IT Pro Ranking: SIEM

Report ID: R5030612

IBM’s Q1 Labs leads our vendor evaluation survey of SIEM vendors, earning an overall performance rating of 76%. Novell’s SIEM (now owned by NetIQ) is a close second at 75%. Other vendors evaluated by IT pros include HP/ArcSight, NetIQ, Quest Software, Splunk, Symantec and Tripwire. 58% of respondents are satisfied or very satisfied with their SIEM products, but complexity tops IT’s challenges with SIEM technology.

By Dean Francis

Reports.InformationWeek.com, June 2012, $99


Table of Contents

Executive Summary
Research Synopsis
From Haystack to Needles
Essential SIEM Features
Why SIEM?
Events and Logs
SIEM Challenges
Appendix
Author’s Bio
Related Reports

Figures

Figure 1: SIEM Overall Vendor Performance
Figure 2: Importance of Evaluation Criteria
Figure 3: Vendor Evaluations, Arranged by Vendor
Figure 4: Importance of SIEM Product Features
Figure 5: SIEM Vendor Performance, Features
Figure 6: Vendors in Use or Evaluated
Figure 7: Feature Evaluations, Arranged by Vendor
Figure 8: Feature Evaluations, Arranged by Criterion
Figure 9: Primary Driver for SIEM Use
Figure 10: SIEM Integration
Figure 11: Top Sources of Event Data
Figure 12: SIEM Challenges
Figure 13: Replace or Add Vendors?
Figure 14: Factors Resulting in a Change in Vendor
Figure 15: Reasons for Replacing or Adding a Vendor
Figure 16: Vendor Evaluations, Arranged by Vendor Criterion
Figure 17: Satisfaction With SIEM Product
Figure 18: Job Title
Figure 19: Revenue
Figure 20: Industry
Figure 21: Company Size

Executive Summary

InformationWeek surveyed 322 business technology professionals who use or have used or evaluated security information and event management (SIEM) products in the past 12 months. We asked respondents to rate these products in two major categories: overall performance and SIEM-specific capabilities such as real-time alerts, search and log management. Our survey listed 17 vendors; of those, eight received a sufficient number of responses to be rated: HP/ArcSight, IBM/Q1 Labs, NetIQ, Novell*, Quest Software, Splunk, Symantec and Tripwire.

Users and evaluators of IBM/Q1 Labs rated it leader for overall performance, with a score of 76%. However, Novell and HP/ArcSight are just behind with scores of 75% and 74%, respectively. When it comes to SIEM features, respondents again rated IBM/Q1 Labs as leader, at 84%. Novell was rated 81%. From here, the gap between scores begins to fall more steeply, with HP/ArcSight rated third at 77%.

Our survey also looks at primary drivers for SIEM use, most important features, challenges that users face with the products and other aspects of SIEM operation. We also provide the mean average ratings for vendors in each of the general performance and feature-specific criteria used for our scoring.

* Please note that our survey lists Novell and NetIQ as separate vendors. However, Novell’s SIEM product, Sentinel, was taken over by NetIQ in 2011. In addition to Sentinel, NetIQ also offers the NetIQ Security Manager SIEM product. In February 2012, NetIQ announced Sentinel 7, which combines Security Manager and Sentinel into a single platform. While NetIQ will continue to support Security Manager and Sentinel as separate products, customers can choose to upgrade to the unified Sentinel 7 platform.

Research Synopsis

Survey Name: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey

Survey Date: April 2012

Region: North America

Number of Respondents: 322

Purpose: To determine preference for vendors supplying security information and event management products to enterprise IT organizations.

Methodology: InformationWeek surveyed business technology decision-makers at North American companies. The survey was conducted online, and respondents were recruited via an email invitation containing an embedded link to the survey. The email invitation was sent to qualified InformationWeek subscribers. Individual evaluations were conducted for vendors whose products have been used or evaluated in the past 12 months by 50 or more respondents. Respondents were asked to evaluate only those vendors/products for which they reported recent use or evaluation.

About Us

InformationWeek Reports’ analysts arm business technology decision-makers with real-world perspective based on qualitative and quantitative research, business and technology assessment and planning tools, and adoption best practices gleaned from experience.

To contact us, write to managing director Art Wittmann at [email protected], content director Lorna Garey at [email protected], editor-at-large Andrew Conry-Murray at [email protected], and research managing editor Heather Vallis at [email protected].

