Evaluating and Selecting SIEM Tools - A Buyer’s Guide

A Security Information and Event Management system (SIEM) is a foundation of the modern Security Operations Center (SOC). It collects logs and events from security tools and IT systems across the enterprise, parses the data and uses threat intelligence, rules and analytics to identify security incidents.

Selecting, purchasing and implementing a SIEM is no small task. SIEMs were traditionally very expensive systems, both from a licensing and a hardware perspective. They also have high operating expenses, as they require trained security staff to interpret alerts and identify security incidents.

Modern SIEMs have reduced both types of costs, by offering cloud-hosted and SIEM as a service, by leveraging advanced low cost storage technology, and by making it much easier for analysts to sift through, interpret and operationalize SIEM data.

In this buyer’s guide to modern SIEM solutions you will learn:

Needs, Use Cases and Required Capabilities of SIEM Products - 5 core areas in which a SIEM can help your organization
What Does a Next-Generation SIEM Include? Next-gen components in the new, expanded SIEM model proposed by Gartner, including UEBA and SOAR
SOC Pains and Required Capabilities of Modern SIEM Solutions - top 4 issues experienced in the modern SOC and how SIEMs can alleviate them
SIEM Comparisons - open source vs. commercial vs. home grown and in-house vs. managed
SIEM Total Cost of Ownership - licensing models, hardware costs and sizing, storage costs, and in-house analyst costs
Compliance and security considerations

Needs, Use Cases and Required Capabilities of SIEM Products

User Monitoring

The need: Monitoring user activity within and outside the network

Capabilities

Monitoring user activity
Privileged User Monitoring
Baselining user activity and identifying anomalies

Threat Detection

The need: Specialized tools to monitor, analyze and detect threats

Capabilities

Detecting known attack patterns, signatures, and correlations indicating an attack.
Detect unknown attack chains via machine learning and advanced analytics.

Security Analysis

The need: Deriving more insights into security data from multiple sources

Capabilities

Statistical analysis and correlation rules
Machine learning to establish baselines of normal activity and detect anomalies

Incident Management

The need: An organized way to address and manage security incidents and alerts

Capabilities

Incident prioritization – understanding which incidents are particularly abnormal or dangerous
Automated collection of evidence for investigators
Automated response

Compliance and Security Reporting

The need: Automatically verifying regulatory requirements and generating audit reports, managing data privacy and governance

Capabilities

PCI DSS compliance
HIPAA compliance
SOX compliance
GDPR compliance
Other standards and regulations

What Does a Next-Generation SIEM Include?

According to Gartner’s Critical Capabilities for SIEM 2017 report, next-generation SIEMs must incorporate additional technologies alongside the traditional log management, statistical analysis, alerting and reporting capabilities. New SIEMs must include:

User Event Behavioral Analytics (UEBA) – technology that models standard behavior for users, endpoints and network devices, establishing a baseline and intelligently identifying anomalies, via advanced analytics and machine learning techniques.

Security Orchestration, Automation and Response (SOAR) – technology that collects security data, prioritizes incidents, and encodes incident response in a digital workflow format, enabling automation of some or all incident response stages.

Next-Gen SIEM Components

Threat Intelligence
Combines internal data with third-party threat intelligence feeds on threats and vulnerabilities.
Data Aggregation
Collects and aggregates data from security systems and network devices.
Correlation, Security Monitoring and Alerts
Links events and related data into security incidents, threats or forensic findings, analyzes events and sends alerts to notify security staff of immediate issues.
Advanced Analytics
Uses statistical models and machine learning to identify anomalies and detect advanced threats, detect unknown threats, detect lateral movements within a network, and enrich the context of security alerts to make it easier to investigate and detect elusive threats.
Dashboards
Creates visualizations to let staff review event data, identify patterns and anomalies
Search, Data Exploration and Reporting
Search vast amounts of security data without reviewing raw data and without data science expertise, active explore data to discover patterns and hunt for threats, create and schedule reports on important data points.
Compliance
Gathers log data for standards like HIPAA, PCI/DSS, HITECH, SOX and GDPR and generates compliance reports. Helps to meet compliance and security regulations requirements, for example by alerting about security conditions for protected data.
Retention
Stores long-term historical data, useful for compliance and forensic investigations. Built in data lake technology facilitate unlimited, low cost, long-term storage.
Forensic Analysis
Enables exploration of log and event data to discover details of a security incident, with automated attachment of additional evidence organized in a situation timeline.
Threat Hunting
Enables security staff to run queries on log and event data, and freely explore data to proactively uncover threats. Once a threat is discovered, automatically pulls in relevant evidence for investigation.
Incident Response Support
Helps security teams identify and respond to security incidents automatically, bringing in all relevant data rapidly and providing decision support.
SOC Automation
Automatically responds to incidents but automating and orchestrating security systems, known as Security Orchestration and Response (SOAR).

SOC Pains and Required Capabilities of Modern SIEM Solutions

SIEMs have been a fundamental infrastructure of the Security Operations Center (SOC) for over two decades. However, SOC analysts experience several pains that traditional SIEMs can’t solve. Below we show how next-generation SIEM technology can solve these pains.

