8/18/2019 SIEM Pro Cons
Info-Tech Research Group
Security Information & Event Management (SIEM) vendors approach the market from different perspectives. Understand your organization’s requirements for SIEM to ensure that the selected product helps achieve key goals.
Introduction
This Research Is Designed For:
• IT leaders considering SIEM technology to reduce the cost of meeting ever-increasing compliance requirements.
• IT leaders looking to enhance the effectiveness of existing IT security operations.
• Organizations seeking to improve overall risk management processes.
This Research Will Help You:
• Understand the capabilities of SIEM technologies, and their potential use cases.
• Differentiate between vendor offerings and identify alignments with your organization’s requirements.
• Shortlist vendors, prepare an RFP, and score RFP responses to select a SIEM solution.
• Develop an implementation strategy and maximize your investment in SIEM.
Executive Summary
Understand SIEM Trends and Considerations
• Security Information & Event Management (alternatively known as Security Incident & Event Management) technologies have evolved from point solutions into comprehensive systems that allow organizations to optimize any or all of the following important security-related functions:
◦ Collection and management of critical system and network log data.
◦ Execution of processes in support of regulatory and policy compliance obligations.
◦ Identification of information security threats and response to them.
◦ Continuous information security risk management processes.
• Understand your organization’s needs, potential costs, and readiness to undertake a SIEM deployment before taking the leap.
Evaluate SIEM Vendors
• Vendor offerings target these security functions in substantially different ways, based on their SIEM product origins, integration with their broader security solutions, architectural deployment options, and specific market focus.
• Map your organization’s immediate and future requirements for SIEM against vendor and product capabilities, and leverage the tools and templates included in this solution set to accelerate selection of a SIEM technology.
Develop a SIEM Implementation Strategy
• Understand options for managed versus self-staffed SIEM implementations and their pros and cons.
• Design a deployment architecture and capture additional implementation and operational costs and benefits, based on addressing your organization’s specific security and compliance requirements.
• Develop a plan for a phased implementation of the selected SIEM product and architecture, ensuring that you realize both short- and long-term objectives and benefits.
Symantec leads the market, but other SIEM vendors offer compelling alternatives to meet specific requirements
Info-Tech evaluated ten competitors in the SIEM market, including the following notable performers:
Champions:
• Symantec, with its balance of strong product and vendor capabilities at an excellent price point, leads with a SIEM solution that can deliver benefits to almost any organization.
• Q1 Labs delivers exceptional reporting capabilities and additional product features that distinguish it from Symantec at a higher, but still competitive, price point.
• SenSage provides exceptional correlation and forensic capabilities for organizations that can justify the elevated cost.
Value Award:
• Symantec’s combination of stable and committed vendor, well-rounded product, and near rock-bottom pricing earns the company the Best Overall Value Award.
Innovation Award:
• NitroSecurity posted the highest score for product capabilities, and may be an appealing option for those seeking premium features and functionality to meet both compliance and event management requirements.
Info-Tech Insight
1. Focus on business requirements: Identify the functionality that your organization requires to meet business needs or to justify an investment in SIEM technology.
2. Consider future requirements: Keep in mind all potential benefits of a SIEM deployment, whether you are focused primarily on simplifying compliance, speeding event management and incident response, or reducing overall risk.
3. Go for good enough for you: Align current and future requirements with the capabilities and solution feature-sets of vendors. While Symantec is the leader, its focus on solution breadth over depth underscores the importance of assessing alternative vendors against your organization’s needs.
Sections:
• Understand SIEM Trends and Considerations
• Evaluate SIEM Vendors
• Develop Your SIEM Implementation Strategy
• Appendices
What’s in this Section: Understand SIEM Trends and Considerations
• What SIEM is – and what it isn’t
• The role of SIEM in managing risk
• Key decision factors for SIEM
• Assessing the appropriateness of SIEM
Like every tool, SIEM has limitations; expect too much and be prepared for disappointment
SIEM technology is no silver bullet, but adds value by extending visibility across existing information security and system management tools.
• When clients that are using SIEM solutions were asked about their expectations for the solution, they almost universally indicated that they had very high expectations prior to deployment.
• Those same clients indicated that in almost every measure their SIEM solution failed to meet expectations.
• Failure to meet expectations should not be held against the tools, as in almost every measurable category the tools delivered Moderately Significant to Significant positive Impact to the enterprise.
• The moral: oversetting expectations can lead to let-down even with deployments that are successful and improve enterprise security, compliance, and overall risk management.
Take stock of the serious threats to systems and the business; ensure threats can be contained or costs can be managed
The cost of a major and persistent system compromise can be substantial. Standalone security tools provide some visibility; SIEM tools do much more.
• Several well-publicized breaches in recent years highlight the scale of potential impacts, including:
◦ Direct costs for TJX (2007) have exceeded $250M.
◦ Heartland Payment Systems (2009) has reported over $140M in direct costs.
◦ Sony (2011) has already booked $171M in direct costs.
• Each of these breaches involved repeated system compromises crossing multiple systems over an extended period – precisely the types of activities that are made more visible through SIEM.
• Total costs (direct and indirect) per compromised customer record continue to rise, and in 2009 averaged over $200 per affected customer.
◦ Costs per customer are typically much higher for smaller organizations and smaller-scale breaches than for the massive breaches noted above, as enterprise-wide expenditures are spread across a smaller number of affected accounts.
Info-Tech Insight
SIEM alone cannot eliminate similar breaches, but enhanced visibility reduces risk exposure in many ways:
• Identify sophisticated attacks earlier using event data correlated across multiple systems;
• Support more rapid and more thorough forensics during and after initial incident response;
• Enable continuous feedback from observed threats into security and system controls to achieve optimal protection and reduce the risk of future compromises.
Deployed & operated properly, SIEM can reduce the risk and impact of catastrophic breaches.
Sources:
http://www.boston.com/business/globe/articles/2007/08/15/cost_of_data_breach_at_tjx_soars_to_256m/
http://www.computerworld.com/s/article/9176507/Heartland_breach_expenses_pegged_at_140M_so_far
http://www.zdnet.com/blog/btl/sonys-data-breach-costs-likely-to-scream-higher/49161
http://www.ponemon.org/news-2/23
Determine how and where SIEM will help you manage risk
Adopting the right SIEM tool depends on what risk-related focus is most important to your organization.
Typically, organizations see both compliance and event management-related benefits as SIEM is integrated into the risk management toolbox.
All SIEM tools provide log management functionality – collecting, aggregating, and normalizing log data from diverse sources. Whether the enterprise chooses to move further or not, every organization can benefit from Log Management.
Many organizations look to SIEM primarily as a way to reduce the cost of meeting internal and external/regulatory compliance requirements: Consolidated logs feed out-of-the-box and custom compliance reports. In some cases, SIEM workflow capabilities add value by tracking mandatory log review processes.
Other organizations look to SIEM primarily as a means to reduce the effort expended when responding to individual security events and incidents: Correlated events provide earlier visibility into active threats. Consolidated logs allow more rapid and thorough investigation of events either in progress, or after the fact.
Many organizations take a final step, leveraging the information provided by the SIEM tool to target specific changes to (or investments in) system security and operational controls as a key component of a continuous risk management program.
Compare approaches to managing key information security processes, with or without SIEM
Get a sense of how far you intend to go with SIEM to help focus setting your organization’s requirements. Look for the SIEM you need, but not more.
The table below compares each SIEM approach across four Security Management Focus Areas: Log Management, Compliance Management, Event Management, and Continuous Risk Management.
No SIEM
• Log Management: Storage, backup, retention, and archival settings must be configured and managed for each key system.
• Compliance Management: Compliance reporting and related log review management is done through manual processes.
• Event Management: Incident identification & response processes are hampered by lack of cross-system visibility.
• Continuous Risk Management: Prioritization of security attention across systems is nearly impossible, and may not account for cross-system risks.
Basic SIEM (Compliance or Event Focus)
• Log Management: Central log management optimizes the time and cost of managing key system logs, enabling greater opportunities for using such data.
• Compliance Management: Compliance management processes can be streamlined with pre-defined, scheduled, cross-system reporting.
• Event Management: Visibility into incidents is increased through event correlation; incident response is enhanced by alerting and forensic investigation functionality.
• Continuous Risk Management: A more realistic view of risk emerges from increased efficiency in compliance or event management processes, enabling better prioritization.
Advanced SIEM (Compliance and Event Focus)
• Continuous Risk Management: Integrated information from compliance and event management processes provides the most complete view of overall system risks. Staff attention and technology investments can be optimized.
Be clear about the impact of SIEM-enhanced security visibility
Be prepared for dealing with issues and events that you might have been missing without SIEM.
SIEM’s Impact on Risk and Cost Over Time
1. Pre-SIEM: Information risks and associated security management costs increase over time as new threats appear.
2. Immediately Post-SIEM: Increased visibility into extant threats results in increased cost of managing those threats – ignorance can no longer justify inaction.
• Per event/incident costs will decline through earlier detection opportunities and investigation efficiencies provided by the SIEM tool.
• Since those threats always existed, and are now being acted upon, overall risk begins to decline.
• As SIEM-based efficiencies are realized, the cost of managing visible threats returns to baseline levels.
3. Long-Term Post-SIEM: Both risk and security costs can be driven down further through feedback from SIEM into technical and procedural controls.
SIEM may make life harder before it makes it easier; if you can’t handle the “bump,” don’t invest in SIEM
Improving organizational security stance is not an overnight process; SIEM will help but things will get worse before they get better.
1. When first deployed, a SIEM solution will expose the enterprise to all the risk it was missing but that was there anyway. In today’s regulated world, if you’re not prepared to address that increased risk, you’d best just leave your head in the sand.
2. As visibility into risk increases, security spend will by necessity increase as new tools or time need to be expended to combat identified risks. Most enterprises don’t have unlimited security budgets, so spending initially trails threat exposure.
3. As the most serious threats are addressed, risk tapers off fairly quickly. At this point perceived risk and actual risk are being reduced, though levels are likely to be higher than what was perceived for some time.
4. Spend remains higher for longer as solution deployments must be rationalized and staffing levels finalized. Spend begins to go down when the costs associated with breaches and other threats are eliminated.
5. In time, and with concentrated effort, SIEM can allow the enterprise to drive risk and spend to lower levels than were previously experienced. As a side benefit, while risk is being addressed, SIEM is also providing compliance reporting benefits that help in other ways.
Sections:
• Understand SIEM Trends and Considerations
• Evaluate SIEM Vendors
• Develop Your SIEM Implementation Strategy
• Appendices
What’s in this Section: Evaluate SIEM Vendors
• Info-Tech’s Vendor Landscape for ten SIEM vendors
• Shortlisting SIEM vendors through scenario analysis
• Developing and executing a SIEM RFP
SIEM Market Overview
How it got here
• Security Information & Event Management grew from the conjoining of two separate tools: Security Event Management and Security Information Management (which itself grew out of simpler Log Management). Indeed, some vendors still offer separate SEM and SIM products under the SIEM banner.
• The space was founded just prior to the 2000s but has failed to catch on in any significant way; even the leading vendors claim less than 2,000 clients each.
• SIEM solutions have typically focused on the largest of enterprises, but recently vendors have begun producing simplified, streamlined all-in-one solutions aimed at the SMB space.
Where it’s going
• Two factors combine to drive the awareness and adoption of SIEM: the first is the push into the SMB space that began a few years ago, while the second is the increasing amount of regulatory and industry compliance and its comprehensive auditing demands.
• Though the space is mostly populated by smaller dedicated players, some larger players are already marketing SIEM solutions. The recent acquisition of market-leader ArcSight by HP is a possible precursor of greater consolidation to come.
• As security and compliance concerns grow with each new regulation, each failed audit, and each publicized security breach, SIEM will finally begin to draw broader attention in the coming year.
As the market evolves, so do the features you need to evaluate. Pay close attention to improving collection, aggregation, and correlation capabilities and the adoption of truly open standards for event data records.
SIEM Vendor Landscape inclusion criteria: Market share, mind share, and market consolidation
• Though over ten years old now, in many ways the SIEM space is still nascent with numerous players, many of them small and independent. However, the landscape may be shifting as evidenced by the recent acquisition of market-leader ArcSight by HP and the merging of NetIQ and Novell product lines.
• For this Vendor Landscape, Info-Tech focused on those vendors that have a strong market presence and/or reputational presence among small to mid-sized enterprises.
Included in the Vendor Landscape:
• ArcSight. The market leader with enterprise-focused ESM, pushing into SMB with Express.
• IBM. SIEM marketed under the Tivoli umbrella – a single line focused more at the enterprise than SMB.
• LogLogic. A dedicated SIEM provider with a modular platform that offers flexibility to all enterprises.
• netForensics. One of the pioneers of SIEM; separate products focused at the enterprise and SMB.
• NitroSecurity. The most recent entrant to the SIEM market (2007) but a company definitely on the rise.
• Q1 Labs. The largest independent player remaining; QRadar anchors a capable suite of SIEM tools.
• RSA. Second in market share, its enVision products target both the large (LS line) and SMB (ES line) clients.
• SenSage. One of the smaller vendors in this evaluation and one still primarily focused on the large enterprise.
• Symantec. The world’s largest security vendor markets a single platform to all clients equally.
• TriGeo. The only player dedicated to the SMB space; may single-handedly have created this end of the market.
SIEM Criteria & Weighting Factors
Overall weighting: Product 50%, Vendor 50%.
Product Evaluation (the figure shows criterion weights of 30%, 20%, 20%, and 30% across the four product criteria):
• Features: The solution provides basic and advanced feature/functionality.
• Usability: The solution’s dashboard and reporting tools are intuitive and easy to use.
• Affordability: The five-year TCO of the solution is economical.
• Architecture: The delivery method of the solution aligns with what is expected within the space.
Vendor Evaluation (the figure shows criterion weights of 30%, 30%, 15%, and 25% across the four vendor criteria):
• Strategy: Vendor is committed to the space and has a future product and portfolio roadmap.
• Reach: Vendor offers global coverage and is able to sell and provide post-sales support.
• Viability: Vendor is profitable, knowledgeable, and will be around for the long-term.
• Channel: Vendor channel strategy is appropriate and the channels themselves are strong.
The Info-Tech SIEM Vendor Landscape
Champions receive high scores for most evaluation criteria and offer excellent value. They have a strong market presence and are usually the trend setters for the industry.
Market Pillars are established players with very strong vendor credentials, but with more average product scores.
Innovators have demonstrated innovative product strengths that act as their competitive advantage in appealing to niche segments of the market.
Emerging players are newer vendors who are starting to gain a foothold in the marketplace. They balance product and vendor attributes, though score lower relative to market Champions.
For a complete description of Info-Tech’s Vendor Landscape methodology, see the Appendix.
Figure: Vendor Landscape chart positioning SenSage, Q1 Labs, IBM, LogLogic, Symantec, RSA, ArcSight, NitroSecurity, netForensics, and TriGeo.
Balance individual strengths to find the best fit
Figure: Harvey Ball comparison of ArcSight, IBM, LogLogic, netForensics, NitroSecurity, Q1 Labs, RSA, SenSage, Symantec, and TriGeo on Product criteria (Features, Usability, Price, Platform, Overall) and Vendor criteria (Viability, Strategy, Channel, Reach, Overall).
For an explanation of how Info-Tech Harvey Balls are calculated, please see the appendix.
What is a Value Score?
The Value Score indexes each vendor’s product offering and business strength relative to their price point. It does not indicate vendor ranking.
Vendors that score high offer more bang for the buck (e.g. features, usability, stability, etc.) than the average vendor, while the inverse is true for those that score lower.
Price-conscious enterprises may wish to give the Value Score more consideration than those who are more focused on specific vendor/product attributes.
The Info-Tech SIEM Value Index
Figure: Value Index bar chart, with Champions flagged. On a relative basis, Symantec maintained the highest Info-Tech Value Score™ of the vendor group. Vendors were indexed against Symantec’s performance to provide a complete, relative view of their product offerings.
Note: To calculate the Value Score for each vendor, the affordability raw score was backed out, the product scoring reweighted, and the affordability score multiplied by the product of the Vendor and Product scores.
Table Stakes represent the minimum standard; without these a product doesn’t even get reviewed
If Table Stakes are all you need from your SIEM solution, the only true differentiator for the organization is price. Otherwise, dig deeper to find the best price and value for your needs.
What Does This Mean?
The products assessed in this Vendor Landscape™ meet, at the very least, the requirements outlined as Table Stakes. Many of the vendors go above and beyond the outlined Table Stakes, some even do so in multiple categories. This section aims to highlight the products’ capabilities in excess of the criteria listed here.
The Table Stakes
• Basic Collection / Aggregation / Normalization (CAN): Collection from firewall logs, IDS logs, Windows server logs, web server logs, and syslogs.
• Basic Correlation: Canned correlation policies for CAN data that act in near-real time.
• Basic Alerting: Logging for all correlated events and alerting via pager/e-mail/text for those that exceed a given threshold.
• Basic Reporting: Availability of canned reports that can be run on a scheduled and ad hoc basis.
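As an added illustration (not part of the Info-Tech report or any vendor's product), the following Python script implements the first three table-stakes functions over constructed sample log lines: it normalizes firewall, Windows logon and web-server records into one schema, runs a canned cross-source correlation rule in event-time order, logs every correlated event, and alerts only when the failure count reaches a threshold. The log formats, field names, event IDs in the sample data and the rule itself are assumptions chosen for the example.

```python
"""Minimal 'table stakes' SIEM pipeline: collect/normalize, correlate, alert."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines (not from any real system). Three source types
# all observe the same source address, which no single tool ties together.
SAMPLE_LOGS = [
    ("firewall", "2019-08-18T10:00:01 fw01 DENY src=203.0.113.5 dst=10.0.0.20 dport=3389"),
    ("windows", "2019-08-18T10:00:05 dc01 EventID=4625 User=alice Src=203.0.113.5"),
    ("windows", "2019-08-18T10:00:09 dc01 EventID=4625 User=bob Src=203.0.113.5"),
    ("web", '203.0.113.5 - - [18/Aug/2019:10:00:12 +0000] "POST /login HTTP/1.1" 401 512'),
    ("web", '203.0.113.5 - - [18/Aug/2019:10:00:15 +0000] "POST /login HTTP/1.1" 401 512'),
    ("windows", "2019-08-18T10:00:20 dc01 EventID=4624 User=alice Src=203.0.113.5"),
    ("web", '198.51.100.7 - - [18/Aug/2019:10:30:00 +0000] "GET /index.html HTTP/1.1" 200 1024'),
]

# Assumed (simplified) line formats for each collector.
FW_RE = re.compile(r"(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+)")
WIN_RE = re.compile(r"(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) User=(?P<user>\S+) Src=(?P<src>\S+)")
WEB_RE = re.compile(r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Windows logon audit event IDs (standard Microsoft values: 4625 failure, 4624 success).
WIN_ACTIONS = {"4625": "auth_failure", "4624": "auth_success"}


def normalize(source_type, line):
    """Collection/Aggregation/Normalization: map one raw line to a common schema.
    Returns None for lines the parser for that source type does not recognize."""
    if source_type == "firewall":
        m = FW_RE.match(line)
        if not m:
            return None
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "firewall", "host": m["host"],
                "src_ip": m["src"], "user": None, "action": "fw_" + m["action"].lower()}
    if source_type == "windows":
        m = WIN_RE.match(line)
        if not m:
            return None
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "windows", "host": m["host"],
                "src_ip": m["src"], "user": m["user"],
                "action": WIN_ACTIONS.get(m["eid"], "win_event_" + m["eid"])}
    if source_type == "web":
        m = WEB_RE.match(line)
        if not m:
            return None
        # Web timestamps carry a zone; convert to UTC and drop tzinfo so all sources compare.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        failed_login = m["path"] == "/login" and m["status"] == "401"
        return {"ts": ts.replace(tzinfo=None), "source": "web", "host": "web",
                "src_ip": m["src"], "user": None,
                "action": "auth_failure" if failed_login else "web_request"}
    return None


def correlate(events, threshold=3, window_seconds=300):
    """Canned correlation policy run in event-time order (near-real-time style):
    authentication failures / firewall denies from one source IP, seen by at least
    two different source types inside the sliding window, are correlated. Every
    correlated event is logged; an alert is raised only when the count reaches
    `threshold`, and escalated if a later logon success from the same IP follows."""
    recent = defaultdict(deque)      # src_ip -> deque of (ts, source) failures
    alerted = set()                  # one alert per IP per burst
    correlated, alerts = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src_ip"]]
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()               # expire failures outside the sliding window
        if ev["action"] in ("auth_failure", "fw_deny"):
            q.append((ev["ts"], ev["source"]))
            sources = {s for _, s in q}
            if len(sources) >= 2:     # cross-system visibility is the point of SIEM
                correlated.append({"ts": ev["ts"], "src_ip": ev["src_ip"],
                                   "count": len(q), "sources": sorted(sources)})
                if len(q) >= threshold and ev["src_ip"] not in alerted:
                    alerted.add(ev["src_ip"])
                    alerts.append({"ts": ev["ts"], "src_ip": ev["src_ip"], "severity": "medium",
                                   "rule": "multi_source_auth_failures", "count": len(q)})
        elif ev["action"] == "auth_success" and ev["src_ip"] in alerted:
            # A success following a correlated failure burst: escalate the open alert.
            for a in alerts:
                if a["src_ip"] == ev["src_ip"]:
                    a["severity"] = "high"
                    a["user"] = ev["user"]
    return correlated, alerts


def run_pipeline(logs=SAMPLE_LOGS, threshold=3, window_seconds=300):
    """Collect -> normalize -> correlate; returns (correlated event log, alerts)."""
    events = [e for e in (normalize(t, l) for t, l in logs) if e is not None]
    return correlate(events, threshold, window_seconds)


if __name__ == "__main__":
    corr, alerts = run_pipeline()
    print(f"{len(corr)} correlated events logged, {len(alerts)} alert(s)")
    for a in alerts:
        print(a)
```

Raising `threshold` above the number of failures in the window keeps the correlated events in the log but suppresses the alert, which is exactly the logging-versus-alerting split the Basic Alerting row describes.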
Advanced Features are the market differentiators that make or break a product
Scoring Methodology
Info-Tech scored each vendor’s feature offering as a summation of its individual score across the listed advanced features. Vendors were given 1 point for each feature the product inherently provided. Some categories were scored on a more granular scale with vendors receiving half points (see Partial functionality criteria).
Advanced Features (Feature: What We Looked For)
• Log Data Enrichment: Advanced CAN from Net Flow, Identity, Database, Application, Configuration, and File Integrity data sources
• Advanced Correlation: Advanced canned policies, user-defined policies, and adaptive/heuristic policies
• Advanced Alerting: Programmable/customizable alerting responses and workflow injection
• Advanced Reporting: Flexible dashboards, custom reporting capabilities, and ability to export to external reporting infrastructure
• Forensic Analysis Support: Ability to generate custom data queries with flexible drill-down capabilities
• Data Management - Security: Access controls to SIEM system and SIEM data, encryption of SIEM data (in storage and transmission)
• Data Management - Retention: Notable storage capacity, data compression, and inherent hierarchical storage management
Each vendor offers a different feature set; concentrate on what your organization needs
Figure: Advanced feature matrix rating ArcSight, IBM, LogLogic, netForensics, NitroSecurity, Q1 Labs, RSA, SenSage, Symantec, and TriGeo on Log Data, Correlation, Alerting, Reporting, Forensics, Security, and Retention.
Symantec delivers a solid product with an attractive price
Champion
Product: Security Information Manager
Employees: 17,500
Headquarters: Mountain View, CA
Website: Symantec.com
Founded: 1982
Presence: NASDAQ: SYMC; FY10 Revenue: $6B
Overview
• In contrast to most players in the space, Symantec positions its SIEM solution as a security tool first, and compliance tool second; its integration into other product lines backs this up and makes it a good choice for the security conscious.
Strengths
• Symantec offers the broadest base of deployment types – software, hardware, virtual hardware, and managed service offerings, allowing every enterprise to find a fit.
• Security Information Manager is integrated into Symantec’s Global Intelligence Network, meaning system configuration can be adjusted based on more than just local event data.
Challenges
• In many ways, a “jack of all trades, master of none” solution, Symantec hits with partial marks for almost all Info-Tech identified advanced features, but full marks in hardly any.
• SIEM gets little exposure within Symantec’s ever-expanding product portfolio; a flip-flopping on appliance-based delivery model may indicate lack of understanding of market needs.
Priced between $250,000 and $500,000
Info-Tech Recommends:
A solid product at an attractive price from a company with a clear commitment to the security space; these factors make Security Information Manager a good choice for organizations with generic SIEM needs.
QRadar: a complete product from a vendor dedicated to SIEM
Champion
Product: QRadar SIEM
Employees: 250
Headquarters: Waltham, MA
Website: Q1Labs.com
Founded: 2001
Presence: Privately Held
Overview
• Q1 Labs is the largest independent player in the SIEM space and supplements its SIEM play with a broad suite of products to allow for comprehensive security management.
Strengths
• The broadest and most comprehensive set of reporting capabilities of any product in this test; its capability is so broad, integration to third-party reporting solutions is unnecessary.
• Cleanly integrated set of hierarchical products allows enterprises to grow their security management capabilities in an additive, not rip-and-replace manner.
Challenges
• As the biggest independent, and a company experiencing tremendous growth, Q1 Labs may be a target for acquisition as compliance mandates increase the demand for SIEM.
Priced between $250,000 and $500,000
Info-Tech Recommends:
Whether simple log management with the ability to grow into fully featured SIEM, or a broad-based solution that includes pre-exploit management, Q1 Labs has a solution for every need.
SenSage turns security data into business intelligence
Champion
Product: Event Data Warehouse
Employees: 50-100
Headquarters: Redwood City, CA
Website: SenSage.com
Founded: 2000
Presence: Privately Held
Overview
• SenSage grew out of traditional log management and is staking its future on Open Security Intelligence, the extension of SIEM into a business-focused decision support system.
Strengths
• Extremely broad correlation capabilities, coupled with Alert Player that allows admins to replay scenario-based events, means SenSage offers BI-like capability for security data.
• SenSage, despite its size, has built a strong network of high-profile channel partners and backs them with a solid support organization.
Challenges
• With a client base in the mid-hundreds, SenSage is one of the smaller players in this evaluation in terms of overall market share; increasing its client count is imperative.
Priced between $250,000 and $500,000
Info-Tech Recommends:
Organizations looking to go deeper with their security event data may well find SenSage ideal, but must be prepared to take the risk of dealing with one of the smallest vendors in the space.
NitroSecurity ESM: top performance, second-lowest price
Innovator
Product: NitroView ESM
Employees: Over 100
Headquarters: Portsmouth, NH
Website: NitroSecurity.com
Founded: 1999
Presence: Privately Held
Overview
• NitroSecurity bases all of its security technology solutions on its background in massive-scale data management, meaning its solutions correlate broadly, operate quickly, and report efficiently.
Strengths
• One of the most feature-rich solutions in this roundup, and one of only two solutions to offer truly comprehensive and forward-looking correlation capabilities.
• Nitro falls between the pure-play SIEM providers and the broader security vendors, meaning it has good focus on the space, but isn’t solely reliant on SIEM sales for its revenue.
Challenges
• Nitro has expanded its product portfolio to include virtual appliances, but these are currently scaled only at smaller enterprises and remote sites; increasing performance will improve applicability.
Priced between $100,000 and $250,000
Info-Tech Recommends:
With its correlation and forensic analysis capabilities, NitroView ESM can be invaluable to a security manager, though internal auditors may find its lack of external reporting integration a little limiting.
LogLogic: modular platform is powerful, but complex
Innovator
Product: LX, ST, SEM appliances
Employees: Not available
Headquarters: San Jose, CA
Website: LogLogic.com
Founded: 2002
Presence: Privately Held
Overview
• LogLogic approaches the SIEM space with a clear focus on compliance first and foremost, using its “Get-See-Use” philosophy to improve not just compliance, but also security and even operational performance.
Strengths
• The most feature-rich solution in the round-up and the only one to fully address system configuration data as an input source. Coupled with the cleanest interface, this is the solution that delivers the most SIEM capability.
Challenges
• LogLogic is one of the smaller vendors in this review and is focused on the enterprise space, with 70% of its business coming from enterprises with more than $1B in revenues; continued growth may be a challenge without more mid-market focus as the large enterprise market niche saturates.
• Architecturally complex, leading to a higher than average price.
Priced between $250,000 and $500,000
Info-Tech Recommends:
A well integrated line of capable products, but LogLogic’s clear focus on the enterprise market may limit its appeal to smaller businesses, and the appeal of those businesses to LogLogic.
ArcSight Express brings the power of ESM to the SMB
Market Pillar
Product: Express
Employees: 324,600 (HP as a whole)
Headquarters: Palo Alto, CA
Website: ArcSight.com
Founded: 2000
Presence: NASDAQ: HPQ; FY09 Revenue: $126B
Overview
• Recently acquired by HP to become the most valuable asset in that company’s focused security strategy, ArcSight is the largest player in the SIEM space and has recently expanded its portfolio to be more applicable to the mid-market.
Strengths
• An architecturally sound solution allowing for widely varying deployment models; the ability to mix and match Collectors and Loggers with a core Express device offers great flexibility.
• Offers the ability to tightly correlate security events to users via IdentityView, an add-on capability that monitors user activity across all accounts, applications, and systems.
Challenges
• ArcSight has trimmed its impressive enterprise-focused ESM solution to build Express but may have left out some differentiating capabilities.
• HP and ArcSight representatives are all saying the right things in regards to the recent acquisition, but only time will tell if the union will represent a win for existing and future clients.
Priced between $250,000 and $500,000
Info-Tech Recommends:
Express represents a well-rounded solution but one that is less exceptional than its flagship ESM; feature reduction combined with one of the highest prices limits overall appeal.
enVision integration with DLP and GRC a boon to RSA shops
Market Pillar
Product: enVision
Employees: 40,000+ (EMC as a whole)
Headquarters: Bedford, MA
Website: RSA.com
Founded: 1982
Presence: NYSE: EMC; FY10 Revenue: $17B
Overview
• RSA, the security division of EMC, plots a careful course with its SIEM solution enVision, delivering just enough capability to meet market needs without pushing the envelope to drive the future of the space.
Strengths
• Very broad-based collection/aggregation/normalization capabilities, coupled with strong reporting, gives good coverage for both the security and compliance conscious.
• RSA has taken a holistic view of security management and the integration of three security management platforms (SIEM, DLP, eGRC) is visionary.
Challenges
• enVision is solid but unspectacular in the areas of correlation and alerting when compared with its peers; in a fast-moving market, these shortcomings need to be addressed.
• While the ES line can be cost effective, the LS line (evaluated here) is the most expensive solution in the roundup.
Priced between $250,000 and $500,000
Info-Tech Recommends:
The integration of enVision with RSA’s DLP and eGRC solutions underlines the company’s efforts to become the security management provider; current RSA clients will benefit from those synergies.
-
Info-Tech Recommends:
Lack of feature-functionality and limited architectural deployment models make it difficult to recommend Tivoli SIEM; TSOM may meet broader needs, but was not reviewed by Info-Tech.
Product: Tivoli SIEM
Employees: 400,000
Headquarters: Armonk, NY
Website: IBM.com
Founded: 1911
Presence: NYSE: IBM, FY10 Revenue: $95.8B
Weak correlation capabilities limit the value of Tivoli SIEM
Market Pillar
Overview
• IBM is a truly global player in almost every aspect of Information Technology. Its security management solutions sit under its Tivoli systems management umbrella.
Strengths
• Management of Tivoli SIEM through the common Tivoli admin interface – those familiar with the Tivoli suite will find the learning curve remarkably flat.
• Tivoli SIEM is IBM’s integrated solution for basic SIM, SEM, and log management; advanced SEM/SOC functionality is available in Tivoli Security Operations Manager (TSOM).
Challenges
• Correlation capabilities in Tivoli SIEM are so minimal that it is almost a stretch to label them as such – events from differential sources cannot be linked to create analysis patterns.
Priced between $250,000 and $500,000
-
Info-Tech Recommends:
netForensics declined to brief for this review and available product details are limited, so a detailed recommendation cannot be made at this time.
Product: nFX Cinxi One
Employees: Not available
Headquarters: Edison, NJ
Website: netForensics.com
Founded: 1999
Presence: Privately Held
netForensics offers dual solutions which may split focus
Emerging Player
Overview
• netForensics is one of the pioneers of the SIEM space, having first come on the scene in 1999. Since then a significant number of players have entered the market, and many have surpassed netForensics in capability and market share.
Strengths
• netForensics is exclusively focused on the SIEM space, a position it reinforced by acquiring High Tower Software and with it the Cinxi (later Cinxi One) product line.
Challenges
• The primary target of its solutions is the Managed Service Provider via the nFX SIM One solution. Though it offers a mid-market solution (Cinxi One), its clear focus on the highest end of the market likely limits its applicability to mid-sized businesses.
Priced between $100,000 and $250,000
-
Info-Tech Recommends:
TriGeo declined to brief for this review and available product details are limited, so a detailed recommendation cannot be made at this time.
Product: Security Information Manager
Employees: Not available
Headquarters: Post Falls, ID
Website: TriGeo.com
Founded: 2001
Presence: Privately Held
TriGeo is the only provider solely focused on SMB clients
Emerging Player
Overview
• TriGeo is the only SIEM solution provider targeting the mid-market specifically; its turn-key appliance-based approach has defined mid-market SIEM and led most other players to release competitive solutions.
Strengths
• TriGeo SIEM is the only product truly built for the mid-market; this is not some enterprise-grade solution that has been trimmed of capability, and shoe-horned into a smaller box. It may not offer the same complexity as many competing solutions, but it offers unmatched efficiency and ease of operations.
Challenges
• SIEM, though clearly of value to the mid-market, has traditionally been an enterprise play and the lack of products for that space has limited TriGeo’s size and reach.
*TriGeo’s rankings were affected by its inability to provide Info-Tech with pricing for the SIEM solution.
-
Security Event Management relies on strong correlation and deep forensic analysis.
Streamline monitoring, alerting, and incident response processes to minimize the cost of individual security events
[Chart: vendor rankings for Management of Security Events, grouped as Exemplary, Viable, and Adequate Performers]
-
Compliance capabilities are defined by broad and deep reporting.
Reduce the cost of demonstrating regulatory and policy compliance by simplifying reporting and log review functions
[Chart: vendor rankings for Reduction of Compliance Complexity, grouped as Exemplary, Viable, and Adequate Performers]
-
The broadest possible feature-functionality is required for true Risk Reduction.
Ensure the reduction of enterprise risk by bringing broad-based collection, aggregation, and response abilities to bear
[Chart: vendor rankings for Enhancement of Overall Risk Management, grouped as Exemplary, Viable, and Adequate Performers]
-
Identify leading candidates with the SIEM Vendor Shortlist Tool
Info-Tech’s Security Information & Event Management Vendor Shortlist Tool is designed to generate a customized shortlist of vendors based on your key priorities.
This tool offers the ability to modify:
• Overall Vendor vs. Product Weightings
• Top-level weighting of product vs. vendor criteria
• Individual product criteria weightings: Features, Usability, Affordability, Architecture
• Individual vendor criteria weightings: Viability, Strategy, Reach, Channel
http://www.infotech.com/research/it-security-information-event-management-siem-vendor-shortlist-tool
-
Issue an RFP to ensure that SIEM vendors fit your needs, and not the other way around
Use Info-Tech’s Security Information & Event Management RFP Template to conduct this critical step in your vendor selection process.
Info-Tech’s SIEM RFP Template is populated with critical elements, including:
• The Statement of Work
• Proposal Preparation Instructions
• Scope of Work
• Functional Requirements
• Technical Specifications
• Operations & Support
• Sizing & Implementation
• Vendor Qualifications & References
• Budget & Estimated Pricing
• Vendor Certification
http://www.infotech.com/research/it-security-information-event-management-siem-rfp-template
-
To get the most value out of the RFP process, use the SIEM RFP Scoring Tool
A standard & transparent process for scoring individual vendor RFP responses will help ensure that internal team biases are minimized.
Use Info-Tech’s SIEM RFP Scoring Tool to:
• Evaluate RFP Responses: The Security Information & Event Management RFP Scoring Tool is pre-built with essential criteria complementing the SIEM RFP Template from the previous slide.
• Accelerate Procurement: Use the tool to drive the meeting with your procurement department.
http://www.infotech.com/research/it-security-information-event-management-siem-rfp-scoring-tool
http://www.infotech.com/research/it-security-information-event-management-siem-rfp-template
-
Take charge of vendor finalist demonstrations with a Vendor Demonstration Script
An onsite product demonstration will help enterprise decision-makers better understand the capabilities and constraints of various solutions.
This tool is designed to provide vendors with a consistent set of instructions for demonstrating key scenarios for the SIEM implementation.
The Security Information & Event Management Vendor Demo Script covers:
• Standard and advanced log source and log management/retention configurations.
• Canned and custom event correlation and alerting capabilities.
• Canned and custom reporting functionality.
• Forensic log analysis and incident management tools.
• Custom dashboard and granular system access features.
http://www.infotech.com/research/it-security-information-event-management-siem-vendor-demo-script
-
Develop Your SIEM Implementation Strategy
Sections: Understand SIEM Trends and Considerations; Evaluate SIEM Vendors; Develop Your SIEM Implementation Strategy; Appendices
What’s in this Section:
• SIEM implementation architectures
• Assessing the total cost of SIEM
• Moving forward with your SIEM implementation
-
Getting to a SIEM implementation strategy
Get a handle on overall costs, understand the resource implications, and develop a plan to realize immediate and long-term benefits of SIEM.
• Hard implementation costs:
◦ Design and size a SIEM solution that meets operational requirements.
◦ Include the costs of additional hardware components.
• Soft implementation costs:
◦ Identify and track the resources consumed in system implementation and training.
• Ongoing staffing costs:
◦ Understand the immediate and ongoing impact on existing compliance and security management staffing.
• Getting approval and moving ahead:
◦ Stay attuned to the “tone from the top,” and grow use of the SIEM tool methodically.
-
Consider the available SIEM hardware platform options
SIEM is not a toaster, but SIEM appliance models have undeniable merits.
Regardless of the platform selection, don’t forget to plan for log data backup to meet regulatory and internal policy requirements.
Platform: Hardware Appliance
• Pros: Simplified management maximizes focus on SIEM operations. Simplified support – no vendor concerns about underlying hardware.
• Cons: Dedicated onboard storage is unavailable for other uses. Scalability limited by appliance capabilities.
Platform: Virtual Appliance
• Pros: Leverages existing server virtualization and shared storage (SAN) investments. Scalability and resiliency limited only by those environments.
• Cons: High-performance requirements consume virtual server resources. Requires additional virtual server management.
Platform: Software-only Solutions
• Pros: Allows wider choice of hardware.
• Cons: Requires dedicated server hardware and ongoing server management. Elevates risk of HW vs. SW finger-pointing during support calls.
-
Identify constraints for your SIEM architecture
Consider performance, capacity, and regulatory inputs in your design process.
• SIEM vendors offer a variety of centralized and distributed deployment options – sometimes the best design is a mix of both.
• Centralized components typically include log collectors, event correlation engines, and functions including alerting, reporting, and incident management tools.
◦ Whether “all in one” or separate but adjacent devices, deploying these components centrally reduces the management burden for SIEM.
• Distributed designs may include single-purpose collectors and combination collector/correlation devices, which can support:
◦ Regulatory requirements (e.g. EU Safe Harbour) that restrict offshore movement of private/sensitive data.
◦ Performance and scalability needs by aggregating data from log sources at remote sites and offloading event correlation processing.
Info-Tech Insight
Cloud-based SIEM solutions (aka SIEMaaS) are emerging, but remain scarce. Regulatory restrictions may limit the applicability of such services.
In contrast, managed security service provider (MSSP) solutions, in which a third party maintains and monitors a SIEM system housed on customer premises, offer greater promise today:
• Customer control over sensitive data.
• Shared access to 24x7 monitoring at a fraction of the cost.
-
Optimize the SIEM solution design
Understand your current IT environment in order to size the SIEM solution properly and minimize WAN impact.
• SIEM deployments are sized based on two key factors: logging rate and storage capacity.
• Logging rates, or the number of log records that the system can process, are measured in events or messages per second (eps or MPS):
◦ Collectors must be sized to handle the peak number of events per second, or risk losing critical log records.
◦ Peak eps requirements for a SIEM solution are determined by summing the peak logging rates of all source devices. Though it is unlikely that all devices will hit peak rates simultaneously, this provides the capacity to handle elevated logging demands from extraordinary events such as denial of service attacks and malware outbreaks.
• Storage capacity requirements depend on logging rates, but with a twist:
◦ All SIEM solutions perform some level of log file compression, typically ranging between a 20 to 40-fold reduction in log file sizes.
◦ Total storage capacity requirements can be calculated by summing the average daily log file size of each source device, multiplying by the required retention period, and dividing by the SIEM compression rate.
◦ Some SIEM solutions allow retention periods to be defined by device (or group of devices), while others establish a single, default retention period.
Info-Tech Insight
For multi-site deployments, look to distributed components to optimize SIEM and network performance. Distributed log collectors:
• Spread the peak eps load across multiple devices.
• Compress log data before forwarding on to a central collector, saving considerably on WAN traffic.
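The sizing rules on this slide, coded as an added example that is not the deck's or any vendor's tooling: peak eps as the sum of source peaks, storage from daily volume, retention and the quoted 20- to 40-fold compression band (with per-device retention overrides), and a first-fit split of sources across distributed collectors. Source names, rates and sizes are constructed sample values, and the 20% collector headroom is an assumption.

```python
"""SIEM capacity-planning helpers.

Added example, not from the Info-Tech deck or any vendor's tooling. It codes
the sizing rules the slide states: peak eps is the sum of every source's peak
rate; storage is the sum of (average daily log size x retention) divided by
the SIEM compression factor (the deck quotes a 20- to 40-fold reduction), with
optional per-source retention; and distributed collectors share the peak eps
load. Source names, rates and sizes below are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LogSource:
    name: str
    peak_eps: float                       # peak events per second from this source
    avg_daily_mib: float                  # average uncompressed log volume per day
    retention_days: Optional[int] = None  # None = inherit the SIEM-wide default


def peak_eps(sources: List[LogSource]) -> float:
    """Sum of per-source peaks: deliberately conservative, so a DoS or malware
    outbreak that drives every source to peak does not drop records."""
    return sum(s.peak_eps for s in sources)


def storage_gib(sources: List[LogSource], default_retention_days: int,
                compression: float) -> float:
    """Compressed storage (GiB) to hold each source for its retention period.
    A per-source retention_days overrides the default, modelling products that
    set retention per device or device group."""
    if compression <= 0:
        raise ValueError("compression factor must be positive")
    raw_mib = 0.0
    for s in sources:
        days = default_retention_days if s.retention_days is None else s.retention_days
        raw_mib += s.avg_daily_mib * days
    return raw_mib / compression / 1024.0


def storage_range_gib(sources: List[LogSource], default_retention_days: int,
                      low: float = 20.0, high: float = 40.0):
    """(best case, worst case) GiB across the deck's 20x-40x compression band;
    plan disk for the worst case (lowest compression)."""
    return (storage_gib(sources, default_retention_days, high),
            storage_gib(sources, default_retention_days, low))


def plan_collectors(sources: List[LogSource], collector_eps: float,
                    headroom: float = 0.2) -> List[List[str]]:
    """Spread sources across distributed collectors so none exceeds its rated
    eps minus a headroom fraction (first-fit decreasing by peak eps). Raises if
    a single source alone exceeds one collector's usable capacity, because that
    collector would lose records at peak no matter how the rest are placed."""
    usable = collector_eps * (1.0 - headroom)
    bins: List[List] = []                 # each entry: [remaining_eps, [names]]
    for s in sorted(sources, key=lambda x: x.peak_eps, reverse=True):
        if s.peak_eps > usable:
            raise ValueError(f"{s.name} peaks at {s.peak_eps} eps, above the "
                             f"{usable:.0f} eps usable per collector")
        for b in bins:
            if b[0] >= s.peak_eps:
                b[0] -= s.peak_eps
                b[1].append(s.name)
                break
        else:
            bins.append([usable - s.peak_eps, [s.name]])
    return [names for _, names in bins]


# Constructed sample inventory (not the deck's 200-device pricing scenario).
SAMPLE_SOURCES = [
    LogSource("fw-edge", 1500, 4096),
    LogSource("dc01-windows", 800, 2048, retention_days=365),  # regulated system
    LogSource("oracle-erp", 600, 3072, retention_days=365),    # regulated system
    LogSource("exchange", 400, 1024),
    LogSource("vpn", 300, 512),
    LogSource("web-proxy", 1200, 2560),
]

if __name__ == "__main__":
    print(f"peak eps to size for: {peak_eps(SAMPLE_SOURCES):.0f}")
    lo, hi = storage_range_gib(SAMPLE_SOURCES, default_retention_days=90)
    print(f"storage at 90-day default retention: {lo:.1f} to {hi:.1f} GiB")
    for i, group in enumerate(plan_collectors(SAMPLE_SOURCES, 2500), 1):
        print(f"collector {i}: {', '.join(group)}")
```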
-
Account for implementation resource costs
Success with SIEM involves more than just the Security team. Make sure all the right parties are engaged up front.
Project Team Composition
• Security, network, and system administrators all have substantial involvement:
◦ Identifying and configuring log data sources.
◦ Defining event severity levels; monitoring, alerting & escalation processes; and reporting formats & schedules.
• Internal auditors and other compliance personnel also play a key role:
◦ Designing dashboards and reports to simplify compliance management efforts.
◦ Specifying elevated requirements for regulated systems – architectural or procedural.
Training Considerations
• Training is critical for project team members and the groups they represent.
• System training is necessary for all those who use SIEM directly (e.g. security operators, compliance auditors); process training is appropriate for those who only use SIEM outputs.
-
Understand the ongoing staffing impact
Examine compliance management savings and increased monitoring costs. The rest is just noise.
• For incident response staff and supporting system administrators, SIEM is a double-edged sword:
◦ Increased response efficiencies are countered by increased event visibility, until and unless SIEM-driven improvements are made to key security and system controls.
• Organizations facing regular and/or diverse regulatory requirements can reduce the associated reporting burden substantially:
◦ Required reports can be generated automatically and consistently across multiple systems, without burdening the system admins.
◦ Where needed, internal SIEM activity can be reported on to demonstrate compliance with log review requirements.
• Real-time event monitoring can be a huge cost driver for SIEM:
◦ For organizations lacking a dedicated Security Operations Center, adding a dedicated 24x7 monitoring capability could equate to 5 FTEs.
◦ Consider adding a “best effort” event monitoring responsibility to existing security staff – a 10-20% rise in staffing levels could enable much better incident response outcomes.
Info-Tech Insight
SIEM monitoring through an MSSP can provide cost-effective alternatives for real-time event monitoring:
• MicroAge, an IT services firm, opted for an MSSP to provide on-premise SIEM equipment and remote monitoring services.
• For a monthly fee, MicroAge avoided the capital cost of a SIEM solution supporting 120 log sources.
• In the same monthly fee, MicroAge receives 24x7 real-time event monitoring, with serious events escalated to internal IT staff, at a small fraction of the cost of staffing such a capability internally.
“You get an alarm system for your network, but you don't get the cops to go with it.”
- Perry Kuhnen, IT Manager, MicroAge (about SIEM without real-time monitoring)
-
Factor decision-makers’ concerns into the SIEM proposal
Perspective matters: position initial SIEM plans based on what’s most important to leadership, and focus on relevant cost reduction opportunities.
• Where leadership has a strong focus on information risk management, pitching event-focused SIEM is easier:
◦ Even without 24x7 monitoring, event-focused SIEM enables risk reduction simply through enhanced visibility.
◦ Reducing incident-related costs can offset SIEM investments.
• Where that strong risk focus is missing, compliance-focused SIEM may be the more effective route to approval:
◦ Reducing the costs of demonstrating compliance can offset SIEM investments.
◦ Leverage enhanced visibility to elevate information risk to a leadership level, and evolve SIEM toward a greater focus on event and risk management.
-
Start modestly, but keep the final objective in mind
Don’t try to execute the whole SIEM vision at once. Learn from early stages, and build capabilities & benefits incrementally.
• Embarking on a SIEM initiative requires a serious investment of time and money. Implementation can be phased in two distinct, but complementary, ways.
• Phased by SIEM function:
◦ Start with a compliance management focus, but explore the benefits of enhanced event visibility, or
◦ Start with an event management focus, but take advantage of compliance reporting for internal purposes.
◦ Once both are implemented, look at continuous risk management opportunities – demonstrated benefits from past experiences might even outweigh the cost of adding 24x7 monitoring.
• Phased by source system:
◦ Start with the most critical systems (key applications, core infrastructure, regulated environments).
◦ Expand to other log data sources as the benefits of SIEM are demonstrated for those key assets.
• Mix and match these approaches to minimize initial costs, maximize the benefits delivered, and build additional support for broader SIEM deployments:
◦ Later stages may not deliver the same magnitude of benefits, but they involve lower equipment and configuration costs, as they leverage initial investments made in earlier stages.
-
Appendices
Sections: Understand SIEM Trends and Considerations; Evaluate SIEM Vendors; Develop Your SIEM Implementation Strategy; Appendices
What’s in this Section:
• Vendor Landscape methodology
• SIEM survey demographics
-
Vendor Evaluation Methodology
Info-Tech Research Group’s Vendor Landscape market evaluations are a part of a larger program of vendor evaluations which includes Solution Sets that provide both Vendor Landscapes and broader Selection Advice.
From the domain experience of our analysts, as well as through consultation with our clients, a vendor/product shortlist is established. Product briefings are requested from each of these vendors, asking for information on the company, products, technology, customers, partners, sales models, and pricing.
Our analysts then score each vendor and product across a variety of categories, on a scale of 0-10 points. The raw scores for each vendor are then normalized to the other vendors’ scores to provide a sufficient degree of separation for a meaningful comparison. These scores are then weighted according to weighting factors that our analysts believe represent the weight that an average client should apply to each criterion. The weighted scores are then averaged for each of two high level categories: vendor score and product score. A plot of these two resulting scores is generated to place vendors in one of four categories: Champion, Innovator, Market Pillar, and Emerging Player.
For a more granular category by category comparison, analysts convert the individual scores (absolute, non-normalized) for each vendor/product in each evaluated category to a scale of zero to four whereby exceptional performance receives a score of four and poor performance receives a score of zero. These scores are represented with “Harvey Balls,” ranging from an open circle for a score of zero to a filled in circle for a score of four. Harvey Ball scores are indicative of absolute performance by category but are not an exact correlation to overall performance.
Individual scorecards are then sent to the vendors for factual review, and to ensure no information is under embargo. We will make corrections where factual errors exist (e.g. pricing, features, technical specifications). We will consider suggestions concerning benefits, functional quality, value, etc.; however, these suggestions must be validated by feedback from our customers. We do not accept changes that are not corroborated by actual client experience or wording changes that are purely part of a vendor’s market messaging or positioning. Any resulting changes to final scores are then made as needed, before publishing the results to Info-Tech clients.
Vendor Landscapes are refreshed every 12 to 24 months, depending upon the dynamics of each individual market.
-
Value Index Ranking Methodology
Info-Tech Research Group’s Value Index is part of a larger program of vendor evaluations which includes Solution Sets that provide both Vendor Landscapes and broader Selection Advice.
The Value Index is an indexed ranking of value per dollar as determined by the raw scores given to each vendor by analysts. To perform the calculation, Affordability is removed from the Product score and the entire Product category is reweighted to represent the same proportions. The Product and Vendor scores are then summed, and multiplied by the Affordability raw score to come up with the Value Score. Vendors are then indexed to the highest performing vendor by dividing their score into that of the highest scorer, resulting in an indexed ranking with a top score of 100 assigned to the leading vendor.
The Value Index calculation is then repeated on the raw score of each category against Affordability, creating a series of indexes for Features, Usability, Viability, Strategy and Support, with each being indexed against the highest score in that category. The results for each vendor are displayed in tandem with the average score in each category to provide an idea of over and under performance.
The Value Index, where applicable, is refreshed every 12 to 24 months, depending upon the dynamics of each individual market.
-
Product Pricing Scenario & Methodology
Info-Tech Research Group provided each vendor with a common pricing scenario to enable normalized scoring of Affordability, calculation of Value Index rankings, and identification of the appropriate solution pricing tier as displayed on each vendor scorecard.
Vendors were asked to provide list costs for SIEM appliances and/or SIEM software licensing to address the needs of a reference organization described in the pricing scenario. For non-appliance solutions (i.e. software-only and virtual appliance architectures), physical or virtual hardware requirements were requested in support of comparing as-installed costs.
Additional consulting, deployment, and training services were explicitly out of scope of the pricing request, as was the cost of enhanced support options, though vendors were encouraged to highlight any such items included with the base product acquisition. The annual software/hardware maintenance rate was also requested, along with clarity on whether or not the first year of maintenance was included in the quoted appliance/software costs, allowing a three-year total acquisition cost to be calculated for each vendor’s SIEM solution. This three-year total acquisition cost is the basis of the solution pricing tier indicated for each vendor.
Finally, the vendors’ three-year total acquisition costs were normalized to produce the Affordability raw scores and calculate Value Index ratings for each solution.
Key elements of the common pricing scenario provided to SIEM vendors included:
• A three-site organization with 2200 employees located at a US head office facility, a second US satellite office, and a European satellite office. IT functions, including 3 dedicated IT security professionals, are located primarily at the US head office, with a small proportion of IT staff and systems located at the European site, which also acts as a DR facility.
• The firm is interested in reducing the effort associated with monitoring, alerting, and responding to security events at the Endpoint, Network, and Data Center levels:
◦ The volume & complexity of ad hoc queries against logged and correlated event data is fairly small, driven primarily by incident response efforts and gaps in canned compliance reports.
◦ The SIEM product would be used regularly by four IT staff across the US head office and European satellite site, with additional dashboard-/report-level access for another four users in compliance/audit and IT management/executive roles.
• 200 devices were identified as log data sources for a SIEM solution, including network components, security systems, and both physical and virtual servers. Windows Domain, Oracle databases, MS Exchange and SharePoint, and BES and VOIP environments were explicitly identified in the scenario, and the peak logging volume was specified at 5000 events per second (eps).
-
SIEM Survey Demographics
[Charts (data not reproduced in the text): survey respondents by Industry, Country, Revenue, FTEs, and IT Employees]