Find all of our reports at reports.informationweek.com.

From Haystack to Needles

Security information and event management products can help security and IT professionals make sense of the incredible amounts of data generated by security and network devices. SIEM is a synthesis of two related products: security information management and security event management. Security information management provides for the collection and processing of data and its incorporation, aggregation and analysis into meaningful information. The data typically comes from disparate sources, such as log files or socket connections. Security event management focuses on the real-time management of security-related events. Data sources typically include firewalls, switches and routers, IDS/IPS, application servers, database servers, identity management servers, Web servers and workstations.

SIEM blends SIM and SEM functions and adds capabilities such as correlation of various data sources, vulnerability analysis, compliance reporting, event reporting, anomaly detection and notification to an internal console or external element management system. SIEM products have a reputation for complexity, in part because of the many data feeds they get connected to, and in part because of the rules and policies that IT has to configure for the products to provide useful information.

InformationWeek surveyed 322 business technology professionals who use or have used or evaluated SIEM products in the past 12 months and asked them to rate these products on general criteria, such as performance and cost, as well as feature-specific criteria, including real-time alerting and log management. Our survey listed 17 vendors; of those, eight received a sufficient number of responses to be rated.

Q1 Labs, which was acquired by IBM in October 2011, was rated tops by our respondents for overall performance, with a score of 76% out of a possible 100% (Figure 1). Novell is on Q1’s heels at 75%, and ArcSight, now owned by Hewlett-Packard, is a close third with 74%. Quest Software, Symantec and Splunk sit in the middle of the pack with scores in the low 70s. NetIQ and Tripwire finished at the bottom with scores of 69% and 68%, respectively.

Figure 1: SIEM Overall Vendor Performance
Weighted, aggregated score across all 10 evaluation criteria, with maximum possible score of 100%

IBM/Q1 Labs: 76%
Novell: 75%
HP/ArcSight: 74%
Quest Software: 73%
Symantec: 73%
Splunk: 72%
NetIQ: 69%
Tripwire: 68%

Base: Varies
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012

These performance ratings are based on a set of 10 general criteria, the most important of which is product reliability, according to our survey (Figure 2). Product performance and flexibility in meeting the organization’s needs round out the top three criteria in terms of importance. That reliability topped the list of general criteria isn’t a surprise; SIEM products play a significant role in an organization’s security operations, and customers need to be assured the product will function well and consistently.

Respondents rated each vendor on these general performance criteria using a five-point scale. On the product reliability criterion, three vendors scored 4.0 out of 5 points: ArcSight, Q1 and Novell. Splunk and Symantec were close behind, each with a 3.9 rating. You can see how each vendor fared individually on these criteria in Figure 3.

Figure 2: Importance of Evaluation Criteria
How important are the following criteria when evaluating products from SIEM vendors? Please use a scale of 1 to 5, where 1 is “not important” and 5 is “very important.”

Product reliability: 4.6
Product performance: 4.4
Flexibility in meeting your organization’s needs: 4.3
Operation cost: 4.2
Quality of postsales support: 4.2
Acquisition cost: 4.2
Service innovation: 3.7
Product innovation: 3.7
Breadth of product line: 3.7
Quality of presales support: 3.5

Note: Mean average ratings
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012

Fast Fact: 76% of respondents rated Q1 Labs tops for overall performance.

Figure 3: Vendor Evaluations, Arranged by Vendor
Mean average ratings for HP/ArcSight, IBM/Q1 Labs, NetIQ, Novell, Quest Software, Splunk, Symantec and Tripwire on each of the 10 general criteria. Scale: 1 Poor/doesn’t meet your needs, 2 Doesn’t meet some needs, 3 Just meets your needs, 4 Meets your needs well, 5 Excellent/exceeds expectations.

Base: Varies
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012

Essential SIEM Features

In addition to general performance, we asked our respondents to rate the importance of 11 features found in SIEM products, such as log management and event correlation. Using a five-point scale, respondents rated real-time analysis for alerts as the most important feature at 4.3, followed by automated log collection from multiple sources at 4.2. Search and root cause analysis and investigation of archived logs were each rated 4.1 for importance (Figure 4).

These criteria also help paint a picture of a vendor’s overall effectiveness, as rated by our respondents, in core SIEM functions and capabilities. Our IT pros rated vendors based on these 11 features. IBM’s Q1 Labs earned the highest rank for features, at 84% (Figure 5). Novell also scored well, with 81%. ArcSight placed third at 77%. The features-based ranking showed the largest spread among vendors, a 13-point difference between Q1 Labs and Tripwire, which ranked 71%.

