How to choose a SIEM solution: 11 key features and considerations

To protect your enterprise against security threats, you need maximum visibility. That’s the fundamental notion behind SIEM (security information and event management) software, which is essential to the security defenses of most large and many medium enterprises.

SIEM aggregates event and log data in real time from a range of network equipment, servers, system software, and other infrastructure to identify patterns, flag anomalies, and send alerts when potential threats are detected. SIEM can also play an important role in incident response.

This is a rapidly evolving space, as SIEM offerings move from on-prem to the cloud, integrate with threat intelligence systems, pile on the analytics, and add machine learning along with other new capabilities. Selecting the right SIEM for your business is a crucial decision because the investment is nontrivial—and because the configuration process is something you probably want to go through only once.

11 key SIEM features and considerations

Cloud or on-prem?

Most of the modern SIEM solutions have moved to a SaaS model in order to more quickly iterate and add features. The endless capacity of the cloud also makes it easier for vendors to integrate machine learning capabilities, which require large quantities of reference data before they can identify anomalous behavior. The general consensus is that SaaS has made SIEM better.

Nonetheless, some businesses need to keep SIEM on prem—typically because they need to abide by regulations that stipulate log or related data reside on local infrastructure. A handful of options still enable customers to deploy SIEM entirely on prem.

Analytics capabilities

An SIEM solution is only as good as the information you can get out of it. Gathering all the log and event data from your infrastructure has no value unless it can help you identify problems and make educated decisions. Today, in most cases, the analytics capabilities of SIEM systems include machine learning to help identify anomalous behavior in real time—and provide a more accurate early warning system that prompts you to take a closer look at potential attacks or even new application or network errors.

Your SIEM analytics needs will depend on a variety of factors. What sort of systems are you monitoring? What skill sets do you have available to build dashboards and reports or to perform investigations? Do you have an existing investment in an analytics platform that you want to leverage? Each of these questions can help narrow down your platform options.

If you have no existing solutions or skills in place to drive the decision, your best bet may be to pursue SIEM solutions with an extensive dashboard library or managed services to help you build what’s best for you.

Log ingestion

Another practical consideration involves ingestion—that is, how your data is consumed by your SIEM. Generally, this involves a combination of push and pull: Software agents pull log and event data from some systems (particularly those located on-prem or in a private cloud) while network hardware and cloud applications send event data directly to the SIEM through an integration or an API.

One basic issue is whether the SIEM can properly identify key information from your events out of the gate. Ideally, your SIEM should be mature enough to provide a high level of fidelity when parsing event data from most common systems without requiring customization. You should also look for an SIEM that provides flexibility when you tune the way event data is processed after it has been captured, so you can remedy situations in which your log entries aren’t being parsed properly.

Configuring alerts

The primary reason to have a modern SIEM is for sophisticated real-time monitoring of your systems. But that has little value unless a human is monitoring the system for alerts or notifications (in the form of emails, text messages, or push notifications to mobile devices).

The problem with alerts and notifications, as any email user knows, is keeping the volume manageable. If users receive too many notifications, they will either disable them or ignore them. If too few, then critical threats may be missed. Look for flexibility in configuring alerts, including rules, thresholds (i.e., system was down for 15 minutes, 20 errors per minute for 10 minutes, tec.) and alert methods (SMS, email, push notifications, and webhooks).

Automated remediation

In a perfect world, computer systems would detect an attack or an application problem and automatically take steps to remediate the issue. While this isn’t fully possible yet, in certain scenarios, it’s appropriate to have certain events trigger an automated response (locking a user account, adding an IP address to a blacklist, etc.).

A key automation feature you should look for is the ability to grow into your rules, starting with monitoring and alerting (in order to fine tune conditions and limit false positives) and progressing into fully automated remediation once full confidence in your rule conditions are established.

Role-based access

For large enterprises with diverse business segments, multiple application teams, or dispersed geographic locations, role-based access is imperative. Providing admins, developers, and analysts access to just the log events they need is not only a matter of convenience, but also requisite to the principle of least privilege—and, in some industries, certain regulatory mandates.

The events captured by an SIEM often provide a deep level of detail on application and service functionality or even how devices on your network are configured. Gaining illicit access to this event data can benefit malicious actors looking to infiltrate your systems, the same way thieves benefit from casing target before a heist. Limiting user access to SIEM event data is a best practice for a reason: it limits the impact of a compromised account and ultimately helps protect your network as a whole.

Regulatory compliance

Many industry regulations—such as HIPAA or Department of Defense STIGs (Security Technical Implementation Guides), to name just two—not only require the use of an SIEM or a similar utility, but also specify how the solution should be configured.

Study the relevant requirements for your organization in detail. Things to look for include retention periods, encryption requirements (for both data in transit and data at rest), digital signatures (to ensure event data is not modified in any way), and reporting obligations. Also keep in mind that most compliance regimens include an audit or reporting element, so make sure your SIEM solution can spit out the appropriate documentation or reports to satisfy auditors.

Event correlation

Perhaps the biggest reason to implement an SIEM is the ability to correlate logs from disparate (and/or integrated) systems into a single view. For example, a single application on your network could be made up of various components such as a database, an application server, and the application itself. An SIEM should be able to consume log events from each of these components, even if they are distributed across multiple hosts, and correlate those events into a single stream. This enables you to see how events within one component lead to events within another component.

