This GigaOm Research Reprint Expires: Sep 29, 2023

GigaOm Radar for Security Information and Event Management v2.0

1. Summary

The security information and event management (SIEM) solution space is mature and competitive. Most vendors have had well over a decade to refine their products, and the differentiation among basic SIEM functions is fairly minor.

In response, SIEM vendors are developing advanced platforms that provide greater context and deploy machine learning (ML) and automation capabilities to augment security analysts’ efforts. These solutions deliver value by giving security analysts deeper and broader visibility into complex infrastructures, increasing efficiency, and decreasing the time to detection and response.

Vendors offer SIEM solutions in various forms, such as physical appliances, virtual appliances that can be installed in the customers’ on-premises or cloud environments, cloud-hosted solutions on either dedicated or shared infrastructure, and software as a service (SaaS) models. Many vendors have developed multitenant SIEM solutions for large enterprises or managed security service providers (MSSPs). Customers often find SIEM solutions challenging to deploy, maintain, or even operate, leading to a growing demand for managed SIEM services, whether provided by the SIEM vendor or third-party partners.

SIEM solutions continue to vie for space with other security solutions, such as user and entity behavior analytics (UEBA), endpoint detection and response (EDR), security orchestration, automation, and response (SOAR), and security analytics solutions. All SIEM vendors support integrations with other security solutions. Many vendors also offer tightly integrated solution stacks, allowing customers to choose the solutions they need most, whether just a SIEM, a SIEM and a SOAR, or some other combination. Other vendors are incorporating limited EDR- or SOAR-like capabilities into their SIEM solutions for customers who want the extra features but are not ready to invest in multiple solutions.

This GigaOm Radar report details the key SIEM solutions in the market, identifies key criteria and evaluation metrics for selecting a SIEM, and identifies vendors and products that excel. It will give you an overview of the key SIEM offerings and help decision-makers evaluate existing solutions and decide where to invest.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.

2. Market Categories and Deployment Types

To better understand the market and vendor positioning (Table 1), we assess how well SIEM solutions are positioned to serve specific market segments.

  • Small-to-medium enterprise: Solutions in this category meet the needs of organizations ranging from small businesses to medium-sized companies. For this segment, advanced features may be less important than compliance and audit reporting and ease of use and deployment. Newer small enterprises may also rely heavily on cloud-based infrastructure, services, and apps, and favor cloud-based SIEM solutions.
  • Large enterprise: Large enterprises will require high-performance SIEM solutions with the throughput and storage capacity to ingest huge volumes of data. Flexibility in deployment, scalability, and integration with existing infrastructure will be key differentiators.
  • Regulated industries: These typically include verticals such as finance, healthcare, and government, for which vendors need to adhere to strict rules and regulations as well as support on-premises deployments.
  • Managed security service provider (MSSP): Managed security service providers will require multitenant architectures, flexibility, and scalability. They may also favor solutions with predictable pricing models.
  • Network service provider (NSP): Network providers have a large infrastructure footprint to monitor for both consumer and enterprise customers, spanning wide geographical areas.
  • Cloud service provider (CSP): Providers of cloud services must be able to monitor the large number of tenants that use the provider’s underlying infrastructure, ensuring visibility across shared devices to prevent lateral movement and lower the risk inherited from each tenant.

In addition, we recognize five deployment models for solutions in this report: physical appliance, virtual appliance, cloud-hosted on either shared or dedicated infrastructure, and SaaS.

  • Physical appliance: These are hardware solutions installed on the customer’s premises. Customers are responsible for operations and maintenance, though some will purchase support services through the vendor or a third-party service provider.
  • Virtual appliance: This is a software version of the solution that can be installed on a customer’s on-premises equipment or in private clouds.
  • Cloud-hosted on shared infrastructure: In this model, the vendor hosts the solution in a cloud environment on the customer’s behalf, taking care of the solution’s management. The vendor can deploy solutions for multiple customers without ensuring that the underlying infrastructure is physically segmented for each customer.
  • Cloud-hosted on dedicated infrastructure: As above, the vendor hosts the solution on the customer’s behalf, but the underlying infrastructure for running the solution is dedicated to the customer to prevent issues of noisy neighbors or vulnerabilities from other tenants.
  • SaaS: Compared to cloud-hosted models, software-as-a-service has a different licensing and consumption model, in which customers often subscribe and “pay-as-you-go” without purchasing the solution outright and paying separately for management.

Table 1. Vendor Positioning

Market Segment columns: Small-to-Medium Enterprise, Large Enterprise, Regulated Industries, MSSP, NSP, CSP
Deployment Model columns: Physical Appliance, Virtual Appliance, Cloud Hosted: Shared Infrastructure, Cloud Hosted: Dedicated Infrastructure, SaaS
Vendors (rows): Datadog, Elastic, Exabeam, Fortinet, Graylog, Huntsman, IBM, LogPoint, LogRhythm, ManageEngine, Micro Focus, Microsoft, Netwitness, Rapid7, Securonix, SolarWinds, Splunk, Sumo Logic
(The per-vendor rating cells of this table are not present in this copy.)

Legend: 3 = Exceptional: Outstanding focus and execution; 2 = Capable: Good but with room for improvement; 1 = Limited: Lacking in execution and use cases; 0 = Not applicable or absent

3. Key Criteria Comparison

Building on the findings from the GigaOm report, “Key Criteria for Evaluating SIEM Solutions,” Table 2 summarizes how each vendor included in this research performs in the areas that we consider differentiating and critical in this sector. Table 3 follows this summary with insight into each product’s evaluation metrics—the top-line characteristics that define the impact each will have on the organization.

The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.

Table 2. Key Criteria Comparison

Key criteria (columns): A = Alarm Fidelity; B = Data Enrichment; C = Collaboration & Case Management; D = Automation; E = Threat Hunting & Retrospective Analysis; F = Convergence; G = Monitoring Ephemeral Resources; H = Advanced Analytics & Machine Learning

Vendor         A  B  C  D  E  F  G  H
Datadog        2  3  1  1  1  1  3  1
Elastic        2  2  3  3  3  2  2  3
Exabeam        2  3  2  2  3  3  1  2
Fortinet       2  3  3  3  2  2  1  2
Graylog        2  2  2  2  2  1  0  3
Huntsman       3  2  2  2  3  2  0  2
IBM            3  3  2  3  3  2  2  3
LogPoint       2  2  3  3  3  3  2  2
LogRhythm      3  3  2  2  2  3  2  3
ManageEngine   3  2  1  2  2  3  0  2
Micro Focus    3  3  2  3  3  2  2  3
Microsoft      3  2  1  2  3  2  1  3
Netwitness     2  3  2  3  2  2  1  2
Rapid7         3  3  1  2  2  3  1  2
Securonix      3  3  2  3  3  3  2  3
SolarWinds     1  1  1  2  2  1  1  0
Splunk         3  2  1  1  3  2  1  3
Sumo Logic     3  3  2  3  2  2  3  3

Legend: 3 = Exceptional: Outstanding focus and execution; 2 = Capable: Good but with room for improvement; 1 = Limited: Lacking in execution and use cases; 0 = Not applicable or absent

Table 3. Evaluation Metrics Comparison

Evaluation metrics (columns): A = Partner Ecosystem; B = Ease of Use; C = Scalability; D = TCO; E = Multitenancy; F = Attack Surface

Vendor         A  B  C  D  E  F
Datadog        2  3  2  2  0  2
Elastic        2  2  3  2  2  2
Exabeam        2  3  2  2  2  3
Fortinet       2  2  3  2  3  2
Graylog        2  3  2  2  2  1
Huntsman       2  2  2  2  3  2
IBM            2  2  3  1  2  2
LogPoint       2  2  2  2  3  3
LogRhythm      2  1  3  2  2  2
ManageEngine   2  2  3  3  3  2
Micro Focus    2  2  3  2  3  2
Microsoft      2  2  3  2  2  2
Netwitness     2  2  2  2  2  2
Rapid7         2  2  3  2  2  3
Securonix      2  2  3  2  3  3
SolarWinds     2  2  3  1  2  1
Splunk         3  2  3  2  2  2
Sumo Logic     3  2  2  2  2  3

Legend: 3 = Exceptional: Outstanding focus and execution; 2 = Capable: Good but with room for improvement; 1 = Limited: Lacking in execution and use cases; 0 = Not applicable or absent

By combining the information provided in the tables above, the reader can develop a clear understanding of the technical solutions available in the market.

4. GigaOm Radar

This report synthesizes the analysis of key criteria and their impact on evaluation metrics to inform the GigaOm Radar graphic in Figure 1. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and feature sets.

The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation, and Feature Play versus Platform Play—while providing an arrow that projects each solution’s evolution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for SIEM

As you can see in the Radar chart in Figure 1, all vendors featured in the report have well-established solutions, with no new entrants in the space. In the Innovation and Feature-Play quadrant, Fortinet and ManageEngine approach the SIEM space from a different perspective. Fortinet’s solution is designed to bring together the network operations center (NOC) and security operations center (SOC) in a unified tool, while ManageEngine offers a highly modular solution.

In the Maturity and Feature-Play quadrant, we find Datadog, Elastic, Huntsman, and LogPoint. Each has distinguishing features, such as Datadog’s infrastructure monitoring background and capabilities, Elastic’s open-source platform (whose search-engine tool is used by other SIEM vendors), LogPoint’s focus on high security and compliance with some of the tightest regulations, and Huntsman’s MSSP and public-sector focus.

In the Maturity and Platform-Play quadrant, we find the highest concentration of vendors: Exabeam, Graylog, LogRhythm, Micro Focus, Microsoft, IBM, NetWitness, SolarWinds, Sumo Logic, and Splunk. Even though their overall levels of capability differ, the only key criterion on which Leaders commonly score higher than Challengers is monitoring ephemeral resources. Beyond that, Challengers can generally improve their capabilities in convergence and in collaboration and case management.

Lastly, in the Innovation and Platform-Play quadrant, we find Securonix and Rapid7, both of which have comprehensive and innovative portfolios of security services, including proprietary threat-intelligence labs.

Inside the GigaOm Radar

The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.

The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.

The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.

Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.

5. Vendor Insights

Datadog

As part of a wider portfolio of infrastructure observability, Datadog’s Cloud SIEM provides extended coverage of security services. Cloud SIEM is fully integrated with all of Datadog’s application and infrastructure monitoring products, allowing users to pivot seamlessly from a potential threat to relevant monitored data so as to quickly triage security alerts.

Leveraging an extended set of data streams from the rest of the IT infrastructure, Datadog uses application, infrastructure, and cloud provider logs to provide deeper insights into application and security activity. The solution supports niche use cases such as generating a security signal to automatically alert you when a support administrator creates a new API or application key for a service.

For data enrichment, Datadog Cloud SIEM offers threat-intelligence feeds curated by specialized threat-intelligence partners such as IPinfo and GreyNoise. This feature enriches all ingested logs with curated threat intelligence in real time, detecting activity from known threat actors and automatically surfacing relevant context within security alerts. Datadog will also include information such as the activity category (for example, scanner, attack, or abuse) and the actor’s intention (such as malicious or benign, if known) as new attributes, giving you rich context when investigating security alerts. Threat intelligence also provides relevant context that reduces false positives and accelerates triage of security signals by automatically summarizing context from all triggering events.

While Datadog does not offer a native collaboration environment, Cloud SIEM integrates with Slack and PagerDuty, allowing you to automatically loop in relevant teams when a high-severity rule detects a threat and send security signals to collaboration tools like JIRA or ServiceNow.

For automation, Datadog uses webhooks as script-based connectors that link Datadog to your other tools. By setting up webhooks that respond to your Datadog security notifications, you can create simple, automated remediation workflows that neutralize threats in real time. Webhooks deliver their payloads to the services you want to automate whenever a detection rule is triggered.

Strengths: Cloud SIEM’s integration with the rest of Datadog’s portfolio of services gives it extended visibility across IT environments. The solution’s data enrichment and threat-intelligence feeds are also well-developed.

Challenges: Compared to other vendors featured in the report, the solution ranks lower on metrics such as convergence, ML-based analytics, and workflow automation.

Elastic

Elastic Security stands out from other SIEM solutions because it’s built on the open-source Elasticsearch, Logstash, and Kibana (ELK) stack, which the company today continues to extend as the “free and open” Elastic Stack. It’s worth noting that other SIEM vendors are using Elasticsearch as the underlying engine to query and extract information from their databases.

Elastic Security offers a superior user experience and an intuitive, dynamic, and highly responsive interface. Its seamless design, rapid search, and level of detail combine to rank it high on the key criterion for threat hunting as well as in the evaluation metrics for capability and usability. Furthermore, the platform features graphical views of events and timelines, which equips security analysts with the right tools to investigate long-term threats in a context-rich environment.

In the latest release, Elastic 8.4, the solution started offering native orchestration and response capabilities powered by Elastic Agent. It offers a terminal-like interface that lets practitioners view and invoke response actions quickly.

A distinguishing feature of Elastic Security 8.4 is self-healing, an automated remediation feature that erases attack artifacts from a system. When malicious activity is identified on a host, self-healing automatically returns the host to its pre-attack state by reversing changes implemented during the attack.

The latest anomaly detection modules enable the platform to perform several actions, such as identifying OS processes that do not usually use the network but have unexpected network activity and searching for unusual listening ports, unusual web URL requests from hosts, rare processes running on multiple hosts in an entire fleet or network, activity from users who are not normally active, and many other use cases.

Elastic Security supports excellent communication between security analysts by allowing annotations and comments on most functions, accompanied by full audit trails that ensure visibility across all the actions undertaken on the platform.

Strengths: Elastic Security ranks high on most key criteria described in the report. The recent feature releases with Elastic 8.4 have solidified Elastic’s position as a leader in the SIEM space.

Challenges: Elastic Security does not support a physical appliance deployment model, making the solution unsuitable for customers that need to deploy SIEM as a physical appliance on their premises.

Exabeam

Exabeam Fusion SIEM unifies extended detection and response (XDR) with the conventional capabilities of centralized data storage and compliance reporting alongside rapid and intelligent search. Fusion SIEM is a cloud-delivered solution that uses ML and automation for threat detection, analysis, and response. Fusion SIEM also offers SOAR-like capabilities, making the vendor rank high on the convergence key criterion.

Fusion SIEM can be integrated with existing security stacks through many prebuilt integrations with technologies like endpoint protection systems, business support systems, network modules, and cloud environments. These integrations span the full threat detection and incident response lifecycle (TDIR), from data ingestion and normalization to response automation.

Fusion SIEM ranks high on ease of use because it leverages prescriptive threat-centered use-case packages that provide repeatable workflows and prepackaged content that spans the entire TDIR lifecycle. These use cases provide a standardized way to quickly achieve effective, repeatable security outcomes for specific threat types. They include all of the content necessary to operationalize that use case, including prescribed data sources, parsers, detection rules and models, investigation and response checklists, and automated playbooks.

A mature feature in the Fusion SIEM solution is machine-built timelines, which automatically gather evidence and assemble it into a cohesive step-by-step representation of an attack that can be used to perform an initial investigation.

The behavior analytics module, “Automated Incident Diagnosis,” analyzes abnormal user activity to automatically classify incidents by threat-centric use cases and diagnose threats associated with an incident. It classifies the threats by use case to guide investigations with tailored checklists that prescribe the appropriate steps for resolving specific threat types. The UEBA module, “Behavior-Based Detection,” detects threats such as credential-based attacks, insider threats, and ransomware.

Strengths: Exabeam’s Fusion SIEM is a comprehensive solution that covers a broad attack surface, ranking high on convergence, threat hunting, and data enrichment.

Challenges: Fusion SIEM is a cloud-delivered solution, so customers who require on-premises deployments via either physical or virtual appliances may not find the solution suitable. Similarly, the platform could improve capabilities for the monitoring ephemeral resources key criterion.

Fortinet

Fortinet is a key player in the security space. Its FortiSIEM product consolidates its position in the market, and it ranks high on many key criteria described in the report, including data enrichment, collaboration, and automation. FortiSIEM enables true cross-team collaboration and integration, namely between the SOC and NOC.

FortiSIEM ranks high on the data enrichment metric due to its distributed event correlation engine, which can detect complex threats in near real time. In this context, threats can be user or machine behavioral anomalies, specified in terms of event patterns sequenced over time. The FortiSIEM rule engine can include any data in a rule, such as performance and change metrics along with security logs. This feature can generate a dynamic watch list that can be used recursively in a new rule to create a nested rule hierarchy, and it can use the SIEM’s native configuration management database (CMDB) objects to define rules.

FortiSIEM also scores full marks on the automation metric because it has automated many processes that were traditionally carried out by security and network analysts. These include infrastructure discovery, incident mitigation, and detecting network configuration changes. For customers with more advanced automation requirements, Fortinet also offers a SOAR product that can integrate and enhance FortiSIEM.

FortiSIEM’s rapid-scale architecture allows organizations to scale up the platform quickly by deploying additional worker and collector nodes. This scalable system, combined with the platform’s multitenancy capability, makes Fortinet’s SIEM suitable for MSSPs. FortiSIEM has a built-in ticketing system and can also integrate with third-party ticketing systems.

FortiSIEM’s ML-based UEBA models offer a built-in rule library for use cases such as login behavior anomalies. The behavioral anomaly rules work out of the box but can also be adapted by the user for their own environment. A framework is provided so the user can write new rules via the GUI, test them with real events, and then deploy in production.

A distinguishing feature is its business service, which allows for the prioritization of incidents and performance metrics from a business service perspective. A business service in the FortiSIEM context is defined as a container of relevant devices and applications serving a common business purpose.

Strengths: FortiSIEM has a highly scalable infrastructure with support for MSSPs. The solution also ranks high on data enrichment, collaboration, and automation.

Challenges: FortiSIEM has the opportunity to improve on convergence by integrating SOAR-like capabilities natively in the SIEM as well as by further developing its UEBA functions.

Graylog

Graylog Security is a comprehensive SIEM solution built on the Graylog platform, offering anomaly detection services built upon prepackaged content. Graylog Illuminate is the solution’s prebuilt content that addresses common cybersecurity and log management tasks such as correlation and alerting, dashboards, dynamic lookup tables, scheduled reports, search templates, streams, and pipelines for routing log messages into categories.

The alerting mechanism works by performing periodic searches that can trigger notifications when a defined condition is satisfied. Alert time frames can be set to search only a specific period in the past and to perform the searches only at certain intervals. An alert can also trigger when the result of an aggregation, computed statistically over the matching events, meets the defined condition. Aggregation has been improved to group results by fields, allowing for individualized alerts per field value, and multiple groupings can be defined per alert.

Illuminate offers index-on-write and data organizing with pipelines and streams, so that data is well structured and searches can be limited to the relevant data set. The Anomaly Detection module uses the Graylog environment structured by Illuminate, which receives log data, then normalizes and enriches it. Graylog then feeds the enriched data into the Anomaly Detection tool, which breaks the data into time slices and looks for data points outside the expected range based on your historical data.

When anomalous data points are detected, these messages are logged into a special anomaly index in the Graylog instance. Users can create alerts and receive notifications regarding these anomalies based on configuration settings. Additionally, these anomalies are represented on security dashboards with various customizable widgets, offering users interactive and actionable analytics.

The anomaly detection module can self-learn with a minimum amount of historical data, improve over time without manual tuning, and adapt to new data sets. To define baselines, the module combines user, entity, and network profiling. Graylog’s anomaly detection feature aggregates, normalizes, and correlates events such as unauthorized web activity, new host authentication, authentication using a new application, account creation, account deletion, short-lived account creation, and local and global privilege escalation.

Strengths: Graylog’s Illuminate feature and prepackaged content contribute to a high score for ease of use. The anomaly detection tool is also well-developed and can improve autonomously without analyst intervention.

Challenges: The solution can further improve its automation capabilities to support playbook builders. Compared to other vendors in the report, Graylog also ranks lower on convergence as a result of not offering SOAR or detection and response capabilities.

Huntsman

Huntsman Security is an Australian company with a strong presence in the UK market and clients in the private and public sectors, including defense, intelligence, and law enforcement agencies. Its SIEM offering includes SIEM Enterprise and SIEM MSSP, each with a strong focus on simplifying and optimizing security operations through automation and workflow support. Huntsman also provides an integrated SOAR solution, and an optional scorecard module that gives details about a system’s patch status and software versions, in addition to misconfigurations and other vulnerabilities.

Huntsman’s SIEM solution is a single product, delivered as software and deployable on-premises or in public and private cloud environments, but the vendor does not currently offer a SaaS option. Its SIEM MSSP product supports multitenancy to manage business units as separate silos or as federated units managed by a single team able to share threat intelligence across multiple end customers.

Huntsman provides strong security controls for its SIEM solution through fine-grained role-based access control (RBAC) and a full access record and audit trail of SIEM/SOC operations. It supports multiple classification networks for government clients and compliance monitoring and reporting for GDPR, ISO 27001, and a number of other standards. The solution’s MITRE ATT&CK heat map graphically represents the progress of an attack across an enterprise.

Huntsman’s patented Behaviour Anomaly Detection (BAD2) engine is integrated into its SIEM to provide real-time ML capabilities to detect unknown threats. BAD2 supports use cases such as higher or unusual volumes of network session or user traffic on a per-user or per-host basis, volumes of events such as file accesses or other activity on hosts and workstations, changes in the usage profile of application servers, or query operations on databases and changes in the frequency or prevalence of operations. The detection engine adapts to changes and trends over time, either adjusting and relearning “normal” values or using fixed, preset baselines, depending on the nature of the environment and risk.

Strengths: The vendor ranks high on alarm fidelity, threat hunting, and multitenancy metrics. Huntsman SIEM is a strong choice for customers working in regulated industries and for MSSPs.

Challenges: Huntsman has been focused primarily on Australian and UK compliance requirements and public sector customers. As it moves into other markets, it may need to develop reporting capabilities for a wider range of compliance regimes.

IBM

IBM has a strong security portfolio, including the IBM QRadar Security Intelligence platform, which features SIEM at the platform’s core. QRadar SIEM is a well-established and mature platform with deep features, which contributes to high scores on various key criteria, including alarm fidelity, data enrichment, threat hunting, and advanced analytics. The comprehensive platform has a long learning curve and requires fine-tuning but becomes highly efficient once it has been calibrated to the customer’s requirements.

For a faster time to value, QRadar includes prebuilt security use cases, anomaly detection algorithms, rules, and real-time correlation policies to detect known and unknown threats. QRadar Network Insights is another optional module to be integrated with the SIEM deployment for gaining insight into which systems communicated with each other, which applications were involved, and what information was exchanged in the packets. QRadar Advisor with IBM Watson uses AI and automation to provide prioritized alert research and correlated data by automatically linking investigations through connected incidents, which reduces duplication of effort and extends the investigation beyond the current probable incident and alert.

QRadar SIEM is suitable for large organizations, MSSPs, and cloud and network operators. Due to its high cost and high complexity, the platform is not a prime choice for small and medium enterprises that need to satisfy only basic use cases. QRadar can be deployed as either a physical or virtual appliance or hosted in the cloud, referred to as QRadar on Cloud or QRoC.

QRadar can graph relationships between indicators of compromise (IOC), assets, users, or other investigations and map the investigation to the MITRE ATT&CK framework, so security teams can visualize attacker tactics and techniques, drill into events and flows by ATT&CK stage, and make more confident decisions.

QRadar SIEM does not support workflow automation natively, so customers who have automation requirements would need to buy IBM’s SOAR solution as a separate product. Similarly, while the QRadar Security Intelligence platform comprises multiple security modules—including UEBA, Advisor with Watson, and vulnerability management—these features are not directly integrated into the SIEM platform. This approach is different from other leading competitors, which focus on convergence and often include these features within the SIEM platform at no additional cost.

Strengths: QRadar has all-round powerful capabilities and is a good choice for large organizations, MSSPs, and cloud and network operators. Its multiple deployment models and suite of additional security features allow QRadar to meet a wide range of requirements.

Challenges: The main challenge with IBM’s QRadar is its cost, which makes the product unviable for small-to-medium sized organizations. Furthermore, the solution ranks low on convergence, which goes hand-in-hand with the high total cost of ownership (TCO), as other security intelligence solutions must be bought separately.

Logpoint

Logpoint, headquartered in Copenhagen, Denmark, offers a solid SIEM with exceptional security and privacy controls. Its distinguishing feature is its level of compliance: the product was awarded Common Criteria EAL3+ certification in 2015 and again in 2020, the highest software security certification held by any SIEM vendor. To achieve and maintain EAL3+ certification, the on-premises solution ships as standard on a hardened OS maintained by Logpoint. This makes Logpoint SIEM highly suitable for deployment in highly regulated industries, including national governments and international agencies. Buyers should note that a Common Criteria certificate applies to the specific evaluated version and configuration, so the release they deploy should be checked against the certified one.

Logpoint's latest developments include converging SOAR and UEBA capabilities into a single end-to-end security operations platform. Supported by case management and threat intelligence features, Logpoint delivers a converged experience in both on-premises and cloud-hosted deployments.

Logpoint has taken a modular approach to security monitoring and analytics. The Logpoint SIEM, which can be deployed as a single physical appliance or as software spread across multiple physical or virtual servers, provides basic log management, incident detection, and investigation capabilities. Logpoint’s Director for SIEM module provides multitenancy capabilities for MSSPs or large enterprise deployments.

Logpoint also ranks high on threat hunting, offering security analysts a wide range of features for searching vast amounts of information and creating macros. It also leverages ML-enabled UEBA capabilities and integrates the MITRE ATT&CK framework as visualizations and predefined alerts mapped to the techniques.

Logpoint offers predictable pricing based on the number of devices sending logs to the SIEM rather than on data volume or events per second (EPS). It also uses a tiered storage model that provides more economical storage for compliance data while keeping the data needed for analytics readily accessible.

Besides compliance across many industries and regulations, another distinguishing feature is business integrity monitoring, which watches for fraud, financial, and value-chain anomalies. It helps analysts reduce financial and reputational losses by detecting flaws in, and deviations from, business processes that are vulnerable to fraud.

Strengths: Logpoint is a good choice for companies looking for a solid SIEM solution with excellent support for privacy compliance at a predictable price. With an emphasis on basic SIEM capabilities, the solution is easier to deploy and operate than many competitors with broader feature sets.

Challenges: Logpoint currently lacks a marketplace integrated within the product interface that would allow customers to integrate or purchase other security services using prebuilt connectors. Logpoint is currently working on developing this feature.

LogRhythm

The LogRhythm SIEM delivers comprehensive security analytics, UEBA, network traffic analysis, and SOAR within a single, integrated platform for threat detection, response, and neutralization. The LogRhythm SIEM can be deployed on-premises, as a virtual appliance, or as a SaaS solution.

The platform ranks high on advanced analytics, offering comprehensive ML models in UEBA and network detection and response (NDR) and a wide variety of out-of-the-box deterministic rules in the AI Engine. It alerts on event progression rules and provides the base architecture for IOC-based AI Engine rules to be deployed automatically in the organization's environment. Pretuned AI Engine rules can be integrated for any environment, with dynamic ranking of emerging threat severity.

For alert tuning, LogRhythm's False Positive Probability feature feeds into the risk-based priority calculation for AI Engine rules. It estimates how likely a rule is to fire on benign activity: a low value indicates that the pattern the rule matches is almost always a true positive, while a high value indicates that it is very likely to be a false positive.

LogRhythm's Financial Fraud Detection Module is intended to help financial institutions that collect transactional data with LogRhythm identify and prevent fraudulent activity on their customers' accounts. The Network Detection and Response Module (NDRM) detects unusual or malicious user activity within customer networks, using deep forensic visibility into network traffic to detect a wide variety of advanced threats.

The solution can also monitor ephemeral resources, protect containers against crypto-mining malware, alert on malicious keywords to locate unapproved containers, and identify where an attack originated.

Strengths: LogRhythm ranks high on many key criteria described in the report, including alarm fidelity, data enrichment, convergence, and advanced analytics.

Challenges: The setup and onboarding of LogRhythm SIEM require deep technical knowledge, and customers often need additional support via professional services. This makes the solution rank lower on the ease-of-use metric.

ManageEngine

ManageEngine’s suite of products is the Swiss Army knife of SIEM. Its main SIEM platform, Log360, takes a modular approach to information and event management, integrating several products into a single console. Users can mix and match multiple products to create a bespoke solution, or choose the whole suite for a comprehensive SIEM.

Log360's UEBA add-on is powered by ML and can detect anomalies by recognizing subtle shifts in user or entity activity. It helps identify, qualify, and investigate threats that might otherwise go unnoticed by extracting more context from logs. Administrators can identify count, time, and pattern anomalies across the network based on users and their peer groups. Out-of-the-box analytics are provided for use cases such as insider threats, account compromise, and data exfiltration.

While Log360 suits a range of small and large organizations, its capabilities are limited from the perspective of a network operator or cloud service provider (CSP). Its cloud visibility is also currently limited to log collection from cloud environments.

Log360 has good automation capabilities and supports the creation of workflows that automate common procedures carried out by security analysts. The solution also features an analytics system, which classifies events in trend reports and system events that help security practitioners with analysis and response. It features out-of-the-box correlation rules, including for common ransomware attacks. The custom correlation rule builder allows analysts to correlate seemingly unrelated events across the network to detect attacks.

EventLog Analyzer supports a variety of use cases, including event-log correlation, compliance management, and auditing of network devices, servers, and applications. Risk scores are calculated for each user and entity based on deviations from their baseline behavior.

Strengths: ManageEngine’s modular approach to SIEM allows customers to build a solution that fits their needs. The platform supports a robust range of features and capabilities and has ongoing ML-related developments at a competitive price.

Challenges: ManageEngine can further improve its collaboration and case management features. The solution is not currently able to monitor ephemeral resources.

Micro Focus

ArcSight is a well-known name within the security space, having been developed over more than 20 years. After ArcSight became part of the Micro Focus portfolio, the SIEM platform became a central piece of Micro Focus’ security strategy. This gives ArcSight a high rating in the convergence metric, as it offers a complete end-to-end security operations (SecOps) solution that consists of SIEM, UEBA, SOAR, and big-data threat hunting. These features reside on a unified platform that includes common storage, a shared data platform, and a unified interface.

Similarly, ArcSight also ranks high on the automation criterion because it offers a fully integrated SOAR solution within the SIEM platform at no additional cost. In creating a fully integrated solution that can scale, Micro Focus faces several challenges that buyers should investigate. While having many advanced capabilities on a single platform may enhance the user experience in some areas, it also introduces the potential for a more complex user experience and a longer learning curve. This level of product depth may also require the vendor to align a significant portion of its resources to ensure that any change-management issues can be addressed quickly.

ArcSight’s approach to layered analytics is a distinguishing aspect that simplifies threat detection. It can provide SOCs with an end-to-end, enterprise-security operations platform powered by an advanced correlation engine that can detect known threats in real time. Furthermore, ArcSight leverages unsupervised ML to detect unknown threats using behavioral analysis and big-data threat hunting.

ArcSight supports all the deployment models described in Table 1. The SaaS deployment is hosted by the CyberRes SaaS Operations team, with the underlying hosting components provided by Amazon Web Services (AWS).

Strengths: Micro Focus has a well-defined strategy that combines multiple security products, including ArcSight SIEM, into a unified platform. The vendor ranks high on enrichment, automation, and convergence, and we expect the integrated platform to mature soon.

Challenges: Currently, the Micro Focus SIEM solution is not oriented toward network service providers (NSPs), whose requirements include geographically distributed infrastructure serving both enterprise customers and consumers.

Microsoft

Microsoft Sentinel is a cloud-native SIEM solution that uses built-in AI to help analyze large volumes of data. Microsoft Sentinel aggregates data from all sources, including users, applications, servers, and devices running on-premises or in any cloud. Microsoft Sentinel is built on the Azure platform. It provides a fully integrated experience in the Azure portal that seamlessly integrates with existing services such as Microsoft Defender for Cloud and Azure Machine Learning.

The solution provides contextual and behavioral information for threat hunting, investigation, and response using built-in entity-behavioral analytics features.

Sentinel's query language, Kusto Query Language (KQL), is mature enough to support hunting before, during, and after a compromise. Before an incident, analysts can proactively run threat-hunting queries against the data they ingest to get early indications that a compromise is under way. During a compromise, analysts can use Livestream to run a specific query continuously and see results as they arrive. After a compromise, analysts can use the same queries to improve coverage and insight and prevent similar incidents in the future.

To reduce noise and the number of alerts analysts must handle, Microsoft Sentinel correlates alerts into incidents: groups of related alerts that together indicate an actionable possible threat to investigate and resolve. Sentinel also provides ML-based rules that baseline network behavior and look for anomalies.

The platform has good automation capabilities enabled by a playbook engine that integrates with Azure services and your existing tools. To build playbooks with Azure Logic Apps, users can choose from a set of prebuilt playbooks such as ticketing integrations with ServiceNow.

Microsoft Sentinel supports Jupyter notebooks in Azure Machine Learning workspaces, including full libraries for ML, visualization, and data analysis. They can be used to extend the scope of what you can do with Microsoft Sentinel data, such as performing analytics that aren’t built in Microsoft Sentinel, creating bespoke data visualizations, and integrating data sources outside of Microsoft Sentinel.

Microsoft's ML capabilities can deliver good alarm fidelity by identifying suspicious behavior and presenting a condensed list of the most probable attacks or vulnerabilities to a human analyst. Feedback and actions from the security analysts are then fed back into the model and rule system to improve threat identification.

Strengths: Microsoft Sentinel has well-developed capabilities for threat hunting and alerting. The solution’s advanced analytics features are notable. Sentinel supports data scientists with Jupyter notebook integrations.

Challenges: As a cloud-native, Azure-based solution with no option of deploying the solution on-premises, Sentinel may not be suitable for organizations that require a non-Azure deployment model.

NetWitness

Having developed its SIEM platform over the past 15 years, NetWitness fully embraces the concept of an evolved SIEM, and the platform ranks high on the convergence and automation key criteria. NetWitness goes beyond the traditional capabilities of a SIEM by adding XDR, UBA, and automation and orchestration.

A distinguishing feature of NetWitness is its integration of a fully featured network capture and analytics solution (NTA/NDR). This combination of packet and metadata capture, static file analysis, threat intelligence, and orchestration workflows enables analysts to perform thorough investigations and identify threats that are not detectable with logs alone.

These capabilities are backed by NetWitness Detect AI, a cloud-based behavior-analytics service hosted on AWS that applies unsupervised ML to data captured by the NetWitness Platform to rapidly detect unknown threats.

For data enrichment, NetWitness can add business context to threat analysis, so organizations can prioritize threats based on potential impact to their businesses. In addition, intelligence gathered from industry research and crowdsourced from their customer base and the organization’s own data is fully aggregated and operationalized at ingestion.

NetWitness supports various deployment models, including on-premises, private and public cloud, and hybrid deployments where required. However, NetWitness doesn't currently offer a complete SaaS model, although several components are SaaS-based, including a cloud-based SIEM for logs. While NetWitness is suitable for MSSPs, small businesses, and large organizations, its capabilities for network operators and CSPs require improvement.

NetWitness ranks high on automation due to its integrated orchestrator, which uses a playbook mechanism for automated response actions, automatic detection, and ML-powered insights.

Strengths: With the concept of “evolved SIEM” at the core of NetWitness’ strategy, NetWitness is a powerful solution that ranks high on automation, convergence, and data enrichment. The platform distinguishes itself with a network capture feature that can offer low-level information that may not be available on other platforms.

Challenges: NetWitness currently does not offer a complete SaaS deployment model, although its Detect AI and Orchestrator products are available as SaaS. A common challenge NetWitness users may experience is the learning curve and the overall experience of managing a large number of features within a single platform.

Rapid7

Rapid7's InsightIDR is a cloud-native integrated SIEM and XDR solution. InsightIDR has many modules available natively, which ranks it high on the convergence key criterion and the attack surface evaluation metric. InsightIDR supports a robust library of third-party integrations to supplement its out-of-the-box endpoint, network, and user coverage.

InsightIDR's native network traffic analysis feature provides network visibility and detection coverage alongside data from the rest of the environment. The Enhanced Network Traffic Analysis feature uses proprietary packet capture to access additional network metadata and understand the full scope of activity.

For data enrichment, InsightIDR leverages external threat intelligence from Rapid7’s open-source community, advanced attack surface mapping, and proprietary ML. Detections are constantly curated by Rapid7’s Threat Intelligence and Detections Engineering team. The solution auto-enriches every log line with user and asset details and correlates events across different data sources displaying visual investigation timelines.

The solution also includes a UEBA module, which continuously baselines normal user activity to identify anomalies. Correlated user data also offers rich context for other attacker alerts to help speed investigations and response. Besides UEBA, InsightIDR has an Attacker Behavior Analytics (ABA) module, which identifies how attackers gain persistence on an asset and send commands to and receive results from victim machines. Each ABA detection rule hunts for a unique attacker behavior.

The UEBA and ABA detection rules are flexible, and analysts can modify out-of-the-box rules, create custom alerts, and subscribe or contribute to community threats.

For automation, InsightIDR includes prebuilt workflows for containing threats on an endpoint, suspending user accounts, and integrating with ticketing systems. InsightIDR also integrates with InsightConnect (Rapid7's SOAR solution) for more advanced workflow-building capabilities.

Strengths: Rapid7's InsightIDR ranks high on a wide variety of key criteria, including alarm fidelity, data enrichment, automation, and convergence. The solution also scores high on the attack surface and scalability evaluation metrics.

Challenges: InsightIDR supports monitoring of ephemeral resources and automation natively at a basic level, but more advanced functions require InsightCloudSec and InsightConnect respectively. While InsightIDR can integrate with third-party case management systems, its native case management and collaboration capabilities could be developed further.

Securonix

Securonix ranks high on a variety of criteria and metrics, which is a testament to the company’s strategy for creating a next-generation SIEM that is well-integrated, comprehensive, and aspires to provide a true end-to-end security analytics and operations platform. Securonix differs from other vendors of similar capabilities in its approach to the cloud. It is one of few vendors that provides a native and robust SaaS deployment model and has even implemented a bring-your-own-cloud model.

Another differentiator is the vendor’s Threat Research Lab, which continuously monitors emerging threats and develops detection content that customers can apply in production. In addition, Securonix offers prepackaged content that can be deployed using its automated content dispenser. The content includes use cases such as insider threat detection, fraud analytics, threat hunting, compliance reporting, and identity and access analytics.

Securonix’s Autonomous Threat Sweeper (ATS) service automatically performs threat hunting retroactively, using historic logs to scan customer environments for threats that have only been recently discovered.

While other SIEM vendors implement ML to enhance existing features, Securonix took a different approach, putting ML at the platform's core. It leverages both supervised and unsupervised ML for capabilities such as behavior pattern and rare event detection and automated phishing and spam identification.

The vendor scores high on several key criteria, including alarm fidelity, data enrichment, automation, and threat hunting. For convergence, the Securonix platform includes security data lake (SDL), UEBA, security orchestration and automation, and XDR capabilities. Buyers interested in Securonix's SIEM need to consider user experience, learning curve, and available documentation. These will be essential to ensure that the platform's capabilities are used as intended and that its complexity does not hinder security analysts.

Strengths: Securonix ranks high on several key criteria and evaluation metrics and supports most use cases, deployment models, and verticals. It’s a well-developed platform that distinguishes itself by putting ML at the core of the solution, which may secure Securonix’s position as a leader in the SIEM space.

Challenges: To support security analysts in using Securonix’s comprehensive SIEM, it’s important to consider the learning curve and overall user experience. This process could address challenges related to the platform’s time-to-value and disruptions caused by security analyst churn.

SolarWinds

SolarWinds’ Security Event Manager (SEM) is a mature SIEM solution that offers deep visibility into IT environments. SEM collects, consolidates, normalizes, and visualizes logs and events from firewalls, IDS/IPS devices and applications, switches, routers, servers, operating systems, and other applications. Features include log management, threat detection, normalization and correlation, file integrity monitoring, and threat intelligence. The solution can be deployed as a virtual appliance.

For threat hunting, the solution’s search and event-time correlation capabilities help carry out forensic analysis and network security audits by processing and normalizing log data before it’s written to the database. SEM offers predefined rules and a custom correlation rule builder to automatically alert on possible security breaches and other critical issues. The SEM log analyzer tool can forward correlated log data to an external source for further analysis if and when required.

For automation, the solution can respond to suspicious activity with predefined actions, including blocking USB devices, killing malicious processes, logging off users, quarantining infected machines, blocking IP addresses, and adjusting Active Directory settings.

The File Integrity Monitoring (FIM) feature delivers broader compliance support and deeper security intelligence for insider threats, zero-day malware, and other advanced attacks. FIM can detect and alert on changes to key files, folders, and registry settings. The correlation engine can combine sources such as Active Directory and file audit events to establish which user accessed and changed a file and to identify other user activity before and after the change.

For alert triage, SEM supports rule definitions for use cases such as IDS/IPS alerts showing infection symptoms, antivirus detections of potential infections, system errors, and crash reports. The platform supports compliance and regulatory use cases, providing out-of-the-box reports and filters for HIPAA, PCI DSS, SOX, ISO, and other notable regulations.

Strengths: SolarWinds SEM is a mature platform that offers deep observability across the IT infrastructure. The solution covers the core functionality of SIEM very well, along with additional features around support for compliance and regulatory reporting.

Challenges: While SEM covers the core functionality of SIEM solutions very well, more advanced features of ML-based analytics or convergence with other security systems are lacking.

Splunk

Splunk Enterprise Security (ES) is a mature and powerful platform that equips security analysts with all the information they need to conduct investigations and respond to threats. It ranks high on the alarm fidelity, threat hunting, and advanced analytics criteria.

A newer feature in the Splunk ES portfolio is risk-based alerting (RBA), which lets analysts attach risk attributions to entities (such as users or hosts) when something suspicious happens. Instead of triggering an alert for each attribution, the attributions are written to a risk index, and a notable event is raised only when an entity's accumulated risk score meets a predetermined threshold. The behavioral analytics service uses anomalies together with notable events and RBA events from Splunk ES and Splunk Cloud Platform to generate risk scores for any entity.
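The mechanism above, as an added illustration that is not Splunk code: each matching event contributes a risk attribution to a per-entity risk index, and one notable event is raised per entity whose windowed score reaches the threshold. The rule names, scores, the 24-hour window, the threshold of 60, and the sample event lines are all constructed for this example.

```python
"""Risk-based alerting sketch: accumulate per-entity risk, alert once on threshold.

Added illustration, not Splunk code.  Rule names, risk scores, the window,
the threshold and the sample event lines are constructed.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed risk rules: rule name -> risk added per match.
RISK_RULES = {
    "failed_logon_burst": 20,
    "new_admin_group_member": 40,
    "powershell_encoded_cmd": 30,
    "outbound_rare_port": 15,
}


@dataclass
class RiskAttribution:
    ts: datetime
    entity: str   # user or host the risk attaches to
    rule: str
    score: int


@dataclass
class RiskIndex:
    window: timedelta = timedelta(hours=24)
    threshold: int = 60
    _store: dict = field(default_factory=lambda: defaultdict(list))

    def add(self, attr: RiskAttribution) -> None:
        """Record a risk attribution; nothing is alerted at this point."""
        self._store[attr.entity].append(attr)

    def score(self, entity: str, now: datetime) -> int:
        """Sum the entity's risk inside the look-back window."""
        cutoff = now - self.window
        return sum(a.score for a in self._store[entity] if a.ts >= cutoff)

    def notables(self, now: datetime) -> list[dict]:
        """One notable event per entity whose windowed risk meets the threshold."""
        cutoff = now - self.window
        out = []
        for entity in self._store:
            total = self.score(entity, now)
            if total >= self.threshold:
                rules = sorted({a.rule for a in self._store[entity] if a.ts >= cutoff})
                out.append({"entity": entity, "risk": total, "rules": rules})
        return sorted(out, key=lambda n: -n["risk"])


def parse_event(line: str) -> RiskAttribution:
    """Parse a constructed 'timestamp|entity|rule' line into an attribution."""
    ts, entity, rule = line.split("|")
    return RiskAttribution(datetime.fromisoformat(ts), entity, rule, RISK_RULES[rule])


# Constructed sample events: alice trips three rules within a day, bob only one.
SAMPLE_EVENTS = [
    "2022-09-28T08:01:00|alice|failed_logon_burst",
    "2022-09-28T08:05:00|alice|powershell_encoded_cmd",
    "2022-09-28T09:30:00|bob|outbound_rare_port",
    "2022-09-28T11:12:00|alice|new_admin_group_member",
    "2022-09-27T02:00:00|alice|outbound_rare_port",   # outside the 24h window, ignored
]


def run(events: list[str], now: datetime) -> list[dict]:
    idx = RiskIndex()
    for line in events:
        idx.add(parse_event(line))
    return idx.notables(now)


def demo() -> list[dict]:
    """Five raw attributions collapse to a single notable for alice (risk 90)."""
    return run(SAMPLE_EVENTS, datetime.fromisoformat("2022-09-28T12:00:00"))


if __name__ == "__main__":
    for notable in demo():
        print(notable)
```

Five raw rule matches produce a single notable event, and the attribution outside the window does not count toward the score. In practice the per-rule scores and the threshold are what detection engineers tune, and entities with a high score but no single high-severity rule are exactly the cases per-rule alerting would have missed.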

Splunk ES evaluates threats in three categories. Unknown-unknowns are identified by behavioral analytics services that cluster related entities to find new threats through peer or group analysis and profile entities using multiclass deep neural net classifiers. Known-unknowns are threats that have already been identified; here the behavioral analytics services apply predictive analytics to anticipate when such events might recur. Known-knowns are detected using correlation rules, threat intelligence, and risk-based priority sorting of notable events.

Splunk ES supports multiple deployment models, including on-premises appliances, virtual instances in public or private clouds, SaaS, or a combination of any of those. The solution’s out-of-the-box content makes it easy to use and lowers the learning curve for analysts. This content helps create and tune alerts, perform contextual searches, and increase the speed of detection and analysis. Furthermore, the use-case library enables faster detection of and incident response to both new and known threats.

The Splunk ES solution can help analysts investigate compromised systems using event sequencing, investigation timelines, and investigation workbenches. These features are designed to tackle common challenges security analysts face, making the platform rank high on the threat hunting key criterion.

Strengths: Splunk ES is a powerful, analyst-focused SIEM that ranks high on alarm fidelity, threat hunting, and advanced analytics criteria.

Challenges: The solution ranks lower on capabilities such as collaboration and monitoring ephemeral resources. While Splunk offers a separate SOAR product, the native automation capabilities in the platform are limited.

Sumo Logic

Sumo Logic Cloud SIEM is a SaaS-delivered solution built from the ground up as a multitenant, microservices architecture that scales elastically and supports large volumes of data ingestion.

The Global Intelligence for Security Insights feature provides a crowd-sourced and ML-predicted global confidence score that offers security analysts validated and fully contextualized events. Insights with a higher confidence score signify that an insight is more likely to be a true positive based on the actions from other Sumo Logic Cloud SIEM customers as well as previous actions taken on similar signals by that customer.

Sumo Logic’s Cloud SIEM is one of few solutions featured in this report that ranks high on monitoring ephemeral resources. The solution provides visibility into Kubernetes clusters and provides out-of-the-box integration with Falco, an open-source runtime security tool that monitors for privilege escalation using privileged containers, unexpected network connections or socket mutations, and read-writes to well-known directories.

Cloud SIEM's Insight Engine pulls alert signals from multiple sources into a single insight tied to specific entities, reducing triage and investigation time by automatically correlating related activities and potential threats. It also provides a view back in time, evaluating all signals associated with an entity over up to the last 30 days. Insights carry AI/ML-based confidence scores that help analysts prioritize their work by the likelihood that the insight is a true event.
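Both Microsoft Sentinel's grouping of alerts into incidents and Sumo Logic's Insight Engine rest on the same idea: alerts from different sources that share an entity within a look-back window belong to one case. The following added example (not either vendor's code) implements that grouping with a disjoint-set union over shared entities; the alerts, entity names and the 30-day window are constructed for the example.

```python
"""Grouping related alerts into one incident by shared entity.

Added illustration of the alert-to-incident correlation described for
Microsoft Sentinel and for Sumo Logic's Insight Engine; it is not either
vendor's code.  Alerts, entities and the look-back window are constructed.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts from different sources that happen to share entities.
SAMPLE_ALERTS = [
    {"id": "a1", "ts": "2022-09-01T10:00:00", "source": "edr",
     "title": "Suspicious PowerShell", "entities": {"host:ws-17", "user:alice"}},
    {"id": "a2", "ts": "2022-09-01T10:20:00", "source": "proxy",
     "title": "Beacon to rare domain", "entities": {"host:ws-17", "ip:203.0.113.9"}},
    {"id": "a3", "ts": "2022-09-02T03:00:00", "source": "idp",
     "title": "Impossible travel", "entities": {"user:alice"}},
    {"id": "a4", "ts": "2022-09-15T12:00:00", "source": "fw",
     "title": "Port scan", "entities": {"ip:198.51.100.4"}},
    {"id": "a5", "ts": "2022-10-20T09:00:00", "source": "edr",
     "title": "Credential dump", "entities": {"host:ws-17"}},  # 49 days after a1
]


class DisjointSet:
    """Union-find over alert ids."""

    def __init__(self) -> None:
        self.parent: dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def build_incidents(alerts: list[dict], window: timedelta = timedelta(days=30)) -> list[dict]:
    """Link alerts that share an entity within `window` of each other and
    return one incident per connected group, oldest first."""
    alerts = sorted(alerts, key=lambda a: a["ts"])
    seen_by_entity: dict[str, list[dict]] = defaultdict(list)
    ds = DisjointSet()
    for alert in alerts:
        ds.find(alert["id"])  # register even if it shares nothing
        ts = datetime.fromisoformat(alert["ts"])
        for ent in alert["entities"]:
            for earlier in seen_by_entity[ent]:
                if ts - datetime.fromisoformat(earlier["ts"]) <= window:
                    ds.union(earlier["id"], alert["id"])
            seen_by_entity[ent].append(alert)

    groups: dict[str, list[dict]] = defaultdict(list)
    for alert in alerts:
        groups[ds.find(alert["id"])].append(alert)

    incidents = []
    for members in groups.values():
        incidents.append({
            "alerts": [m["id"] for m in members],
            "entities": sorted(set().union(*(m["entities"] for m in members))),
            "sources": sorted({m["source"] for m in members}),
            "first_seen": members[0]["ts"],
            "last_seen": members[-1]["ts"],
        })
    return sorted(incidents, key=lambda i: i["first_seen"])


if __name__ == "__main__":
    for incident in build_incidents(SAMPLE_ALERTS):
        print(incident)
```

The EDR, proxy and identity alerts for ws-17 and alice collapse into one incident spanning three sources, the unrelated port scan stays on its own, and the later credential-dump alert on the same host is not joined because it falls outside the window. Entity chaining is transitive, so a very common entity (a shared gateway IP, for instance) will merge unrelated alerts; production engines exclude such entities or weight them, which this sketch does not.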

Entity Criticality lets analysts adjust the severity of signals for specific entities based on a risk factor or other consideration. For example, an executive's laptop is likely to hold sensitive data, so signals related to that entity should carry a higher severity. To calibrate this, you define a criticality: a single arithmetic expression that is applied to the severity of signals on the entities the criticality is assigned to.
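A per-entity arithmetic expression is operator-supplied input, so the practitioner's question is how to evaluate it without handing the SIEM an eval() primitive. The following added example (not Sumo Logic's code) parses the expression into an AST and walks only arithmetic nodes over a single `severity` variable, rejecting names, calls, attributes and exponentiation; the entity table, expressions and the 1 to 10 severity scale are constructed for this example.

```python
"""Entity criticality: adjust signal severity per entity with a small arithmetic
expression, evaluated safely without eval().

Added illustration of the mechanism described for Sumo Logic Cloud SIEM; not
Sumo Logic's code.  The expression grammar, entity table and severity scale
are constructed for this example.
"""
from __future__ import annotations
import ast
import operator

# Only these operators are accepted; everything else raises ValueError.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub,
    ast.Mult: operator.mul, ast.Div: operator.truediv,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def eval_criticality(expr: str, severity: float) -> float:
    """Evaluate `expr` over the single variable `severity`.

    The expression is parsed to an AST and walked explicitly, so a call,
    attribute access, subscript, unknown name, boolean or power operator is
    refused rather than executed.
    """
    tree = ast.parse(expr, mode="eval")

    def walk(node: ast.AST) -> float:
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return float(node.value)
        if isinstance(node, ast.Name) and node.id == "severity":
            return float(severity)
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError(f"disallowed expression element: {type(node).__name__}")

    return walk(tree)


def clamp(value: float, lo: float = 1.0, hi: float = 10.0) -> int:
    """Keep the adjusted severity on the constructed 1..10 scale."""
    return int(round(max(lo, min(hi, value))))


# Constructed criticality assignments: entity -> expression.
CRITICALITY = {
    "host:exec-laptop-01": "severity + 3",
    "host:lab-vm-07": "severity * 0.5",
    "user:svc-backup": "severity * 2",
}


def adjust_signal(entity: str, severity: int, table: dict[str, str] = CRITICALITY) -> int:
    """Apply the entity's criticality expression, if any, and clamp the result."""
    expr = table.get(entity)
    if expr is None:
        return clamp(severity)
    return clamp(eval_criticality(expr, severity))


def is_rejected(expr: str) -> bool:
    """True if the evaluator refuses the expression (used to show the guard)."""
    try:
        eval_criticality(expr, 5)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    for ent in ("host:exec-laptop-01", "host:lab-vm-07", "user:svc-backup", "host:other"):
        print(ent, 6, "->", adjust_signal(ent, 6))
    print("rejects os call:", is_rejected("__import__('os').system('id')"))
    print("rejects power:", is_rejected("severity ** 99"))
```

Division by zero in an expression still raises ZeroDivisionError, so a real implementation should validate expressions when they are saved rather than when a signal arrives, and the clamp keeps a badly written criticality from pushing severities off the scale.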

Cloud SIEM includes automated enrichment and supports ingestion of threat-intelligence data, which is automatically merged with entities (such as IP addresses) detected in insights. For customers needing threat intelligence, Sumo Logic includes the CrowdStrike threat intelligence feed with its platform free of charge.

Strengths: Sumo Logic’s Cloud SIEM ranks high on multiple key criteria, including alarm fidelity, data enrichment, automation, monitoring ephemeral resources, and advanced analytics.

Challenges: While Sumo Logic’s cloud-native SaaS delivery may be an advantage for seamless enterprise deployments, Cloud SIEM is unsuitable for customers who need to run the solution in other environments.

6. Analyst’s Take

Most vendors in the SIEM space have well-developed core capabilities in alert ingestion, storage, scalability, and reporting. To develop new features, SIEM solutions are now entering the realm of other security services, such as UEBA, SOAR, and XDR. Vendors are tackling these new capabilities either by developing them natively in the SIEM solution or by developing or acquiring them as separate products and closely integrating them. Integrations with third-party point-solution vendors still exist, but the focus has shifted to having the capabilities available in-house. This movement in the market is captured in the report through the convergence key criterion.

One interesting observation is the approach to ML. While applying ML-based analytics directly over raw SIEM logs has not produced proven results, almost all vendors implement ML through UEBA. UEBA has ML at its core: it learns baseline behavior and detects deviations or anomalies from that baseline. Vendors that started in the UEBA space and moved into SIEM bring more experience and development in this area. Today, most SIEM vendors offer ML-based UEBA capabilities, albeit at different maturity levels. To illustrate the point further, point-solution SIEM vendors who do not play in the UEBA space have little to no ML capability.
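The baseline-and-deviation idea described here, and earlier for Log360's count anomalies against users and their peer groups, is simple enough to show end to end. The following added example is not any vendor's code: it scores each user's daily count against the user's own 14-day history and against the history of the user's peer group, using z-scores. The users, peer groups, history, today's observations, the 3-sigma cut-off and the 60/40 weighting are constructed for this example.

```python
"""UEBA-style baseline deviation scoring against self and peer-group history.

Added illustration of the baseline-and-deviate idea behind ML-driven UEBA;
not any vendor's code.  Users, peer groups, history, today's counts and the
scoring constants are constructed.
"""
from __future__ import annotations
from statistics import mean, pstdev

# Constructed history: files accessed per day over the last 14 days.
HISTORY = {
    "alice": [12, 15, 11, 14, 13, 12, 16, 14, 13, 12, 15, 14, 13, 12],
    "bob":   [40, 42, 38, 45, 41, 39, 44, 43, 40, 42, 41, 39, 40, 42],
    "carol": [10, 12, 11, 9, 13, 12, 10, 11, 12, 10, 11, 12, 10, 11],
}
PEER_GROUPS = {"alice": "finance", "carol": "finance", "bob": "engineering"}

# Today's observations (constructed): alice suddenly reads 120 files.
TODAY = {"alice": 120, "bob": 41, "carol": 11}


def zscore(value: float, samples: list[float]) -> float:
    """Standard deviations between value and the sample mean (0 if the history is flat)."""
    sd = pstdev(samples)
    if sd == 0:
        return 0.0
    return (value - mean(samples)) / sd


def peer_samples(user: str, history: dict[str, list[int]], groups: dict[str, str]) -> list[float]:
    """Every historical observation of the user's peers, excluding the user."""
    grp = groups[user]
    return [v for u, vals in history.items() if u != user and groups[u] == grp for v in vals]


def risk_score(user: str, value: int, history=HISTORY, groups=PEER_GROUPS) -> dict:
    """Combine self-baseline and peer-baseline deviation into a 0..100 risk."""
    self_z = zscore(value, history[user])
    peers = peer_samples(user, history, groups)
    peer_z = zscore(value, peers) if peers else 0.0
    # Constructed weighting: only positive deviations count, capped at 10 sigma.
    raw = 0.6 * max(self_z, 0.0) + 0.4 * max(peer_z, 0.0)
    score = int(round(min(raw, 10.0) * 10))
    return {
        "user": user,
        "value": value,
        "self_z": round(self_z, 2),
        "peer_z": round(peer_z, 2),
        "risk": score,
        "anomalous": self_z > 3,   # constructed 3-sigma cut-off
    }


def score_all(today: dict[str, int] = TODAY) -> list[dict]:
    """Score every user observed today, highest risk first."""
    return sorted((risk_score(u, v) for u, v in today.items()), key=lambda r: -r["risk"])


if __name__ == "__main__":
    for row in score_all():
        print(row)
```

Alice's 120 file reads sit dozens of standard deviations above both her own and her peers' baselines and score 100, while bob and carol, each within their normal range, score 0. Bob has no peers in his group, so only his own history is used; a real UEBA engine also has to handle new users with no history, seasonality (weekday versus weekend), and an attacker who raises the baseline slowly, none of which a fixed 14-day mean and standard deviation capture.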

Another aspect that differentiates vendors in the SIEM space is the deployment model. Some vendors offer only cloud-native SaaS deployments, while more mature vendors provide most types of deployment, from physical appliances to virtual and cloud-hosted, with SaaS on the roadmap for most players. As the main tool for security operations, SIEMs are crucial for regulated industries where on-premises deployments are often required. Cloud-native vendors are therefore unable to cater to customers in this space, making it much easier for vendors who offer more deployment models to capture that part of the market.

Looking forward, we expect SIEMs to be increasing their capabilities to operate autonomously, mainly through prepackaged content, self-tuning capabilities, playbook changes, ML-based applications, and AIOps.

7. About Logan Andrew Green

Logan Andrew Green is an experienced technologist, whose areas of expertise include enterprise IT, fintech, Internet of Things, artificial intelligence, and fixed and mobile connectivity. His engineering experience as an operational support system designer and radio networks optimization engineer helps him assess new technologies from both a technical and commercial perspective. Currently, Logan oversees Vodafone’s portfolio of managed IT products targeted at large enterprises. He has also been working as a technical writer and business strategist across the technology industry, helping mid-sized organizations define their propositions, offerings, and market positioning.

8. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

9. Copyright

© Knowingly, Inc. 2022 "GigaOm Radar for Security Information and Event Management" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.