SIEM
Security Information and Event Management (SIEM) is a software solution that aggregates and analyses activity from many different resources across your entire IT infrastructure.
SIEM collects security data from network devices, servers, domain controllers, and more. SIEM stores, normalises, aggregates, and applies analytics to that data to discover trends, detect threats, and enable organisations to investigate any alerts.
Varonis captures file event data from various data stores – on-premises and in the cloud – to give the who, what, when, and where of each file accessed on the network. Varonis also collects DNS, VPN, and web proxy activity. You’ll be able to correlate the network activity with the data store activity to paint a complete picture of an attack from infiltration through file access to exfiltration.
Varonis classifies unstructured files based on hundreds of possible pattern matches, including PII, government ID numbers, credit card numbers, addresses, and more. That classification can be extended to search for company-specific intellectual property, discover vulnerable, sensitive information, and help meet compliance for regulated data. Varonis reads files in place without any impact to end users.
Varonis also performs user behaviour analytics (UBA) to provide meaningful alerts based upon learned behaviour patterns of users, along with advanced data analysis against threat models that inspect patterns for insider threats (such as exfiltration, lateral movement, account elevation) and outsider threats (like ransomware).
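The collect, normalise, correlate flow described above, as an added illustration (not Varonis or any vendor's code): three constructed log formats (a VPN gateway, a file server and a web proxy) are mapped onto one schema, then events are correlated per user to surface a login followed by a sensitive file read and a large outbound upload inside a time window. The log formats, the sensitive-folder pattern, the one-hour window and the upload threshold are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
# Constructed sample lines in three made-up vendor formats (VPN gateway, file server, web proxy).
RAW_EVENTS = [
    "vpn: 2024-03-01T08:02:10Z user=jdoe src=203.0.113.7 action=login",
    "FILE 2024-03-01T08:15:42Z jdoe READ \\\\fs01\\finance\\payroll_q1.xlsx",
    "2024-03-01T08:21:05Z proxy jdoe POST https://files.example.net/up bytes=48123456",
    "vpn: 2024-03-01T09:00:00Z user=asmith src=198.51.100.4 action=login",
    "FILE 2024-03-01T09:05:00Z asmith READ \\\\fs01\\hr\\handbook.pdf",
]
# (regex, source, group order) per format; the order lists the groups for ts, user, action, object, bytes.
FORMATS = [
    (re.compile(r"^vpn: (\S+) user=(\S+) src=(\S+) action=(\S+)$"), "vpn", (1, 2, 4, 3, None)),
    (re.compile(r"^FILE (\S+) (\S+) (\S+) (.+)$"), "file", (1, 2, 3, 4, None)),
    (re.compile(r"^(\S+) proxy (\S+) (\S+) (\S+) bytes=(\d+)$"), "proxy", (1, 2, 3, 4, 5)),
]
SENSITIVE = re.compile(r"\\(finance|hr)\\", re.I)  # assumed classifier output: folders tagged sensitive
WINDOW = timedelta(hours=1)      # assumed correlation window
UPLOAD_BYTES = 10_000_000        # assumed threshold for a "large" outbound upload

def normalise(line):
    """Map one raw line onto the common schema: ts, source, user, action, object, bytes."""
    for rx, source, (t, u, a, o, b) in FORMATS:
        m = rx.match(line)
        if m:
            return {"ts": datetime.strptime(m[t], "%Y-%m-%dT%H:%M:%SZ"), "source": source,
                    "user": m[u], "action": m[a].lower(), "object": m[o],
                    "bytes": int(m[b]) if b else 0}
    raise ValueError(f"unrecognised line: {line!r}")

def correlate(lines):
    """Per user, flag VPN login -> sensitive file read -> large upload, all within WINDOW."""
    by_user = {}
    for e in sorted(map(normalise, lines), key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        logins = [e for e in evs if e["source"] == "vpn" and e["action"] == "login"]
        reads = [e for e in evs if e["source"] == "file" and SENSITIVE.search(e["object"])]
        ups = [e for e in evs if e["source"] == "proxy" and e["action"] == "post" and e["bytes"] >= UPLOAD_BYTES]
        for l in logins:
            for r in reads:
                for u in ups:
                    if l["ts"] <= r["ts"] <= u["ts"] <= l["ts"] + WINDOW:
                        findings.append({"user": user, "src_ip": l["object"], "file": r["object"],
                                         "dest": u["object"], "minutes": int((u["ts"] - l["ts"]).total_seconds() // 60)})
    return findings
if __name__ == "__main__":
    print(correlate(RAW_EVENTS))
```

The second user reads a sensitive file but never uploads, so only the first user's chain is reported; in a real SIEM the same join would be expressed as a correlation rule over the normalised event store.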
Integration Highlights
Varonis integrates with SIEM applications to give security analytics with deep data context so that organisations can be confident in their data security strategy. Benefits include:
- Out-of-the-box analytics
- Integrated Varonis dashboards and alerts for streamlined investigation
- Alert-specific investigation pages
- Critical information highlighted at a glance, with actionable insights and rich context
- Integration into your SIEM workflow
Top SIEM Solutions
SIEM has become a basic component of cybersecurity. However, not all SIEM solutions are created equal. When deciding on which SIEM to adopt, it is important to keep in mind that SIEM is not an isolated solution but should be part of a larger security strategy. Some of the top SIEM solutions are listed below.
Exabeam Fusion SIEM
As a next-gen SIEM, Exabeam Fusion is a cloud-delivered solution that uses a behavior-based approach for Threat Detection, Investigation, and Response (TDIR). By aggregating all relevant events and weeding out illegitimate events, Fusion SIEM boosts analyst productivity and detects threats missed by other tools. This improves detection rates and response time, and ensures that all alerts are considered — even those coming from “noisy” systems that generate many alerts.
In addition, Fusion SIEM is natively integrated with its security orchestration, automation and response (SOAR) solution, which provides automated incident response. This enables almost any threat to be dealt with automatically (or semi-automatically, if preferred) in real time. Prescriptive workflows and pre-packaged use-case content (external threats, compromised insiders, and malicious insiders) enable successful SOC outcomes and response automation. Fusion SIEM also provides the cloud-based log storage, rapid and guided search, and comprehensive compliance reporting expected of any modern SIEM.
Splunk Enterprise Security
Splunk has a popular SIEM solution. What sets it apart from other vendors is its ability to handle both security as well as application and network monitoring use cases. This makes it popular with both security personnel and IT operations users. Like most top SIEM solutions, Splunk’s SIEM provides information in real time, and the user interface is relatively user-friendly. Pricing is based on workloads protected.
However, Splunk Enterprise Security has limited integrated behavioral analytics and automation capabilities, which makes detecting advanced threats and techniques such as lateral movement a challenge. The solution requires significant customization to be effective for most organizations and cannot be used “out of the box”. To detect lateral movement, many custom queries need to be run by a specialized user, potentially resulting in a large number of false positives. One other challenge users report is a lack of integration across products: SIEM, SOAR and UEBA.
LogRhythm
LogRhythm is a pioneer of SIEM and has earned itself a solid reputation. LogRhythm’s solution also incorporates many analytical tools, as well as AI and log correlation. While integrating with LogRhythm is relatively hassle-free, there is a steeper learning curve, as it is not considered as user-friendly as other SIEMs.
Moreover, LogRhythm’s solution does not support automated detection of all lateral movement. Therefore, analysts are required to manually combine different timelines to detect account switching. This is problematic because attackers often use lateral movement in your network to search for valuable information or assets. The solution’s detection engine is strongly dependent on indicators of compromise (IOCs), and has difficulty detecting advanced threats.
In addition, as noted in a recent Gartner Magic Quadrant report, LogRhythm has several deficiencies in their cloud-based SIEM offering.
IBM QRadar SIEM
IBM QRadar SIEM allows you to view your IT infrastructure in real time. It has a modular architecture that facilitates the detection and prioritization of threats. It supports multiple logging protocols and offers various configuration-side options, as well as high-end analytics. The solution provides an app store where customers can download additional IBM and third-party content to use with QRadar.
However, IBM QRadar has some drawbacks, including the relatively high cost (and complex pricing model), and the requirement for collaboration features like chat tools and improved asset management. In addition, QRadar has weak UEBA capabilities, which are a basic component of next-gen SIEM.
Other drawbacks are that in distributed environments, upgrades can be complex and require extensive effort, as there is often limited product support (although you can purchase upgraded support). The product has limited reporting capabilities, which must be supplemented with externally-developed scripts.
Microsoft Azure Sentinel
Azure Sentinel is a powerful SIEM solution that is relatively new to the market, with Microsoft releasing the platform in late 2019. It is a very popular choice for customers who have existing Microsoft security and IT investments and are looking to unify them under one pane of glass. It also offers a unique “pay-as-you-go” licensing model which meets the budget requirements of SMBs, and can also appeal to large enterprises. Azure Sentinel is also known for its smooth data onboarding process.
However, Azure Sentinel has a few notable drawbacks. Microsoft takes a very Microsoft-first approach to security, and Sentinel does not have nearly as many third-party integrations with security vendors as other leading SIEMs do. This makes it an unattractive solution for organizations using non-Microsoft security products. There will also be a steep learning curve for security analysts unfamiliar with Microsoft data sources.
Securonix
Securonix has a strong SIEM solution that is highly ranked by analyst firms. Its platform includes next-gen SIEM capabilities, including an analytics-driven UEBA engine. Securonix also advertises deployment partnerships with AWS and Snowflake. In addition to its out-of-the-box rules and models, Securonix offers customers the ability to purchase vertical-specific content via “Premium Apps”, which include packages for fraud, aerospace analytics, etc.
However, customers should be aware that Securonix lacks a built-out native SOAR engine. In the past, they have whitelabeled a SOAR engine from CyberSponse. Securonix now advertises a SOAR component, but it lacks much of the functionality that other leading SIEM vendors incorporate into their security orchestration and automation platforms. As another drawback, Securonix’s standard licensing package includes less hot storage than other SIEM vendors.
McAfee Enterprise Security Manager
McAfee Enterprise Security Manager allows you to carry out advanced threat detection, manage compliance-related activity, and generate real-time reports. The user interface lets new team members handle a range of emergency scenarios. You can deploy McAfee Enterprise Security Manager in the cloud or on-premises, and scale up according to your data requirements.
McAfee Enterprise Security Manager works by collecting logs from multiple sources, which can significantly increase network traffic. One reported drawback is logging: the system reduces logs to only the most essential elements — this can result in logs being collected again to see full event contexts.
Some McAfee users report slow performance. Frequent updates can impact continuity, and system prompts can interrupt with regular pop-up windows.
LogPoint
LogPoint is a SIEM that facilitates application event management and enhances application security. It covers most monitoring and security use cases, and is highly scalable. You can scale from one to thousands of servers (or vice versa) according to your needs.
You can implement LogPoint in any environment, including development, production and testing. It facilitates storage, search, filtering, error tracing, and report creation based on log analysis. This helps you detect security issues and investigate them faster.
Users report LogPoint doesn’t have an intuitive user interface, with some features being difficult to find. Alert configurations, for example, are accessed under Alert Rules, which is hidden in the Knowledge Base section in the Settings menu.
Another potential drawback for users can be the query language, which is versatile but has a steep learning curve and can be difficult to handle. The necessary information is not always easily accessible, and setting up UEBA can be complicated and time-consuming. This makes it a less suitable option for organizations that lack highly technical staff.
Elastic Stack
The ELK stack is a monitoring and log management tool developed by Elastic, made up of Elasticsearch, Logstash and Kibana. Elasticsearch allows you to search and filter logs as needed. Logstash facilitates the generation and collection of logs in real time, at a single location. Kibana supports visualization of statistics through graphs and charts.
These tools are open-source, and enable efficient application management and monitoring. With the ELK stack, applications can be logged centrally, which allows you to identify and remediate issues quickly and ensure the applications perform correctly. Organizations use it to detect IT issues early on, so the security team can address them immediately.
Drawbacks of ELK include out-of-memory exceptions for queries with large index sizes, the complexity of setting up and managing projects (due to the multi-component architecture), and a lack of support for integrating third-party tools. ELK is also known to have poor documentation and is difficult to debug, so learning to use it involves a lot of knowledge and trial and error.
ArcSight Enterprise Security Manager
ArcSight Enterprise Security Manager is known to be easy to deploy and maintain (at least initially), and offers many possibilities, provided you are willing to invest in developing the necessary tools. Its powerful capabilities include correlation, action triggers, and a normalization feature.
However, ArcSight can be slow when it comes to deploying large environments, and pulling logs can be time-consuming. It also has a complex backend, which means the proper maintenance may require skilled SIEM engineers — especially if you need to develop meaningful categories of events.
InsightIDR
InsightIDR offers out-of-the-box capabilities, pre-built alerts and triggers. It unifies disparate data sources, enabling security analysts to work more efficiently. It has a cloud-forward approach, although it still offers on-prem log collectors.
A major drawback of InsightIDR is that it can be time-consuming and tedious to search raw logs. This means that teams often rely on established on-host log reviews to speed up discovery. It also lacks a smooth user interface for incident management, making it harder to collect in-context details about security events.
In addition, InsightIDR has limited integrations. The solution works with other Rapid7 tools and selected third-party vendors, which goes against one of the main value propositions of SIEM: becoming the central repository of all security data in the organization.