Vendor Landscape Plus: Security Information & Event Management

Simplify compliance and IT risk management with SIEM tools

Info-Tech Research Group

Introduction

Security Information & Event Management (SIEM) vendors approach the market from different perspectives. Understand your organization's requirements for SIEM to ensure that the selected product helps achieve key goals.

This Research Is Designed For:
- IT leaders considering SIEM technology to reduce the cost of meeting ever-increasing compliance requirements.
- IT leaders looking to enhance the effectiveness of existing IT security operations.
- Organizations seeking to improve overall risk management processes.

This Research Will Help You:
- Understand the capabilities of SIEM technologies, and their potential use cases.
- Differentiate between vendor offerings and identify alignments with your organization's requirements.
- Shortlist vendors, prepare an RFP, and score RFP responses to select a SIEM solution.
- Develop an implementation strategy and maximize your investment in SIEM.

Executive Summary

Understand SIEM Trends and Considerations
Security Information & Event Management (alternatively known as Security Incident & Event Management) technologies have evolved from point solutions into comprehensive systems that allow organizations to optimize any or all of the following important security-related functions:
- Collection and management of critical system and network log data.
- Execution of processes in support of regulatory and policy compliance obligations.
- Identification of information security threats and response to them.
- Continuous information security risk management processes.
Understand your organization's needs, potential costs, and readiness to undertake a SIEM deployment before taking the leap.

Evaluate SIEM Vendors
Vendor offerings target these security functions in substantially different ways, based on their SIEM product origins, integration with their broader security solutions, architectural deployment options, and specific market focus. Map your organization's immediate and future requirements for SIEM against vendor and product capabilities, and leverage the tools and templates included in this solution set to accelerate selection of a SIEM technology.

Develop a SIEM Implementation Strategy
Understand options for managed versus self-staffed SIEM implementations and their pros and cons. Design a deployment architecture and capture additional implementation and operational costs and benefits, based on addressing your organization's specific security and compliance requirements. Develop a plan for a phased implementation of the selected SIEM product and architecture, ensuring that you realize both short and long-term objectives and benefits.

Symantec leads the market, but other SIEM vendors offer compelling alternatives to meet specific requirements

Info-Tech evaluated ten competitors in the SIEM market, including the following notable performers:

Champions:
- Symantec, with its balance of strong product and vendor capabilities at an excellent price point, leads with a SIEM solution that can deliver benefits to almost any organization.
- Q1 Labs delivers exceptional reporting capabilities and additional product features that distinguish it from Symantec at a higher, but still competitive, price point.
- SenSage provides exceptional correlation and forensic capabilities for organizations that can justify the elevated cost.

Value Award: Symantec's combination of stable and committed vendor, well-rounded product, and near rock-bottom pricing earns the company the Best Overall Value Award.

Innovation Award: NitroSecurity posted the highest score for product capabilities, and may be an appealing option for those seeking premium features and functionality to meet both compliance and event management requirements.

Info-Tech Insight
1. Focus on business requirements: Identify the functionality that your organization requires to meet business needs or to justify an investment in SIEM technology.
2. Consider future requirements: Keep in mind all potential benefits of a SIEM deployment, whether you are focused primarily on simplifying compliance, speeding event management and incident response, or reducing overall risk.
3. Go for "good enough for you": Align current and future requirements with the capabilities and solution feature-sets of vendors. While Symantec is the leader, its focus on solution breadth over depth underscores the importance of assessing alternative vendors against your organization's needs.

Understand SIEM Trends and Considerations

What's in this Section:
- What SIEM is and what it isn't
- The role of SIEM in managing risk
- Key decision factors for SIEM
- Assessing the appropriateness of SIEM

Sections:
- Understand SIEM Trends and Considerations
- Evaluate SIEM Vendors
- Develop Your SIEM Implementation Strategy
- Appendices

Understand what SIEM does, and what it doesn't do

SIEM technology is no silver bullet, but adds value by extending visibility across existing information security and system management tools.

