reports.informationweek.com, June 2012, $99
Report ID: R5030612
IT Pro Ranking: SIEM

IBM's Q1 Labs leads our vendor evaluation survey of SIEM vendors, earning an overall performance rating of 76%. Novell's SIEM (now owned by NetIQ) is a close second at 75%. Other vendors evaluated by IT pros include HP/ArcSight, NetIQ, Quest Software, Splunk, Symantec and Tripwire. 58% of respondents are satisfied or very satisfied with their SIEM products, but complexity tops IT's challenges with SIEM technology.

By Dean Francis
TABLE OF CONTENTS

3   Executive Summary
4   Research Synopsis
5   From Haystack to Needles
7   Essential SIEM Features
9   Why SIEM?
12  Events and Logs
14  SIEM Challenges
17  Appendix
26  Author's Bio
27  Related Reports

Figures

5   Figure 1: SIEM Overall Vendor Performance
6   Figure 2: Importance of Evaluation Criteria
7   Figure 3: Vendor Evaluations, Arranged by Vendor
8   Figure 4: Importance of SIEM Product Features
9   Figure 5: SIEM Vendor Performance, Features
10  Figure 6: Vendors in Use or Evaluated
11  Figure 7: Feature Evaluations, Arranged by Vendor
12  Figure 8: Feature Evaluations, Arranged by Criterion
13  Figure 9: Primary Driver for SIEM Use
14  Figure 10: SIEM Integration
15  Figure 11: Top Sources of Event Data
16  Figure 12: SIEM Challenges
17  Figure 13: Replace or Add Vendors?
18  Figure 14: Factors Resulting in a Change in Vendor
19  Figure 15: Reasons for Replacing or Adding a Vendor
20  Figure 16: Vendor Evaluations, Arranged by Vendor Criterion
21  Figure 17: Satisfaction With SIEM Product
22  Figure 18: Job Title
23  Figure 19: Revenue
24  Figure 20: Industry
25  Figure 21: Company Size

Security Information and Event Management
Executive Summary

InformationWeek surveyed 322 business technology professionals who use or have used or evaluated security information and event management (SIEM) products in the past 12 months. We asked respondents to rate these products in two major categories: overall performance and SIEM-specific capabilities such as real-time alerts, search and log management. Our survey listed 17 vendors; of those, eight received a sufficient number of responses to be rated: HP/ArcSight, IBM/Q1 Labs, NetIQ, Novell*, Quest Software, Splunk, Symantec and Tripwire.

Users and evaluators of IBM/Q1 Labs rated it the leader for overall performance, with a score of 76%. However, Novell and HP/ArcSight are just behind with scores of 75% and 74%, respectively. When it comes to SIEM features, respondents again rated IBM/Q1 Labs as the leader, at 84%. Novell was rated 81%. From here, scores fall off more steeply, with HP/ArcSight rated third at 77%.

Our survey also looks at primary drivers for SIEM use, most important features, challenges that users face with the products and other aspects of SIEM operation. We also provide the mean average ratings for vendors in each of the general performance and feature-specific criteria used for our scoring.

* Please note that our survey lists Novell and NetIQ as separate vendors. However, Novell's SIEM product, Sentinel, was taken over by NetIQ in 2011. In addition to Sentinel, NetIQ also offers the NetIQ Security Manager SIEM product. In February 2012, NetIQ announced Sentinel 7, which combines Security Manager and Sentinel into a single platform. While NetIQ will continue to support Security Manager and Sentinel as separate products, customers can choose to upgrade to the unified Sentinel 7 platform.
Research Synopsis

Survey Name: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey
Survey Date: April 2012
Region: North America
Number of Respondents: 322
Purpose: To determine preference for vendors supplying security information and event management products to enterprise IT organizations.
Methodology: InformationWeek surveyed business technology decision-makers at North American companies. The survey was conducted online, and respondents were recruited via an email invitation containing an embedded link to the survey. The email invitation was sent to qualified InformationWeek subscribers. Individual evaluations were conducted for vendors whose products have been used or evaluated in the past 12 months by 50 or more respondents. Respondents were asked to evaluate only those vendors/products for which they reported recent use or evaluation.
About Us

InformationWeek Reports' analysts arm business technology decision-makers with real-world perspective based on qualitative and quantitative research, business and technology assessment and planning tools, and adoption best practices gleaned from experience.

To contact us, write to managing director Art Wittmann at [email protected], content director Lorna Garey at [email protected], editor-at-large Andrew Conry-Murray at [email protected], and research managing editor Heather Vallis at

Find all of our reports at reports.informationweek.com.
From Haystack to Needles

Security information and event management products can help security and IT professionals make sense of the incredible amounts of data generated by security and network devices. SIEM is a synthesis of two related products: security information management and security event management. Security information management provides for the collection and processing of data and its incorporation, aggregation and analysis into meaningful information. The data typically comes from disparate sources, such as log files or socket connections. Security event management focuses on the real-time management of security-related events. Data sources typically include firewalls, switches and routers, IDS/IPS, application servers, database servers, identity management servers, Web servers and workstations.

SIEM blends SIM and SEM functions and adds capabilities such as correlation of various data sources, vulnerability analysis, compliance reporting, event reporting, anomaly detection and notification to an internal console or external element management system. SIEM products have a reputation for complexity, in part because of the many data feeds they get connected to, and in part because of the rules and policies that IT has to configure for the products to provide useful information.

InformationWeek surveyed 322 business technology professionals who use or have used or evaluated SIEM products in the past 12 months and asked them to rate these products on general criteria, such as performance and cost, as well as feature-specific criteria, including real-time alerting and log management. Our survey listed 17 vendors; of those, eight received a sufficient number of responses to be rated.

Q1 Labs, which was acquired by IBM in October 2011, was rated tops by our respondents for overall performance, with a score of 76% out of a possible 100% (Figure 1). Novell is on Q1's heels at 75%, and ArcSight, now owned by Hewlett-Packard, is a close third with 74%. Quest Software, Symantec and Splunk sit in the middle of the pack with scores in the low 70s. NetIQ and Tripwire finished at the bottom with scores of 69% and 68%, respectively.

Figure 1: SIEM Overall Vendor Performance
Weighted, aggregated score across all 10 evaluation criteria, with a maximum possible score of 100%
  IBM/Q1 Labs       76%
  Novell            75%
  HP/ArcSight       74%
  Quest Software    73%
  Symantec          73%
  Splunk            72%
  NetIQ             69%
  Tripwire          68%
Base: Varies. Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012
These performance ratings are based on a set of 10 general criteria, the most important of which is product reliability, according to our survey (Figure 2). Product performance and flexibility in meeting the organization's needs round out the top three criteria in terms of importance. That reliability topped the list of general criteria isn't a surprise; SIEM products play a significant role in an organization's security operations, and customers need to be assured the product will function well and consistently.

Figure 2: Importance of Evaluation Criteria
How important are the following criteria when evaluating products from SIEM vendors? Mean ratings on a scale of 1 ("not important") to 5 ("very important").
  Product reliability                                 4.6
  Product performance                                 4.4
  Flexibility in meeting your organization's needs    4.3
  Operation cost                                      4.2
  Quality of postsales support                        4.2
  Acquisition cost                                    4.2
  Service innovation                                  3.7
  Product innovation                                  3.7
  Breadth of product line                             3.7
  Quality of presales support                         3.5

Respondents rated each vendor on these general performance criteria using a five-point scale. On the product reliability criterion, three vendors scored 4.0 out of 5 points: ArcSight, Q1 and Novell. Splunk and Symantec were close behind, each with a 3.9 rating. You can see how each vendor fared individually on these criteria in Figure 3.

Figure 3: Vendor Evaluations, Arranged by Vendor
Mean ratings for HP/ArcSight, IBM/Q1 Labs, NetIQ, Novell, Quest Software, Splunk, Symantec and Tripwire on each of the 10 general criteria (product reliability, product performance, flexibility in meeting needs, quality of presales support, quality of postsales support, product innovation, breadth of product line, service innovation, operation cost, acquisition cost). Scale: 1 = poor/doesn't meet your needs, 2 = doesn't meet some needs, 3 = just meets your needs, 4 = meets your needs well, 5 = excellent/exceeds expectations. Base: varies. (Chart; individual values not reproduced here.)

Essential SIEM Features

In addition to general performance, we asked our respondents to rate the importance of 11 features found in SIEM products, such as log management and event correlation. Using a five-point scale, respondents rated real-time analysis for alerts as the most important feature at 4.3,
followed by automated log collection from multiple sources at 4.2. Search and root cause analysis and investigation of archived logs were each rated 4.1 for importance (Figure 4).

Figure 4: Importance of SIEM Product Features
Please rate the importance of these features in your SIEM system. Mean ratings on a scale of 1 ("not important") to 5 ("very important").
  Real-time analysis for alerts                              4.3
  Automated log collection from multiple sources             4.2
  Search capabilities                                        4.1
  Root cause analysis and investigation of archived logs     4.1
  Event correlation                                          4.0
  Operational dashboard                                      4.0
  Secure log management                                      3.9
  Event normalization                                        3.8
  Support for up to thousands of events per second           3.8
  Out-of-the-box compliance reports                          3.8
  Compression for efficient log storage                      3.7

These criteria also help paint a picture of a vendor's overall effectiveness, as rated by our respondents, in core SIEM functions and capabilities. Our IT pros rated vendors based on these 11 features. IBM's Q1 Labs earned the highest rank for features, at 84% (Figure 5). Novell also scored well, with 81%. ArcSight placed third at 77%. The features-based ranking showed the largest spread among vendors, a 13-point difference between Q1 Labs and Tripwire, which ranked 71%.

As Figure 6 indicates, our survey asked respondents to select up to three of 17 SIEM vendors they have used or evaluated in the past 12 months. Of those 17, Symantec had three times as many responses from IT pros as any other vendor. We attribute this to Symantec's position in the security market at large. As a brand-name vendor of anti-malware and a wide range of other security products, the company is in an excellent position to attract potential SIEM customers.

Our report breaks out each vendor's scores on individual features (Figure 7). As you can see, Q1 Labs garnered a rating of 4.0 or higher on every feature, a feat that no other vendor duplicated. This accounts for its overall top rating.

That said, in looking at individual criteria, other vendors also demonstrate strengths, particularly on those features rated most important by our respondents (Figure 8). For instance, on real-time analysis, the most important feature, Novell and ArcSight met or exceeded a 4.0 rating. In search capabilities, Splunk nearly matched Q1 Labs, earning a 4.2 to Q1 Labs' 4.3. Splunk also tied Q1 Labs in automated log collection. Novell was the only vendor to score higher than Q1 Labs on any of the feature criteria, earning a 4.2 rating for out-of-the-box compliance reports to Q1 Labs' 4.0.
Figure 5: SIEM Vendor Performance, Features
Weighted, aggregated score across all 11 features evaluated, with a maximum possible score of 100%
  IBM/Q1 Labs       84%
  Novell            81%
  HP/ArcSight       77%
  Symantec          76%
  Quest Software    76%
  Splunk            75%
  NetIQ             75%
  Tripwire          71%
Base: Varies

Why SIEM?

We asked respondents about the top driver for SIEM use. Forty-four percent of respondents chose real-time threat detection (Figure 9). In other words, IT and security teams turn to SIEM to help them identify potential attacks or policy violations as they happen. This allows for a faster response, which can reduce the damage from an attack, help the organization recover from an attack more quickly or, in the best case, enable IT and security teams to neutralize the threat at the outset.
Figure 6: Vendors in Use or Evaluated
Which of the following SIEM vendors are you currently using or evaluating, or have you used or evaluated, within the past 12 months? (Three responses allowed.)
  Symantec                    45%
  HP/ArcSight                 15%
  Splunk                      15%
  IBM/Q1 Labs                 14%
  NetIQ                       13%
  Quest Software              13%
  Novell                      11%
  Tripwire                    10%
  RSA/EMC                      9%
  Trustwave                    7%
  LogLogic                     5%
  LogRhythm                    5%
  Tenable Network Security     4%
  AlienVault                   3%
  netForensics                 3%
  TriGeo                       3%
  NitroSecurity                2%
  Other                       13%

Figure 7: Feature Evaluations, Arranged by Vendor
Mean ratings for HP/ArcSight, IBM/Q1 Labs, NetIQ, Novell, Quest Software, Splunk, Symantec and Tripwire on each of the 11 features (real-time analysis for alerts, automated log collection, event normalization, operational dashboard, support for up to thousands of events per second, compression for efficient log storage, event correlation, compliance reports, search capabilities, root cause analysis of archived logs, secure log management). Scale: 1 = poor/doesn't meet your needs to 5 = excellent/exceeds expectations. Base: varies. (Chart; individual values not reproduced here.)

A quarter of respondents chose "meeting compliance requirements" as the top driver for SIEM. One prominent compliance mandate is the Payment Card Industry Data Security Standard, which sets security requirements for companies that accept credit card payments or otherwise handle card data. PCI DSS 2.0 (Requirement 10.6) requires organizations to review logs at least daily, including logs from security products such as intrusion-detection systems. SIEM products with strong log management and review capabilities can help companies meet this requirement. Many SIEM products also provide out-of-the-box compliance reporting to address regulations and mandates such as HIPAA.

As a key component of a security and IT operations infrastructure, SIEM products must integrate with other element managers, reporting systems or enterprise management products. Open APIs and software development kits facilitate interoperability between products. We asked our respondents about the tools they integrate with SIEM products. The top five responses were network/application configuration management (47%), help/service desk (46%), performance management (43%), identity and access management (39%), and network fault management (32%) (Figure 10).

With the need for visibility into patch, policy and compliance information, particularly with regard to vulnerability analyses, it's not surprising to see configuration management at the top. Integration with help desk and
service products is also to be expected, as events and investigations triggered by a SIEM product are likely to be logged as tickets within these systems. However, performance management is a bit surprising and may indicate an interesting trend for growth and convergence in the SIEM market.

Integration with vulnerability scanning tools and a program of routine scans can also be an effective, proactive means of finding weaknesses before they are exploited. Furthermore, support for well-known and proven hardening methodologies and databases, such as the National Vulnerability Database or Security Technical Implementation Guides, can further round out a thorough security posture.

Figure 8: Feature Evaluations, Arranged by Criterion
Mean ratings on each of the 11 features (automated log collection from multiple sources, compression for efficient log storage, event correlation, event normalization, operational dashboard, out-of-the-box compliance reports, real-time analysis for alerts, root cause analysis and investigation of archived logs, search capabilities, secure log management, support for up to thousands of events per second), with HP/ArcSight, IBM/Q1 Labs, NetIQ, Novell, Quest Software, Splunk, Symantec and Tripwire compared under each. Scale: 1 = poor/doesn't meet your needs to 5 = excellent/exceeds expectations. Base: varies. (Chart; individual values not reproduced here.)

Events and Logs

Events and log data from a variety of sources feed SIEM products. According to respondents, the top three sources of event data are firewalls, application servers and database servers (Figure 11). We were surprised to see IDS/IPS products listed sixth,
as these products are a fire hose of alarms, notifications and other data. In fact, SIEM emerged partly as a response to the difficulties that IT and security teams were having in extracting actionable data from reams of IDS and IPS events. One explanation may be that respondents selected "firewalls" as a stand-in for security devices such as unified threat management systems that combine multiple capabilities into a single appliance.

Figure 9: Primary Driver for SIEM Use
Which of the following best describes the primary driver behind your organization's use of an SIEM tool? Conduct real-time threat detection and response: 44%. Meet compliance requirements: 26%. The remaining responses (conduct post-incident investigation and forensics; manage growing volumes of log data; meet contractual or customer requirements; other) account for 13%, 10%, 6% and 1% of respondents. (Pie chart; the pairing of those four values with their labels is not legible in this copy.)

Log management has also emerged as a feature that is now part of many SIEM products. Log management is not intended for real-time analysis. Instead, it provides a method for forensic analysis of incidents through a normalization of different data sources. Log management also provides a central repository for logs to be stored and archived. While SIEM products may offer some log management capabilities, a variety of products also are dedicated specifically to log management. According to our survey, log management fell somewhere in the middle of the pack in regard to important features (see Figure 4). This may indicate that many organizations handle log management separately from SIEM products.

The event and log data being gathered and searched by SIEM is likely being stored in a database. Some products use mainstream relational databases, while others have created customized versions of commercial databases. Proprietary databases are another option, often optimized for speed, but possibly with a database schema that is not open or published. Additionally, vendors may choose nondatabase storage (Splunk's own indexed data store, for example) that is, again, optimized to facilitate the speed of analysis and correlation necessary for SIEM. With many customers keeping security data for years, SIEM installations and
integrations can even cross over into the data warehousing realm. IT and security pros evaluating SIEM products should examine the underlying database technologies being used to ensure that they are the right fit for the organization.

SIEM Challenges

While SIEM products can be useful, they can also be complex to deploy and operate. IT and security teams have to set up links between the SIEM products and the devices that will feed events and log data. They also need to build and refine the correlation rules that govern how the SIEM system will respond to the information it gathers and analyzes. And of course, IT or security staff must monitor the system and investigate the alerts and notifications generated by the product.
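The two tasks just described, connecting disparate event sources and then writing correlation rules over what they produce, are easier to see in code than in prose, as is the normalization of different data sources mentioned under Events and Logs. The following Python is an example written for this page; it is not code from the report or from any SIEM vendor. It maps three constructed log formats (a simplified ASA-style firewall deny, OpenSSH authentication messages and an Apache access log, all sample lines made up for the example) onto one event schema, then runs two windowed correlation rules over the merged, time-ordered stream: several login failures from one source address followed by a success, and firewall denies to many distinct ports from one address. The five-minute window, the thresholds and the year assumed for syslog lines are choices made for the example, not anything the report specifies.

```python
"""Toy SIEM pipeline: normalize heterogeneous log lines into one event schema,
then run windowed correlation rules over the normalized, time-ordered stream.
Added example for this page; not code from the report or from any SIEM vendor.
All log lines below are constructed; the ASA and Apache formats are simplified."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

YEAR = 2012                      # syslog lines carry no year; assumed for the sample
WINDOW = timedelta(minutes=5)    # correlation window, chosen for the example

# One parser per source format. Each returns the common schema:
#   ts (datetime), source, src_ip, user, action (login|deny|allow|request),
#   outcome (success|failure|info), dst_port
SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)")
FW_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ %ASA-\d-\d+: "
    r"(?P<verb>Deny|Built) \w+ src \w+:(?P<ip>\d+\.\d+\.\d+\.\d+)/\d+ "
    r"dst \w+:\d+\.\d+\.\d+\.\d+/(?P<port>\d+)")
WEB_RE = re.compile(
    r'^(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\w+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def _syslog_ts(m):
    return datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}",
                             "%Y %b %d %H:%M:%S")


def normalize(line):
    """Map one raw line onto the common schema; None if no parser matches."""
    if m := SSHD_RE.match(line):
        return {"ts": _syslog_ts(m), "source": "sshd", "src_ip": m["ip"],
                "user": m["user"], "action": "login", "dst_port": 22,
                "outcome": "success" if m["result"] == "Accepted" else "failure"}
    if m := FW_RE.match(line):
        return {"ts": _syslog_ts(m), "source": "firewall", "src_ip": m["ip"],
                "user": None, "action": "deny" if m["verb"] == "Deny" else "allow",
                "outcome": "info", "dst_port": int(m["port"])}
    if m := WEB_RE.match(line):
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        is_login = m["method"] == "POST" and m["path"] == "/login"
        outcome = ("success" if int(m["status"]) < 400 else "failure") if is_login else "info"
        return {"ts": ts, "source": "web", "src_ip": m["ip"], "user": None,
                "action": "login" if is_login else "request",
                "outcome": outcome, "dst_port": 443}
    return None


def correlate(events, fail_threshold=3, scan_ports=5):
    """Two stateful rules over the merged stream; both key on src_ip, so failures
    seen by sshd and by the web tier count together because of the normalization."""
    failures = defaultdict(deque)   # src_ip -> login-failure timestamps inside WINDOW
    denies = defaultdict(deque)     # src_ip -> (ts, dst_port) firewall denies inside WINDOW
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ip, ts = e["src_ip"], e["ts"]
        if e["action"] == "login":
            q = failures[ip]
            while q and ts - q[0] > WINDOW:       # expire entries outside the window
                q.popleft()
            if e["outcome"] == "failure":
                q.append(ts)
            elif len(q) >= fail_threshold:        # success right after a burst of failures
                alerts.append({"rule": "bruteforce_then_success", "src_ip": ip,
                               "user": e["user"], "ts": ts, "failures": len(q)})
                q.clear()
        elif e["action"] == "deny":
            q = denies[ip]
            while q and ts - q[0][0] > WINDOW:
                q.popleft()
            q.append((ts, e["dst_port"]))
            ports = {p for _, p in q}
            if len(ports) >= scan_ports:          # one source, many distinct ports
                alerts.append({"rule": "port_scan", "src_ip": ip, "ts": ts,
                               "ports": sorted(ports)})
                q.clear()                          # one scan yields one alert
    return alerts


def run(lines):
    """Normalize, drop lines no parser understands, correlate. Returns the alerts."""
    return correlate([e for e in map(normalize, lines) if e])


SAMPLE_LOGS = [   # constructed for the example; RFC 5737 documentation addresses
    "Apr 12 10:14:00 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.9/51234 dst inside:10.0.0.5/22",
    "Apr 12 10:14:10 bastion sshd[2231]: Failed password for root from 203.0.113.9 port 51240 ssh2",
    "Apr 12 10:14:20 bastion sshd[2233]: Failed password for root from 203.0.113.9 port 51241 ssh2",
    '203.0.113.9 - - [12/Apr/2012:10:15:03 +0000] "POST /login HTTP/1.1" 401 512',
    "Apr 12 10:15:10 bastion sshd[2240]: Failed password for invalid user oracle from 203.0.113.9 port 51250 ssh2",
    "Apr 12 10:15:30 bastion sshd[2244]: Accepted password for admin from 203.0.113.9 port 51251 ssh2",
    "Apr 12 10:30:00 bastion sshd[2300]: Failed password for alice from 198.51.100.7 port 40001 ssh2",
    "Apr 12 11:00:00 bastion sshd[2310]: Accepted password for alice from 198.51.100.7 port 40002 ssh2",
] + [f"Apr 12 12:00:0{i} fw1 %ASA-4-106023: Deny tcp src outside:192.0.2.50/4000{i} dst inside:10.0.0.5/{p}"
     for i, p in enumerate((21, 22, 23, 25, 80, 443))]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

Run as a script, it prints two alerts: the login at 10:15:30 from 203.0.113.9 is flagged because four failures (three from sshd and one from the web login form) preceded it inside the window, and 192.0.2.50 is flagged on its fifth distinct denied port. The single failure from 198.51.100.7 expires before that user's later success and raises nothing. Every line the parsers cannot read is silently dropped, which is exactly the blind spot a real deployment has to monitor: an unparsed feed is an invisible feed.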
Figure 10: SIEM Integration
What other tools does, or will, your SIEM system integrate with? (Multiple responses allowed.)
  Configuration management (network or application)    47%
  Help desk or service desk                            46%
  Network performance management                       43%
  Identity and access management systems               39%
  Network fault management                             32%
  Enterprise service bus or middleware                 21%
  Other                                                 4%

These difficulties are reflected in our survey. When asked about the main challenges IT faces with SIEM, the top response was managing the general complexity of the product (Figure 12). Respondents also cited a lack of integration with other network management tools and building correlation rules. For organizations evaluating SIEM products, don't underestimate operational complexity. For instance, look for products that offer a user interface that is intuitive and easy to understand and traverse.

Cost can also be a concern with SIEM products. Many SIEM products are expensive, but the full cost isn't just the software or hardware. These products require extensive system integration to realize their potential. That means you must account for staff hours (or pay consultants) for installation and configuration, as well as integration with
other products. SIEM products rely on databases for event and log analysis, which means database administrator resources must also be considered, not only for the initial configuration of the product but also for ongoing maintenance and tuning. And of course, IT and security teams will need to be trained to use the product. These factors affect your total SIEM cost. As one respondent said, "Total cost of acquisition and operating is elusive. When you purchase a SIEM solution, the work is just beginning."

Figure 11: Top Sources of Event Data
What are, or will be, the top sources of event data for your SIEM? (Three responses allowed.)
  Firewalls                  61%
  Application servers        53%
  Database servers           48%
  PCs and laptops            28%
  Web servers                22%
  IDS/IPS                    22%
  Switches and routers       20%
  Malware gateway devices    15%
  SANs                        4%
  NAS devices                 4%
  Other                       2%

Of our survey respondents who use SIEM products, 49% say they have no plans to add a vendor or replace a vendor (Figure 13). Yet when asked what it would take to get them to replace a vendor, the top two factors are substantial savings in capital and operational costs (Figure 14). In other words, all other things being equal, a vendor that can produce a less-expensive product will likely earn a close look from IT shops.

And what about the 51% who are considering replacing or adding a vendor? Their top priorities are better performance and
operational cost savings (Figure 15). That said,incumbent vendors enjoy some protectionfrom displacement. That’s because SIEM products are tightly woven into a larger security management infrastructure andwould be difficult to disentangle.
Figure 12: SIEM Challenges
What are the main challenges you face, or expect to face, with your SIEM system?
Response options: Managing general complexity of the product; Lack of integration with other network management tools; Building correlation rules; Difficulty of searching for data; Normalizing data; Meeting the performance and hardware requirements to run it; Meeting storage requirements for event and log data; Poor adoption among IT users; Scaling the system to match our event stream; Other
Note: Three responses allowed. Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012 (R5030612/17)
APPENDIX

Figure 13: Replace or Add Vendors?
Would you consider replacing one of your current SIEM vendors or adding another vendor?
Response options: Yes, we’re considering replacing our primary vendor; Yes, we’re considering replacing one of our secondary vendors; Yes, we’re considering adding another vendor; No
Base: 270 respondents at organizations using an SIEM product. Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012 (R5030612/7)
Figure 14: Factors Resulting in a Change in Vendor
What would it take to replace your existing SIEM vendor with another?
Substantial capital cost savings: 62%
Substantial operational cost savings: 61%
Substantial performance gains: 51%
Clear technology advantage compared with current vendor: 47%
Bad experience with current vendor: 27%
Enabling new services or applications: 26%
Clearly superior vision compared with current vendor: 25%
Robust integration points via APIs with management systems: 19%
Enabling advanced architectures/features: 17%
Other: 10%
Nothing could make us replace our existing vendor: 4%
Note: Multiple responses allowed. Base: 132 respondents not considering replacing or adding a vendor. Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012 (R5030612/9)
Figure 15: Reasons for Replacing or Adding a Vendor
Why are you considering replacing your current SIEM vendor or adding another vendor?
Performance gains: 59%
Operational cost savings: 48%
Want advanced architectures/features: 43%
Want to enable new services or applications: 42%
Capital cost savings: 41%
Clear technology advantage compared with current vendor (superior tech/products): 24%
Want robust integration via APIs with management systems: 18%
Part of normal capital project bid process: 18%
Clear vision compared with current vendor (vendor road maps, plans, direction): 13%
Bad experience with current vendor: 9%
Other: 3%
Note: Multiple responses allowed. Base: 138 respondents considering replacing or adding a vendor. Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012 (R5030612/8)
Figure 16: Vendor Evaluations, Arranged by Evaluation Criterion
Criteria rated: Acquisition cost; Breadth of product line; Flexibility in meeting your organization’s needs; Operation cost; Product innovation; Product performance; Product reliability; Quality of presales support; Quality of postsales support; Service innovation
Vendors rated: HP/ArcSight, IBM/Q1 Labs, NetIQ, Novell, Quest Software, Splunk, Symantec, Tripwire
Rating scale: 1 Poor/doesn’t meet your needs; 2 Doesn’t meet some needs; 3 Just meets your needs; 4 Meets your needs well; 5 Excellent/exceeds expectations
Note: Mean average ratings. Base: Varies. Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012 (R5030612/4)
Figure 17: Satisfaction With SIEM Product
What is your level of satisfaction with your current SIEM product or products?
Response options: Very satisfied; Satisfied; Somewhat satisfied; Unsatisfied; Does not apply, we are still evaluating SIEM products
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012 (R5030612/6)
Figure 18: Job Title
Which of the following best describes your job title?
Response options: Executive IT management (C-level/VP); IT director/manager; IT/IS staff; Non-IT executive management (C-level/VP); Line-of-business management; Consultant; Other
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012 (R5030612/18)
Figure 19: Revenue
Which of the following dollar ranges includes the annual revenue of your entire organization?
Response options: Less than $6 million; $6 million to $49.9 million; $50 million to $99.9 million; $100 million to $499.9 million; $500 million to $999.9 million; $1 billion to $4.9 billion; $5 billion or more; Government/nonprofit; Don’t know/decline to say
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012 (R5030612/19)
Figure 20: Industry
What is your organization’s primary industry?
Construction/engineering: 2%
Consulting and business services: 10%
Education: 12%
Electronics: 2%
Financial services: 9%
Food/beverage: 2%
Government: 13%
Healthcare/medical: 6%
Insurance/HMOs: 2%
IT vendors: 7%
Logistics/transportation: 2%
Manufacturing/industrial, noncomputer: 6%
Media/entertainment: 3%
Nonprofit: 2%
Retail/e-commerce: 4%
Telecommunications/ISPs: 5%
Utilities: 2%
Other: 11%
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012 (R5030612/20)
Figure 21: Company Size
Approximately how many employees are in your organization?
Response options: Fewer than 50; 50-99; 100-499; 500-999; 1,000-4,999; 5,000-9,999; 10,000 or more
Data: InformationWeek 2012 Security Information and Event Management Vendor Evaluation Survey of 322 business technology professionals, April 2012 (R5030612/21)
© 2012 InformationWeek, Reproduction Prohibited
Dean Francis is an enterprise architect at Fusion PPT, a technology solutions firm based in Vienna, Va. He has more than 22 years of experience providing IT solutions to federal (Army, Navy, DLA, DHS, DOJ, FBI, etc.) and commercial clients. At Fusion, Dean is a member of the Service Assurance practice, where he provides technical team leadership and hands-on solutions to customers.

Prior to joining Fusion, Dean worked for small, medium and large corporations to provide technical solutions in the areas of operational support systems, information assurance, enterprise architecture, network and systems engineering, and network management systems.

Dean is also able to leverage more than two decades of design and implementation experience to provide innovative solutions in the areas of application integration, configuration management, orchestration, virtualization and cloud computing. He is certified in corporate process management, technology deployment and technology training. Dean earned his Bachelor of Science in electrical engineering from Princeton University.

Dean Francis, InformationWeek Reports
Want More Like This?
InformationWeek creates more than 150 reports like this each year, and they’re all free to registered users. We’ll help you sort through vendor claims, justify IT projects and implement new systems by providing analysis and advice from IT professionals. Right now on our site you’ll find:

How to Pick Endpoint Protection: When it comes to protecting PCs and laptops, IT puts too much emphasis on malware detection. You’ll get better results by focusing on performance, management and—most importantly—how users and the security software interact. This report tells you how to evaluate endpoint security software based on what really matters.

IT Pro Ranking: Endpoint Antivirus/Anti-malware: Kaspersky Lab and Sophos top our IT evaluations of nine antivirus/anti-malware vendors. Upstart Malwarebytes scores a 4.3 out of 5 for malware removal, the highest score in that category. Symantec and McAfee are the most widely used vendors, but 46% of respondents are considering replacing or adding a vendor. Lucky for them, choices abound in this market.

2012 InformationWeek Salary Survey: Security: Our 2012 InformationWeek Salary Survey shows that, while IT security pros may still find themselves in a position of defending their roles, they’re also in a good spot when it comes to salary and overall compensation. We heard from 725 security respondents and found that the median base salary for staffers is up a tidy $7,000 this year; managers also got a bump.

PLUS: Find signature reports, such as the InformationWeek Salary Survey, InformationWeek 500 and the annual State of Security report; full issues; and much more.