Security Operations Center Pain

How a Next-Generation SIEM can Help

Alert fatigue – too many alerts to review and incidents to investigate

Next-generation SIEMs generate less alerts for security analysts to review [explain how facilitated by behavioral profiling]

They can also categorize incidents based on risk reasons, incident type, and priority, enabling analysts to filter and prioritize based on risk scores and business impact.

Analyst fatigue due to mundane tasks

Next-generation SIEMs provide security automation via playbooks. They integrate with IT systems and security tools to automatically attach more evidence to incidents and aid investigators in closing incidents quickly.

Takes too long to investigate incidents

Next-generation SIEMs create a timeline that pulls together all the evidence related to a specific incident, across multiple users and organizational systems. This allows analysts to view the entire scope of an incident and its potential risks on one pane of glass.

Lack of skilled analysts – need to quickly train and on-board new staff

Next-generation SIEMs are easier to use and provide easy to interpret incidents packaged with ancillary information. They also allow easy ways to query and explore security data, without requiring analysts to become SQL experts or data scientists. This allows even junior analysts to assess risks, prioritize incidents, and push confirmed incidents to a next-tier analyst.

SIEM Comparisons

There are three main options for procuring a SIEM platform. Following are some of their pros and cons.

1. Building an open source SIEM

Open source tools such as OSSIM, OSSEC and Apache Metron can provide many SIEM capabilities including event collection, processing, correlation and alerting. Some open source solutions also provide Intrusion Detection System (IDS) capabilities.

Pros
No upfront expense, simpler to implement an open source SIEM than traditional SIEM solutions.

Cons
Ongoing maintenance costs can outweigh the saving in license costs. Open Source SIEMs are not fully featured, mainly suitable for smaller deployments. No next-gen SIEM features.

2. Leveraging a commercial SIEM tool

Traditional SIEM tools from players like HPE, IBM and McAfee (now Intel Security) were the common choice of large organizations building a SOC to centralize security activity and incident response.

In recent years, new lightweight SIEM solutions have emerged, which are powerful, less expensive and much faster to implement. Three of these solutions have been featured in the Gartner SIEM Magic Quadrant 2018: Exabeam, Rapid7 and Securonix.

Pros
Enterprise grade, proven technology, most products have at least some next-gen SIEM capabilities.

Cons
License costs, SOC procedures are built around a specific solution’s processes, leading to vendor lock in.

3. Building a SIEM platform in-house

The ELK stack – ElasticSearch, Logstash and Kibana – is a great starting point for building your own SIEM solution. In fact, most of the new contenders in the SIEM market are based on this stack. Can be suitable for very large organizations who need tailored capabilities, and want to integrate with previous investments in threat intelligence, monitoring or analytics.

Pros
Complete customization of all SIEM capabilities, easier integration with legacy systems and in-house security feeds.

Cons
Very high upfront expense and an ongoing development cost to support changes and maintenance.

In-House vs. Managed SIEM

SIEMs provided and managed by Managed Security Service Providers (MSSP) are a growing trend. Managed SIEMs are making it possible for smaller organizations, which do not have sufficient full time security staff, to enter the SIEM game.

There are four common SIEM hosting models:

Self Hosted, Self Managed – SIEM is purchased or build, then hosted in local data center and run by dedicated security staff.
Self-Hosted, Hybrid-Managed – a SIEM is deployed in-house, typically a legacy investment, and run together by local security staff and MSSP experts.
Cloud SIEM, Self-Managed – a SIEM is run by an MSSP but ongoing security operations managed by in-house staff.
SIEM as a Service – the SIEM runs in the cloud, including data storage, with local security staff managing security processes leveraging SIEM data.

For more details on SIEM hosting models, see our guide to SIEM Architecture.

Evaluating SIEM Total Cost of Ownership

Procuring a SIEM involves several different costs, some of which are capital expenditures and some are operating expenditures.

A SIEM Costing Model

SIEM CAPEX Budget Items

Licenses
Development and integration
Training
Hardware and storage equipment (for on-premise SIEM)
Periodic scaling up of hardware or storage equipment (for on-premise SIEM)

SIEM OPEX Budget Items

Dedicated/outsourced security analysts
IT maintenance and resource provisioning (for on-premise SIEM)
Ongoing integration with new organizational systems
Cloud storage and cloud-based compute resources (for hosted SIEM)

Licensing Models

Your SIEM solution will likely use one of these three license models:

Volume licensing – payment based on number of messages per second, events ingested, etc. For large organizations can drive up license costs significantly.
User based pricing – SIEM is priced based on number of “seats” without respect to the volume of data. In most organizations this will provide the lowest cost, even as data volumes grow, and without respect to the amount of historic data retained.
SaaS pricing – SIEM is paid as a subscription based on actual usage.

Hardware Costs and Sizing

Organizations adopting SIEM on-premise will have to provision hardware to run the SIEM. To determine how much hardware is needed, you should first estimate the number of events the SIEM needs to handle:

The number and type of servers needed is defined by event volume, as well as the storage format, your decision whether to store data locally on in the cloud, the ratio of log compression, encryption requirements, and quantity of short-term data vs. long-term data retention.