Figure 4: Importance of SIEM Product Features
Please rate the importance of these features in your SIEM system using a scale of 1 to 5, where 1 is “not important” and 5 is “very important.”

Real-time analysis for alerts: 4.3
Automated log collection from multiple sources: 4.2
Search capabilities: 4.1
Root cause analysis and investigation of archived logs: 4.1
Event correlation: 4.0
Operational dashboard: 4.0
Secure log management: 3.9
Event normalization: 3.8
Support for up to thousands of events per second: 3.8
Out-of-the-box compliance reports: 3.8
Compression for efficient log storage: 3.7

Note: Mean average ratings
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012

As Figure 6 indicates, our survey asked respondents to select up to three out of 17 SIEM vendors they have used or evaluated in the past 12 months. Of those 17, Symantec had three times as many responses as any other vendor from IT pros. We attribute this to Symantec's position in the security market at large. As a brand-name vendor of anti-malware and a wide range of other security products, the company is in an excellent position to attract potential SIEM customers.

Our report breaks out each vendor’s scores on individual features (Figure 7). As you can see, Q1 Labs garnered a rating of 4.0 or higher on every feature, a feat that no other vendor duplicated. This accounts for its overall top rating.

That said, in looking at individual criteria, other vendors also demonstrate strengths, particularly on those features rated most important by our respondents (Figure 8). For instance, on real-time analysis, the most important feature, Novell and ArcSight met or exceeded a 4.0 ranking. In search capabilities, Splunk nearly matched Q1 Labs, earning a 4.2 to Q1 Labs’ 4.3. Splunk also tied Q1 Labs in automated log collection. Novell was the only vendor to score higher than Q1 Labs on any of the feature criteria, earning a 4.2 rating for out-of-the-box compliance reports to Q1 Labs’ 4.0.

Figure 5: SIEM Vendor Performance: Features
Weighted, aggregated score across all 11 features evaluated, with maximum possible score of 100%

IBM/Q1 Labs: 84%
Novell: 81%
HP/ArcSight: 77%
Symantec: 76%
Quest Software: 76%
Splunk: 75%
NetIQ: 75%
Tripwire: 71%

Base: Varies
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012

Why SIEM?

We asked respondents about the top driver for SIEM use. Forty-four percent of respondents chose real-time threat detection (Figure 9). In other words, IT and security teams turn to SIEM to help them identify potential attacks or policy violations as they happen. This allows for a faster response, which can reduce the damage from an attack, help the organization recover from an attack more quickly or, in the best case, enable IT and security teams to neutralize the threat at the outset.

A quarter of respondents chose “meeting compliance requirements” as the top driver for SIEM. One prominent compliance mandate is the Payment Card Industry Data Security Standard, which sets security requirements for companies that accept credit card payments or otherwise handle card data. PCI DSS 2.0 requires organizations to review logs daily, including logs from security products such as intrusion-detection systems. SIEM products with strong log management and review capabilities can help companies meet this requirement. Many SIEM products also provide out-of-the-box compliance reporting to address regulations and mandates such as HIPAA.

As a key component of a security and IT operations infrastructure, SIEM products must integrate with other element managers, reporting systems or enterprise management products. Open APIs and software development kits facilitate interoperability between products. We asked our respondents about the tools they integrate with SIEM products. The top five responses were network/application configuration management (47%), help/service desk (46%), performance management (43%), identity and access management (39%), and network fault management (32%) (Figure 10).

With the need for visibility into patch, policy and compliance information, particularly with regard to vulnerability analyses, it’s not surprising to see configuration management at the top. Integration with help desk and service products is also to be expected, as events and investigations triggered by a SIEM product are likely to be logged as tickets within these systems. However, performance management is a bit surprising and may indicate an interesting trend for growth and convergence in the SIEM market.

Integration with vulnerability scanning tools and a program of routine scans can also be an effective, proactive means of detecting threats. Furthermore, support for well-known and proven hardening methodologies and databases, such as the National Vulnerability Database or Security Technical Implementation Guides, can further round out a thorough security posture.

Figure 6: Vendors in Use or Evaluated
Which of the following SIEM vendors are you currently using or evaluating, or have you used or evaluated, within the past 12 months?

