Security information and event management, or SIEM, products can help security and IT professionals make sense of the incredible amounts of data generated by security and network devices. They aggregate and correlate events and logs to provide a more complete picture of network activity. Data sources typically include firewalls; switches and routers; intrusion-detection and intrusion-prevention systems; application, database, identity management, and Web servers; and workstations.
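As an added illustration of the aggregate-and-correlate step described above (not code from InformationWeek or from any of the vendors surveyed), the following Python script normalizes constructed log lines from three of the listed source types (a firewall, an intrusion-detection system, and an authentication server), groups the resulting events by source address, and raises one alert when an IDS signature is corroborated by repeated login failures within a time window. The log formats, field names, and sample addresses are invented for the example; it also shows the kind of search over normalized events that the article later lists as a rated feature.

```python
"""Toy SIEM pipeline: aggregate, normalize, correlate, search.
Added example; the log formats below are constructed, not any vendor's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feeds, one string per source type.
FEEDS = {
    "firewall": """\
2011-11-02T09:00:05 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2011-11-02T09:00:09 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2011-11-02T09:03:40 ALLOW src=198.51.100.20 dst=10.0.0.8 dport=443
""",
    "ids": """\
2011-11-02T09:01:12 ALERT sig="SSH brute force attempt" src=203.0.113.7 dst=10.0.0.5
""",
    "auth": """\
2011-11-02T09:02:01 sshd: Failed password for admin from 203.0.113.7
2011-11-02T09:02:03 sshd: Failed password for admin from 203.0.113.7
2011-11-02T09:02:06 sshd: Failed password for root from 203.0.113.7
2011-11-02T09:04:15 sshd: Accepted password for alice from 198.51.100.20
""",
}

# One parser per invented format; a real collector would have many more.
PATTERNS = {
    "firewall": re.compile(r'^(\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$'),
    "ids": re.compile(r'^(\S+) ALERT sig="([^"]+)" src=(\S+) dst=(\S+)$'),
    "auth": re.compile(r'^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$'),
}


def normalize(source, line):
    """Map one raw line onto a common event schema; None if it does not parse."""
    m = PATTERNS[source].match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    if source == "firewall":
        return {"ts": ts, "source": source, "action": m.group(2),
                "src_ip": m.group(3), "dst_ip": m.group(4), "detail": "dport=" + m.group(5)}
    if source == "ids":
        return {"ts": ts, "source": source, "action": "ALERT",
                "src_ip": m.group(3), "dst_ip": m.group(4), "detail": m.group(2)}
    return {"ts": ts, "source": source, "action": m.group(2).upper(),
            "src_ip": m.group(4), "dst_ip": None, "detail": "user=" + m.group(3)}


def aggregate(feeds):
    """Collect every parseable line from every feed into one time-ordered list."""
    events = []
    for source, text in feeds.items():
        for line in text.splitlines():
            ev = normalize(source, line)
            if ev:
                events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=5), failed_threshold=3):
    """Rule: an IDS alert plus >= threshold auth failures from the same
    source address within +/- window becomes one high-severity alert."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["src_ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        for ids_ev in (e for e in evs if e["source"] == "ids"):
            lo, hi = ids_ev["ts"] - window, ids_ev["ts"] + window
            in_win = [e for e in evs if lo <= e["ts"] <= hi]
            failures = [e for e in in_win if e["source"] == "auth" and e["action"] == "FAILED"]
            denies = [e for e in in_win if e["source"] == "firewall" and e["action"] == "DENY"]
            if len(failures) >= failed_threshold:
                alerts.append({
                    "src_ip": ip, "severity": "high", "signature": ids_ev["detail"],
                    "failed_logins": len(failures), "firewall_denies": len(denies),
                    "first_seen": min(e["ts"] for e in failures + denies + [ids_ev]),
                })
    return alerts


def search(events, **criteria):
    """Exact-match search over normalized fields, e.g. search(evs, source="auth")."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    evs = aggregate(FEEDS)
    for a in correlate(evs):
        print(a)
    print(len(search(evs, source="firewall", action="DENY")), "firewall denies")
```

The point of the normalization step is that the correlation rule only has to reason about one schema (`src_ip`, `action`, `ts`) rather than three log formats, which is also why adding a fourth feed is mostly parser work. The rule itself is deliberately simple; a production system would add suppression so the same address does not re-alert on every additional failure.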
While SIEM tools can be useful for security and IT operations, they have a reputation for complexity, partly because of the many data feeds that get connected to SIEM devices, and partly because of the rules and policies that IT has to configure for the products to provide useful information.
InformationWeek asked 322 business technology professionals who use, have used, or have evaluated SIEM products in the past 12 months to rate them on criteria such as performance and cost, as well as feature-specific criteria such as real-time alerting and log management. Our survey listed 17 vendors; of those, eight received a sufficient number of responses to be rated.
The IT pros rated Q1 Labs, which was acquired by IBM in October, tops for overall performance, with a score of 76% out of a possible 100%. Novell is on Q1's heels at 75%, and ArcSight, now owned by Hewlett-Packard, is a close third with 74%. Quest Software, Symantec, and Splunk sit in the middle of the pack with scores in the low 70s. NetIQ and Tripwire are at the bottom with scores of 69% and 68%, respectively.
These overall performance ratings are based on 10 general criteria, the most important of which is product reliability, according to our survey. Product performance and flexibility in meeting customer needs round out the top three criteria in importance. That reliability topped the list of general criteria isn't a surprise; SIEM products play a significant role in a company's security operations, and customers need to be assured the product will function well and consistently.
Respondents rated each vendor on these general performance criteria using a five-point scale. On the product reliability criterion, three vendors scored 4.0: ArcSight, Novell, and Q1. Splunk and Symantec were close behind with 3.9 ratings.
Essential Features
In addition to general performance, respondents rated the importance of 11 features found in SIEM products, such as log management and event correlation. Again using a five-point scale, respondents rated real-time analysis for alerts as the most important feature at 4.3, followed by automated log collection from multiple sources at 4.2. Search and root cause analysis and investigation of archived logs were both rated 4.1 for importance.
Our IT pros also rated vendors based on these 11 features. IBM's Q1 Labs ranked highest at 84%. Novell also scored well, with 81%. ArcSight placed third at 77% (see chart below). The features-based ranking showed the largest spread among vendors, a 13-point difference between Q1 Labs and Tripwire, which was rated 71%.
Our report breaks out each vendor's mean score for the various SIEM features (see chart below).
While Q1 Labs earned very high ratings on all the feature criteria, other vendors also demonstrated strengths, particularly on those features rated most important by our respondents. For instance, on real-time analysis, the most important feature, Novell and ArcSight met or exceeded a 4.0 rating. In search capabilities, Splunk nearly matched Q1 Labs, earning a 4.2 to Q1 Labs' 4.3. Splunk tied Q1 Labs in automated log collection. Novell was the only vendor to score higher than Q1 Labs on any of the feature criteria, earning a 4.2 rating for out-of-the-box compliance reports to Q1 Labs' 4.0.