For more details on SIEM hardware sizing, see our guide on SIEM Architecture.

Storage Costs and Sizing

The same calculation of Events Per Day can be used to determine the SIEM’s storage requirements. The cost of storage will depend on your SIEM deployment model:

For on-premise SIEM, you will either need to setup storage infrastructure independently, and scale it up as data volumes grow. Or purchase an appliance from the SIEM vendor, but when you scale beyond the appliance’s capacity, you’ll have to manager storage yourself.
For cloud-based SIEM, there is typically a charge per data volume, to compensate the vendor for the cost of cloud storage. Check for how many days the SIEM permits you to retain data, and if there are additional retention costs.

Number of In-House Analysts

A SIEM is not valuable without security analysts who can receive and act upon its alerts. Security. Analysts are needed to:

Review alerts and decide which are actual security incidents
Investigate incidents by pulling together relevant information, and escalating to a higher-tier analyst for action

Analysts must be skilled and trained, preferably with a relevant security certification.

If you use a Managed Security Service Provider (MSSP), analysts will be outsourced by the service provider, or work will be divided between in-house staff and external suppliers.

If you use a SIEM with AI or machine learning capabilities, the tool’s intelligence is not a substitute for human analysts. You will still need analysts, but effective AI processing of security data can substantially reduce false positives, help security analysts get the data they need faster, substantially reducing analyst labor.

Compliance and security considerations

When purchasing a SIEM, consider which standards or regulations your organization as a whole needs to comply with (across all departments – because SIEM is a cross-organizational infrastructure.

Important to consider:

Review the standard and map out sections which might be related to SIEM capabilities – for example, logging and reporting on failed login attempts.
Ensure your SIEM deployment and customization makes it easy to fulfill these requirements.
Check which compliance and audit reports you need to submit which the SIEM can generate automatically – and whether your SIEM solution of choice can generate them.
What are the compliance requirements on the SIEM itself, e.g., which data can be saved according to GDPR?
How will the SIEM be secured – different depending on deployment model – on-premise, cloud, MSSP.

Exabeam - Next Generation SIEM with Unlimited Storage, Advanced Analytics and Automated Incident Response

Exabeam provides next-generation Security Management Platform, a modern SIEM that combines end-to-end data collection, analysis, monitoring, threat detection and automated response in a single management and operations platform.

Exabeam Next-Gen SIEM Capabilities

Exabeam is a modern SIEM platform that provides all the next-gen SIEM capabilities defined in Gartner’s model:

Advanced Analytics and Forensic Analysis

Exabeam provides threat identification with behavioral analysis based on machine learning. It creates behavioral baselines and intelligently identifies anomalies. Exabeam can also dynamically group peers of entities to identify suspicious individuals, and detect lateral movement across different computer systems and user accounts. To enable forensic analysis, Exabeam automatically collects all the evidence related to an incident and constructs timelines to visualize security incidents.

Data Exploration, Reporting and Retention

Exabeam provides unlimited log data retention with flat pricing, leveraging modern data lake technology. It provides context-aware log parsing and presentation that helps security analysts quickly find what they need, and makes it possible to build rules and queries using natural language. Analysts can quickly explore, slice and dice security data without requiring expert knowledge of data science or SQL. Like traditional SIEM platforms, Exabeam also provides prebuild compliance reports for PCI-DSS, SOX, GDPR, and more.

Incident Response and SOC Automation

Exabeam provides customizable case management designed for security incidents. It provides a centralized approach to incident response, gathering data from hundreds of tools and orchestrating a response to different types of incidents, via tools like email servers, active directory and firewalls, using security playbooks. Playbooks can automate investigations, containment, and mitigation.

Threat Hunting

Exabeam provides a point-and-click interface that lets anyone in the SOC easily create complex queries on security data. When an incident is identified, it collects evidence and organizes it into a complete incident timeline. Analysts can also enter an Alert ID from an anti malware or DLP tool, and immediately view a timeline of all related security events.

Exabeam SIEM: Addressing SOC Pain Points

Exabeam’s next-generation capabilities can help resolve the most common pain points in the modern SOC:

Alert fatigue – Exabeam reduces fatigue by leveraging UEBA technology. It focuses analysts on alerts that represent anomalies, compared to behavioral baselines of users and network entities, and helps prioritize incidents based on organizational context.
Analyst fatigue due to mundane tasks – Exabeam integrates with security tools and executes automated security playbooks when specific types of security incidents occur.
Takes too long to investigate incidents – Exabeam automatically pulls in all evidence relevant to a security incident, and lays it out on an incident timeline. This provides an instant look of the incident, across multiple IT systems, users and credentials.
Lack of skilled analysts – Exabeam automatically prioritizes incidents via behavioral analysis, and allows users to construct complex queries on security data using a simple drag-and-drop interface, with no need for data science or SQL expertise. This allows even junior analysts to identify important incidents and conduct in-depth investigation.