Symantec: 45%
HP/ArcSight: 15%
Splunk: 15%
IBM/Q1 Labs: 14%
NetIQ: 13%
Quest Software: 13%
Novell: 11%
Tripwire: 10%
RSA/EMC: 9%
Trustwave: 7%
LogLogic: 5%
LogRhythm: 5%
Tenable Network Security: 4%
AlienVault: 3%
netForensics: 3%
TriGeo: 3%
NitroSecurity: 2%
Other: 13%

Note: Three responses allowed
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012

Figure 7: Feature Evaluations, Arranged by Vendor
Mean average ratings for HP/ArcSight, IBM/Q1 Labs, NetIQ, Novell, Quest Software, Splunk, Symantec and Tripwire on each of the 11 SIEM features. Scale: 1 Poor/doesn’t meet your needs, 2 Doesn’t meet some needs, 3 Just meets your needs, 4 Meets your needs well, 5 Excellent/exceeds expectations.

Base: Varies
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012

Figure 8: Feature Evaluations, Arranged by Criterion
Mean average ratings for HP/ArcSight, IBM/Q1 Labs, NetIQ, Novell, Quest Software, Splunk, Symantec and Tripwire, with one panel per feature: automated log collection from multiple sources, compression for efficient log storage, event correlation, event normalization, operational dashboard, out-of-the-box compliance reports, real-time analysis for alerts, root cause analysis and investigation of archived logs, search capabilities, secure log management, and support for up to thousands of events per second. Scale: 1 Poor/doesn’t meet your needs, 2 Doesn’t meet some needs, 3 Just meets your needs, 4 Meets your needs well, 5 Excellent/exceeds expectations.

Base: Varies
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012

Events and Logs

Events and log data from a variety of sources feed SIEM products. According to respondents, the top three sources of event data are firewalls, application servers and database servers (Figure 11). We were surprised to see IDS/IPS products listed sixth, as these products are a fire hose of alarms, notifications and other data. In fact, SIEM emerged partly as a response to the difficulties that IT and security teams were having in extracting actionable data from reams of IDS and IPS events. One explanation may be that respondents selected “firewalls” as a stand-in for security devices such as unified threat management systems that combine multiple capabilities into a single appliance.

Log management has also emerged as a feature that is now part of many SIEM products. Log management is not intended for real-time analysis. Instead, it provides a method for forensic analysis of incidents through a normalization of different data sources. Log management also provides a central repository for logs to be stored and archived. While SIEM products may offer some log management capabilities, a variety of products also are dedicated specifically to log management. According to our survey, log management fell somewhere in the middle of the pack in regard to important features (see Figure 4). This may indicate that many organizations handle log management separately from SIEM products.

The event and log data being gathered and searched by SIEM is likely being stored in a database. Some products use mainstream relational databases, while others have created customized versions of commercial databases. Proprietary databases are another option, often optimized for speed, but possibly with a database schema that is not open or published. Additionally, vendors may choose nondatabase methods (such as Splunk) that are, again, optimized to facilitate the speed of analysis and correlation necessary for SIEM. With many customers keeping security data for years, SIEM installations and integrations can even cross over into the data warehousing realm. IT and security pros evaluating SIEM products should examine the underlying database technologies being used to ensure that they are the right fit for the organization.

Figure 9: Primary Driver for SIEM Use
Which of the following best describes the primary driver behind your organization's use of an SIEM tool?

Response options: Conduct real-time threat detection and response; Conduct post-incident investigation and forensics; Meet contractual or customer requirements; Meet compliance requirements; Manage growing volumes of log data; Other.
Values shown in the chart, listed separately from the labels: 1%, 6%, 10%, 13%, 26%, 44%.

Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012

Fast Fact: 44% of respondents chose real-time threat detection as the driver behind their use of SIEM tools.

SIEM Challenges

While SIEM products can be useful, they can also be complex to deploy and operate. IT and security teams have to set up links between the SIEM products and the devices that will feed events and log data. They also need to build and refine the correlation rules that govern how the SIEM system will respond to the information it gathers and analyzes. And of course, IT or security staff must monitor the system and investigate the alerts and notifications generated by the product.

These difficulties are reflected in our survey. When asked about the main challenges IT faces with SIEM, the top response was managing the general complexity of the product (Figure 12). Respondents also cited a lack of integration with other network management tools and building correlation rules. For organizations evaluating SIEM products, don’t underestimate operational complexity. For instance, look for products that offer a user interface that is intuitive and easy to understand and traverse.