The same principle applies to an enterprise network as a whole. In many cases, correlated event logs can be employed to identify suspicious privilege escalation or to track an attack as it impacts various segments of your network. This broad view has become increasingly relevant as organizations move to the cloud or implement container-based infrastructure such as Kubernetes.

SIEM ecosystems

An SIEM by nature depends on connecting with other systems from a variety of vendors. Of course, there are data exchange standards—from text-based log files to protocols such as SNMP (simple network monitoring protocol) or Syslog. If an SIEM can integrate directly (or through plugins) with other systems, that makes things much easier. An SIEM with a robust, mature ecosystem enables you to enhance such features as event collection, analysis, alerting, and automation.

In addition to the system enhancements to be had through an SIEM ecosystem, there are other business benefits to be considered as well. For example, a mature SIEM will often create demand for training, drive community-based support, and even help streamline the hiring process.

Interaction via API

An ecosystem offering extensibility is great, but it will not meet all the diverse needs of every business. If your business involves software development, and particularly if your company has invested time and effort in devops, the ability to interact with your SIEM programmatically can make a huge difference. Rather than spending development time on logging capability for the sake of security or debugging, an SIEM can ingest, correlate, and analyze event data from your custom code.

How much to pay for SIEM

Cost is a factor in your SIEM decision, of course, but calculating it involves nuance. SIEM platforms offered as a cloud service are almost always offered by subscription. But your bill may include usage charges, such as event data volume or the number of endpoints being monitored. The bottom line: Once you’ve narrowed down your SIEM candidates to those that have the features you need, compare in detail the subscription and usage charges you’re likely to incur. If you have a preference for a more expensive offering, consider how you might be able gain efficiencies or scale back a little.

9 top SIEM vendors

While there are dozens of SIEM vendors, the same set surfaces again and again. The following nine vendors have been selected from the most current Forrester Wave and Gartner Magic Quadrant analyst reports and arranged alphabetically. Inclusion in this list is not a recommendation and exclusion is not a condemnation:

Exabeam: Fusion SIEM from Exabeam is a cloud-only solution that combines SIEM analytics with XDR (extended detection and response), which attempts to streamline and unify a range of security capabilities. One key to the software is that it’s as much about the processes involved with triaging, diagnosing, and remediating as it is about any of the technology tools. This focus on processes and the people managing your security posture makes the technology that much more valuable.

IBM: Identified as a leader by both Forrester and Gartner, IBM offers its Security QRadar SIEM both on prem and in the cloud under the banner of “intelligent security analytics.” The SIEM solution works alongside IBM’s Security QRadar Advisor with Watson to automate investigations of anomalies and other security tasks.

LogRhythm: No SIEM solution enjoys name recognition comparable to that of Splunk, but LogRhythm comes close. LogRhythm boasts an expansive feature set that includes integration with hundreds of other IT systems, a library of modules to evaluate compliance with various industry standards, and an array of offerings that run the gamut from basic SIEM to advanced SOAR-based automation and response.

Microsoft: A new entry, Azure Sentinel is available only on Microsoft’s cloud, but also offers visibility across on-prem systems. A key differentiation is easy integration with Microsoft 365 and Windows Defender, but it can ingest logs from a variety of sources. Azure Sentinel bills itself as both an SIEM and a SOAR platform that adds AI, automation, and collaborative tools.

Rapid7: Identifying attacks and compromised resources—and then streamlining the response—is where Rapid7 excels. You can select from a curated set of threat patterns, pick some from the community, or create your own. Rapid7 also lets you deploy honeypots, or even fake honey credentials or files, which provide an additional early warning system. Once a threat has been identified, Rapid7 helps build a timeline of related events affecting users or assets, allowing you to expand the scope of your investigation or to evaluate the risk incurred by compromised identities.

RSA: Another vendor that needs no introduction, RSA plays a role in securing most large enterprises, big government agencies included. RSA’s SIEM platform is built with this sort of scale in mind—in terms of event volume, geographic spread, and complexity of architecture, as well as in resource-shift (new or changing applications, services, or resources). RSA also encourages you to incorporate business context, identifying critical or valuable resources to be prioritized when threats emerge.

Securonix: Securonix enhances your log and event data with data enrichment. You can add relationships between different types of events in order to correlate and contextualize your alerting and analysis capabilities. As an added bonus, Securonix runs on Hadoop with an open architecture, enabling you to use a wide variety of third-party analytics tools.

Splunk: Another Forrester and Gartner favorite, Splunk was one of the first software vendors to discover gold in log file analysis. Splunk Enterprise Security draws on the company’s mature data analytics and visualization capabilities to deliver an SIEM solution integrated with threat intelligence and available in the cloud or on prem. IDC maintains that Splunk has the largest SIEM market share.

FireEye: The street cred of FireEye is legendary, recently boosted once again in the company’s response to both the Colonial Pipeline and SolarWinds attacks. Along with white glove professional services, FireEye offers a variety of security tools, including SIEM capabilities in its Helix Security Platform. Helix offers much of the same functionality as the competition, but the real selling point is that FireEye’s consulting branch can be tapped if you need additional expertise.

More on SIEM:

• What is SIEM software? How it works and how to choose the right tool
• How to close SIEM visibility gaps created by legacy apps
• 8 ways to get more life out of an old SIEM