SIEM Tools DO:
At a minimum, SIEM tools enable IT security organizations to:
- Leverage central log management to simplify correlation, alerting, and reporting of security events;
- Streamline compliance, incident response, and risk management processes;
- Baseline threat levels and normal network security activity;
- Increase efficiency and effectiveness of security and system administrators, internal and external auditors, and senior management involved in risk management;
- Pursue a continuous risk management strategy, prioritizing attention to specific vulnerabilities based on observed threats across multiple control systems.

SIEM Tools DO NOT:
Contrary to past hype and misconceptions, SIEM tools do not:
- Eliminate the need for other IT security systems; rather, SIEM enhances the value of each of those tools;
- Prevent compromises; instead, SIEM provides the cross-system visibility to identify areas of elevated risk and focus security efforts, and reduces the cost and time for incident response;
- Eliminate the role of security administration/operations personnel; SIEM maximizes the value of such staff.

Like every tool, SIEM has limitations; expect too much and be prepared for disappointment

SIEM technology is no silver bullet, but adds value by extending visibility across existing information security and system management tools.

When clients that are using SIEM solutions were asked about their expectations for the solution, they almost universally indicated that they had very high expectations prior to deployment. Those same clients indicated that in almost every measure their SIEM solution failed to meet expectations.

Failure to meet expectations should not be held against the tools, as in almost every measurable category the tools delivered Moderately Significant to Significant positive Impact to the enterprise.

The moral: oversetting expectations can lead to let-down even with deployments that are successful and improve enterprise security, compliance, and overall risk management.

Take stock of the serious threats to systems and the business; ensure threats can be contained or costs can be managed

The cost of a major and persistent system compromise can be substantial. Standalone security tools provide some visibility; SIEM tools do much more.

Several well-publicized breaches in recent years highlight the scale of potential impacts, including:
- Direct costs for TJX (2007) have exceeded $250M.
- Heartland Payment Systems (2009) has reported over $140M in direct costs.
- Sony (2011) has already booked $171M in direct costs.

Each of these breaches involved repeated system compromises crossing multiple systems over an extended period, precisely the types of activities that are made more visible through SIEM.

Total costs (direct and indirect) per compromised customer record continue to rise, and in 2009 averaged over $200 per affected customer. Costs per customer are typically much higher for smaller organizations and smaller-scale breaches than for the massive breaches noted above, as enterprise-wide expenditures are spread across a smaller number of affected accounts.

Info-Tech Insight
SIEM alone cannot eliminate similar breaches, but enhanced visibility reduces risk exposure in many ways:
- Identify sophisticated attacks earlier using event data correlated across multiple systems;
- Support more rapid and more thorough forensics during and after initial incident response;
- Enable continuous feedback from observed threats into security and system controls to achieve optimal protection and reduce the risk of future compromises.

Deployed and operated properly, SIEM can reduce the risk and impact of catastrophic breaches.

Determine how and where SIEM will help you manage risk

Adopting the right SIEM tool depends on what risk-related focus is most important to your organization.

All SIEM tools provide log management functionality: collecting, aggregating, and normalizing log data from diverse sources. Whether the enterprise chooses to move further or not, every organization can benefit from Log Management.

Many organizations look to SIEM primarily as a way to reduce the cost of meeting internal and external/regulatory compliance requirements:
- Consolidated logs feed out-of-the-box and custom compliance reports.
- In some cases, SIEM workflow capabilities add value by tracking mandatory log review processes.

Typically, organizations see both compliance and event management-related benefits as SIEM is integrated into the risk management toolbox.

Other organizations look to SIEM primarily as a means to reduce the effort expended when responding to individual security events and incidents:
- Correlated events provide earlier visibility into active threats.
- Consolidated logs allow more rapid and thorough investigation of events, either in progress or after the fact.

Many organizations take a final step, leveraging the information provided by the SIEM tool to target specific changes to (or investments in) system security and operational controls as a key component of a continuous risk management program.

Compare approaches to managing key information security processes, with or without SIEM

Get a sense of how far you intend to go with SIEM to help focus setting your organization's requirements. Look for the SIEM you need, but not more.

