Security information and event management (SIEM) systems used to be the preserve of large organizations, but they are increasingly adopted by medium-size and even small ones. Open source SIEMs are compelling for new adopters because they carry no licensing cost and their feature sets keep growing. Which open source SIEMs are out there, and how do they compare with the traditional enterprise offerings?
In this post you will learn:
- What is SIEM?
- Open source SIEM vs. enterprise-level SIEM
- Limitations of open source SIEM
- Top open source SIEM tools
What is SIEM?
SIEM (security information and event management) is a security and auditing system. It is not a single tool, but rather a ‘toolbox’ of multiple monitoring and analysis components.
A SIEM aggregates data from the security and IT tools across the organization (often hundreds of sources), normalizes the events and log entries it collects into a common schema, and applies rules and statistical correlation to turn them into actionable information. Security teams use this information to detect threats in near real time, run forensic investigations of security incidents, coordinate incident response, and prepare for compliance audits.
SIEM is now a standard security control. An increasing number of organizations are adopting SIEM because of the ongoing rise in cyber attacks and stricter security regulations. Regulations such as PCI DSS and the European Union's GDPR have made it imperative that system and application log events are shipped off the individual servers that generate them (so that an attacker who compromises a host cannot quietly alter or delete its logs) and retained securely in a central store for investigation and action.
Open source SIEM vs. enterprise-grade SIEM
Security information and event management is a foundational system in modern cybersecurity. Other security tools produce streams of events that the SIEM ingests, processes and extracts value from. Not all SIEMs have the same capabilities; choosing a SIEM that suits the needs of your organization can mean the difference between detecting and missing a catastrophic security breach.
Open source SIEM
Organizations can use open source SIEM tools to reduce software licensing costs and to evaluate specific capabilities before committing to a commercial product. Open source SIEM solutions provide basic capabilities that can suit the needs of smaller organizations that are just starting to log and analyze their security event information.
Limitations of open source SIEM
- As an organization grows, open source SIEM software can become labor-intensive.
- An organization may save money on licensing costs, but spend money on continual maintenance.
- Many open source SIEM solutions lack key SIEM capabilities, such as reporting, event correlation, and remote management of log collectors.
- An organization may have to combine open source SIEM with other tools.
- Open source SIEM typically requires a high level of expertise and time to deploy effectively.
- Open source SIEMs typically do not provide or manage storage, leaving the organization to provision, secure and retain very large volumes of event data itself.
Enterprise SIEM solutions offer easier installation and configuration management, packaged correlation rules and filters, and pre-built visualizations for the most prevalent use cases. They enable organizations to monitor large-scale data center activity and to centrally manage and configure security-relevant applications.
Perhaps most importantly, currently only enterprise SIEM platforms provide the capabilities of next-generation SIEM. Next-gen enterprise SIEMs come with two new technologies that can save time for security teams and dramatically improve incident detection and response:
- User and entity behavior analytics (UEBA) – goes beyond rules and correlations, leveraging AI and machine learning to look at behavioral patterns of users and IT systems and find high-risk anomalies that may indicate threats.
- Security orchestration, automation and response (SOAR) – integrates with enterprise systems and orchestrates them to automate incident response processes, such as containing a malware infection or a data exfiltration attempt.
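To make concrete how behavioral analytics differs from the fixed correlation rules of a classic SIEM, here is an added example written for this page; it is not code from the original post or from any product the post names, and it is a deliberately small stand-in for what a UEBA engine does. It learns, per user, how often each device and source country has been seen in a constructed login history, then scores a new login by how unlikely its attributes are under that user's own profile. The same event (a new device) is therefore mild for a user who roams across several devices and loud for a user who has only ever used one. The user names, devices, countries, learning period and alert threshold are all assumptions of the example.

```python
"""Added example, not code from the original post or from any product it names.

Toy UEBA-style baseline: per-user profiles of categorical attributes, scored by
rarity under that user's own history. History, events and thresholds are constructed.
"""
import math
from collections import Counter, defaultdict

MIN_HISTORY = 10   # assumed learning period: users with fewer observations are not scored
THRESHOLD = 3.5    # assumed alert threshold on the summed rarity score

# Constructed login history: (user, device, country)
HISTORY = (
    [("alice", "alice-laptop", "US")] * 10
    + [("bob", "bob-laptop", "US")] * 4
    + [("bob", "bob-phone", "US")] * 3
    + [("bob", "vpn-gw", "DE")] * 3
)

# Constructed new events to score against the learned profiles
EVENTS = [
    ("alice", "alice-laptop", "US"),   # routine
    ("alice", "alice-laptop", "GB"),   # one unusual attribute (travel)
    ("alice", "unknown-pc", "RU"),     # new device and new country at once
    ("bob", "tablet-7", "US"),         # bob changes devices often, so a new one is mild
    ("carol", "carol-laptop", "US"),   # no baseline yet: not scored
]


def build_profiles(history):
    """One Counter per attribute per user, plus n = total observations for that user."""
    profiles = defaultdict(lambda: {"device": Counter(), "country": Counter(), "n": 0})
    for user, device, country in history:
        p = profiles[user]
        p["device"][device] += 1
        p["country"][country] += 1
        p["n"] += 1
    return profiles


def rarity(counter, value, n):
    """-log P(value) under a simple estimator that reserves probability mass k/(n+k)
    for values never seen, where k is the number of distinct values observed so far.
    A user with one device is more surprised by a new one than a user with three."""
    k = len(counter)
    seen = counter.get(value, 0)
    p = seen / (n + k) if seen else k / (n + k)
    return -math.log(p)


def score_event(profiles, user, device, country):
    """Return (score, reasons), or None while the user is still in the learning period."""
    p = profiles.get(user)
    if p is None or p["n"] < MIN_HISTORY:
        return None
    score, reasons = 0.0, []
    for attr, value in (("device", device), ("country", country)):
        score += rarity(p[attr], value, p["n"])
        if value not in p[attr]:
            reasons.append("new %s: %s" % (attr, value))
    return score, reasons


def detect(profiles, events, threshold=THRESHOLD):
    """Flag events whose summed rarity reaches the threshold; returns (user, score, reasons)."""
    flagged = []
    for user, device, country in events:
        result = score_event(profiles, user, device, country)
        if result is None:
            continue
        score, reasons = result
        if score >= threshold:
            flagged.append((user, round(score, 2), reasons))
    return flagged


if __name__ == "__main__":
    for row in detect(build_profiles(HISTORY), EVENTS):
        print(row)
```

Only alice's login from an unknown device in an unfamiliar country is flagged: both attributes are novel for a user with a very narrow baseline, so their rarities add up past the threshold, whereas her single unusual attribute (a known device from a new country) and bob's new device each stay below it. No static rule expressed in terms of "N events in M minutes" produces that per-user distinction; that is the point behind the "beyond rules and correlations" claim above. Real UEBA engines use far richer features (peer groups, time of day, data volumes, privilege changes) and tune thresholds per environment, but the baseline-and-rarity idea is the same.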
For an example of a next-generation enterprise SIEM platform, see Exabeam’s Security Management Platform.
Top open source SIEM tools
The ELK Stack
A collection of three open source products: Elasticsearch, Logstash, and Kibana, which together can be used to collect, index, search and visualize IT events.
Deployment options: virtual environments, physical hardware, private cloud, a private zone in a public cloud, or public cloud (e.g., Google Cloud, Azure, AWS).
Main features:
- Logging and log analysis
- Processes, filters, correlates and enriches the log data it collects
- Indexes and stores time-series data
Limitations:
- A general-purpose log analysis platform, not designed as a SIEM
- No built-in reporting or alerting capability
- No built-in security rules; detection content must be written and maintained by the adopter

A security framework combining multiple open source projects
A relatively new entrant that combines several open source projects into a single security analytics platform.
Deployment options: currently works with three data stores: HBase, HDFS, and Elasticsearch.
Main features:
- Pluggable framework for adding custom parsers for new data sources
- Stores enriched telemetry data
- Anomaly detection and machine learning algorithms that can be applied in real time
Limitations:
- Can be installed only on a limited set of environments and operating systems
- The UI is in early development and does not support authentication, so it must not be exposed beyond a tightly controlled network

An open source-based platform with free and paid editions
Built on open source technology; available free of charge and as a paid product (premium edition and MSSP multi-tenancy).
Deployment options: in the cloud using Docker containers, and on VMs and bare metal (macOS, Ubuntu, CentOS, and Debian).
Main features:
- Threat intelligence processing framework
- Uses the ELK Stack for storage, collection, processing, and visualization
Limitations:
- The free edition lacks the user behavior analytics, machine learning, HoneyNet and Threat Kill features of the full product
- Online documentation is sparse

Prelude (open source edition)
Unifies various other open source tools. It is the open source version of the commercial Prelude SIEM.
Deployment options: Linux, OpenBSD, FreeBSD, NetBSD, Sun/Solaris, macOS, Tru64, and other UNIX-based systems.
Main features:
- Correlation, filtering, and alerting
- Analysis and visualization
Limitations:
- Intended for research, evaluation, and testing in very small environments
- According to its makers, the open source edition performs considerably worse than the commercial Prelude SIEM

An all-in-one SIEM platform
A SIEM platform that bundles event collection, normalization, and correlation with several other security functions.
Deployment options: on-premises physical and virtual environments.
Main features:
- Asset discovery
- Vulnerability assessment
- SIEM event correlation
- Intrusion detection
- Behavioral monitoring
Limitations:
- Performance issues at scale
- Very limited log management
- Single-server deployment only
- No integration with UEBA solutions
- Limited application and database monitoring
- A limited graph database that enables only partial native user analytics
- No support for or integration with DAM, CASB, DAP, and DLP tools
Open source benefits vs. costs
Open source SIEMs have matured considerably over the years and are deployed successfully in many organizations. However, while the main driver for adoption is reduced license costs, license costs are only a fraction of the total cost of ownership of a SIEM. Additional, and possibly larger, components include:
- Hardware and storage, which for medium-to-large enterprises represent a large cost and significant management complexity
- Analyst time is the most precious resource in most security teams, and analysts are a must to make any use of SIEM alerts
Exabeam is a next-generation SIEM platform built as an enterprise-grade platform on top of Elasticsearch, which addresses these two pain points and cost centers:
- Provides unlimited cloud-based storage at a fixed cost
- Uses next-gen SIEM capabilities like UEBA and SOAR to dramatically reduce analyst time
Read our detailed SIEM tools buyer’s guide to fully understand the aspects involved in selecting a SIEM system, and whether open source or enterprise SIEM is the best choice for your scenario.