Enterprise IT professionals who use these leading security information and event management (SIEM) products identify the most valuable features and the areas needing improvement.

IT and security managers in the IT Central Station online community say that the most important characteristics of security information and event management (SIEM) products are the ability to combine information from several sources and the ability to do intelligent queries on that information.

Four of the top SIEM solutions are Splunk, HPE ArcSight, LogRhythm, and IBM Security QRadar SIEM, according to online reviews by enterprise users in the IT Central Station community.

But what do enterprise users really think about these tools? Here, users give a shout-out for some of their favorite features, but also give the vendors a little tough love.

Splunk

Valuable features

“Great for making sense of the application log’s events for business needs, e.g. requests per day, completed tasks per user, exceptions, etc.” — Hristo D., Systems/Applications Specialist at an energy/utilities company

“What Splunk calls operational intelligence: fast availability of operational data spread across several servers to prevent or react faster to outages or performance decreases.” — Enrico M., Integration Architect at a manufacturing company

Room for improvement

“It [could] be easier to set up and add new [data] sources, which Splunk [is] improving with every new version.” — Hristo D.

It needs “operational workflow … and ticketing systems to make it suitable for security operation center environments.” — Vinod S., Manager, Enterprise Risk Consulting

You can find more Splunk reviews on IT Central Station.

HPE ArcSight

Valuable features

“It reduces the amount of time required to perform an investigation because of the correlation and aggregation of all the events. From what I’ve seen for our network, it’s the best at ingestion of events.” — Joseph L., Security Response Engineer at a communications service provider

“Very stable system components (connectors, logger and correlation engine), combined with satisfactory vendor support; and the ability to create parsers for all kinds of applications and systems is an important differentiator.” — Kerem O., IT Security Assistant Manager at a financial services firm

“It’s a reliable service and provides our team members with a lot of knowledge. In turn, it provides solutions for the needs of the IT department.” — SrMgrFraud840, Senior Manager Fraud Services at a financial services firm

Room for improvement

“It’s complicated to deploy. I need a logger at each site, which also gets quite expensive. There’s no shared loggers.” — Mathew V., EVP & Global Head – Services at a tech company

“Although we’re able to customize it, it requires some level of subject-matter expertise for all the special adapters for collection.” — Dwaine O., Sr. Director, Corporate Information Security at a communications service provider

“I’d like to see some threat intelligence out of the box rather than adding it in subscriptions. It also needs more straightforward and simplified correlation rules so that a [security operations center] analyst can dive right in rather than undergo a separate induction program. Right now, the attrition rate is high.” — SecOpsMgr861, Technical Support & Enterprise Security Operations Manager at a communications service provider

You can find more HPE ArcSight reviews on IT Central Station.

LogRhythm

Valuable features

“It creates a good feedback loop whereby I’m able to scan through and see what off-limits activities users have been doing.” — ITDirector685, Director of Information Technology at a university

“The most valuable feature is the AI engine, as well as the usual SIEM product stuff. The ability to have all of our logs in one place is a big [advantage].” — Ryan C., Information Security Analyst at a financial services firm

“Out of the box, it’s very easy and intuitive to get started. It’s easy to see the impact of the event.” — Jon A., VP, Information Systems Security Officer at a financial services firm

Room for improvement

“We would like to see better base templates for reporting.” — ITSecManager188, IT Security Manager at a financial services firm

“The main area of improvement is that the client must be installed on the computer for all of the functions to work. So if the client doesn’t have a customer in their system, they can’t use it.” — SecAnalyst1262, Security Analyst at a retailer

You can find more LogRhythm reviews on IT Central Station.

IBM Security QRadar SIEM

Valuable features

“I find that the dashboards are the most helpful to get an overview of traffic flow and issues.” — John C., Cyber Security Adviser at a security firm

Built-in “rules and reports are comprehensive so out of the box the system does things.” — Jock F., Security Solution Architect at a communications service provider

Room for improvement

“Need for multiple Java versions for deployment setup is a pain.” — Jock F.

You can find more IBM Security QRadar SIEM reviews on IT Central Station.

These reviews of select SIEM products come from the IT Central Station community. They are the opinions of the users and are based on their own experiences.