SIEM Product Comparison – 2016

We at Infosecnirvana.com have done several posts on SIEM. After the Dummies Guide on SIEM, we followed it up with a SIEM Product Comparison – 101 deck. The SIEM comparison we did was in 2014. After two years we are taking a look at the SIEM market and comparing them alongside. The leaders in this space according to Gartner are still the following products (in no order):

1. HP ArcSight – Review

2. Intel Security – Review

3. IBM QRadar – Review 

4. Splunk SIEM – Review

5. LogRhythm

In the below post, we have tried to provide detailed explanations of the Strengths and Weakness of these various SIEM products as evaluated in 2016. Finally, we provide a Scorecard for the products based on various capabilities.

HP ArcSight: Since 2014, ArcSight has come a long way. They have added quite a few features along the way that has added to their strengths. For example, Connector load balancing was definitely a welcome addition after several years of being requested.  However, the weakness list is still the same. One of things frustrating users mainly is that the Web architecture for administration and management is not as mature as the thick client.

IBM QRadar: Since 2014, QRadar has continued to maintain its pole position in product ratings and evaluations. There have not been major product announcements after QVM and Incident Forensics other than IBM App Exchange (a Splunk App store style approach to extensions and plugins). While the strong points of IBM QRadar are still true, the weaknesses have started to crop up in areas of operational efficiency and reliability.

Intel Security: This is one product that underwhelms when it comes to realizing its true potential. They checked all the boxes required for monitoring with ADM, DAM, DPI, ATD etc. However, the real problem with erstwhile Nitro has always been stability and management overhead. Two years later, the strengths have increased no doubt, but the weaknesses still remain around reliability.

Splunk: This is one of the products that has gone through several changes in the past two years. They have expanded their capabilities significantly in the “App for Enterprise” space with predefined security indicators and dashboards and visualizations. They have also improved the support for packet captures and analysis. With the purchase of Caspida, behaviour analytics capabilities will come into Splunk. While the strengths column has increased, the weakness column still remains the same.

LogRhythm: The new and upcoming unified SIEM player LogRhythm has come a long way from its humble beginnings. In the past 2 years, LogRhythm has added several new features to their product including but not limited to incident response and case management workflow,  centralized evidence locker, collaboration tools, risk based profiling and behavioural analytics to identify statistical anomalies for network, user and device activity.  This combined with ease of deployment and competitive price has definitely opened up the leaders quadrant to some exciting shake up.  Let’s take a look at the strengths and weakness for LogRhythm.

Overall Scorecard: 

Any evaluation is incomplete without a scorecard. So we have consolidated feedback from various sources and provided a weighted score on the five SIEM products reviewed above.

Conclusion:

Based on the review of SIEM products done this year, we feel innovation in the SIEM space has plateaued. The next generation Security Analytics and Big Data technologies are slowly becoming mainstream thereby relegating the SIEM solution purchases to a more compliance driven initiative.

Please share your thoughts on how you would rate the various SIEM products discussed here.