SIEM approaches compared: No SIEM; Basic SIEM (Compliance or Event Focus); Advanced SIEM (Compliance and Event Focus).

Log Management
- No SIEM: Storage, backup, retention, and archival settings must be configured and managed for each key system.
- Basic and Advanced SIEM: Central log management optimizes the time and cost of managing key system logs, enabling greater opportunities for using such data.

Security Management Focus Areas

Compliance Management
- No SIEM: Compliance reporting and related log review management is done through manual processes.
- Basic and Advanced SIEM: Compliance management processes can be streamlined with predefined, scheduled, cross-system reporting.

Event Management
- No SIEM: Incident identification & response processes are hampered by lack of cross-system visibility.
- Basic and Advanced SIEM: Visibility into incidents is increased through event correlation; incident response is enhanced by alerting and forensic investigation functionality.

Continuous Risk Management
- No SIEM: Prioritization of security attention across systems is nearly impossible, and may not account for cross-system risks.
- Basic SIEM: A more realistic view of risk emerges from increased efficiency in compliance or event management processes, enabling better prioritization.
- Advanced SIEM: Integrated information from compliance and event management processes provides the most complete view of overall system risks. Staff attention and technology investments can be optimized.

Be clear about the impact of SIEM-enhanced security visibility

Be prepared for dealing with issues and events that you might have been missing without SIEM.

1. Pre-SIEM: Information risks and associated security management costs increase over time as new threats appear.
2. Immediately Post-SIEM: Increased visibility into extant threats results in increased cost of managing those threats; ignorance can no longer justify inaction. Per event/incident costs will decline through earlier detection opportunities and investigation efficiencies provided by the SIEM tool. Since those threats always existed, and are now being acted upon, overall risk begins to decline. As SIEM-based efficiencies are realized, the cost of managing visible threats returns to baseline levels.
3. Long-Term Post-SIEM: Both risk and security costs can be driven down further through feedback from SIEM into technical and procedural controls.

[Figure: SIEM's Impact on Risk and Cost Over Time]

SIEM may make life harder before it makes it easier; if you can't handle the bump, don't invest in SIEM

Improving organizational security stance is not an overnight process; SIEM will help but things will get worse before they get better.

1. When first deployed, a SIEM solution will expose the enterprise to all the risk it was missing but that was there anyway. In today's regulated world, if you're not prepared to address that increased risk, you'd best just leave your head in the sand.
2. As visibility into risk increases, security spend will by necessity increase as new tools or time need to be expended to combat identified risks. Most enterprises don't have unlimited security budgets, so spending initially trails threat exposure.
3. As the most serious threats are addressed, risk tapers off fairly quickly. At this point perceived risk and actual risk are being reduced, though levels are likely to be higher than what was perceived for some time.

In time, and with concentrated effort, SIEM can allow the enterprise to drive risk and spend to lower levels than were previously experienced. As a side benefit, while risk is being addressed, SIEM is also providing compliance reporting benefits that help in other ways.

Spend remains higher for longer as solution deployments must be rationalized and staffing levels finalized.

Spend begins to go down when the costs associated with breaches and other threats are eliminated.

Evaluate SIEM Vendors

What's in this Section:
- Info-Tech's Vendor Landscape for ten SIEM vendors
- Shortlisting SIEM vendors through scenario analysis
- Developing and executing a SIEM RFP

Sections:
- Understand SIEM Trends and Considerations
- Evaluate SIEM Vendors
- Develop Your SIEM Implementation Strategy
- Appendices

SIEM Market Overview

How it got here
Security Information & Event Management grew from the conjoining of two separate tools: Security Event Management and Security Information Management (which itself grew out of simpler Log Management). Indeed, some vendors still offer separate SEM and SIM products under the SIEM banner.

The space was founded just prior to the 2000s but has failed to catch on in any significant way; even the leading vendors claim less than 2,000 clients each.

SIEM solutions have typically focused on the largest of enterprises, but recently vendors have begun producing simplified, streamlined all-in-one solutions aimed at the SMB space.

