Info-Tech Research Group
Info-Tech Research Group, Inc. is a global leader in providing IT research and advice.
Info-Tech’s products and services combine actionable insight and relevant advice with
ready-to-use tools and templates that cover the full spectrum of IT concerns.
© 1997-2015 Info-Tech Research Group Inc.
Vendor Landscape: Security Information & Event Management (SIEM)
Optimize IT security management & simplify compliance with SIEM tools.
Our Understanding of the Problem

This Research Is Designed For:
IT or Security managers who wish to implement a Security Information and Event Management (SIEM) solution at their organization.
Organizations that want additional security and visibility into their network activity.
Organizations under stringent compliance obligations.

This Research Will Help You:
Select an appropriate SIEM solution based on vendor research.
Create an implementation roadmap.
Define your SIEM architecture.
Measure the continued value of your SIEM.

Outcomes of this Research:
A formalized selection process to identify which SIEM solution is best for your organization to gain full visibility and analyze activity across your network.
An evaluation of the current SIEM products and vendors that can be customized to your organization through the Vendor Shortlist tool.
A completed selection process through the use of a Request for Proposal (RFP) template and a Vendor Demo Script to ensure that you are obtaining the correct information.
An implementation plan that includes the overall defining architecture of your final SIEM solution.
Executive Summary

Situation
Security threats grow more sophisticated each day, and many of them go undetected. Organizations scramble to keep up by implementing new security controls, which adds another layer of complexity.

Complication
With the rise of Advanced Persistent Threats (APTs) and insider attacks, it is extremely difficult for security staff to detect every risk.
Many IT and IT security staff are already stretched thin keeping track of the many security technologies that already exist.

Resolution
A SIEM can provide a great deal of visibility into an organization's networks and surface sophisticated threats that would otherwise remain hidden, provided the relevant log sources are actually collected and the correlation content is maintained.
By integrating with other security technologies, the SIEM can act as a single window into the threats and possible breaches the organization faces.
SIEM technology is also advancing, with more capable correlation engines and big data analytics providing deeper analysis and forensics over the collected data.
Use Info-Tech's research to gain insight into which vendors and products are appropriate for your business, and follow our implementation guidance to set yourself up for success.

Info-Tech Insight
1. A SIEM isn't for everyone. Review your appropriateness and create a formalized SIEM selection process to determine your needs.
2. A SIEM is not your only answer. Proper implementation and ongoing use are needed to maximize the benefits of a SIEM solution.
SIEM Market Overview

How it got here
SIEM used to be two separate products: Security Event Management (SEM) and Security Information Management (SIM).
SIEM was created initially as a compliance management tool, with the ability to centralize, review, and report on log activity.
Soon after, the ability to correlate logs was leveraged to provide threat detection and advanced intelligence tools for examining IT systems more closely.
SIEM solutions were initially directed at large enterprises with high volumes of data and resources. This changed as more and more SIEM vendors began offering products to the small and mid-sized market.
SIEM products expanded their use through integration with other security technologies, providing a holistic view of an organization's security along with the ability to push commands and data out to other systems.

Where it's going
Advanced analytics will change the SIEM landscape entirely and allow for the detection of complex and sophisticated security events.
Organizations are looking to take advantage of big data, and SIEM vendors are no different: more SIEM solutions will focus on leveraging and analyzing big data to provide superior results.
Demand for managed SIEM providers will continue to increase among both small and large organizations. Smaller organizations won't have the internal resources or expertise to staff a SIEM; larger organizations may not want to dedicate resources, or may decide a provider has the expertise they require.
As organizations continue to grow larger and more diverse, the ability to scale in heterogeneous environments becomes more important, and SIEM products will need to keep up with the advancing technology systems in organizations.
As the market evolves, capabilities that were once cutting edge become default and new functionality becomes differentiating. Basic forensic analysis has become a Table Stakes capability and should no longer be used to differentiate solutions. Instead, focus on advanced detection methods and usability to get the best fit for your requirements.
SIEM vendor selection / knock-out criteria: market share, mind share, and platform coverage

SIEM solutions aggregate machine data in real time for risk management, using analysis and correlation to provide network event monitoring, user activity monitoring, and compliance reporting, and they store and report data for incident response, forensics, and regulatory compliance.
For this Vendor Landscape, Info-Tech focused on vendors that offer broad capabilities across multiple platforms and that have a strong market presence and/or reputation among mid- and large-sized enterprises.

Included in this Vendor Landscape:
AlienVault. Provides a robust security management product with an impressive threat intelligence feed.
EventTracker. While a smaller vendor, EventTracker provides a SIEM product for the resource-constrained.
HP. One of the largest technology vendors in the market; provides a highly feature-rich SIEM solution in this Vendor Landscape.
IBM. Provides strong event and log management and threat detection across networks and applications.
LogRhythm. As a dedicated vendor, LogRhythm offers the most feature-rich product, with the ability to adapt to trends.
Intel Security. As a diverse and competitive vendor, Intel Security offers a strong and reliable SIEM product.
NetIQ. Has a strong foundational SIEM offering with a competitive price point.
RSA. Offers a highly advanced SIEM product geared toward large-scale, high-demand security organizations.
SolarWinds. Offers a robust SIEM for resource-constrained organizations with potential compliance needs.
Splunk. As a big data software company, Splunk offers a very strong SIEM for high-capacity and unique environments.
Table Stakes represent the minimum standard; without these, a product doesn't even get reviewed

Vendor Landscape Overview

What does this mean?
The products assessed in this Vendor Landscape™ meet, at the very least, the requirements outlined as Table Stakes. Many of the vendors go above and beyond the outlined Table Stakes, some in multiple categories. This section highlights the products' capabilities in excess of the criteria listed here.

The Table Stakes
Feature | What it is
Basic CAN | Collection from firewall and network logs, IDS logs, Windows server logs, web server logs, and various syslog sources
Basic Reporting | Availability of a variety of out-of-the-box reports that can be customized by the client and run on a scheduled and ad hoc basis
Basic Alerting | Logging for all correlated events and alerting via dashboard alert/email/SMS/etc. for those that exceed a given threshold or meet specific alert criteria
Basic Correlation | Out-of-the-box correlation policies for basic CAN data and baselining, acting in near real time
Basic Forensic Analysis | Ability to generate custom data queries through flexible drill-down and pivot capabilities
Basic Data Management Security and Retention | Protection of SIEM data from unauthorized access or modification, and adequate storage capacity

If Table Stakes are all you need from your SIEM solution, the only true differentiator is price. Otherwise, dig deeper to find the best price-to-value for your needs.
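The Table Stakes above name collection, correlation, and alerting as features without showing what they look like operationally. The block below is an added example, not code from Info-Tech or from any vendor in this Landscape: it normalizes raw lines in three constructed formats (sshd syslog, a firewall deny line, a Windows security event exported as key=value pairs) onto one schema, then runs two near-real-time correlation rules with thresholds and windows and emits the alerts a dashboard or notifier would receive. The line formats, field names, event IDs, thresholds and windows are illustrative assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from any real system) in three formats a
# table-stakes collector must handle: Linux sshd syslog, a firewall deny line,
# and a Windows security event exported as key=value pairs.
SAMPLE_LINES = [
    "2015-03-01T10:00:01 host1 sshd[201]: Failed password for root from 203.0.113.9 port 5001 ssh2",
    "2015-03-01T10:00:07 host1 sshd[201]: Failed password for root from 203.0.113.9 port 5002 ssh2",
    "2015-03-01T10:00:12 host1 sshd[201]: Failed password for admin from 203.0.113.9 port 5003 ssh2",
    "2015-03-01T10:00:20 host1 sshd[201]: Failed password for admin from 203.0.113.9 port 5004 ssh2",
    "2015-03-01T10:00:25 host1 sshd[201]: Failed password for admin from 203.0.113.9 port 5005 ssh2",
    "2015-03-01T10:00:31 host1 sshd[201]: Accepted password for admin from 203.0.113.9 port 5006 ssh2",
    "2015-03-01T10:02:00 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=3389",
    "2015-03-01T10:05:00 dc1 WinSecurity EventID=4625 TargetUserName=bob IpAddress=10.0.0.23 Status=0xC000006D",
    "2015-03-01T10:05:09 dc1 WinSecurity EventID=4624 TargetUserName=bob IpAddress=10.0.0.23 LogonType=10",
]

SSH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
FW_RE = re.compile(r"^(\S+) (\S+) kernel: DENY .*?SRC=(\S+) DST=(\S+)")
WIN_RE = re.compile(r"^(\S+) (\S+) WinSecurity EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)")
WIN_ACTIONS = {"4625": "logon_fail", "4624": "logon_success"}  # assumed subset of event IDs

# Correlation parameters (illustrative; tune per environment).
FAIL_THRESHOLD = 5                         # failures from one source ...
FAIL_WINDOW = timedelta(seconds=60)        # ... inside this window => brute force
PRIOR_FAILS_FOR_SUCCESS = 3                # success preceded by this many failures ...
SUCCESS_LOOKBACK = timedelta(seconds=300)  # ... inside this window => possible compromise


def normalize(line):
    """Map one raw line onto a common schema {ts, host, action, user, src};
    return None for lines no parser claims (a real collector would count those)."""
    m = SSH_RE.match(line)
    if m:
        ts, host, outcome, user, src = m.groups()
        action = "logon_fail" if outcome == "Failed" else "logon_success"
        return {"ts": datetime.fromisoformat(ts), "host": host, "action": action, "user": user, "src": src}
    m = WIN_RE.match(line)
    if m:
        ts, host, event_id, user, src = m.groups()
        action = WIN_ACTIONS.get(event_id)
        if action is None:
            return None
        return {"ts": datetime.fromisoformat(ts), "host": host, "action": action, "user": user, "src": src}
    m = FW_RE.match(line)
    if m:
        ts, host, src, dst = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "action": "fw_deny",
                "user": None, "src": src, "dst": dst}
    return None


def correlate(events):
    """Stateful near-real-time correlation over time-ordered events. Returns the
    alerts a dashboard/email/SMS notifier would receive."""
    fails = defaultdict(deque)   # src -> timestamps of recent logon_fail events
    muted_until = {}             # src -> do not re-raise brute_force before this time
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, now, q = ev["src"], ev["ts"], fails[ev["src"]]
        while q and now - q[0] > SUCCESS_LOOKBACK:   # expire state outside the longest window
            q.popleft()
        if ev["action"] == "logon_fail":
            q.append(now)
            recent = sum(1 for t in q if now - t <= FAIL_WINDOW)
            if recent >= FAIL_THRESHOLD and muted_until.get(src, now) <= now:
                alerts.append({"rule": "brute_force", "src": src, "ts": now, "count": recent})
                muted_until[src] = now + FAIL_WINDOW   # one alert per window, not one per event
        elif ev["action"] == "logon_success" and len(q) >= PRIOR_FAILS_FOR_SUCCESS:
            alerts.append({"rule": "success_after_failures", "src": src, "user": ev["user"],
                           "ts": now, "prior_failures": len(q)})
            q.clear()   # the success consumed this burst
    return alerts


def run(lines=SAMPLE_LINES):
    """Collect -> normalize -> correlate; returns (normalized events, alerts)."""
    events = [e for e in map(normalize, lines) if e is not None]
    return events, correlate(events)


if __name__ == "__main__":
    for alert in run()[1]:
        print(alert)
```

On the constructed input this raises two alerts for 203.0.113.9 (five failures inside 60 seconds, then a success after repeated failures) and none for the Windows host, whose single failure stays under threshold. The muting step is the part most often forgotten when evaluating "basic alerting": without it a sustained brute force raises one alert per event and floods the very dashboard the criterion is meant to feed.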
Advanced Features are the capabilities that allow for granular differentiation of market players and use-case performance

Vendor Landscape Overview

Scoring Methodology
Info-Tech scored each vendor's features on a cumulative four-point scale. Zero points are awarded to features that are deemed absent or unsatisfactory, one point to features that are partially present, two points to features that require an extra purchase in the vendor's product portfolio or through a third party, three points to features that are fully present and native to the solution, and four points to the best-of-breed native feature.

Feature | What we looked for
Advanced Data Enrichment | Advanced CAN from various log and non-log data sources (identity, database, application, configuration, NetFlow, cloud, file integrity, etc.) with full packet capture ability
Advanced Correlation | Advanced pre-built policies, user-defined policies, behavioral policies, machine-learning-style policies, and inclusion of host criticality information
Big Data Analytics | Use of big-data-style analytics through integration with purpose-built big data tools or native capabilities, all based on advanced security analytic methods
Advanced Reporting and Alerting | Pre-built reporting and alerting libraries, customizable dashboards, compliance use-case support, various alerting options, and integration with external reporting and third-party workflow tools
Forensic Analysis Support | Advanced query capabilities against all collected data with pre-built and custom drill-down, pivot, and parsing, with export functions and event session reconstruction
Data Management Security and Retention | Granular access controls to system data, protection of SIEM data, system access monitoring, external storage integration, and efficient data compression
Threat Intelligence Feed | Security threat intelligence feed integration with the ability to update multiple uses and control updating behaviors
Incident Management and Remediation | Advanced detection and incident management with pre-built and customizable remediation capabilities, integration with workflow systems, and optional automatic remediation through integration
Full Security Threat Visibility | Integration with security technologies for monitoring, incident analysis, and data enrichment to support the ability to track and analyze a series of related events
Scalability and Network Performance | The product's ability to scale horizontally and vertically while employing various methods to reduce any latency impacts from CAN activities
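The Data Management Security and Retention criterion asks for protection of SIEM data, external storage integration and efficient compression, but the report does not say what "protection" means for retained events that later back an investigation or an audit. As an added illustration (not any vendor's implementation and not code from the original report), the block below shows one way to make a retained event stream tamper-evident: an HMAC hash chain over canonicalized events, a compressed archive, and a separately stored head tag that catches silent truncation. The signing key, the event schema and the sample records are constructed assumptions.

```python
import hashlib
import hmac
import json
import zlib

# Assumption: a per-deployment signing key held outside the event store (HSM/KMS
# in practice). The constant exists only so the example runs stand-alone.
RETENTION_KEY = b"example-retention-key-do-not-reuse"
GENESIS = b"\x00" * 32

# Constructed sample of normalized events as a SIEM would retain them (not real data).
SAMPLE_EVENTS = [
    {"ts": "2015-03-01T10:00:01", "host": "host1", "action": "logon_fail", "user": "root", "src": "203.0.113.9"},
    {"ts": "2015-03-01T10:00:31", "host": "host1", "action": "logon_success", "user": "admin", "src": "203.0.113.9"},
    {"ts": "2015-03-01T10:02:00", "host": "fw1", "action": "fw_deny", "user": None, "src": "198.51.100.7"},
    {"ts": "2015-03-01T10:05:09", "host": "dc1", "action": "logon_success", "user": "bob", "src": "10.0.0.23"},
]


def canonical(event):
    """Deterministic byte encoding so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def seal(events, key=RETENTION_KEY):
    """Build an append-only chain: each record's tag is an HMAC over the previous tag
    and the event, so editing, deleting or reordering any record breaks every tag after it."""
    records, prev = [], GENESIS
    for ev in events:
        tag = hmac.new(key, prev + canonical(ev), hashlib.sha256).digest()
        records.append({"event": dict(ev), "tag": tag.hex()})  # copy: callers may mutate ev
        prev = tag
    return records


def verify(records, key=RETENTION_KEY):
    """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        expected = hmac.new(key, prev + canonical(rec["event"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), rec["tag"]):
            return False, i
        prev = expected
    return True, None


def archive(records):
    """Compress the sealed records for retention. The head tag is returned separately:
    stored apart from the blob (for example in the retention index), it lets a reader
    detect truncation of the archive tail, which per-record tags alone cannot."""
    blob = zlib.compress(json.dumps(records).encode(), 9)
    head = records[-1]["tag"] if records else GENESIS.hex()
    return blob, head


def restore(blob, head, key=RETENTION_KEY):
    """Decompress and verify. Returns (records, ok, first_bad_index)."""
    records = json.loads(zlib.decompress(blob))
    ok, bad = verify(records, key)
    if ok:
        actual_head = records[-1]["tag"] if records else GENESIS.hex()
        if not hmac.compare_digest(actual_head, head):
            return records, False, len(records)  # tail truncated or head swapped
    return records, ok, bad


if __name__ == "__main__":
    recs = seal(SAMPLE_EVENTS)
    print("intact:", verify(recs))
    recs[1]["event"]["user"] = "attacker"
    print("after tamper:", verify(recs))
```

The chain answers the "protection of SIEM data" question only for integrity; granular access control and system access monitoring from the same criterion are separate controls. The design choice worth noting is the head tag kept outside the archive: an attacker who can delete the last records of a compressed blob leaves a chain that still verifies, so integrity of a retention store needs an anchor the store itself does not hold.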
Vendor scoring focused on overall product attributes and vendor performance in the market

Vendor Landscape Overview

Scoring Methodology
Info-Tech Research Group scored each vendor's overall product attributes, capabilities, and market performance.
Features are scored individually as described on the previous slide. The scores are then modified by the vendor's individual scores across the product and vendor performance features.
Usability, overall affordability of the product, and the technical features of the product are considered and scored on a five-point scale. The score for each vendor falls between worst and best in class.
The vendor's performance in the market is evaluated across four dimensions on a five-point scale. Where the vendor places on the scale is determined by factual information, industry position, and information provided by customer references and/or available from public sources.

Product Evaluation Features
Usability: The administrative interfaces are intuitive and offer streamlined workflow.
Affordability: Implementing and operating the solution is affordable given the technology.
Architecture: Multiple deployment options, platform support, and data collection methods are available.

Vendor Evaluation Features
Viability: Vendor is profitable, knowledgeable, and will be around for the long term.
Focus: Vendor is committed to a target market and the space, with a product and portfolio roadmap.
Reach: Vendor offers tiered global support coverage that is easily accessible.
Sales: Vendor channel partnering, sales strategies, and sales process allow for flexible product acquisition.
Vendor Landscape use-case scenarios are evaluated based on weightings of features and vendor/product considerations

Scoring Overview
Use cases were scored around the features identified in the general scoring as being relevant to the functional considerations and drivers for each scenario.

Calculation Overview
Advanced Features Score x Vendor Multiplier = Vendor Performance for Each Scenario
Please note that both advanced feature scores and vendor multipliers are based on the specific weightings calibrated for each scenario.
[Weighting charts: Product and Vendor Weightings; Advanced Features Weightings]
Vendor performance for each use-case scenario is documented in a weighted bar graph

Scoring Overview

Vendor Performance
Vendors qualify and rank in each use-case scenario based on their relative placement and scoring for the scenario.

Value Score™
Each use-case scenario also includes a Value Index that identifies the Value Score for a vendor relative to their price point. This additional framework is meant to help price-conscious enterprises identify vendors who provide the best "bang for the buck."

Vendor Ranking
Champion: The top vendor scored in the scenario
Leaders: The vendors who placed second and third in the scenario
Players: Additional vendors who qualified for the scenario based on their scoring
The Info-Tech SIEM Vendor Landscape:
Vendor Evaluation
Balance individual strengths to find the best fit for your enterprise

Vendor Performance
Legend (five-point scale, highest to lowest): Exemplary, Good, Adequate, Inadequate, Poor

Vendor | Product: Overall | Usability | Afford. | Arch. | Vendor: Overall | Viability | Focus | Reach | Sales
AlienVault | 2 | 3 | 2 | 3 | 3 | 3 | 3 | 2 | 2
EventTracker | 3 | 3 | 4 | 2 | 3 | 3 | 4 | 2 | 2
HP | 3 | 3 | 2 | 4 | 3 | 4 | 2 | 3 | 3
IBM | 3 | 3 | 2 | 4 | 4 | 4 | 3 | 4 | 4
LogRhythm | 4 | 4 | 4 | 2 | 3 | 3 | 4 | 3 | 3
Intel Security | 3 | 4 | 2 | 3 | 3 | 4 | 3 | 4 | 3
NetIQ | 3 | 3 | 2 | 2 | 3 | 3 | 3 | 3 | 3
RSA | 2 | 4 | 2 | 2 | 3 | 3 | 3 | 4 | 3
SolarWinds | 3 | 3 | 4 | 2 | 3 | 3 | 3 | 3 | 3
Splunk | 2 | 3 | 1 | 3 | 3 | 3 | 3 | 3 | 3
Balance individual strengths to find the best fit for your enterprise

Vendor Performance
Evaluated Features for HP, EventTracker, IBM, LogRhythm, AlienVault, and Intel Security: Advanced Data Enrichment; Advanced Correlation; Big Data Analytics*; Advanced Reporting and Alerting; Forensic Analysis and Support; Data Mgmt. Security & Retention; Threat Intelligence Feed**; Incident Mgmt. and Remediation; Full Security Threat Visibility; Scalability and Network Performance.
[Per-vendor feature ratings were presented as colored icons and are not reproduced here]
Legend: Feature is absent; Feature is partially present; Feature is present at additional cost; Feature is fully present in its native solution; Feature is best in its class.
* For Big Data Analytics, yellow (present at additional cost) denotes that an additional component must be purchased to enable big data functionality. It does not denote that the big data functionality itself carries an additional cost, since that is true for all vendors.
** For Threat Intelligence Feed, yellow denotes that an additional component must be added to accept a threat intelligence feed. It does not denote that the threat intelligence itself carries an additional cost, since that is the case for all vendors.
Balance individual strengths to find the best fit for your enterprise

Vendor Performance
Evaluated Features for SolarWinds, RSA, Splunk, and NetIQ: Advanced Data Enrichment; Advanced Correlation; Big Data Analytics*; Advanced Reporting and Alerting; Forensic Analysis and Support; Data Mgmt. Security & Retention; Threat Intelligence Feed**; Incident Mgmt. and Remediation; Full Security Threat Visibility; Scalability and Network Performance.
[Per-vendor feature ratings were presented as colored icons and are not reproduced here]
Legend: Feature is absent; Feature is partially present; Feature is present at additional cost; Feature is fully present in its native solution; Feature is best in its class.
* For Big Data Analytics, yellow (present at additional cost) denotes that an additional component must be purchased to enable big data functionality. It does not denote that the big data functionality itself carries an additional cost, since that is true for all vendors.
** For Threat Intelligence Feed, yellow denotes that an additional component must be added to accept a threat intelligence feed. It does not denote that the threat intelligence itself carries an additional cost, since that is the case for all vendors.
Product: Security Intelligence Platform
Employees: 450
Headquarters: Boulder, CO
Website: logrhythm.com
Founded: 2003
Presence: Privately held

LogRhythm has consistently improved its product offering to become a dominant choice for mid-market organizations

Overview
LogRhythm is a dedicated SIEM security vendor offering a solution geared toward simplified monitoring and management of its modular platform. Recent focus on reduced complexity and improved usability, in addition to a historical focus on advanced analytics, has spurred high growth for LogRhythm.

Strengths
LogRhythm's unified Security Analytics platform, which combines SIEM, log management, FIM, and machine analytics, provides enhanced threat visibility and management.
Advanced correlation and pattern recognition are provided by LogRhythm's Advanced Intelligence (AI) Engine.
Faster-than-typical deployment timeframes.
A recent capability, the Identity Inference Engine, can infer missing identity information from analyzed event data.

Challenges
LogRhythm's machine-learning-style correlation policies are less mature.
As a dedicated SIEM vendor, there is little possibility of LogRhythm becoming a strategic vendor from which value across multiple product purchases can be realized.

Vendor Landscape
3-year TCO for this solution falls into pricing tier 6, between $50,000 and $100,000 (pricing scale: $1 to $1M+).
Pricing solicited from the vendor.
LogRhythm's focus on SIEM alone has produced a fully featured, yet uncomplicated, product

Info-Tech Recommends:
With one of the best feature offerings paired with a surprisingly low price tag, organizations of all kinds should consider shortlisting LogRhythm.

Vendor Landscape
Product: Overall 4 | Usability 4 | Afford. 4 | Arch. 2
Vendor: Overall 3 | Viability 3 | Focus 4 | Reach 3 | Sales 3

Features
Rated on Advanced Data Enrichment, Advanced Correlation, Big Data Analytics, Reporting and Alerting, Forensic Analysis, Data Mgmt. and Retention, Threat Intelligence, Incident Mgmt. & Remediation, Full Security Threat Visibility, and Scalability and Performance. [Rating icons not reproduced]

Use-Case Scenario Performance
Scenario | Value Index | Scenario Performance
Threat Management | 2 | 1
Compliance Management | 1 | 1
Mgmt. of Security Events | 1 | 1
SIEM Small Deployment | 1 | 1
Risk Management | 1 | 1
Product: AlienVault Unified Security Management (USM)
Employees: 175
Headquarters: San Mateo, CA
Website: alienvault.com
Founded: 2007; entered the SIEM market in 2011
Presence: Privately held

The USM platform offers traditional SIEM functionality with other major security capabilities built into the product

Overview
AlienVault's USM is an all-in-one platform that combines several security capabilities (asset discovery, threat detection, vulnerability assessment, and behavioral monitoring, in addition to SIEM) with integrated expert threat intelligence.

Strengths
Combining strong detection, monitoring, and continuously updated threat intelligence, AlienVault USM has been shown to provide robust data enrichment and advanced event correlation.
In particular, AlienVault has an extensive threat intelligence feed that is regularly updated from open sources as well as its own research lab.

Challenges
AlienVault USM lacks native big data integration, a step many SIEM providers have taken in the past year.
AlienVault as a vendor does not have a great deal of international support presence and offers limited language coverage.

Vendor Landscape
3-year TCO for this solution falls into pricing tier 8, between $250,000 and $500,000 (pricing scale: $1 to $1M+).
Pricing provided by vendor.
The USM platform is designed so that mid-market organizations can defend themselves from a single pane of glass

Info-Tech Recommends:
Organizations with mid-level threat concerns and a preference for unified management tools should shortlist AlienVault.
Although often not identified as a SIEM product, AlienVault USM is a shortlist candidate for any organization seeking a threat management use case. AlienVault can be configured to send information to a purpose-built big data repository.
AlienVault Labs' threat research team provides customers with regular updates (approximately every 30 minutes) of real-time threat data, including patterns and definitions of new threats and how to remediate them.
AlienVault places a high importance on ease of use and initial deployment. This makes USM an ideal fit for mid-market organizations that are resource-constrained in budget and staffing but still need to protect against advanced threats.

Features
Rated on Advanced Data Enrichment, Advanced Correlation, Big Data Analytics, Reporting and Alerting, Forensic Analysis, Data Mgmt. and Retention, Threat Intelligence, Incident Mgmt. & Remediation, Full Security Threat Visibility, and Scalability and Performance. [Rating icons not reproduced]

Vendor Landscape
Product: Overall 2 | Usability 3 | Afford. 2 | Arch. 3
Vendor: Overall 3 | Viability 3 | Focus 3 | Reach 2 | Sales 2

Use-Case Scenario Performance
Scenario | Value Index | Scenario Performance
Threat Management | 8th | 7th
Product: EventTracker Enterprise
Employees: 96
Headquarters: Columbia, MD
Website: eventtracker.com
Founded: 2000; entered the SIEM market in 2001
Presence: Privately held

Aimed at the small to mid market, EventTracker has a quick time to value with multiple out-of-the-box features

Overview
While EventTracker may be a smaller vendor, EventTracker Enterprise has proven to be a simplified SIEM focused on helping small to medium organizations that are often resource-constrained.

Strengths
EventTracker enables customers to take advantage of a tailored RunBook that details the regular activities that must be carried out.
With a strong focus on legal and regulatory compliance, EventTracker helps customers pass audits and meet requirements.

Challenges
Because it is a smaller organization, EventTracker does not have a large international support presence, which may be desirable for customers with worldwide offices.
Limited data collection and enrichment narrow network visibility.
No integration with third-party reporting tools or ticket/workflow tools limits the full reporting capabilities organizations often require.

Vendor Landscape
3-year TCO for this solution falls into pricing tier 6, between $50,000 and $100,000 (pricing scale: $1 to $1M+).
Pricing provided by vendor.
Basic detection and monitoring capabilities are supported by strong operations, reporting, and usability

Info-Tech Recommends:
EventTracker has a very short deployment time, allowing organizations to realize a quick time to value. Designed for resource-constrained organizations, the graphical interface is a simple model that lets users easily customize and define dashboards. EventTracker uniquely receives data at a virtual collection point, where the data is indexed and detection analysis is performed. The data is then stored and is normalized only when it is queried. This "fast in" model keeps ingest cheap, but because detection runs before normalization it is limited to known incidents. Small to mid-sized organizations that require log management and compliance management, with limited major threats, should shortlist EventTracker.

Vendor Landscape
Product: Overall 3 | Usability 3 | Afford. 4 | Arch. 2
Vendor: Overall 3 | Viability 3 | Focus 4 | Reach 2 | Sales 2

Features
Rated on Advanced Data Enrichment, Advanced Correlation, Big Data Analytics, Reporting and Alerting, Forensic Analysis, Data Mgmt. and Retention, Threat Intelligence, Incident Mgmt. & Remediation, Full Security Threat Visibility, and Scalability and Performance. [Rating icons not reproduced]

Use-Case Scenario Performance
Scenario | Value Index | Scenario Performance
Compliance Management | 4th | 2nd
SIEM Small Deployment | 3 | 2nd
Product: ArcSight Enterprise Security Manager (ESM)
Employees: 317,500
Headquarters: Palo Alto, CA
Website: arcsight.com
Founded: 2000
Presence: NYSE:HPQ (Hewlett-Packard)

Although the ESM product is still best suited for large-scale use, HP offers other SIEM products for smaller deployments

Overview
ArcSight ESM is one of the log management solutions in HP's Enterprise Security Products (ESP). ArcSight offers a variety of SIEM solutions that range from SME to enterprise businesses.

Strengths
Threat intelligence is provided by HP's own feed and by third-party feeds, providing fast, robust, up-to-date threat knowledge.
ArcSight Threat Response Manager (ArcSight TRM) allows automated remediation of threats based on actionable events.
IdentityView and ThreatDetector provide advanced behavior analysis functionality.
ESM version 6, with the Correlation Optimized Retention and Retrieval (CORR) Engine, improved EPS capacity and reduced complexity.

Challenges
Even with the CORR Engine reducing complexity, ArcSight ESM remains highly complex to deploy and operate.
HP lacks some basic forensic analysis capabilities.
Limited integration with third-party technologies for remediation actions limits its ability to shorten time to incident resolution.
Correlation profiling and detection are done on historical data only.

Vendor Landscape
3-year TCO for this solution falls into pricing tier 8, between $250,000 and $500,000 (pricing scale: $1 to $1M+).
Pricing solicited from public sources.
Once a dominant player, ArcSight is now comparable to many other SIEM products

Info-Tech Recommends:
ArcSight provides strong detection by tying activity monitoring to contextual events. ArcSight is a SEM-focused product. Although a strong product, its high price tag and stagnant product development are of concern. Threat management and fraud detection use cases should shortlist ArcSight.

Vendor Landscape
Product: Overall 3 | Usability 3 | Afford. 2 | Arch. 4
Vendor: Overall 3 | Viability 4 | Focus 2 | Reach 3 | Sales 3

Features
Rated on Advanced Data Enrichment, Advanced Correlation, Big Data Analytics, Reporting and Alerting, Forensic Analysis, Data Mgmt. and Retention, Threat Intelligence, Incident Mgmt. & Remediation, Full Security Threat Visibility, and Scalability and Performance. [Rating icons not reproduced]

Use-Case Scenario Performance
Scenario | Value Index | Scenario Performance
Threat Management | 4th | 6th
Mgmt. of Security Events | 6th | 6th
SIEM Small Deployment | 7th | 7th
Risk Management | 4th | 6th
Product: QRadar SIEM
Employees: 400,000+
Headquarters: Waltham, MA
Website: ibm.com
Founded: 2001 (Q1 Labs)
Presence: NYSE:IBM

QRadar continues to be one of the strongest SIEM products in the market with a tightly integrated platform

Overview
QRadar SIEM provides log, event, and incident management across heterogeneous IT environments. IBM's vast IT and security offerings, combined with QRadar's technology consolidation, make it a shortlist candidate for any information security need.

Strengths
Its exceptional anomaly detection capabilities allow detection of internal misuse or fraud within the organization, and can be extended to discover APTs.
By establishing baselines of applications, users, and access profiles, QRadar can identify when something abnormal is occurring within the network.
Simplified deployment through auto-detection of log sources and passive NetFlow monitoring to detect network assets.

Challenges
QRadar lacks automated remediation capabilities as part of the native SIEM function.
On-premise deployment is limited to segmented servers, which limits clients' ability to scale the product in more than one way.

Vendor Landscape
3-year TCO for this solution falls into pricing tier 7, between $100,000 and $250,000 (pricing scale: $1 to $1M+).
Pricing provided by vendor.
Robust log and event management and simple usability are all supported by strong detection capabilities

Info-Tech Recommends:
APT, compliance management, and high-capacity use cases are best suited to QRadar.

Vendor Landscape
Product: Overall 3 | Usability 3 | Afford. 2 | Arch. 4
Vendor: Overall 4 | Viability 4 | Focus 3 | Reach 4 | Sales 4

Features
Rated on Advanced Data Enrichment, Advanced Correlation, Big Data Analytics, Reporting and Alerting, Forensic Analysis, Data Mgmt. and Retention, Threat Intelligence, Incident Mgmt. & Remediation, Full Security Threat Visibility, and Scalability and Performance. [Rating icons not reproduced]

Use-Case Scenario Performance
Scenario | Value Index | Scenario Performance
Threat Management | 3 | 5th
Compliance Management | 2 | 7th
Mgmt. of Security Events | 3 | 5th
SIEM Small Deployment | 6th | 6th
Risk Management | 3 | 5th
Product: McAfee Enterprise Security Manager (ESM)
Employees: 7,923
Headquarters: Santa Clara, CA
Website: intelsecurity.com
Founded: 1987
Presence: NASDAQ:INTC (Intel)

Intel Security continues to realize value from embedding McAfee security into computing architecture and platforms

Overview
As one of the largest security technology companies, Intel Security offers a robust SIEM solution with add-on product functionality. McAfee ESM scales from medium to enterprise size, with a historical focus on organizations with high security demands.

Strengths
Correlation is distributed via Event Receivers or the Advanced Correlation Engine (ACE), which can run correlation rules in real time or against historical data.
Intel Security allows real-time monitoring of internal and external threats and ad hoc query of logs.
Real-time information about what data is searchable is provided, allowing queries to be limited to highly relevant data.
McAfee Global Threat Intelligence is a reputable threat source.

Challenges
Despite high ingest rates and high query performance, the lack of effort to minimize latency from event normalization is a concern.
Currently, ESM does not offer NetFlow de-duplication or support for sFlow.

Vendor Landscape
3-year TCO for this solution falls into pricing tier 7, between $100,000 and $250,000 (pricing scale: $1 to $1M+).
Pricing solicited from public sources.
Improved technology integration across Intel Security products enhances strategic vendor value

Info-Tech Recommends:
McAfee should be a shortlist candidate for most use cases, as it will predictably continue to offer strong products and will fight for market leadership.

Vendor Landscape
Product                                 Vendor
Overall  Usability  Afford.  Arch.      Overall  Viability  Focus  Reach  Sales
3        4          2        3          3        4          3      4      3

Features
Advanced Data Enrichment
Advanced Correlation
Big Data Analytics
Reporting and Alerting
Forensic Analysis
Data Mgmt. and Retention
Threat Intelligence
Incident Mgmt. & Remediation
Full Security Threat Visibility
Scalability and Performance

Use-Case Scenario Performance
Scenario                     Value Index   Scenario Performance
Threat Management            1             2nd
Compliance Management        3             5th
Mgmt. of Security Events     2             3rd
SIEM Small Deployment        4th           5th
Risk Management              2             2nd
Product: Sentinel
Employees: 4,500+
Headquarters: Houston, TX
Website: netiq.com
Founded: 1995
Presence: Privately held

Strong identity security offerings and enhanced cross-product integration make NetIQ a strategic vendor

Overview
NetIQ, a recent acquisition and now a principal brand of the Micro Focus Group, offers a broad portfolio of IT solutions and services. Sentinel blends change and identity management functionality and now offers a flexible SIEM solution.

Strengths
Sentinel provides a very flexible architecture that works in almost every environment. This is ideal for security architects looking for a great deal of customization.
The SIEM product is easy to deploy and begins to collect data, identify devices, and manage threats almost immediately.
Fully customizable data management policies cover a breadth of retention and storage needs.
Sentinel offers customizable indexing and compression.

Challenges
NetIQ supports third-party threat intelligence as a source of context, but is limited in how that information can be used when compared to other vendors.
Sentinel has fewer pre-packaged remediation capabilities than the other vendors evaluated, limiting competitiveness on time to incident resolution.

Vendor Landscape
3-year TCO for this solution falls into pricing tier 6, between $50,000 and $100,000 (pricing scale: $1 to $1M+)
Pricing provided by vendor
NetIQ provides strong compliance documentation and data management for regulatory use cases

Info-Tech Recommends:
An overall strong feature score, enhanced by an attractive price point, means mid-market organizations should shortlist Sentinel and watch for developments from the acquisition.

Vendor Landscape
Product                                 Vendor
Overall  Usability  Afford.  Arch.      Overall  Viability  Focus  Reach  Sales
3        3          2        2          3        3          3      3      3

Features
Advanced Data Enrichment
Advanced Correlation
Big Data Analytics
Reporting and Alerting
Forensic Analysis
Data Mgmt. and Retention
Threat Intelligence
Incident Mgmt. & Remediation
Full Security Threat Visibility
Scalability and Performance

Use-Case Scenario Performance
Scenario                     Value Index   Scenario Performance
Threat Management            7th           3rd
Compliance Management        5th           4th
Mgmt. of Security Events     7th           2nd
SIEM Small Deployment        5th           4th
Risk Management              6th           3rd
Product: RSA Security Analytics (SA)
Employees: 60,000 (EMC)
Headquarters: Bedford, MA
Website: rsa.com
Founded: 1982, SIEM market 2006
Presence: NYSE: EMC

RSA Security Analytics provides event management, threat detection, and incident investigation for high-demand use cases

Overview
RSA, the security division of EMC, is recognized as a leading security vendor. Having evolved from a SIEM product, Security Analytics is the next-generation monitoring product from RSA, focusing on monitoring and investigation capabilities.

Strengths
RSA's Security Analytics combines SIEM and network monitoring with forensic analysis in a single solution.
With its unique architecture, large volumes of data can be consumed, analyzed, and investigated, and the product can correlate various data types such as packets, logs, NetFlow, and endpoint data.
Comprehensive data analysis can be done on the Warehouse component, which is based on Pivotal, a Hadoop system.

Challenges
RSA is primarily focused on security monitoring deployments for mid-size and large organizations that are security-focused.
RSA Security Analytics is a modular solution that increases in complexity as the requirements for data ingestion, analysis, and investigation increase.
Due to SA's focus on advanced monitoring and forensic investigation, it lacks comparable incident remediation capabilities.

Vendor Landscape
3-year TCO for this solution falls into pricing tier 8, between $250,000 and $500,000 (pricing scale: $1 to $1M+)
Pricing solicited from public sources
Built for high-capacity, heterogeneous network security use cases; smaller organizations should be wary

Info-Tech Recommends:
Security Analytics is a modular product with a focus on detection and investigation, paired with high scalability. Large enterprises with high security demands that already have SOC-style capabilities in-house, or have large staffing resources to dedicate, should shortlist RSA.

Vendor Landscape
Product                                 Vendor
Overall  Usability  Afford.  Arch.      Overall  Viability  Focus  Reach  Sales
2        4          2        2          3        3          3      4      3

Features
Advanced Data Enrichment
Advanced Correlation
Big Data Analytics
Reporting and Alerting
Forensic Analysis
Data Mgmt. and Retention
Threat Intelligence
Incident Mgmt. & Remediation
Full Security Threat Visibility
Scalability and Performance

Use-Case Scenario Performance
Scenario                     Value Index   Scenario Performance
Threat Management            6th           4th
Compliance Management        7th           6th
Mgmt. of Security Events     4th           4th
Risk Management              7th           4th
Product: Log & Event Manager (LEM)
Employees: 1,600+
Headquarters: Austin, TX
Website: solarwinds.com
Founded: 1999, SIEM market 2011
Presence: NASDAQ: SWI

LEM offers traditional SIEM capabilities with embedded log management, file integrity monitoring, and active response

Overview
SolarWinds traditionally serves the mid-market by providing a simple SIEM solution for IT departments that are resource-constrained, and integrates with other security technologies to provide a holistic security view.

Strengths
SolarWinds LEM provides advanced reporting with many different reports that can be customized to view historical and compliance data.
SolarWinds LEM provides advanced correlation rules out of the box that offer insight into suspicious behavior, insider abuse, and change management.
High usability, easy implementation, and pre-packaged content ensure a quick time to value.

Challenges
SolarWinds does not have an automated threat intelligence feed; threat intelligence must be manually imported by users.
The product does not officially expose any APIs that can be leveraged by other applications and middleware for integration.
Limited data collection sources can impede full network visibility.

Vendor Landscape
3-year TCO for this solution falls into pricing tier 6, between $50,000 and $100,000 (pricing scale: $1 to $1M+)
Pricing provided by vendor
A strong focus on usability and deployment limits additional costs for consulting, training, or internal resource dedication

Info-Tech Recommends:
SolarWinds LEM focuses on being easy to deploy and use, which is perfect for resource-constrained organizations that will not want to spend extra on consulting or training. Many out-of-the-box features, such as threat intelligence, deliver a quick time to value. USB access is blocked with its USB Defender, making LEM suited to organizations concerned with data theft via removable media. LEM offers traditional SIEM functionality plus other functions such as automated remediation capabilities and file integrity monitoring. SolarWinds is a good fit for small to mid-sized companies that require a SIEM with easy deployment and easy operations at the lower end of the price range.

Vendor Landscape
Product                                 Vendor
Overall  Usability  Afford.  Arch.      Overall  Viability  Focus  Reach  Sales
3        3          4        2          3        3          3      3      3

Features
Advanced Data Enrichment
Advanced Correlation
Big Data Analytics
Reporting and Alerting
Forensic Analysis
Data Mgmt. and Retention
Threat Intelligence
Incident Mgmt. & Remediation
Full Security Threat Visibility
Scalability and Performance

Use-Case Scenario Performance
Scenario                     Value Index   Scenario Performance
Compliance Management        6th           3rd
SIEM Small Deployment        2             3rd
Product: Splunk Enterprise
Employees: 1,700
Headquarters: San Francisco, CA
Website: splunk.com
Founded: 2004
Presence: NASDAQ: SPLK

Splunk has developed all of its product capabilities rapidly in recent years, but it is still extremely complex and costly

Overview
Splunk is known for its ability to enhance IT operations through analytics, but it can be dedicated to SIEM-related tasks and help provide advanced threat detection. Security is now a major focus of Splunk, in contrast to its earlier solutions and efforts.

Strengths
Splunk's wide range of offerings and add-ons allows it to move beyond a simple SIEM function and affect many different business operations and capabilities.
With flexible and customizable analytics, Splunk proves to be one of the leaders in advanced correlation.
Splunk is one of the few vendors that provides hybrid deployments covering both the cloud and on-premise hardware.

Challenges
Splunk Enterprise can be complex and time-consuming to implement, especially as a great deal of customization is needed.

Vendor Landscape
3-year TCO for this solution falls into pricing tier 8, between $250,000 and $500,000 (pricing scale: $1 to $1M+)
Pricing provided by vendor
The pricing provided is based on a security pricing scenario; pricing that factors in the other use cases commonly supported by the Splunk platform will potentially lead to lower tiers.
Splunk is best suited for heterogeneous, high-capacity, security-demanding organizations with unstructured data

Info-Tech Recommends:
Splunk offers some of the industry's best query capabilities. Splunk does not use a relational database, which allows all fields of the indexed data to be available for query quickly. This fast querying is best suited for organizations concerned with quick incident and breach response times. Originally not designed for security, Splunk can offer business intelligence capabilities, providing a multi-purpose solution. Splunk is deployed by operations teams to support log management, correlation analysis, and incident or breach investigations. Given the high staffing and deployment cost, organizations looking to shortlist Splunk should also consider taking advantage of Splunk's non-security products.

Vendor Landscape
Product                                 Vendor
Overall  Usability  Afford.  Arch.      Overall  Viability  Focus  Reach  Sales
2        3          1        3          3        3          3      3      3

Features
Advanced Data Enrichment
Advanced Correlation
Big Data Analytics
Reporting and Alerting
Forensic Analysis
Data Mgmt. and Retention
Threat Intelligence
Incident Mgmt. & Remediation
Full Security Threat Visibility
Scalability and Performance

Use-Case Scenario Performance
Scenario                     Value Index   Scenario Performance
Threat Management            5th           8th
Mgmt. of Security Events     5th           7th
Risk Management              5th           7th