time and is used across USA and EMEA.

  2. Well – I am Qradar fan and I can’t believe there arent mentioned couple of important things in new versions. Vertical and horizontal scalability with Data Node, historical data correlation and analysis, third party technology management via scripts from main management console, new purchase of Resilient Systems and integrated incident response, X Force integration and many many more incredible things. Compare also by implementation time and this 30.8 against 30.2 will turn to much bigger win towards QRadar which in fact soon will also be complimented with IBM Watson analytics/AI power:)

    1. Actually Andris, I did mention most of these items in my detailed QRadar review. IBM Watson and Exabeam integration is something that will definitely improve QRadar scores in the future.

  3. Have you considered looking at this market on a newer approach? Compliance Siem Log solution like the one listed here failed! just look at the number of breaches reported where those limited visibility log tools are used in their SOC.
    Log Siem is not enough, and currently failed!

  4. Greetings,

    Can you tell me if some of this vendors have managed services (SOC) to see, monitor and alert 24×7?

    1. Some do, but most let the General Dynamics, SecureWorks, Alertlogic do this 24/7 monitoring. General Dynamics handles Arcsight to a T, SecureWorks can handle all of them but prefers Q-Radar. HP and IBM have MSSP services but mainly on Vuln/scans, IDS/IPS, Malware monitoring, App scans. HP and IBM make money off of the software licensing not servicing it.

        1. On the Tier that the value is (Threat Analysis) they don’t have integration with technologies. Lets suppose you have Sophos on endpoint, palo alto UTM, Cisco WLAN controller, Symantec AV on ATM’s, Bluecoat, etc. Well, my expectation is that a MSSP put its SIEM technology and collect & understand every well-known technology deployed, without change it!

  5. Is Dell SecureWorks the same product as LogRhythm? Also, how does Solarwinds SIEM stack up against these other tools? thank you

  6. Thanks for sharing this! I definitely see some value of including alternative players in the market e.g. EventLog Analyzer, LogPoint, etc. I think it would also make you stand out compared to what ‘everyone’ else are describing 🙂

    1. Hi Ashish,

      You can look at the comparison done in 2014 for more details on RSA. The product has dropped in popularity over the last two years and hence we have removed it from comparison.

  7. I strongly recommend Lookwise. It has many features like Log Management, Incident Management and GRC features for compliance.

  8. ArcSight has horrible HA capabilities. It can’t be scaled horizontally or vertically. It’s a giant monolithic application not designed for the present age.

    1. I agree with you that ArcSight definitely does not have HA capabilities like other competitors. But from a scalability point of view, it is a surprise you mention it can’t be scaled. On the contrary, tier based scalability has been one of the strong points of ArcSight ever since its inception.
      I would love to hear your experience that led to this statement.

      1. RSA SA is a much better product given both Log and Packet capability, while later capability is probably not there with anyone. Also both their products Secops for Incident Management and Ecat for EDR, supports native integration with SA and all these platforms/systems working together is quite essential in dealing with current & future gen threats.

  9. Consider RSA Security Analytics as well. It has the deep packet analysis feature which will not provide by any vendor as I know. You can integrate with Bigdata as well..

  10. What about the ease of reporting capabilities across SIEMs? As far as I have seen, RSA enVision really worked well. Some SIEMs are terrible at reporting.

    1. Hi Balaji,

      All the products in the leaders quadrant have strong reporting capabilities. RSA enVision is an older generation product which has now been replaced with RSA SA.

  11. Hi guys, do you have any plan to review LogRhythm more deeply? I am already going around looking for a review for this product but can not find one that really great like all of yours review with other SIEM products. I hope that you could do the review for LogRhythm also

Leave a Reply