Where it's going
Two factors combine to drive the awareness and adoption of SIEM: the first is the push into the SMB space that began a few years ago, while the second is the increasing amount of regulatory and industry compliance and its comprehensive auditing demands.

Though the space is mostly populated by smaller dedicated players, some larger players are already marketing SIEM solutions. The recent acquisition of market-leader ArcSight by HP is a possible precursor of greater consolidation to come.

As security and compliance concerns grow with each new regulation, each failed audit, and each publicized security breach, SIEM will finally begin to draw broader attention in the coming year.

As the market evolves, so do the features you need to evaluate. Pay close attention to improving collection, aggregation, and correlation capabilities and the adoption of truly open standards for event data records.

SIEM Vendor Landscape inclusion criteria: Market share, mind share, and market consolidation

Though over ten years old now, in many ways the SIEM space is still nascent with numerous players, many of them small and independent. However, the landscape may be shifting as evidenced by the recent acquisition of market-leader ArcSight by HP and the merging of NetIQ and Novell product lines.

For this Vendor Landscape, Info-Tech focused on those vendors that have a strong market presence and/or reputational presence among small to mid-sized enterprises.

Included in the Vendor Landscape:
- ArcSight. The market leader with enterprise-focused ESM, pushing into SMB with Express.
- IBM. SIEM marketed under the Tivoli umbrella; a single line focused more at the enterprise than SMB.
- LogLogic. A dedicated SIEM provider with a modular platform that offers flexibility to all enterprises.
- netForensics. One of the pioneers of SIEM; separate products focused at the enterprise and SMB.
- NitroSecurity. The most recent entrant to the SIEM market (2007) but a company definitely on the rise.
- Q1 Labs. The largest independent player remaining; QRadar anchors a capable suite of SIEM tools.
- RSA. Second in market share, its enVision products target both the large (LS line) and SMB (ES line) clients.
- SenSage. One of the smaller vendors in this evaluation and one still primarily focused on the large enterprise.
- Symantec. The world's largest security vendor markets a single platform to all clients equally.
- TriGeo. The only player dedicated to the SMB space; may single-handedly have created this end of the market.

SIEM Criteria & Weighting Factors

Product Evaluation (Product: 50%)
- Features (30%): The solution provides basic and advanced feature/functionality.
- Affordability (20%): The five-year TCO of the solution is economical.
- Usability (30%): The solution's dashboard and reporting tools are intuitive and easy to use.
- Architecture (20%): The delivery method of the solution aligns with what is expected within the space.

Vendor Evaluation (Vendor: 50%)
- Viability (25%): Vendor is profitable, knowledgeable, and will be around for the long-term.
- Strategy (30%): Vendor is committed to the space and has a future product and portfolio roadmap.
- Reach (30%): Vendor offers global coverage and is able to sell and provide post-sales support.
- Channel (15%): Vendor channel strategy is appropriate and the channels themselves are strong.

The Info-Tech SIEM Vendor Landscape

- Champions receive high scores for most evaluation criteria and offer excellent value. They have a strong market presence and are usually the trend setters for the industry.
- Market Pillars are established players with very strong vendor credentials, but with more average product scores.
- Innovators have demonstrated innovative product strengths that act as their competitive advantage in appealing to niche segments of the market.
- Emerging players are newer vendors who are starting to gain a foothold in the marketplace. They balance product and vendor attributes, though score lower relative to market Champions.

[Chart: vendors plotted on the landscape: NitroSecurity, netForensics, LogLogic, Q1 Labs, SenSage, Symantec, RSA, ArcSight, TriGeo, IBM]

For a complete description of Info-Tech's Vendor Landscape methodology, see the Appendix.

Balance individual strengths to find the best fit

[Table: Harvey Ball ratings for ArcSight, IBM, LogLogic, netForensics, NitroSecurity, Q1 Labs, RSA, SenSage, Symantec, and TriGeo. Product columns: Overall, Features, Usability, Price, Platform. Vendor columns: Overall, Viability, Strategy, Reach, Channel.]

