
SIEM Pro Cons

Date post: 06-Jul-2018
Upload: sagar-gautam
  • 8/18/2019 SIEM Pro Cons

    1/58


    Info-Tech Research Group 2

Security Information & Event Management (SIEM) vendors approach the market from different perspectives. Understand your organization’s requirements for SIEM to ensure that the selected product helps achieve key goals.

Introduction

This Research Is Designed For:

• IT leaders considering SIEM technology to reduce the cost of meeting ever-increasing compliance requirements.
• IT leaders looking to enhance the effectiveness of existing IT security operations.
• Organizations seeking to improve overall risk management processes.

This Research Will Help You:

• Understand the capabilities of SIEM technologies, and their potential use cases.
• Differentiate between vendor offerings and identify alignments with your organization’s requirements.
• Shortlist vendors, prepare an RFP, and score RFP responses to select a SIEM solution.
• Develop an implementation strategy and maximize your investment in SIEM.


Executive Summary

Understand SIEM Trends and Considerations

• Security Information & Event Management (alternatively known as Security Incident & Event Management) technologies have evolved from point solutions into comprehensive systems that allow organizations to optimize any or all of the following important security-related functions:
  ◦ Collection and management of critical system and network log data.
  ◦ Execution of processes in support of regulatory and policy compliance obligations.
  ◦ Identification of information security threats and response to them.
  ◦ Continuous information security risk management processes.
• Understand your organization’s needs, potential costs, and readiness to undertake a SIEM deployment before taking the leap.

Evaluate SIEM Vendors

• Vendor offerings target these security functions in substantially different ways, based on their SIEM product origins, integration with their broader security solutions, architectural deployment options, and specific market focus.
• Map your organization’s immediate and future requirements for SIEM against vendor and product capabilities, and leverage the tools and templates included in this solution set to accelerate selection of a SIEM technology.

Develop a SIEM Implementation Strategy

• Understand options for managed versus self-staffed SIEM implementations and their pros and cons.
• Design a deployment architecture and capture additional implementation and operational costs and benefits, based on addressing your organization’s specific security and compliance requirements.
• Develop a plan for a phased implementation of the selected SIEM product and architecture, ensuring that you realize both short and long-term objectives and benefits.


Symantec leads the market, but other SIEM vendors offer compelling alternatives to meet specific requirements

Info-Tech evaluated ten competitors in the SIEM market, including the following notable performers:

Champions:

• Symantec, with its balance of strong product and vendor capabilities at an excellent price point, leads with a SIEM solution that can deliver benefits to almost any organization.
• Q1 Labs delivers exceptional reporting capabilities and additional product features that distinguish it from Symantec at a higher, but still competitive, price point.
• SenSage provides exceptional correlation and forensic capabilities for organizations that can justify the elevated cost.

Value Award:

• Symantec’s combination of stable and committed vendor, well-rounded product, and near rock-bottom pricing earns the company the Best Overall Value Award.

Innovation Award:

• NitroSecurity posted the highest score for product capabilities, and may be an appealing option for those seeking premium features and functionality to meet both compliance and event management requirements.

Info-Tech Insight

1. Focus on business requirements: Identify the functionality that your organization requires to meet business needs or to justify an investment in SIEM technology.

2. Consider future requirements: Keep in mind all potential benefits of a SIEM deployment, whether you are focused primarily on simplifying compliance, speeding event management and incident response, or reducing overall risk.

3. Go for good enough for you: Align current and future requirements with the capabilities and solution feature-sets of vendors. While Symantec is the leader, its focus on solution breadth over depth underscores the importance of assessing alternative vendors against your organization’s needs.


Understand SIEM Trends and Considerations

What’s in this Section:

• What SIEM is – and what it isn’t
• The role of SIEM in managing risk
• Key decision factors for SIEM
• Assessing the appropriateness of SIEM

Sections:

• Understand SIEM Trends and Considerations
• Evaluate SIEM Vendors
• Develop Your SIEM Implementation Strategy
• Appendices


Like every tool, SIEM has limitations; expect too much and be prepared for disappointment

SIEM technology is no silver bullet, but adds value by extending visibility across existing information security and system management tools.

• When clients that are using SIEM solutions were asked about their expectations for the solution, they almost universally indicated that they had very high expectations prior to deployment.
• Those same clients indicated that in almost every measure their SIEM solution failed to meet expectations.
• Failure to meet expectations should not be held against the tools, as in almost every measurable category the tools delivered Moderately Significant to Significant positive Impact to the enterprise.
• The moral: oversetting expectations can lead to let-down even with deployments that are successful and improve enterprise security, compliance, and overall risk management.


Take stock of the serious threats to systems and the business; ensure threats can be contained or costs can be managed

The cost of a major and persistent system compromise can be substantial. Standalone security tools provide some visibility; SIEM tools do much more.

• Several well-publicized breaches in recent years highlight the scale of potential impacts, including:
  ◦ Direct costs for TJX (2007) have exceeded $250M.
  ◦ Heartland Payment Systems (2009) has reported over $140M in direct costs.
  ◦ Sony (2011) has already booked $171M in direct costs.
• Each of these breaches involved repeated system compromises crossing multiple systems over an extended period – precisely the types of activities that are made more visible through SIEM.
• Total costs (direct and indirect) per compromised customer record continue to rise, and in 2009 averaged over $200 per affected customer.
  ◦ Costs per customer are typically much higher for smaller organizations and smaller-scale breaches than for the massive breaches noted above, as enterprise-wide expenditures are spread across a smaller number of affected accounts.

Info-Tech Insight

SIEM alone cannot eliminate similar breaches, but enhanced visibility reduces risk exposure in many ways:

• Identify sophisticated attacks earlier using event data correlated across multiple systems;
• Support more rapid and more thorough forensics during and after initial incident response;
• Enable continuous feedback from observed threats into security and system controls to achieve optimal protection and reduce the risk of future compromises.

Deployed & operated properly, SIEM can reduce the risk and impact of catastrophic breaches.

Sources:
http://www.boston.com/business/globe/articles/2007/08/15/cost_of_data_breach_at_tjx_soars_to_256m/
http://www.computerworld.com/s/article/9176507/Heartland_breach_expenses_pegged_at_140M_so_far
http://www.zdnet.com/blog/btl/sonys-data-breach-costs-likely-to-scream-higher/49161
http://www.ponemon.org/news-2/23


Determine how and where SIEM will help you manage risk

Adopting the right SIEM tool depends on what risk-related focus is most important to your organization.

Typically, organizations see both compliance and event management-related benefits as SIEM is integrated into the risk management toolbox.

All SIEM tools provide log management functionality – collecting, aggregating, and normalizing log data from diverse sources. Whether the enterprise chooses to move further or not, every organization can benefit from Log Management.

Many organizations look to SIEM primarily as a way to reduce the cost of meeting internal and external/regulatory compliance requirements: Consolidated logs feed out-of-the-box and custom compliance reports. In some cases, SIEM workflow capabilities add value by tracking mandatory log review processes.

Other organizations look to SIEM primarily as a means to reduce the effort expended when responding to individual security events and incidents: Correlated events provide earlier visibility into active threats. Consolidated logs allow more rapid and thorough investigation of events either in progress, or after the fact.

Many organizations take a final step, leveraging the information provided by the SIEM tool to target specific changes to (or investments in) system security and operational controls as a key component of a continuous risk management program.


Compare approaches to managing key information security processes, with or without SIEM

Get a sense of how far you intend to go with SIEM to help focus setting your organization’s requirements. Look for the SIEM you need, but not more.

Security Management Focus Areas: Log Management, Compliance Management, Event Management, Continuous Risk Management

SIEM Approach: No SIEM

• Log Management: Storage, backup, retention, and archival settings must be configured and managed for each key system.
• Compliance Management: Compliance reporting and related log review management is done through manual processes.
• Event Management: Incident identification & response processes are hampered by lack of cross-system visibility.
• Continuous Risk Management: Prioritization of security attention across systems is nearly impossible, and may not account for cross-system risks.

SIEM Approach: Basic SIEM (Compliance or Event Focus)

• Log Management: Central log management optimizes the time and cost of managing key system logs, enabling greater opportunities for using such data.
• Compliance Management: Compliance management processes can be streamlined with pre-defined, scheduled, cross-system reporting.
• Event Management: Visibility into incidents is increased through event correlation; incident response is enhanced by alerting and forensic investigation functionality.
• Continuous Risk Management: A more realistic view of risk emerges from increased efficiency in compliance or event management processes, enabling better prioritization.

SIEM Approach: Advanced SIEM (Compliance and Event Focus)

• Continuous Risk Management: Integrated information from compliance and event management processes provides the most complete view of overall system risks. Staff attention and technology investments can be optimized.


Be clear about the impact of SIEM-enhanced security visibility

Be prepared for dealing with issues and events that you might have been missing without SIEM.

1. Pre-SIEM: Information risks and associated security management costs increase over time as new threats appear.

2. Immediately Post-SIEM: Increased visibility into extant threats results in increased cost of managing those threats – ignorance can no longer justify inaction.
  • Per event/incident costs will decline through earlier detection opportunities and investigation efficiencies provided by the SIEM tool.
  • Since those threats always existed, and are now being acted upon, overall risk begins to decline.
  • As SIEM-based efficiencies are realized, the cost of managing visible threats returns to baseline levels.

3. Long-Term Post-SIEM: Both risk and security costs can be driven down further through feedback from SIEM into technical and procedural controls.

[Figure: SIEM’s Impact on Risk and Cost Over Time]


SIEM may make life harder before it makes it easier; if you can’t handle the “bump,” don’t invest in SIEM

Improving organizational security stance is not an overnight process; SIEM will help but things will get worse before they get better.

1. When first deployed, a SIEM solution will expose the enterprise to all the risk it was missing but that was there anyway. In today’s regulated world, if you’re not prepared to address that increased risk, you’d best just leave your head in the sand.

2. As visibility into risk increases, security spend will by necessity increase as new tools or time need to be expended to combat identified risks. Most enterprises don’t have unlimited security budgets, so spending initially trails threat exposure.

3. As the most serious threats are addressed, risk tapers off fairly quickly. At this point perceived risk and actual risk are being reduced, though levels are likely to be higher than what was perceived for some time.

4. Spend remains higher for longer as solution deployments must be rationalized and staffing levels finalized. Spend begins to go down when the costs associated with breaches and other threats are eliminated.

5. In time, and with concentrated effort, SIEM can allow the enterprise to drive risk and spend to lower levels than were previously experienced. As a side benefit, while risk is being addressed, SIEM is also providing compliance reporting benefits that help in other ways.

[Figure: risk and spend curves over time, annotated with stages 1 through 5 above]


Evaluate SIEM Vendors

What’s in this Section:

• Info-Tech’s Vendor Landscape for ten SIEM vendors
• Shortlisting SIEM vendors through scenario analysis
• Developing and executing a SIEM RFP

Sections:

• Understand SIEM Trends and Considerations
• Evaluate SIEM Vendors
• Develop Your SIEM Implementation Strategy
• Appendices


SIEM Market Overview

How it got here

• Security Information & Event Management grew from the conjoining of two separate tools: Security Event Management and Security Information Management (which itself grew out of simpler Log Management). Indeed, some vendors still offer separate SEM and SIM products under the SIEM banner.
• The space was founded just prior to the 2000s but has failed to catch on in any significant way; even the leading vendors claim less than 2,000 clients each.
• SIEM solutions have typically focused on the largest of enterprises, but recently vendors have begun producing simplified, streamlined all-in-one solutions aimed at the SMB space.

Where it’s going

• Two factors combine to drive the awareness and adoption of SIEM: the first is the push into the SMB space that began a few years ago, while the second is the increasing amount of regulatory and industry compliance and its comprehensive auditing demands.
• Though the space is mostly populated by smaller dedicated players, some larger players are already marketing SIEM solutions. The recent acquisition of market-leader ArcSight by HP is a possible precursor of greater consolidation to come.
• As security and compliance concerns grow with each new regulation, each failed audit, and each publicized security breach, SIEM will finally begin to draw broader attention in the coming year.

As the market evolves, so do the features you need to evaluate. Pay close attention to improving collection, aggregation, and correlation capabilities and the adoption of truly open standards for event data records.


SIEM Vendor Landscape inclusion criteria: Market share, mind share, and market consolidation

• Though over ten years old now, in many ways the SIEM space is still nascent with numerous players, many of them small and independent. However, the landscape may be shifting as evidenced by the recent acquisition of market-leader ArcSight by HP and the merging of NetIQ and Novell product lines.
• For this Vendor Landscape, Info-Tech focused on those vendors that have a strong market presence and/or reputational presence among small to mid-sized enterprises.

Included in the Vendor Landscape:

• ArcSight. The market leader with enterprise-focused ESM, pushing into SMB with Express.
• IBM. SIEM marketed under the Tivoli umbrella – a single line focused more at the enterprise than SMB.
• LogLogic. A dedicated SIEM provider with a modular platform that offers flexibility to all enterprises.
• netForensics. One of the pioneers of SIEM; separate products focused at the enterprise and SMB.
• NitroSecurity. The most recent entrant to the SIEM market (2007) but a company definitely on the rise.
• Q1 Labs. The largest independent player remaining; QRadar anchors a capable suite of SIEM tools.
• RSA. Second in market share, its enVision products target both the large (LS line) and SMB (ES line) clients.
• SenSage. One of the smaller vendors in this evaluation and one still primarily focused on the large enterprise.
• Symantec. The world’s largest security vendor markets a single platform to all clients equally.
• TriGeo. The only player dedicated to the SMB space; may single-handedly have created this end of the market.


SIEM Criteria & Weighting Factors

Overall weighting: Product 50%, Vendor 50%.

Product Evaluation

• Features (30%): The solution provides basic and advanced feature/functionality.
• Usability (20%): The solution’s dashboard and reporting tools are intuitive and easy to use.
• Affordability (20%): The five-year TCO of the solution is economical.
• Architecture (30%): The delivery method of the solution aligns with what is expected within the space.

Vendor Evaluation

• Viability (30%): Vendor is profitable, knowledgeable, and will be around for the long-term.
• Strategy (30%): Vendor is committed to the space and has a future product and portfolio roadmap.
• Reach (15%): Vendor offers global coverage and is able to sell and provide post-sales support.
• Channel (25%): Vendor channel strategy is appropriate and the channels themselves are strong.


The Info-Tech SIEM Vendor Landscape

Champions receive high scores for most evaluation criteria and offer excellent value. They have a strong market presence and are usually the trend setters for the industry.

Market Pillars are established players with very strong vendor credentials, but with more average product scores.

Innovators have demonstrated innovative product strengths that act as their competitive advantage in appealing to niche segments of the market.

Emerging players are newer vendors who are starting to gain a foothold in the marketplace. They balance product and vendor attributes, though score lower relative to market Champions.

For a complete description of Info-Tech’s Vendor Landscape methodology, see the Appendix.

[Chart: Vendor Landscape plot of SenSage, Q1 Labs, IBM, LogLogic, Symantec, RSA, ArcSight, NitroSecurity, netForensics, and TriGeo]


Balance individual strengths to find the best fit

[Table: Harvey Ball ratings for Q1 Labs, LogLogic, IBM, netForensics, NitroSecurity, RSA, ArcSight, SenSage, Symantec, and TriGeo across Product criteria (Features, Usability, Price, Platform, Overall) and Vendor criteria (Viability, Strategy, Channel, Reach, Overall)]

For an explanation of how Info-Tech Harvey Balls are calculated, please see the appendix.


What is a Value Score?

The Value Score indexes each vendor’s product offering and business strength relative to their price point. It does not indicate vendor ranking.

Vendors that score high offer more bang for the buck (e.g. features, usability, stability, etc.) than the average vendor, while the inverse is true for those that score lower.

Price-conscious enterprises may wish to give the Value Score more consideration than those who are more focused on specific vendor/product attributes.

The Info-Tech SIEM Value Index

[Chart: The Info-Tech SIEM Value Index by vendor]

On a relative basis, Symantec maintained the highest Info-Tech Value Score™ of the vendor group. Vendors were indexed against Symantec’s performance to provide a complete, relative view of their product offerings.

Sources: To calculate the Value Score for each vendor, the affordability raw score was backed out, the product scoring reweighted, and the affordability score multiplied by the product of the Vendor and Product scores.


Table Stakes represent the minimum standard; without these a product doesn’t even get reviewed

If Table Stakes are all you need from your SIEM solution, the only true differentiator for the organization is price. Otherwise, dig deeper to find the best price and value for your needs.

What Does This Mean?

The products assessed in this Vendor Landscape™ meet, at the very least, the requirements outlined as Table Stakes.

Many of the vendors go above and beyond the outlined Table Stakes, some even do so in multiple categories. This section aims to highlight the products’ capabilities in excess of the criteria listed here.

The Table Stakes

• Basic Collection / Aggregation / Normalization (CAN): Collection from firewall logs, IDS logs, Windows server logs, web server logs, and syslogs.
• Basic Correlation: Canned correlation policies for CAN data that act in near-real time.
• Basic Alerting: Logging for all correlated events and alerting via pager/e-mail/text for those that exceed a given threshold.
• Basic Reporting: Availability of canned reports that can be run on a scheduled and ad hoc basis.
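The Table Stakes pipeline (collection from mixed sources, normalization to a common schema, a canned correlation policy, and threshold alerting) in miniature, as an added example that is not part of the Info-Tech report or any vendor's product. The log lines are constructed, and the source names, field names, and the "failed logons from one address across two or more hosts" policy are assumptions chosen for illustration:

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample input: (collector type, raw record). Not real log data.
SAMPLE_LOGS = [
    ("syslog", "2011-06-01T10:00:01 host1 sshd[123]: Failed password for root from 203.0.113.5 port 51000 ssh2"),
    ("syslog", "2011-06-01T10:00:05 host1 sshd[123]: Failed password for root from 203.0.113.5 port 51001 ssh2"),
    ("windows", "2011-06-01T10:00:09|4625|srv2|administrator|203.0.113.5"),
    ("firewall", "2011-06-01T10:00:12 DENY src=203.0.113.5 dst=10.0.0.7 dport=3389"),
    ("windows", "2011-06-01T10:00:20|4624|srv2|administrator|203.0.113.5"),
    ("syslog", "2011-06-01T10:30:00 host3 sshd[999]: Failed password for bob from 198.51.100.9 port 40000 ssh2"),
]


@dataclass
class Event:
    """Common schema every collector normalizes into (an assumed schema, not a vendor's)."""
    ts: datetime
    source: str            # collector type: syslog, windows, firewall
    host: str              # system that produced the record
    category: str          # normalized: auth_failure, auth_success, fw_deny
    src_ip: Optional[str]
    user: Optional[str]


SYSLOG_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
FIREWALL_RE = re.compile(r"^(\S+) (DENY|ALLOW) src=(\S+) dst=\S+")
WINDOWS_AUTH = {"4625": "auth_failure", "4624": "auth_success"}   # Windows logon audit event IDs


def normalize(source: str, line: str) -> Optional[Event]:
    """Collection + normalization: map one raw record onto the common schema.
    Returns None for records this canned parser does not understand."""
    if source == "syslog":
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        ts, host, outcome, user, ip = m.groups()
        cat = "auth_failure" if outcome == "Failed" else "auth_success"
        return Event(datetime.fromisoformat(ts), source, host, cat, ip, user)
    if source == "windows":
        fields = line.split("|")
        if len(fields) != 5 or fields[1] not in WINDOWS_AUTH:
            return None
        ts, event_id, host, user, ip = fields
        return Event(datetime.fromisoformat(ts), source, host, WINDOWS_AUTH[event_id], ip, user)
    if source == "firewall":
        m = FIREWALL_RE.match(line)
        if not m or m.group(2) != "DENY":
            return None
        ts, _, ip = m.groups()
        return Event(datetime.fromisoformat(ts), source, "firewall", "fw_deny", ip, None)
    return None


def correlate(events: List[Event], threshold: int = 3,
              window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Canned correlation policy: at least `threshold` auth failures from one source IP,
    hitting two or more different hosts, inside `window`. Severity is raised to 'high'
    when the same IP then logs on successfully anywhere within the window."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.src_ip:
            by_ip[ev.src_ip].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e.category == "auth_failure"]
        for i, first in enumerate(failures):
            burst = [e for e in failures[i:] if e.ts - first.ts <= window]
            hosts = sorted({e.host for e in burst})
            if len(burst) < threshold or len(hosts) < 2:
                continue
            success = any(e.category == "auth_success" and burst[-1].ts < e.ts <= first.ts + window
                          for e in evs)
            alerts.append({"src_ip": ip, "failures": len(burst), "hosts": hosts,
                           "severity": "high" if success else "medium",
                           "first_seen": first.ts.isoformat()})
            break  # one alert per source IP per burst
    return alerts


def run_pipeline(raw_logs=SAMPLE_LOGS):
    """Runs collection -> normalization -> correlation -> alerting over the raw records."""
    events = [ev for src, line in raw_logs if (ev := normalize(src, line)) is not None]
    alerts = correlate(events)
    for a in alerts:   # alerting step: only bursts over the threshold are escalated
        print(f"ALERT[{a['severity']}] {a['src_ip']}: {a['failures']} failures on {a['hosts']}")
    return events, alerts


if __name__ == "__main__":
    run_pipeline()
```

The lone failure from 198.51.100.9 is normalized and retained but never crosses the threshold, which is the distinction the Basic Alerting row draws between logging every correlated event and paging on the ones that matter.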


Advanced Features are the market differentiators that make or break a product

Advanced Features (Feature: What We Looked For)

• Log Data Enrichment: Advanced CAN from Net Flow, Identity, Database, Application, Configuration, and File Integrity data sources
• Advanced Correlation: Advanced canned policies, user-defined policies, and adaptive/heuristic policies
• Advanced Alerting: Programmable/customizable alerting responses and workflow injection
• Advanced Reporting: Flexible dashboards, custom reporting capabilities, and ability to export to external reporting infrastructure
• Forensic Analysis Support: Ability to generate custom data queries with flexible drill-down capabilities
• Data Management - Security: Access controls to SIEM system and SIEM data, encryption of SIEM data (in storage and transmission)
• Data Management - Retention: Notable storage capacity, data compression, and inherent hierarchical storage management

Scoring Methodology

Info-Tech scored each vendor’s feature offering as a summation of its individual score across the listed advanced features. Vendors were given 1 point for each feature the product inherently provided. Some categories were scored on a more granular scale with vendors receiving half points (see Partial functionality criteria).


Each vendor offers a different feature set; concentrate on what your organization needs

[Table: Advanced feature matrix for ArcSight, IBM, LogLogic, netForensics, NitroSecurity, Q1 Labs, RSA, SenSage, Symantec, and TriGeo across Log Data, Correlation, Alerting, Reporting, Forensics, Security, and Retention]


Symantec delivers a solid product with an attractive price

Champion

Product: Security Information Manager
Employees: 17,500
Headquarters: Mountain View, CA
Website: Symantec.com
Founded: 1982
Presence: NASDAQ: SYMC; FY10 Revenue: $6B

Overview

• In contrast to most players in the space, Symantec positions its SIEM solution as a security tool first, and compliance tool second; its integration into other product lines backs this up and makes it a good choice for the security conscious.

Strengths

• Symantec offers the broadest base of deployment types – software, hardware, virtual hardware, and managed service offerings, allowing every enterprise to find a fit.
• Security Information Manager is integrated into Symantec’s Global Intelligence Network, meaning system configuration can be adjusted based on more than just local event data.

Challenges

• In many ways, a “jack of all trades, master of none” solution, Symantec hits with partial marks for almost all Info-Tech identified advanced features, but full marks in hardly any.
• SIEM gets little exposure within Symantec’s ever-expanding product portfolio; a flip-flopping on appliance-based delivery model may indicate lack of understanding of market needs.

Priced between $250,000 and $500,000

Info-Tech Recommends: A solid product at an attractive price from a company with a clear commitment to the security space; these factors make Security Information Manager a good choice for organizations with generic SIEM needs.


QRadar: a complete product from a vendor dedicated to SIEM

Champion

Product: QRadar SIEM
Employees: 250
Headquarters: Waltham, MA
Website: Q1Labs.com
Founded: 2001
Presence: Privately Held

Overview

• Q1 Labs is the largest independent player in the SIEM space and supplements its SIEM play with a broad suite of products to allow for comprehensive security management.

Strengths

• The broadest and most comprehensive set of reporting capabilities of any product in this test; its capability is so broad, integration to third-party reporting solutions is unnecessary.
• Cleanly integrated set of hierarchical products allows enterprises to grow their security management capabilities in an additive, not rip-and-replace manner.

Challenges

• As the biggest independent, and a company experiencing tremendous growth, Q1 Labs may be a target for acquisition as compliance mandates increase the demand for SIEM.

Priced between $250,000 and $500,000

Info-Tech Recommends: Whether simple log management with the ability to grow into fully featured SIEM, or a broad-based solution that includes pre-exploit management, Q1 Labs has a solution for every need.


SenSage turns security data into business intelligence

Champion

Product: Event Data Warehouse
Employees: 50-100
Headquarters: Redwood City, CA
Website: SenSage.com
Founded: 2000
Presence: Privately Held

Overview

• SenSage grew out of traditional log management and is staking its future on Open Security Intelligence, the extension of SIEM into a business-focused decision support system.

Strengths

• Extremely broad correlation capabilities, coupled with Alert Player that allows admins to replay scenario-based events, means SenSage offers BI-like capability for security data.
• SenSage, despite its size, has built a strong network of high-profile channel partners and backs them with a solid support organization.

Challenges

• With a client base in the mid-hundreds, SenSage is one of the smaller players in this evaluation in terms of overall market share; increasing its client count is imperative.

Priced between $250,000 and $500,000

Info-Tech Recommends: Organizations looking to go deeper with their security event data may well find SenSage ideal, but must be prepared to take the risk of dealing with one of the smallest vendors in the space.


NitroSecurity ESM: top performance, second-lowest price

Innovator

Product: NitroView ESM
Employees: Over 100
Headquarters: Portsmouth, NH
Website: NitroSecurity.com
Founded: 1999
Presence: Privately Held

Overview

• NitroSecurity bases all of its security technology solutions on its background in massive-scale data management, meaning its solutions correlate broadly, operate quickly, and report efficiently.

Strengths

• One of the most feature-rich solutions in this roundup, and one of only two solutions to offer truly comprehensive and forward-looking correlation capabilities.
• Nitro falls between the pure-play SIEM providers and the broader security vendors, meaning it has good focus on the space, but isn’t solely reliant on SIEM sales for its revenue.

Challenges

• Nitro has expanded its product portfolio to include virtual appliances, but these are currently scaled only at smaller enterprises and remote sites; increasing performance will improve applicability.

Priced between $100,000 and $250,000

Info-Tech Recommends: With its correlation and forensic analysis capabilities, NitroView ESM can be invaluable to a security manager though internal auditors may find its lack of external reporting integration a little limiting.


LogLogic: modular platform is powerful, but complex

Innovator

Product: LX, ST, SEM appliances
Employees: Not available
Headquarters: San Jose, CA
Website: LogLogic.com
Founded: 2002
Presence: Privately Held

Overview

• LogLogic approaches the SIEM space with a clear focus on compliance first and foremost using its “Get-See-Use” philosophy to improve not just compliance, but also security and even operational performance.

Strengths

• The most feature-rich solution in the round-up and the only one to fully address system configuration data as an input source. Coupled with the cleanest interface, this is the solution that delivers the most SIEM capability.

Challenges

• LogLogic is one of the smaller vendors in this review and is focused on the enterprise space with 70% of its business coming from enterprises with more than $1B in revenues; continued growth may be a challenge without more mid-market focus as the large enterprise market niche saturates.
• Architecturally complex, leading to a higher than average price.

Priced between $250,000 and $500,000

Info-Tech Recommends: A well integrated line of capable products, but LogLogic’s clear focus on the enterprise market may limit its appeal to smaller businesses, and the appeal of those businesses to LogLogic.


Info-Tech Recommends:

Express represents a well-rounded solution but one that is less exceptional than its flagship ESM; feature reduction combined with one of the highest prices limits overall appeal.

Product: Express
Employees: 324,600 (HP as a whole)
Headquarters: Palo Alto, CA
Website: ArcSight.com
Founded: 2000
Presence: NASDAQ: HPQ; FY09 Revenue: $126B

ArcSight Express brings the power of ESM to the SMB

Market Pillar

Overview

• Recently acquired by HP to become the most valuable asset in that company's focused security strategy, ArcSight is the largest player in the SIEM space and has recently expanded its portfolio to be more applicable to the mid-market.

Strengths

• An architecturally sound solution allowing for widely varying deployment models; the ability to mix and match Collectors and Loggers with a core Express device offers great flexibility.

• Offers the ability to tightly correlate security events to users via IdentityView, an add-on capability that monitors user activity across all accounts, applications, and systems.

Challenges

• ArcSight has trimmed its impressive enterprise-focused ESM solution to build Express but may have left out some differentiating capabilities.

• HP and ArcSight representatives are all saying the right things in regards to the recent acquisition, but only time will tell if the union will represent a win for existing and future clients.

Priced between $250,000 and $500,000


Info-Tech Recommends:

The integration of enVision with RSA's DLP and eGRC solutions underlines the company's efforts to become the security management provider; current RSA clients will benefit from those synergies.

Product: enVision
Employees: 40,000+ (EMC as a whole)
Headquarters: Bedford, MA
Website: RSA.com
Founded: 1982
Presence: NYSE: EMC; FY10 Revenue: $17B

enVision integration with DLP and GRC a boon to RSA shops

Market Pillar

Overview

• RSA, the security division of EMC, plots a careful course with its SIEM solution enVision, delivering just enough capability to meet market needs without pushing the envelope to drive the future of the space.

Strengths

• Very broad-based collection/aggregation/normalization capabilities, coupled with strong reporting, give good coverage for both the security and compliance conscious.

• RSA has taken a holistic view of security management, and the integration of three security management platforms (SIEM, DLP, eGRC) is visionary.

Challenges

• enVision is solid but unspectacular in the areas of correlation and alerting when compared with its peers; in a fast-moving market, these shortcomings need to be addressed.

• While the ES line can be cost effective, the LS line (evaluated here) is the most expensive solution in the roundup.

Priced between $250,000 and $500,000


Info-Tech Recommends:

Lack of feature-functionality and limited architectural deployment models make it difficult to recommend Tivoli SIEM; TSOM may meet broader needs, but was not reviewed by Info-Tech.

Product: Tivoli SIEM
Employees: 400,000
Headquarters: Armonk, NY
Website: IBM.com
Founded: 1911
Presence: NYSE: IBM; FY10 Revenue: $95.8B

Weak correlation capabilities limit the value of Tivoli SIEM

Market Pillar

Overview

• IBM is a truly global player in almost every aspect of Information Technology. Its security management solutions sit under its Tivoli systems management umbrella.

Strengths

• Management of Tivoli SIEM is through the common Tivoli admin interface – those familiar with the Tivoli suite will find the learning curve remarkably flat.

• Tivoli SIEM is IBM's integrated solution for basic SIM, SEM, and log management; advanced SEM/SOC functionality is available in Tivoli Security Operations Manager (TSOM).

Challenges

• Correlation capabilities in Tivoli SIEM are so minimal that it is almost a stretch to label them as such – events from different sources cannot be linked to create analysis patterns.

Priced between $250,000 and $500,000


Info-Tech Recommends:

netForensics declined to brief for this review and available product details are limited, so a detailed recommendation cannot be made at this time.

Product: nFX Cinxi One
Employees: Not available
Headquarters: Edison, NJ
Website: netForensics.com
Founded: 1999
Presence: Privately Held

netForensics offers dual solutions which may split focus

Emerging Player

Overview

• netForensics is one of the pioneers of the SIEM space, having first come on the scene in 1999. Since then a significant number of players have entered the market, and many have surpassed netForensics in capability and market share.

Strengths

• netForensics is exclusively focused on the SIEM space, a position it reinforced by acquiring High Tower Software and with it the Cinxi (later Cinxi One) product line.

Challenges

• The primary target of its solutions is the Managed Service Provider via the nFX SIM One solution. Though it offers a mid-market solution (Cinxi One), its clear focus on the highest end of the market likely limits its applicability to mid-sized businesses.

Priced between $100,000 and $250,000


Info-Tech Recommends:

TriGeo declined to brief for this review and available product details are limited, so a detailed recommendation cannot be made at this time.

Product: Security Information Manager
Employees: Not available
Headquarters: Post Falls, ID
Website: TriGeo.com
Founded: 2001
Presence: Privately Held

TriGeo is the only provider solely focused on SMB clients

Emerging Player

Overview

• TriGeo is the only SIEM solution provider targeting the mid-market specifically; its turn-key appliance-based approach has defined mid-market SIEM and led most other players to release competitive solutions.

Strengths

• TriGeo SIEM is the only product truly built for the mid-market; this is not some enterprise-grade solution that has been trimmed of capability and shoe-horned into a smaller box. It may not offer the same complexity as many competing solutions, but it offers unmatched efficiency and ease of operations.

Challenges

• SIEM, though clearly of value to the mid-market, has traditionally been an enterprise play, and the lack of products for that space has limited TriGeo's size and reach.

*TriGeo's rankings were affected by its inability to provide Info-Tech with pricing for the SIEM solution.


Security Event Management relies on strong correlation and deep forensic analysis.

Streamline monitoring, alerting, and incident response processes to minimize the cost of individual security events.

[Chart: vendor performance for use case 1, Management of Security Events (the other use cases are Reduction of Compliance Complexity and Enhancement of Overall Risk Management). Vendors are grouped as Exemplary Performers, Viable Performers, and Adequate Performers; the individual vendor placements are not reproduced in this copy.]


Compliance capabilities are defined by broad and deep reporting.

Reduce the cost of demonstrating regulatory and policy compliance by simplifying reporting and log review functions.

[Chart: vendor performance for use case 2, Reduction of Compliance Complexity (the other use cases are Management of Security Events and Enhancement of Overall Risk Management). Vendors are grouped as Exemplary Performers, Viable Performers, and Adequate Performers; the individual vendor placements are not reproduced in this copy.]


The broadest possible feature-functionality is required for true Risk Reduction.

Ensure the reduction of enterprise risk by bringing broad-based collection, aggregation, and response abilities to bear.

[Chart: vendor performance for use case 3, Enhancement of Overall Risk Management (the other use cases are Management of Security Events and Reduction of Compliance Complexity). Vendors are grouped as Exemplary Performers, Viable Performers, and Adequate Performers; the individual vendor placements are not reproduced in this copy.]


Identify leading candidates with the SIEM Vendor Shortlist Tool

Info-Tech's Security Information & Event Management Vendor Shortlist Tool is designed to generate a customized shortlist of vendors based on your key priorities.

This tool offers the ability to modify:

• Overall Vendor vs. Product Weightings

• Top-level weighting of product vs. vendor criteria

• Individual product criteria weightings: Features, Usability, Affordability, Architecture

• Individual vendor criteria weightings: Viability, Strategy, Reach, Channel

http://www.infotech.com/research/it-security-information-event-management-siem-vendor-shortlist-tool


Issue an RFP to ensure that SIEM vendors fit your needs, and not the other way around

Use Info-Tech's Security Information & Event Management RFP Template to conduct this critical step in your vendor selection process.

Info-Tech's SIEM RFP Template is populated with critical elements, including:

• The Statement of Work

• Proposal Preparation Instructions

• Scope of Work

• Functional Requirements

• Technical Specifications

• Operations & Support

• Sizing & Implementation

• Vendor Qualifications & References

• Budget & Estimated Pricing

• Vendor Certification

http://www.infotech.com/research/it-security-information-event-management-siem-rfp-template


To get the most value out of the RFP process, use the SIEM RFP Scoring Tool

A standard & transparent process for scoring individual vendor RFP responses will help ensure that internal team biases are minimized.

Use Info-Tech's SIEM RFP Scoring Tool to:

• Evaluate RFP Responses: the Security Information & Event Management RFP Scoring Tool is pre-built with essential criteria complementing the SIEM RFP Template from the previous slide.

• Accelerate Procurement: use the tool to drive the meeting with your procurement department.

http://www.infotech.com/research/it-security-information-event-management-siem-rfp-scoring-tool


Take charge of vendor finalist demonstrations with a Vendor Demonstration Script

An onsite product demonstration will help enterprise decision-makers better understand the capabilities and constraints of various solutions.

This tool is designed to provide vendors with a consistent set of instructions for demonstrating key scenarios for the SIEM implementation.

The Security Information & Event Management Vendor Demo Script covers:

• Standard and advanced log source and log management/retention configurations.

• Canned and custom event correlation and alerting capabilities.

• Canned and custom reporting functionality.

• Forensic log analysis and incident management tools.

• Custom dashboard and granular system access features.

http://www.infotech.com/research/it-security-information-event-management-siem-vendor-demo-script
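The scorecards in this section repeatedly judge vendors on whether events from different sources can be linked, and the demo script asks each finalist to show custom correlation. The following added example, written for this edit and not taken from the report, the demo script or any vendor's product, shows what a cross-source correlation rule has to do, so that a finalist can be handed the same scenario during the demo: three failed logons from one source IP, spread across a firewall, a VPN concentrator and a Windows domain controller, followed by a successful logon within five minutes. The log formats, host names, addresses and accounts are constructed; real devices emit their own vendor formats, which is exactly the normalization step the demo should exercise.

```python
"""Cross-source authentication correlation (added example, not vendor code).

Normalizes constructed log lines from three source types into one event
shape, then applies a single rule over the merged, time-ordered stream:
    >= 3 failed logons from one source IP within 5 minutes, followed by a
    successful logon from that IP.
With cross_source=True the failures may come from any mix of sources (the
capability the scorecards score); with cross_source=False each source type
is counted on its own, which is all a per-device rule would see.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample logs: firewall and VPN syslog plus Windows Security
# events (4625 = failed logon, 4624 = successful logon).  Hosts, IPs and
# accounts are invented; real devices use their own formats.
SAMPLE_LOGS = [
    "2011-03-01T09:00:05Z fw01 auth-fail src=203.0.113.7 user=jdoe",
    "2011-03-01T09:00:09Z vpn01 login-failed src=203.0.113.7 user=jdoe",
    "2011-03-01T09:00:15Z win-dc01 EventID=4625 Account=jdoe SourceIP=203.0.113.7",
    "2011-03-01T09:01:02Z win-dc01 EventID=4624 Account=jdoe SourceIP=203.0.113.7",
    "2011-03-01T09:05:00Z fw01 auth-fail src=198.51.100.9 user=svc_backup",
    "2011-03-01T09:05:30Z fw01 auth-fail src=198.51.100.9 user=svc_backup",
    "2011-03-01T09:06:00Z fw01 auth-ok src=198.51.100.9 user=svc_backup",
]

# One parser per source type; each maps its own vocabulary onto fail/success.
PARSERS = [
    ("firewall",
     re.compile(r"^(?P<ts>\S+) (?P<host>fw\S*) (?P<evt>auth-fail|auth-ok) "
                r"src=(?P<ip>\S+) user=(?P<user>\S+)$"),
     {"auth-fail": "fail", "auth-ok": "success"}),
    ("vpn",
     re.compile(r"^(?P<ts>\S+) (?P<host>vpn\S*) (?P<evt>login-failed|login-ok) "
                r"src=(?P<ip>\S+) user=(?P<user>\S+)$"),
     {"login-failed": "fail", "login-ok": "success"}),
    ("windows",
     re.compile(r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<evt>4625|4624) "
                r"Account=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"),
     {"4625": "fail", "4624": "success"}),
]


def normalize(line: str) -> Optional[Dict]:
    """Parse one raw line into the common event shape, or None if no parser matches."""
    for source, pattern, outcomes in PARSERS:
        m = pattern.match(line)
        if m:
            return {
                "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
                "source": source,
                "host": m.group("host"),
                "src_ip": m.group("ip"),
                "user": m.group("user"),
                "outcome": outcomes[m.group("evt")],
            }
    return None


def correlate(lines: List[str], min_failures: int = 3,
              window: timedelta = timedelta(minutes=5),
              cross_source: bool = True) -> List[Dict]:
    """Run the failures-then-success rule over the merged event stream."""
    events = sorted((e for e in map(normalize, lines) if e), key=lambda e: e["ts"])
    failures = defaultdict(list)  # correlation key -> failures still inside the window
    alerts = []
    for ev in events:
        key = ev["src_ip"] if cross_source else (ev["src_ip"], ev["source"])
        # Expire failures older than the window relative to the current event.
        failures[key] = [f for f in failures[key] if ev["ts"] - f["ts"] <= window]
        if ev["outcome"] == "fail":
            failures[key].append(ev)
            continue
        recent = failures[key]
        if len(recent) >= min_failures:
            alerts.append({
                "src_ip": ev["src_ip"],
                "user": ev["user"],
                "failures": len(recent),
                "sources": sorted({f["source"] for f in recent}),
                "success_at": ev["ts"].isoformat(),
            })
            failures[key] = []  # fire once per burst
    return alerts


if __name__ == "__main__":
    print("cross-source:", correlate(SAMPLE_LOGS))
    print("per-source:  ", correlate(SAMPLE_LOGS, cross_source=False))
```

Run against the sample, the cross-source rule raises one alert for 203.0.113.7 (one failure on each of three source types, then a success on the domain controller), while the per-source variant raises nothing, because no single device saw more than one failure. The second address never trips either variant: two failures on one firewall are below the threshold. During a demo, ask the vendor to build this rule in the product's own rule editor and to show the normalized fields it correlates on; a product that can only count failures per device will not fire on the first address.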


Develop Your SIEM Implementation Strategy

What's in this Section:

• SIEM implementation architectures

• Assessing the total cost of SIEM

• Moving forward with your SIEM implementation


Getting to a SIEM implementation strategy

Get a handle on overall costs, understand the resource implications, and develop a plan to realize immediate and long-term benefits of SIEM.

• Hard implementation costs:

◦ Design and size a SIEM solution that meets operational requirements.

◦ Include the costs of additional hardware components.

• Soft implementation costs:

◦ Identify and track the resources consumed in system implementation and training.

• Ongoing staffing costs:

◦ Understand the immediate and ongoing impact on existing compliance and security management staffing.

• Getting approval and moving ahead:

◦ Stay attuned to the "tone from the top," and grow use of the SIEM tool methodically.


Consider the available SIEM hardware platform options

SIEM is not a toaster, but SIEM appliance models have undeniable merits.

Hardware Appliance

Pros:
• Simplified management maximizes focus on SIEM operations.
• Simplified support – no vendor concerns about underlying hardware.

Cons:
• Dedicated onboard storage is unavailable for other uses.
• Scalability limited by appliance capabilities.

Virtual Appliance

Pros:
• Leverages existing server virtualization and shared storage (SAN) investments.
• Scalability and resiliency limited only by those environments.

Cons:
• High-performance requirements consume virtual server resources.
• Requires additional virtual server management.

Software-only Solutions

Pros:
• Allows wider choice of hardware.

Cons:
• Requires dedicated server hardware and ongoing server management.
• Elevates risk of HW vs. SW finger-pointing during support calls.

Regardless of the platform selection, don't forget to plan for log data backup to meet regulatory and internal policy requirements.


Identify constraints for your SIEM architecture

Consider performance, capacity, and regulatory inputs in your design process.

• SIEM vendors offer a variety of centralized and distributed deployment options – sometimes the best design is a mix of both.

• Centralized components typically include log collectors, event correlation engines, and functions including alerting, reporting, and incident management tools.

◦ Whether "all in one" or separate but adjacent devices, deploying these components centrally reduces the management burden for SIEM.

• Distributed designs may include single-purpose collectors and combination collector/correlation devices, which can support:

◦ Regulatory requirements (e.g. EU Safe Harbour) that restrict offshore movement of private/sensitive data.

◦ Performance and scalability needs, by aggregating data from log sources at remote sites and offloading event correlation processing.

Info-Tech Insight

Cloud-based SIEM solutions (aka SIEMaaS) are emerging, but remain scarce. Regulatory restrictions may limit the applicability of such services.

In contrast, managed security service provider (MSSP) solutions, in which a third party maintains and monitors a SIEM system housed on customer premises, offer greater promise today:

• Customer control over sensitive data.

• Shared access to 24x7 monitoring at a fraction of the cost.


Optimize the SIEM solution design

Understand your current IT environment in order to size the SIEM solution properly and minimize WAN impact.

• SIEM deployments are sized based on two key factors: logging rate and storage capacity.

• Logging rates, or the number of log records that the system can process, are measured in events or messages per second (eps or MPS):

◦ Collectors must be sized to handle the peak number of events per second, or risk losing critical log records.

◦ Peak eps requirements for a SIEM solution are determined by summing the peak logging rates of all source devices. Though it is unlikely that all devices will hit peak rates simultaneously, this provides the capacity to handle elevated logging demands from extraordinary events such as denial of service attacks and malware outbreaks.

• Storage capacity requirements depend on logging rates, but with a twist:

◦ All SIEM solutions perform some level of log file compression, typically ranging from a 20- to 40-fold reduction in log file sizes. The achievable ratio depends on the log formats involved, so confirm a vendor's quoted figure against a sample of your own logs before committing to a storage size.

◦ Total storage capacity requirements can be calculated by summing the average daily log file size of each source device, multiplying by the required retention period, and dividing by the SIEM compression rate.

◦ Some SIEM solutions allow retention periods to be defined by device (or group of devices), while others establish a single, default retention period.

Info-Tech Insight

For multi-site deployments, look to distributed components to optimize SIEM and network performance. Distributed log collectors:

• Spread the peak eps load across multiple devices.

• Compress log data before forwarding on to a central collector, saving considerably on WAN traffic.
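To make the two sizing rules on this slide concrete, the following added example (written for this edit; it is not from the report, from any Info-Tech tool or from a vendor) implements them as a small calculator: the sum-of-peaks collector rule, a per-group retention override for products that support it, and the 20x to 40x compression range as a best/worst case. The device groups, per-device peak rates, daily log volumes and the 2000 eps collector capacity are constructed assumptions chosen to add up to roughly the report's 200-device, 5000 eps pricing scenario; replace them with measured figures from your own environment.

```python
"""SIEM sizing calculator (added example, not from the report or any vendor).

Implements the two sizing rules on this slide:
  * collector capacity = sum of every source's peak events per second
  * retained storage   = sum(avg daily log size x retention days) / compression
with per-group retention overrides for products that allow them, and the
20x-40x compression range the slide quotes.  All device figures are
constructed to roughly match the report's 200-device, 5000 eps pricing
scenario; they are assumptions, not measurements.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SourceGroup:
    name: str
    count: int                            # devices in the group
    peak_eps: float                       # peak events/second per device
    avg_daily_mb: float                   # average raw log volume per device per day
    retention_days: Optional[int] = None  # None -> the deployment default applies


# Constructed scenario: 200 log sources, 5000 eps peak in total.
SCENARIO: List[SourceGroup] = [
    SourceGroup("Windows servers and domain controllers", 120, 20.0, 150.0),
    SourceGroup("Network and security devices", 60, 40.0, 400.0),
    # Regulated systems often need a longer retention than the default.
    SourceGroup("Oracle databases", 20, 10.0, 250.0, retention_days=365),
]


def peak_eps(groups: List[SourceGroup]) -> Tuple[float, Dict[str, float]]:
    """Sum every source's peak rate, exactly as the slide prescribes.

    This over-provisions for normal days (all devices rarely peak together)
    but is the figure that survives a DoS or malware outbreak, when many
    sources do peak at once and a dropped record is a lost lead.
    """
    per_group = {g.name: g.count * g.peak_eps for g in groups}
    return sum(per_group.values()), per_group


def collectors_needed(total_eps: float, collector_eps: float) -> int:
    """Distributed collectors needed to carry the summed peak (no extra headroom)."""
    return math.ceil(total_eps / collector_eps)


def storage_gb(groups: List[SourceGroup], default_retention_days: int,
               compression: Tuple[float, float] = (20.0, 40.0)) -> Tuple[float, float]:
    """Retained storage in GB as (worst case, best case) over the compression range.

    Raw volume is sum(count * avg_daily_mb * retention), using the group's own
    retention where set and the deployment default otherwise.
    """
    raw_mb = 0.0
    for g in groups:
        days = g.retention_days if g.retention_days is not None else default_retention_days
        raw_mb += g.count * g.avg_daily_mb * days
    low, high = compression
    return raw_mb / low / 1024, raw_mb / high / 1024


if __name__ == "__main__":
    total, breakdown = peak_eps(SCENARIO)
    print(f"peak eps: {total:.0f}  ({breakdown})")
    print(f"collectors at 2000 eps each: {collectors_needed(total, 2000)}")
    worst, best = storage_gb(SCENARIO, default_retention_days=90)
    print(f"storage for 90-day default retention: {worst:.0f} GB (20x) to {best:.0f} GB (40x)")
```

The spread between the two storage figures is a factor of two, which is why the compression ratio deserves a check on real logs before the storage budget is fixed. The collector count is the number that spreads the summed peak across distributed collectors; add headroom on top of it for growth and for the case where a collector is down.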


Account for implementation resource costs

Success with SIEM involves more than just the Security team. Make sure all the right parties are engaged up front.

Project Team Composition

• Security, network, and system administrators all have substantial involvement:

◦ Identifying and configuring log data sources.

◦ Defining event severity levels; monitoring, alerting & escalation processes; and reporting formats & schedules.

• Internal auditors and other compliance personnel also play a key role:

◦ Designing dashboards and reports to simplify compliance management efforts.

◦ Specifying elevated requirements for regulated systems – architectural or procedural.

Training Considerations

• Training is critical for project team members and the groups they represent.

• System training is necessary for all those who use SIEM directly (e.g. security operators, compliance auditors); process training is appropriate for those who only use SIEM outputs.


Understand the ongoing staffing impact

Examine compliance management savings and increased monitoring costs. The rest is just noise.

• For incident response staff and supporting system administrators, SIEM is a double-edged sword:

◦ Increased response efficiencies are countered by increased event visibility, until and unless SIEM-driven improvements are made to key security and system controls.

• Organizations facing regular and/or diverse regulatory requirements can reduce the associated reporting burden substantially:

◦ Required reports can be generated automatically and consistently across multiple systems, without burdening the system admins.

◦ Where needed, internal SIEM activity can be reported on to demonstrate compliance with log review requirements.

• Real-time event monitoring can be a huge cost driver for SIEM:

◦ For organizations lacking a dedicated Security Operations Center, adding a dedicated 24x7 monitoring capability could equate to 5 FTEs.

◦ Consider adding a "best effort" event monitoring responsibility to existing security staff – a 10-20% rise in staffing levels could enable much better incident response outcomes.

Info-Tech Insight

SIEM monitoring through an MSSP can provide cost-effective alternatives for real-time event monitoring:

• MicroAge, an IT services firm, opted for an MSSP to provide on-premise SIEM equipment and remote monitoring services.

• For a monthly fee, MicroAge avoided the capital cost of a SIEM solution supporting 120 log sources.

• In the same monthly fee, MicroAge receives 24x7 real-time event monitoring, with serious events escalated to internal IT staff, at a small fraction of the cost of staffing such a capability internally.

"You get an alarm system for your network, but you don't get the cops to go with it."

- Perry Kuhnen, IT Manager, MicroAge (about SIEM without real-time monitoring)


Factor decision-makers' concerns into the SIEM proposal

Perspective matters: position initial SIEM plans based on what's most important to leadership, and focus on relevant cost reduction opportunities.

• Where leadership has a strong focus on information risk management, pitching event-focused SIEM is easier:

◦ Even without 24x7 monitoring, event-focused SIEM enables risk reduction simply through enhanced visibility.

◦ Reducing incident-related costs can offset SIEM investments.

• Where that strong risk focus is missing, compliance-focused SIEM may be the more effective route to approval:

◦ Reducing the costs of demonstrating compliance can offset SIEM investments.

◦ Leverage enhanced visibility to elevate information risk to a leadership level, and evolve SIEM toward a greater focus on event and risk management.


Start modestly, but keep the final objective in mind

Don't try to execute the whole SIEM vision at once. Learn from early stages, and build capabilities & benefits incrementally.

• Embarking on a SIEM initiative requires a serious investment of time and money. Implementation can be phased in two distinct, but complementary, ways.

• Phased by SIEM function:

◦ Start with a compliance management focus, but explore the benefits of enhanced event visibility, or

◦ Start with an event management focus, but take advantage of compliance reporting for internal purposes.

◦ Once both are implemented, look at continuous risk management opportunities – demonstrated benefits from past experiences might even outweigh the cost of adding 24x7 monitoring.

• Phased by source system:

◦ Start with the most critical systems (key applications, core infrastructure, regulated environments).

◦ Expand to other log data sources as the benefits of SIEM are demonstrated for those key assets.

• Mix and match these approaches to minimize initial costs, maximize the benefits delivered, and build additional support for broader SIEM deployments:

◦ Later stages may not deliver the same magnitude of benefits, but they involve lower equipment and configuration costs, as they leverage initial investments made in earlier stages.


Appendices

What's in this Section:

• Vendor Landscape methodology

• SIEM survey demographics


Vendor Evaluation Methodology

Info-Tech Research Group's Vendor Landscape market evaluations are a part of a larger program of vendor evaluations which includes Solution Sets that provide both Vendor Landscapes and broader Selection Advice.

From the domain experience of our analysts, as well as through consultation with our clients, a vendor/product shortlist is established. Product briefings are requested from each of these vendors, asking for information on the company, products, technology, customers, partners, sales models, and pricing.

Our analysts then score each vendor and product across a variety of categories, on a scale of 0-10 points. The raw scores for each vendor are then normalized to the other vendors' scores to provide a sufficient degree of separation for a meaningful comparison. These scores are then weighted according to weighting factors that our analysts believe represent the weight that an average client should apply to each criterion. The weighted scores are then averaged for each of two high level categories: vendor score and product score. A plot of these two resulting scores is generated to place vendors in one of four categories: Champion, Innovator, Market Pillar, and Emerging Player.

For a more granular category by category comparison, analysts convert the individual scores (absolute, non-normalized) for each vendor/product in each evaluated category to a scale of zero to four, whereby exceptional performance receives a score of four and poor performance receives a score of zero. These scores are represented with "Harvey Balls," ranging from an open circle for a score of zero to a filled-in circle for a score of four. Harvey Ball scores are indicative of absolute performance by category but do not correlate exactly with overall performance.

Individual scorecards are then sent to the vendors for factual review, and to ensure no information is under embargo. We will make corrections where factual errors exist (e.g. pricing, features, technical specifications). We will consider suggestions concerning benefits, functional quality, value, etc.; however, these suggestions must be validated by feedback from our customers. We do not accept changes that are not corroborated by actual client experience or wording changes that are purely part of a vendor's market messaging or positioning. Any resulting changes to final scores are then made as needed, before publishing the results to Info-Tech clients.

Vendor Landscapes are refreshed every 12 to 24 months, depending upon the dynamics of each individual market.


Value Index Ranking Methodology

Info-Tech Research Group's Value Index is part of a larger program of vendor evaluations which includes Solution Sets that provide both Vendor Landscapes and broader Selection Advice.

The Value Index is an indexed ranking of value per dollar as determined by the raw scores given to each vendor by analysts. To perform the calculation, Affordability is removed from the Product score and the remaining Product criteria are reweighted so that they keep the same proportions relative to one another. The Product and Vendor scores are then summed, and multiplied by the Affordability raw score, to come up with the Value Score. Vendors are then indexed to the highest performing vendor by dividing each vendor's Value Score by that of the highest scorer, resulting in an indexed ranking with a top score of 100 assigned to the leading vendor.

The Value Index calculation is then repeated on the raw score of each category against Affordability, creating a series of indexes for Features, Usability, Viability, Strategy and Support, with each being indexed against the highest score in that category. The results for each vendor are displayed in tandem with the average score in each category to provide an idea of over- and under-performance.

The Value Index, where applicable, is refreshed every 12 to 24 months, depending upon the dynamics of each individual market.
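As an added illustration of the arithmetic described above (this is not Info-Tech's own tool; the criterion weights and the three vendors' scores are constructed assumptions, and the criteria names follow the Vendor Shortlist Tool slide), the following reproduces the Value Index steps: drop Affordability, reweight the remaining product criteria proportionally, add the vendor score, multiply by the Affordability raw score, and index to the leader. The per-category index in the last paragraph is included as well.

```python
"""Value Index calculation (added example, not Info-Tech's own tool).

Reproduces the steps described on this slide with constructed 0-10 scores
for three hypothetical vendors.  Criteria names follow the Vendor Shortlist
Tool slide; the weights and scores are assumptions, not the report's data.
"""
from typing import Dict

PRODUCT_WEIGHTS = {"Features": 0.4, "Usability": 0.2, "Affordability": 0.2, "Architecture": 0.2}
VENDOR_WEIGHTS = {"Viability": 0.3, "Strategy": 0.3, "Reach": 0.2, "Channel": 0.2}

# Constructed raw analyst scores; these are not any real vendor's scores.
RAW_SCORES: Dict[str, Dict[str, float]] = {
    "Vendor A": {"Features": 9, "Usability": 7, "Affordability": 5, "Architecture": 8,
                 "Viability": 8, "Strategy": 8, "Reach": 7, "Channel": 6},
    "Vendor B": {"Features": 6, "Usability": 8, "Affordability": 9, "Architecture": 6,
                 "Viability": 6, "Strategy": 5, "Reach": 5, "Channel": 7},
    "Vendor C": {"Features": 7, "Usability": 6, "Affordability": 7, "Architecture": 7,
                 "Viability": 7, "Strategy": 7, "Reach": 6, "Channel": 6},
}


def weighted(scores: Dict[str, float], weights: Dict[str, float]) -> float:
    """Weighted sum of the criteria named in `weights`."""
    return sum(scores[c] * w for c, w in weights.items())


def reweight_without(weights: Dict[str, float], criterion: str) -> Dict[str, float]:
    """Drop one criterion and rescale the rest so they keep their proportions and sum to 1."""
    rest = {c: w for c, w in weights.items() if c != criterion}
    total = sum(rest.values())
    return {c: w / total for c, w in rest.items()}


def value_scores(raw: Dict[str, Dict[str, float]],
                 product_weights: Dict[str, float] = PRODUCT_WEIGHTS,
                 vendor_weights: Dict[str, float] = VENDOR_WEIGHTS) -> Dict[str, float]:
    """(Product score without Affordability + Vendor score) * Affordability raw score."""
    product_ex_afford = reweight_without(product_weights, "Affordability")
    return {
        name: (weighted(s, product_ex_afford) + weighted(s, vendor_weights)) * s["Affordability"]
        for name, s in raw.items()
    }


def index_to_leader(scores: Dict[str, float]) -> Dict[str, float]:
    """Scale so the highest scorer is 100 and the rest are proportional to it."""
    top = max(scores.values())
    return {name: round(100 * v / top, 1) for name, v in scores.items()}


def value_index(raw: Dict[str, Dict[str, float]]) -> Dict[str, float]:
    return index_to_leader(value_scores(raw))


def category_index(raw: Dict[str, Dict[str, float]], category: str) -> Dict[str, float]:
    """The same calculation on a single category's raw score against Affordability."""
    return index_to_leader({name: s[category] * s["Affordability"] for name, s in raw.items()})


if __name__ == "__main__":
    print("Value Index:", value_index(RAW_SCORES))
    print("Features index:", category_index(RAW_SCORES, "Features"))
```

With these numbers Vendor A has the best product and vendor scores but the worst Affordability, and ends up lowest on the Value Index; the multiplication by Affordability is what turns a capability ranking into a value-per-dollar ranking, which is why the Value Index and the Vendor Landscape placement can disagree for the same vendor.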


Product Pricing Scenario & Methodology

Info-Tech Research Group provided each vendor with a common pricing scenario to enable normalized scoring of Affordability, calculation of Value Index rankings, and identification of the appropriate solution pricing tier as displayed on each vendor scorecard.

Vendors were asked to provide list costs for SIEM appliances and/or SIEM software licensing to address the needs of a reference organization described in the pricing scenario. For non-appliance solutions (i.e. software-only and virtual appliance architectures), physical or virtual hardware requirements were requested in support of comparing as-installed costs.

Additional consulting, deployment, and training services were explicitly out of scope of the pricing request, as was the cost of enhanced support options, though vendors were encouraged to highlight any such items included with the base product acquisition. The annual software/hardware maintenance rate was also requested, along with clarity on whether or not the first year of maintenance was included in the quoted appliance/software costs, allowing a three-year total acquisition cost to be calculated for each vendor's SIEM solution. This three-year total acquisition cost is the basis of the solution pricing tier indicated for each vendor.

Finally, the vendors' three-year total acquisition costs were normalized to produce the Affordability raw scores and calculate Value Index ratings for each solution.

Key elements of the common pricing scenario provided to SIEM vendors included:

• A three-site organization with 2200 employees located at a US head office facility, a second US satellite office, and a European satellite office. IT functions, including 3 dedicated IT security professionals, are located primarily at the US head office, with a small proportion of IT staff and systems located at the European site, which also acts as a DR facility.

• The firm is interested in reducing the effort associated with monitoring, alerting, and responding to security events at the Endpoint, Network, and Data Center levels:

◦ The volume & complexity of ad hoc queries against logged and correlated event data is fairly small, driven primarily by incident response efforts and gaps in canned compliance reports.

◦ The SIEM product would be used regularly by four IT staff across the US head office and European satellite site, with additional dashboard-/report-level access for another four users in compliance/audit and IT management/executive roles.

• 200 devices were identified as log data sources for a SIEM solution, including network components, security systems, and both physical and virtual servers. Windows Domain, Oracle databases, MS Exchange and SharePoint, and BES and VOIP environments were explicitly identified in the scenario, and the peak logging volume was specified at 5000 events per second (eps).


SIEM Survey Demographics

[Charts not reproduced in this copy: survey respondents by Industry, Country, Revenue, FTEs, and IT Employees.]