Cost can also be a concern with SIEM products. Many SIEM products are expensive, but the full cost isn’t just the software or hardware. These products require extensive system integration to realize their potential. That means you must account for staff hours (or pay consultants) for installation and configuration, as well as integration with other products. SIEM products rely on databases for event and log analysis, which means database administrator resources must also be considered, not only for the initial configuration of the product but also ongoing maintenance and tuning. And of course, IT and security teams will need to be trained to use the product. These factors affect your total SIEM cost. As one respondent said, “Total cost of acquisition and operating is elusive. When you purchase a SIEM solution, the work is just beginning.”

Figure 10: SIEM Integration
What other tools does, or will, your SIEM system integrate with?
Configuration management (network or application): 47%
Help desk or service desk: 46%
Network performance management: 43%
Identity and access management systems: 39%
Network fault management: 32%
Enterprise service bus or middleware: 21%
Other: 4%
Note: Multiple responses allowed
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012

Of our survey respondents who use SIEM products, 49% say they have no plans to add a vendor or replace a vendor (Figure 13). Yet when asked what it would take to get them to replace a vendor, the top two factors are substantial savings in capital and operational costs (Figure 14). In other words, all other things being equal, a vendor that can produce a less-expensive product will likely earn a close look from IT shops.

And what about the 51% who are considering replacing or adding a vendor? Their top priorities are better performance and operational cost savings (Figure 15). That said, incumbent vendors enjoy some protection from displacement. That’s because SIEM products are tightly woven into a larger security management infrastructure and would be difficult to disentangle.

Figure 11: Top Sources of Event Data
What are, or will be, the top sources of event data for your SIEM?
Firewalls: 61%
Application servers: 53%
Database servers: 48%
PCs and laptops: 28%
Web servers: 22%
IDS/IPS: 22%
Switches and routers: 20%
Malware gateway devices: 15%
SANs: 4%
NAS devices: 4%
Other: 2%
Note: Three responses allowed
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012


Figure 12: SIEM Challenges
What are the main challenges you face, or expect to face, with your SIEM system?
Managing general complexity of the product: 44%
Lack of integration with other network management tools: 37%
Building correlation rules: 34%
Difficulty of searching for data: 30%
Normalizing data: 23%
Meeting the performance and hardware requirements to run it: 20%
Meeting storage requirements for event and log data: 18%
Poor adoption among IT users: 14%
Scaling the system to match our event stream: 12%
Other: 3%
Note: Three responses allowed
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012


APPENDIX


Figure 13: Replace or Add Vendors?
Would you consider replacing one of your current SIEM vendors or adding another vendor?
Response options: Yes, we’re considering replacing one of our secondary vendors; Yes, we’re considering replacing our primary vendor; Yes, we’re considering adding another vendor; No
Base: 270 respondents at organizations using an SIEM product
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012


Figure 14: Factors Resulting in a Change in Vendor
What would it take to replace your existing SIEM vendor with another?
Substantial capital cost savings: 62%
Substantial operational cost savings: 61%
Substantial performance gains: 51%
Clear technology advantage compared with current vendor: 47%
Bad experience with current vendor: 27%
Enabling new services or applications: 26%
Clearly superior vision compared with current vendor: 25%
Robust integration points via APIs with management systems: 19%
Enabling advanced architectures/features: 17%
Other: 10%
Nothing could make us replace our existing vendor: 4%
Note: Multiple responses allowed
Base: 132 respondents not considering replacing or adding a vendor
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012


Figure 15: Reasons for Replacing or Adding a Vendor
Why are you considering replacing your current SIEM vendor or adding another vendor?
Performance gains: 59%
Operational cost savings: 48%
Want advanced architectures/features: 43%
Want to enable new services or applications: 42%
Capital cost savings: 41%
Clear technology advantage compared with current vendor (superior tech/products): 24%
Want robust integration via APIs with management systems: 18%
Part of normal capital project bid process: 18%
Clear vision compared with current vendor (vendor road maps, plans, direction): 13%
Bad experience with current vendor: 9%
Other: 3%
Note: Multiple responses allowed
Base: 138 respondents considering replacing or adding a vendor
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012