For an explanation of how Info-Tech Harvey Balls are calculated, please see the appendix.

The Info-Tech SIEM Value Index

What is a Value Score?
The Value Score indexes each vendor's product offering and business strength relative to their price point. It does not indicate vendor ranking. Vendors that score high offer more bang for the buck (e.g. features, usability, stability, etc.) than the average vendor, while the inverse is true for those that score lower.

Champion
On a relative basis, Symantec maintained the highest Info-Tech Value Score™ of the vendor group. Vendors were indexed against Symantec's performance to provide a complete, relative view of their product offerings.

Price-conscious enterprises may wish to give the Value Score more consideration than those who are more focused on specific vendor/product attributes.

Sources: To calculate the Value Score for each vendor, the affordability raw score was backed out, the product scoring reweighted, and the affordability score multiplied by the product of the Vendor and Product scores.

Table Stakes represent the minimum standard; without these a product doesn't even get reviewed

The Table Stakes

Feature: Description
- Basic Collection / Aggregation / Normalization (CAN): Collection from firewall logs, IDS logs, Windows server logs, web server logs, and syslogs.
- Basic Correlation: Canned correlation policies for CAN data that act in near-real time.
- Basic Alerting: Logging for all correlated events and alerting via pager/ /text for those that exceed a given threshold.
- Basic Reporting: Availability of canned reports that can be run on a scheduled and ad hoc basis.

What Does This Mean?
The products assessed in this Vendor Landscape™ meet, at the very least, the requirements outlined as Table Stakes. Many of the vendors go above and beyond the outlined Table Stakes; some even do so in multiple categories. This section aims to highlight the products' capabilities in excess of the criteria listed here.

If Table Stakes are all you need from your SIEM solution, the only true differentiator for the organization is price. Otherwise, dig deeper to find the best price and value for your needs.

Advanced Features are the market differentiators that make or break a product

Scoring Methodology
Info-Tech scored each vendor's feature offering as a summation of its individual score across the listed advanced features. Vendors were given 1 point for each feature the product inherently provided. Some categories were scored on a more granular scale with vendors receiving half points (see Partial functionality criteria).

Advanced Features

Feature: What We Looked For
- Log Data Enrichment: Advanced CAN from Net Flow, Identity, Database, Application, Configuration, and File Integrity data sources
- Advanced Correlation: Advanced canned policies, user-defined policies, and adaptive/heuristic policies
- Advanced Alerting: Programmable/customizable alerting responses and workflow injection
- Advanced Reporting: Flexible dashboards, custom reporting capabilities, and ability to export to external reporting infrastructure
- Forensic Analysis Support: Ability to generate custom data queries with flexible drill-down capabilities
- Data Management - Security: Access controls to SIEM system and SIEM data, encryption of SIEM data (in storage and transmission)
- Data Management - Retention: Notable storage capacity, data compression, and inherent hierarchical storage management

Each vendor offers a different feature set; concentrate on what your organization needs

[Table: advanced feature ratings (Log Data, Correlation, Alerting, Reporting, Forensics, Security, Retention) for ArcSight, IBM, LogLogic, netForensics, NitroSecurity, Q1 Labs, RSA, SenSage, Symantec, and TriGeo]

Symantec delivers a solid product with an attractive price

Champion

Product: Security Information Manager
Employees: 17,500
Headquarters: Mountain View, CA
Website: Symantec.com
Founded: 1982
Presence: NASDAQ: SYMC; FY10 Revenue: $6B

Overview
In contrast to most players in the space, Symantec positions its SIEM solution as a security tool first, and compliance tool second; its integration into other product lines backs this up and makes it a good choice for the security conscious.

Strengths
- Symantec offers the broadest base of deployment types (software, hardware, virtual hardware, and managed service offerings), allowing every enterprise to find a fit.
- Security Information Manager is integrated into Symantec's Global Intelligence Network, meaning system configuration can be adjusted based on more than just local event data.

