New SIEM Reviews 2017

What added value do SIEM tools give security professionals and network engineers? 

Are users satisfied with the advanced threat protection capabilities? Do the log management features meet their expectations?

In the reviews quoted below, real users compare and share feedback on their security information and event management (SIEM) tools — based on product reviews, ratings, and comparisons.

Continue reading to learn what IT Central Station users have to say.

Splunk

Joshua Biggley, Engineer, Infrastructure Applications at a healthcare company with 1,001-5,000 employees, describes the value that Splunk has added to his organization:

“Splunk has a single purpose in life: ingest machine data and help analyze and visualize that data. The breadth of the data sources that Splunk can ingest data from is broad and deep and it does an exemplary job at handling structured data. It does a great job at handling unstructured data. Breaking data into key/value pairs so that it can be searched is relatively painless.”

Paul Gilowey, Foundation Technology Specialist at an insurance company with 1,001-5,000 employees, writes about the challenges he’s experienced with Splunk:

“Official training, even CBT, is expensive so not many people are able to get certified. This leads/causes the users to make use of the most basic functionality only.

It is a challenge to manage the environment in such a way, that one’s log, even with the bandwidth license, isn’t exceeded. Splunk has moved towards not applying hard caps in data ingestion, and this will help us in the future.

However, I’d like an easier way to flag certain source log files as non-critical and have Splunk automatically disable those event sources when the license capacity exceeds an arbitrary value.”

IBM QRadar

A Vulnerability Manager at a tech services company with 51-200 employees emphasizes the value of IBM QRadar’s “threat protection network”:

“The threat protection network is the most valuable feature because when you get an offense, you can actually trace it back to where it originated from, how it originated, and why.”

Miguel Angel Beltran Vargas, Director SOC at a tech services company with 51-200 employees, suggests that improvements be made to IBM QRadar’s backup procedures:

“From my point of view, they should improve the backup procedures. QRadar does not allow sending backups by FTP or SFTP, limiting the tool. I had to make a script but it is a manual process. It would be great to have it automated.”

AlienVault

An IS Manager at a financial services firm with 501-1,000 employees shares which AlienVault features he uses most and how they benefit his organization:

“We use several features extensively; logging, vulnerability scanning, file integrity monitoring, and threat information.

It has allowed us to centralize our logging. We had used previous products and found AlienVault centralized the logging for our security. Additionally, we are better able to meet our compliance needs.”

Paruvathakumar P, Delivery Manager at a tech services company with 11-50 employees, would like to see improvements be made to AlienVault’s report section;

“The report section needs to be improved. Most of the correlation rules are based on the NIDS event, which needs to be improved. In other words, we have to use the device logs also.”

HPE ArcSight

A Product Specialist Security Solutions at a tech services company with 501-1,000 employees emphasizes the value that the Active List/Session List capability adds to his organization:

“One of the most valuable features is the Active List/Session List capability.

Multiple use cases were only possible to be created due to this feature list. The feature list allows us to input data dynamically to list it as a rule action.

For example: If you need to take a Source IP from an IPS event and put it in an ActiveList suspicious IP, you can create another rule for AntiVirus events where it only matches IPs within that list.”

Andy Sustano, Sales Engineer at a tech services company with 1,001-5,000 employees, suggests that ArcSight’s UI be improved, listing Splunk’s UI as an example to follow;

“They need to improve the Web UI, similar to how it is done with Splunk.

ArcSight is still using a Java app to do analytics. ArcSight Express is using HTML5, which is good. However, the capabilities of ArcSight Express are not good when the data grows.”

Fortinet FortiSIEM (AccelOps)

Nick Korosi, Network Engineer at a sports company with 51-200 employees, describes what he considers to be Fortinet FortiSIEM’s most valuable feature:

“The ability to write my own parsers for the devices that are not supported by Fortinet is the most valuable feature. It’s impossible to find an application that supports every device/manufacturer that we have. Thus, being able to write my own parsers for device logs, allows for greater scalability.”

Similar to Andy Sustano’s suggestion that HPE ArcSight’s UI could use improvement, Vinod Shankar, Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees, discusses what is currently lacking in AccelOps’s UI capabilities:

“The UI, while presents data in a very informative way, suffers from too much clutter hindering usability. While this is a personal opinion, when compared against the likes of IBM, Splunk, and even LogRhythm, the AccelOps UI does not excite. We hope that Fortinet brings to fore its UI maturity to AccelOps, thereby becoming much more savvy.”

RSA NetWitness Logs and Packets

Muntaser Bdair, Founder & CEO at a tech services company with 11-50 employees, shares that RSA NetWitness Logs and Packets grants his organization “full visibility of the networks and activities of the systems”;

“RSA NetWitness is a SIEM and real-time network traffic solution. It collects logs/packets and applies a set of alerting, reporting and analysis rules on them. Thus, it provides the enterprise with a full visibility of the networks and activities of the systems…

For example, it provides detection of the attacks in early stages (brute-force attacks), by which the attackers try to gain access to the systems, by trying to log in using different usernames and passwords (might be in a dictionary).”

A Direct Sales Director at a tech services company with 501-1,000 employees mentions the challenge of needing to use an “external backup solution” for backing up data;

“Data is stored on separate components without redundancy. It’s possible to have backup for data, but you have to use an external backup solution.”

McAfee Enterprise Security Manager

Vagner Araujo Silva, Information Security Analyst at a tech services company with 501-1,000 employees, states that McAfee Enterprise Security Manager’s “easy interface is the most valuable feature”;

Silva elaborates that “Through correlation rules, it finds malware that compromised the computer that anti-virus and other security solutions do not find.”

In a second review that Silva wrote about McAfee Enterprise Security Manager, he notes that “the disk space needed for events is not clear. In all clients, we had at least more than 100GB free that we could not use...I suggest that you configure the data archive prior to deployment because once the partition is detached, it will be deleted and you can lose a week’s worth of events. You don't know when it will be deleted because even with a lot of space disk the partition is detached.”

NetIQ Sentinel

Tomasz Nogalski, Security/Service Engineer at a comms service provider with 10,001+ employees, writes about the security value he’s found in NetIQ Sentinel’s anomaly dashboards, as well as its search/filters features;

“Anomaly dashboards provide the possibility to find zero-day attacks. This feature is built based on the second - search/filters. It's great and very useful because I would first find out if search/filter can give me the data that I needed. If not, I have the possibility to change it e.g. using regex or made search/filter fine-tuning.

And when I have search/filter tested and know that it will catch information that I want see on the chart, then I implement search/filter in the new Anomaly Dashboard.”

Silvestre Figueroa, Information Systems Manager at a healthcare company with 501-1,000 employees, would like to see improvements made to the Java desktop tool and the WMI integration (WECS server architecture);

“The integration UI and modules deployment can improve. In my opinion, the web interface can manage all the functionalities and configurations; no Java desktop app is necessary.

The Java app functions can be migrated to the web interface. On the other hand, WMI integration can be improved by removing the WECS collector. Sentinel Node can include all the functions. If an escenary needs more power, just deploy another Sentinel node (all in one) that can help in multiples use cases, not just WECS.”

What else do users say about their SIEM tools?

Read more of our users’ security information and event management reviews on IT Central Station.