Figure 16: Vendor Evaluations, Arranged by Evaluation Criterion
Panels (one per criterion): Acquisition cost; Breadth of product line; Flexibility in meeting your organization’s needs; Operation cost; Product innovation; Product performance; Product reliability; Quality of presales support; Quality of postsales support; Service innovation
Vendors rated in each panel: HP/ArcSight, IBM/Q1 Labs, NetIQ, Novell, Quest Software, Splunk, Symantec, Tripwire
Scale: 1 Poor/doesn’t meet your needs; 2 Doesn’t meet some needs; 3 Just meets your needs; 4 Meets your needs well; 5 Excellent/exceeds expectations
Note: Mean average ratings
Base: Varies
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012


Figure 17: Satisfaction With SIEM Product
What is your level of satisfaction with your current SIEM product or products?
Response options: Very satisfied; Satisfied; Somewhat satisfied; Unsatisfied; Does not apply; we are still evaluating SIEM products
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012


Figure 18: Job Title
Which of the following best describes your job title?
Response options: Executive IT management (C-level/VP); IT director/manager; Non-IT executive management (C-level/VP); Line-of-business management; Consultant; Other; IT/IS staff
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012


Figure 19: Revenue
Which of the following dollar ranges includes the annual revenue of your entire organization?
Response options: Less than $6 million; $6 million to $49.9 million; $50 million to $99.9 million; $100 million to $499.9 million; $500 million to $999.9 million; $1 billion to $4.9 billion; $5 billion or more; Government/nonprofit; Don’t know/decline to say
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012


Figure 20: Industry
What is your organization’s primary industry?
Construction/engineering: 2%
Consulting and business services: 10%
Education: 12%
Electronics: 2%
Financial services: 9%
Food/beverage: 2%
Government: 13%
Healthcare/medical: 6%
Insurance/HMOs: 2%
IT vendors: 7%
Logistics/transportation: 2%
Manufacturing/industrial, noncomputer: 6%
Media/entertainment: 3%
Nonprofit: 2%
Retail/e-commerce: 4%
Telecommunications/ISPs: 5%
Utilities: 2%
Other: 11%
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012


Figure 21: Company Size
Approximately how many employees are in your organization?
Response options: Fewer than 50; 50-99; 100-499; 500-999; 1,000-4,999; 5,000-9,999; 10,000 or more
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012


© 2012 InformationWeek, Reproduction Prohibited


Dean Francis is an enterprise architect at Fusion PPT, a technology solutions firm based in Vienna, Va. He has more than 22 years of experience providing IT solutions to federal (Army, Navy, DLA, DHS, DOJ, FBI, etc.) and commercial clients. At Fusion, Dean is a member of the Service Assurance practice, where he provides technical team leadership and hands-on solutions to customers.

Prior to joining Fusion, Dean worked for small, medium and large corporations to provide technical solutions in the areas of operational support systems, information assurance, enterprise architecture, network and systems engineering, and network management systems.

Dean is also able to leverage more than two decades of design and implementation experience to provide innovative solutions in the areas of application integration, configuration management, orchestration, virtualization and cloud computing. He is certified in corporate process management, technology deployment and technology training. Dean earned his Bachelor of Science in electrical engineering from Princeton University.

Dean Francis
InformationWeek Reports


Want More Like This?

InformationWeek creates more than 150 reports like this each year, and they’re all free to registered users. We’ll help you sort through vendor claims, justify IT projects and implement new systems by providing analysis and advice from IT professionals. Right now on our site you’ll find:

How to Pick Endpoint Protection: When it comes to protecting PCs and laptops, IT puts too much emphasis on malware detection. You’ll get better results by focusing on performance, management and—most importantly—how users and the security software interact. This report tells you how to evaluate endpoint security software based on what really matters.

IT Pro Ranking: Endpoint Antivirus/Anti-malware: Kaspersky Lab and Sophos top our IT evaluations of nine antivirus/anti-malware vendors. Upstart Malwarebytes scores a 4.3 out of 5 for malware removal, the highest score in that category. Symantec and McAfee are the most widely used vendors, but 46% of respondents are considering replacing or adding a vendor. Lucky for them, choices abound in this market.

2012 InformationWeek Salary Survey: Security: Our 2012 InformationWeek Salary Survey shows that, while IT security pros may still find themselves in a position of defending their roles, they’re also in a good spot when it comes to salary and overall compensation. We heard from 725 security respondents and found that the median base salary for staffers is up a tidy $7,000 this year; managers also got a bump.

PLUS: Find signature reports, such as the InformationWeek Salary Survey, InformationWeek 500 and the annual State of Security report; full issues; and much more.