Challenges
- In many ways a "jack of all trades, master of none" solution, Symantec hits with partial marks for almost all Info-Tech identified advanced features, but full marks in hardly any.
- SIEM gets little exposure within Symantec's ever-expanding product portfolio; a flip-flopping on appliance-based delivery model may indicate lack of understanding of market needs.

Priced between $250,000 and $500,000

Info-Tech Recommends: A solid product at an attractive price from a company with a clear commitment to the security space; these factors make Security Information Manager a good choice for organizations with generic SIEM needs.

QRadar: a complete product from a vendor dedicated to SIEM

Champion

Product: QRadar SIEM
Employees: 250
Headquarters: Waltham, MA
Website: Q1Labs.com
Founded: 2001
Presence: Privately Held

Overview
Q1 Labs is the largest independent player in the SIEM space and supplements its SIEM play with a broad suite of products to allow for comprehensive security management.

Strengths
- The broadest and most comprehensive set of reporting capabilities of any product in this test; its capability is so broad, integration to third-party reporting solutions is unnecessary.
- Cleanly integrated set of hierarchical products allows enterprises to grow their security management capabilities in an additive, not rip-and-replace manner.

Challenges
- As the biggest independent, and a company experiencing tremendous growth, Q1 Labs may be a target for acquisition as compliance mandates increase the demand for SIEM.

Priced between $250,000 and $500,000

Info-Tech Recommends: Whether simple log management with the ability to grow into fully featured SIEM, or a broad-based solution that includes pre-exploit management, Q1 Labs has a solution for every need.

SenSage turns security data into business intelligence

Champion

Product: Event Data Warehouse
Employees:
Headquarters: Redwood City, CA
Website: SenSage.com
Founded: 2000
Presence: Privately Held

Overview
SenSage grew out of traditional log management and is staking its future on Open Security Intelligence, the extension of SIEM into a business-focused decision support system.

Strengths
- Extremely broad correlation capabilities, coupled with Alert Player that allows admins to replay scenario-based events, means SenSage offers BI-like capability for security data.
- SenSage, despite its size, has built a strong network of high-profile channel partners and backs them with a solid support organization.

Challenges
- With a client base in the mid-hundreds, SenSage is one of the smaller players in this evaluation in terms of overall market share; increasing its client count is imperative.

Priced between $250,000 and $500,000

Info-Tech Recommends: Organizations looking to go deeper with their security event data may well find SenSage ideal, but must be prepared to take the risk of dealing with one of the smallest vendors in the space.

NitroSecurity ESM: top performance, second-lowest price

Innovator

Product: NitroView ESM
Employees: Over 100
Headquarters: Portsmouth, NH
Website: NitroSecurity.com
Founded: 1999
Presence: Privately Held

Overview
NitroSecurity bases all of its security technology solutions on its background in massive-scale data management, meaning its solutions correlate broadly, operate quickly, and report efficiently.

Strengths
- One of the most feature-rich solutions in this roundup, and one of only two solutions to offer truly comprehensive and forward-looking correlation capabilities.
- Nitro falls between the pure-play SIEM providers and the broader security vendors, meaning it has good focus on the space, but isn't solely reliant on SIEM sales for its revenue.

Challenges
- Nitro has expanded its product portfolio to include virtual appliances, but these are currently scaled only at smaller enterprises and remote sites; increasing performance will improve applicability.

Priced between $100,000 and $250,000

Info-Tech Recommends: With its correlation and forensic analysis capabilities, NitroView ESM can be invaluable to a security manager, though internal auditors may find its lack of external reporting integration a little limiting.

LogLogic: modular platform is powerful, but complex

Innovator

Product: LX, ST, SEM appliances
Employees: Not available
Headquarters: San Jose, CA
Website: LogLogic.com
Founded: 2002
Presence: Privately Held

Overview
LogLogic approaches the SIEM space with a clear focus on compliance first and foremost, using its Get-See-Use philosophy to improve not just compliance, but also security and even operational performance.

Strengths
- The most feature-rich solution in the round-up and the only one to fully address system configuration data as an input source. