Overview of SIEM solutions (security information and event management)



Modern corporate IT infrastructure consists of many systems and components, and tracking them individually can be quite difficult: the larger the enterprise, the more onerous the task. But there are tools that collect reports on the operation of the entire corporate infrastructure in one place: SIEM systems (Security Information and Event Management). Read about the best of these products, according to Gartner experts, in our review, and learn about their main features in our comparison table.



In a nutshell, SIEM technology gives administrators an overview of what's happening on the network. Such systems provide real-time analysis of security events, as well as the activity of devices and users, which allows you to respond to them before significant damage is caused.



SIEM programs collect information from servers, domain controllers, firewalls and many other network devices and provide it in the form of easy-to-use reports. This data is not necessarily security related. With their help, for example, you can understand how the network infrastructure functions and develop a plan for its optimization. But the main thing, of course, is the detection of potential gaps, as well as the localization and elimination of existing threats. This data is provided through the collection and aggregation of network device log data.



After the information is collected (this happens automatically at specified intervals), events are identified and classified. Then, again according to the configured settings, alerts are sent indicating that certain actions of equipment, programs or users may be potential security problems.
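As an added illustration of that pipeline (example code, not from the article or from any product reviewed here), the following Python sketch normalizes a few constructed log lines from two sources into one event schema, chains them by source address, and raises a single alert when repeated authentication failures are followed by a successful login. The log lines, field names and rule name are all assumptions.

```python
# Added illustration of the SIEM pipeline described above: collect -> normalize
# -> classify -> correlate -> alert. Log lines are constructed; names are hypothetical.
import re
from collections import defaultdict
# Constructed raw lines from two sources, an sshd log and a firewall log.
RAW_LOGS = [
    ("sshd", "Jan 10 09:01:02 host1 sshd[812]: Failed password for admin from 203.0.113.7 port 51022 ssh2"),
    ("sshd", "Jan 10 09:01:05 host1 sshd[812]: Failed password for admin from 203.0.113.7 port 51023 ssh2"),
    ("sshd", "Jan 10 09:01:09 host1 sshd[812]: Failed password for admin from 203.0.113.7 port 51024 ssh2"),
    ("fw",   "2024-01-10T09:01:20Z action=deny src=203.0.113.7 dst=10.0.0.5 dport=3389"),
    ("sshd", "Jan 10 09:01:31 host1 sshd[815]: Accepted password for admin from 203.0.113.7 port 51030 ssh2"),
    ("sshd", "Jan 10 09:05:00 host1 sshd[820]: Accepted publickey for deploy from 10.0.0.9 port 40000 ssh2"),
]
SSHD_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+)")
FW_RE = re.compile(r"action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")

def normalize(source, line):
    """Map a raw line onto one common schema so rules never depend on the source product."""
    if source == "sshd":
        m = SSHD_RE.search(line)
        if m:
            result, user, src = m.groups()
            return {"src": src, "user": user, "category": "auth",
                    "outcome": "failure" if result == "Failed" else "success"}
    elif source == "fw":
        m = FW_RE.search(line)
        if m:
            action, src, dst, dport = m.groups()
            return {"src": src, "user": None, "category": "network", "dst": dst,
                    "dport": int(dport), "outcome": "blocked" if action == "deny" else "allowed"}
    return None  # unparsed lines are dropped; a real SIEM should count them as a blind spot

def correlate(events, fail_threshold=3):
    """Chain events by source address; alert once per chain when fail_threshold
    or more auth failures from an address are followed by a successful login."""
    chains = defaultdict(list)
    for ev in events:  # assumed to arrive in time order
        chains[ev["src"]].append(ev)
    alerts = []
    for src, chain in chains.items():
        failures = 0
        for ev in chain:
            if ev["category"] != "auth":
                continue  # network events stay in the chain for context only
            if ev["outcome"] == "failure":
                failures += 1
            elif failures >= fail_threshold:  # success after repeated failures
                alerts.append({"src": src, "rule": "auth_failures_then_success",
                               "failures": failures, "related_events": len(chain)})
                failures = 0
    return alerts

def run_pipeline(raw_logs=RAW_LOGS):
    events = [e for e in (normalize(src, line) for src, line in raw_logs) if e]
    return events, correlate(events)  # (normalized events, alerts)
```

The single alert carries the whole chain (three failures, a blocked RDP attempt and the final success), which is the "one incident, not five alerts" behaviour the review attributes to several products below.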



What opportunities are opening up?



SIEM helps to solve a variety of tasks. Among them: timely detection of targeted attacks and unintentional violations of information security by users, assessing the security of critical systems and resources, conducting incident investigations, and much more.



At the same time, SIEM platforms have a number of limitations. For example, they do not know how to classify data, often do not work well with e-mail, and have blind spots regarding their own events. And, of course, they cannot completely cover an enterprise's information security needs. Still, they are an important part of the enterprise's defense system, albeit not a critical one. Moreover, the development of SIEM platforms does not stand still. For example, some modern products have analytical functions: they not only issue reports and indicate potential problems, but also know how to analyze events themselves and decide which events to report.



In any case, when choosing a specific product, you should focus on many parameters, among which we single out the centralized collection, processing and storage of information, incident notification and data analysis (correlation), as well as the breadth of corporate network coverage. And, of course, if possible, you should run a trial or demo version before buying and see how well it suits the company.



IBM QRadar Security Intelligence







The SIEM platform from the tech giant IBM is one of the most advanced on the market: even in the Gartner quadrant of leaders, it stands above the competition, and has been there for 10 years in a row. The product consists of several integrated systems that together provide maximum coverage of events taking place in the network, and many functions work right out of the box. The tool is able to collect data from a variety of sources, such as operating systems, security devices, databases, applications, and many others.



QRadar Security Intelligence can sort events by priority and highlight those that pose the greatest security threat. This is done through functions that analyze the anomalous behavior of objects (users, equipment, services and processes in the corporate network). This includes identifying actions associated with accessing suspicious IP addresses or requests from them. Detailed reports are provided for all suspicious activity, which, for example, makes it possible to detect suspicious activity outside of working hours. This approach, combined with user monitoring features and application-level visibility of the network, can help combat insider threats. In addition, for conventional cyber attacks, information arrives very quickly and allows them to be stopped before they achieve their goal and cause significant damage.







One of the key features of IBM QRadar Security Intelligence is risk-based detection and prioritization using advanced analytics and correlation across assets, users, network activity, existing vulnerabilities, threat analysis, and more. IBM QRadar can chain related events together so that a separate process is created for each incident.



Because information is collected and displayed in one place, the administrator can see all the associated suspicious activities that were detected by the system. New related events are added to a single chain, so analysts don't have to switch between multiple alerts. For deeper investigations, the dedicated tool IBM QRadar Incident Forensics can restore all network packets associated with the incident and recreate the attacker's actions step by step.



Splunk Enterprise Security







One of the leading platforms in the industry, distinguished by the wide range of information sources it works with. Splunk Enterprise Security is able to collect event logs from traditional network components (servers, security devices, gateways, databases, etc.), mobile devices (smartphones, laptops, tablets), web services and distributed sources. The collected information includes data on user actions, logs, diagnostic results, etc. This allows for convenient search and analysis in both automatic and manual mode. The solution has a variety of customizable notifications that, based on the collected information, warn of existing threats and proactively report potential problems.



The product consists of several modules that are responsible for conducting investigations, logical diagrams of the protected resources and integration with many external services. This approach makes it possible to conduct a detailed analysis on a variety of parameters and establish a relationship between events that, at first glance, do not correlate with each other in any way. Splunk Enterprise Security allows you to correlate data by time, location, queries generated, connections to various systems, and more.







The tool can also work with large data sets and is a full-fledged Big Data platform. Large amounts of data can be processed both in real time and in historical search mode, and, as mentioned above, a huge number of data sources are supported. Splunk Enterprise Security can index hundreds of TB of data per day, so it can be applied to even very large enterprise networks. A dedicated MapReduce tool allows you to quickly scale the system horizontally and distribute the load evenly, so that system performance always remains at an acceptable level. Configurations for clustering and disaster recovery are also available to users.



McAfee Enterprise Security Manager







The solution from McAfee is delivered as physical and virtual appliances, as well as software. It consists of several modules that can be used together or separately. Enterprise Security Manager provides continuous monitoring of corporate IT infrastructure, collects information about threats and risks, and allows you to prioritize threats and quickly conduct investigations. For all incoming information, the solution calculates a baseline activity level and prepares notifications that are sent to the administrator if activity deviates from that baseline. The tool also knows how to work with context, which significantly expands its threat analysis and detection capabilities and also reduces the number of false positives.



McAfee ESM integrates well with third-party products without using APIs, making it compatible with many other popular security solutions. It also has support for the McAfee Global Threat Intelligence platform, which extends traditional SIEM functionality. Thanks to it, ESM receives constantly updated information about threats from around the world. In practice, this makes it possible, for example, to detect events related to suspicious IP addresses.







To improve system performance, the developer offers its customers a set of McAfee Connect tools. These tools contain ready-made configurations to help you handle complex SIEM use cases. For example, the User Behavior Analysis toolkit allows you to find latent threats better and faster, makes security operations more accurate, and dramatically shortens incident investigations. A package for Windows allows you to monitor the services of this OS to assess their proper use and detect threats. In total there are over 50 packages available for different scenarios, products, and standards compliance.



AlienVault Unified Security Platform







AlienVault recently merged with AT&T Business under the AT&T Security brand, but its flagship product is currently sold under the old name. This tool, like most of the other platforms in the review, has more functionality than a traditional SIEM. For example, AlienVault USM has various modules responsible for asset control, full packet capture, etc. The platform is also able to test the network for vulnerabilities, either as a one-time check or as continuous monitoring. In the latter case, notifications about a new vulnerability are received almost as soon as it appears.



Other platform features include an infrastructure vulnerability assessment, which shows how secure the network is and how well its configuration meets security standards. The platform is also able to detect attacks on the network and provide timely notification of them. In this case, administrators receive detailed information about where the intrusion is coming from, which parts of the network were attacked and what methods the attackers are using, as well as what needs to be done first to repel it. In addition, the system is able to detect insider attacks from within the network and notify about them.







With the proprietary AlienApps solution, USM can integrate with and effectively complement security solutions from many third-party vendors. These tools also enhance AlienVault USM's security customization and threat response automation capabilities. Thus, almost all information about the security status of the corporate network becomes available directly through the platform interface. These tools also provide the ability to automate and orchestrate response actions when threats are detected, which greatly simplifies and speeds up detection and incident response. For example, if a link to a phishing site is found, an administrator can send the data to a third-party DNS protection service to automatically block that address, so that it becomes unavailable from computers within the organization.



Micro Focus ArcSight Enterprise Security Manager







The SIEM platform from Micro Focus, which was developed by HPE until 2017, is a comprehensive tool for discovering, analyzing and managing workflows in real time. The tool provides ample opportunities for collecting information about the state of the network and the processes occurring in it, as well as a large set of ready-made security rules. Many features in ArcSight Enterprise Security Manager are automated, such as threat identification and prioritization. For investigations, this tool can integrate with another proprietary solution, ArcSight Investigate, which can detect unknown threats, perform fast smart searches, and visualize data.



The platform is able to process information from a wide variety of device types; according to the developers, there are more than 500 of them. Its mechanisms support all common event formats. Information collected from the sources is converted into a universal format for use on the platform. This approach quickly identifies situations that require investigation or immediate action, and helps administrators focus on the most urgent, high-risk threats.







For companies with extensive networks of offices and divisions, ArcSight ESM enables the SecOps model of operation, in which remote security teams are united and can exchange reporting, processes, tools and information in real time. For all departments and offices, they can apply centralized sets of settings, policies and rules, and use unified matrices of roles and access rights. This approach allows you to quickly respond to threats wherever they appear in the company.



RSA NetWitness Platform







The platform from RSA (one of Dell's divisions) is a set of modules that provide threat visibility based on data from a variety of network sources: endpoints, NetFlow, security devices, information from transmitted packets, etc. For this, it uses a combination of multiple physical and/or virtual appliances that process information in real time and issue alerts based on it, and also store data for future investigations. Moreover, the developer offers architectures for both small companies and large distributed networks.



NetWitness Platform is able to identify insider threats and works with contextual information about a specific infrastructure, which allows you to prioritize alerts and optimize work in accordance with the specifics of the organization. The platform is also able to compare information about individual incidents, which allows you to determine the full scale of attacks on the network and configure it in such a way as to minimize similar risks in the future.







Developers pay a lot of attention to working with endpoints. So, in the RSA NetWitness Platform there is a separate module for this, which provides their visibility both at the user level and at the kernel level. The tool can detect anomalous activity, block suspicious processes and assess the vulnerability of a particular device. And the collected data is taken into account in the operation of the entire system and also affects the overall assessment of the security of the network.



FireEye Helix Security Platform







FireEye's cloud-based platform allows organizations to control any incidents, from reporting them to correcting the situation. It combines many proprietary tools and can integrate with third-party tools. The Helix Security Platform employs extensive user behavior analytics to recognize insider threats and non-malware attacks.



To counter threats, the tool not only uses notifications from administrators, but also applies predefined rule sets, of which there are about 400. This minimizes the number of false positives and relieves administrators of constantly scanning threat messages. In addition, the system offers threat investigation and hunting, behavioral analysis, support for multiple information sources, and easy management of the entire security complex.







The tool does a good job of detecting advanced threats. The Helix Security Platform has the ability to integrate over 300 security tools from both FireEye and third-party vendors. By analyzing the context of other events, these tools provide a high level of detection of covert and disguised attacks.



Rapid7 insightIDR







Rapid7 offers customers a cloud SIEM platform focused on behavior analytics. The system conducts in-depth analysis of logs and also sets up special traps (honeypots) to detect illegal intrusions into the network. InsightIDR tools continuously monitor user activity and correlate it with network events. This not only helps to identify insiders, but also prevents malicious security breaches.



Rapid7 insightIDR continuously monitors endpoints. This makes it possible to see unusual processes, atypical user behavior, strange tasks, etc. If such actions are detected, the system allows you to check whether they are repeated on other computers or remain a local problem. And when problems arise and incidents are investigated, a visual tool is used, which conveniently organizes the accumulated data over time and greatly simplifies the investigation.







To better counter threats, the vendor's experts can independently assess the security of the corporate environment, from equipment to current processes and policies. This allows you to build an optimal network protection scheme from scratch using Rapid7 insightIDR or to improve existing schemes.



Fortinet FortiSIEM







Fortinet's comprehensive and scalable solution is part of the Fortinet Security Fabric platform. The solution comes in the form of physical appliances, but can also be deployed on cloud infrastructure or as a virtual appliance. The tool supports a wide range of information sources: more than 400 devices from other manufacturers. These include endpoints, IoT devices, applications, security tools, and more.



The platform is able to collect and process information from endpoints, including file integrity, registry changes, installed programs and other suspicious events. FortiSIEM has in-depth analysis tools that include real-time and historical event search, attribute and keyword searches, dynamically changing watchlists used to detect critical violations, and much more.







The tool provides administrators with fully functional, customizable dashboards that dramatically improve the usability of the system. They have the ability to play slideshows to demonstrate system performance, generate a variety of reports and analytics, and use color coding to highlight critical events.



Instead of an afterword



There are a very large number of SIEM solutions on the market, most of which are quite capable. Often their capabilities go beyond the standard SIEM definition and offer clients a wide variety of network management tools. Moreover, many work straight out of the box, requiring minimal intervention during installation and initial configuration. But there is also a catch: they can differ in dozens of small parameters, which cannot all be discussed within one review. Therefore, in each specific case, you need to select a solution not only based on the main needs of the enterprise, but also taking into account small details and the future growth of the organization.



We drew your attention to the main points, and testing trial versions of products will help you to scrupulously understand the intricacies and nuances. Fortunately, almost all vendors provide such an opportunity.



Author: Dmitry Onishchenko


