What is a SIEM tool?
A SIEM (security information and event management) tool collects and analyzes security-relevant events from across an environment and helps detect, prevent and respond to active attacks, usually from a centrally managed console that provides a top-level view. The layers of a SIEM platform take in telemetry from end-user systems, servers, network devices, active traffic and resource utilization, covering everything that technological operations entail, whether on premises or remote.
This depth of coverage usually comes at a hefty cost. Companies should treat the investment in SIEM software as a preventative measure that reduces the far larger outlay a breach can force afterwards: remediating the attack, settling lawsuits or paying damages.
There’s no shortage of quality security solutions to choose from – here are 10 of the best SIEM software products. Note that where the information was available, I identify the applicable platforms related to each product.
How do SIEM tools work?
SIEM tools are built on device logging: records of activity, access, changes, traffic and resource utilization, covering everything a device does on its own or at a user's direction. The SIEM gathers those logs from every source in the environment, normalizes them into a common event format, correlates related events across sources and presents IT personnel with an analysis of what is happening as well as what needs to happen next.
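The pipeline described above, reduced to working code, as an added example that is not code from SolarWinds, Splunk, Datadog, LogRhythm or any other product on this page. Two constructed log sources (an sshd auth log in syslog style and a firewall log in key=value style) are normalized into one event schema, merged into a single time-ordered stream, and then a time-windowed correlation rule is evaluated across them. The rule name, threshold, window, host names and addresses are illustrative assumptions, and the log lines are constructed.

```python
"""Minimal SIEM-style pipeline: collect, normalize, correlate, alert.

Added example, not code from SolarWinds, Splunk, Datadog, LogRhythm or any
other product.  Two constructed log sources (an sshd auth log in syslog style
and a firewall log in key=value style) are normalized into one event schema,
then a time-windowed correlation rule is evaluated across them.  Rule name,
thresholds, hosts and addresses are illustrative assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs (RFC 5737 documentation addresses).
AUTH_LOG = """\
2024-03-01T10:00:01 bastion sshd[411]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
2024-03-01T10:00:03 bastion sshd[411]: Failed password for root from 203.0.113.9 port 51023 ssh2
2024-03-01T10:00:05 bastion sshd[411]: Failed password for root from 203.0.113.9 port 51024 ssh2
2024-03-01T10:00:07 bastion sshd[411]: Failed password for root from 203.0.113.9 port 51025 ssh2
2024-03-01T10:00:09 bastion sshd[411]: Failed password for root from 203.0.113.9 port 51026 ssh2
2024-03-01T10:00:12 bastion sshd[411]: Accepted password for root from 203.0.113.9 port 51027 ssh2
2024-03-01T10:05:00 bastion sshd[520]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-03-01T10:05:30 bastion sshd[520]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""
FW_LOG = """\
2024-03-01T10:00:13 fw1 action=allow src=203.0.113.9 dst=10.0.0.5 dport=22
2024-03-01T10:00:20 fw1 action=allow src=10.0.0.5 dst=198.51.100.77 dport=4444
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.+)$")


def parse_auth(line):
    """Normalize one sshd line; returns None for lines the parser does not know."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "source": "sshd",
            "action": "auth_ok" if m["outcome"] == "Accepted" else "auth_fail",
            "user": m["user"], "src_ip": m["ip"]}


def parse_fw(line):
    """Normalize one firewall line into the same schema."""
    m = FW_RE.match(line)
    if not m:
        return None
    kv = dict(field.split("=", 1) for field in m["kv"].split())
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "source": "firewall",
            "action": "fw_" + kv["action"], "src_ip": kv["src"],
            "dst_ip": kv["dst"], "dport": int(kv["dport"])}


def ingest(auth_log=AUTH_LOG, fw_log=FW_LOG):
    """Collect from every source and merge into one time-ordered stream."""
    events = [parse_auth(line) for line in auth_log.splitlines()]
    events += [parse_fw(line) for line in fw_log.splitlines()]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Rule: at least `threshold` failed logins from one source IP inside
    `window`, followed by a successful login from that IP.  The alert is
    enriched with firewall events for the same IP in the same window, which
    is the cross-source view a SIEM adds over a single device's log."""
    recent_fails = defaultdict(deque)  # src_ip -> timestamps of recent failures
    alerts = []
    for ev in events:
        if ev["action"] not in ("auth_fail", "auth_ok"):
            continue
        fails = recent_fails[ev["src_ip"]]
        while fails and ev["ts"] - fails[0] > window:
            fails.popleft()  # slide the window forward
        if ev["action"] == "auth_fail":
            fails.append(ev["ts"])
            continue
        if len(fails) >= threshold:
            related = [e for e in events if e["source"] == "firewall"
                       and e["src_ip"] == ev["src_ip"] and abs(e["ts"] - ev["ts"]) <= window]
            alerts.append({"rule": "brute_force_then_success", "ts": ev["ts"],
                           "host": ev["host"], "user": ev["user"], "src_ip": ev["src_ip"],
                           "failures": len(fails), "related_firewall": related})
        fails.clear()  # a success resets the counter for that IP
    return alerts


if __name__ == "__main__":
    for alert in correlate(ingest()):
        print(alert["rule"], alert["src_ip"], alert["user"], alert["failures"],
              len(alert["related_firewall"]))
```

Run as written, it raises one alert: five failures from 203.0.113.9 followed by an accepted root password within the window, enriched with the firewall's allow entry for that address. Alice's single failure followed by a key-based login stays below threshold and produces nothing. Commercial SIEMs do the same job at scale, with hundreds of parsers in place of the two regexes here and rules expressed in a query language rather than Python, but the collect, normalize, correlate, alert shape is the same.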
Best SIEM software
SolarWinds Security Event Manager
Image: SolarWinds
SolarWinds Security Event Manager (SEM) is a comprehensive security platform with a diverse array of protection mechanisms. Highly focused on log aggregation and threat detection, with automated responses that can remediate incidents behind the scenes, SEM provides dashboards that show the state of company security at a glance. Detailed reports are available to satisfy compliance requirements, along with numerous prebuilt connectors for pulling data from log sources.
A file integrity checker tracks access to and changes made to files and folders to detect unauthorized or malicious activity. SEM also lets you leverage data encryption, single sign-on and smart card authentication, and its response actions can restrict access from specific IP addresses, block applications and deny access to removable media such as USB flash drives.
SolarWinds offers a handy guide to 62 specific use cases for SEM.
I’ve worked with SolarWinds networking tools and can attest to the quality and capability put into them. In that vein, SEM is particularly strong with network-related security events, but it’s also excellent at analyzing per-host activity such as logons, privilege use and registry alterations.
You can download a free trial.
Platforms: Windows, Linux and Mac
Price: SolarWinds says the subscription price starts at $2,369 and the perpetual license at $5,144. You can obtain a quote from SolarWinds.
Splunk Enterprise Security
Image: Splunk
I’ve worked with Splunk log monitoring and can attest to the efficacy of their efforts, which are built upon here to offer diverse security monitoring. I’ve relied upon Splunk not just for security-related event notifications but to identify resource bottlenecks, failing hardware, capacity issues and just about any other potential technological warning or event out there.
Splunk’s focus is on events and triggers: correlation searches that respond to logged conditions with customized response patterns. At-a-glance details on individual hosts are one of its superior capabilities — I’ve found it particularly handy in analyzing long-term graphs to see what a standalone host or hypervisor has been up to and where additional capacity or resources are needed.
The product is free for one user with an indexing limit of 500MB per day. You can find the trial version on Splunk’s site.
Platforms: Windows, Linux and Mac
Price: The enterprise perpetual license costs $6,000 for 500MB per day; a term license is also available for $2,000 per year. Splunk recommends contacting it directly for pricing details.
Datadog Security Monitoring
Image: Datadog Docs
I have a special fondness for Datadog products because they’re very customizable, comprehensive and just plain fun, due to their unique level of applicability. Datadog Security Monitoring doesn’t disappoint in any of those categories, either. Datadog is relied upon by tech giants such as Samsung and Comcast for SIEM protection.
It’s easy to see at a glance what’s happening with all sources being analyzed:
Image: Datadog Docs
Over 350 detection rules and more than 500 integrations with log sources provide full visibility into security operations. The product has three tiers: free, which provides collection and visualization for up to five hosts (essentially a demo), pro and enterprise. Note that the per-host tiers below are Datadog’s infrastructure monitoring plans rather than a SIEM-specific license.
The pro tier adds per-host licensing with unlimited alerts, container monitoring (10 containers per host), custom metrics (100 per host), custom events (500 per host), single sign-on with SAML and outlier detection.
The enterprise tier includes everything in pro with higher limits (20 containers per host, 200 custom metrics and 1,000 custom events) as well as automated insights, correlations, anomaly detection, forecast monitoring, live process monitoring and advanced administrative tools.
You can download a free trial.
Platforms: Windows, Linux and Mac
Price: The pro version costs $15 per host per month, and the enterprise version is $23 per host per month.
LogRhythm NextGen
Image: eWeek
LogRhythm’s strength and focus are its AI and automation features. Query-based reporting is easy to configure, and the product integrates with a broad array of security and technology solutions. “Top log source” and “top impacted hosts” panels on the dashboard make it easy to see where company priorities and concerns lie, and a bird’s-eye global map view pinpoints where hosts are being impacted and to what extent.
Integration with third-party platforms is one of the key assets of LogRhythm, and the product offers support for many popular cloud services.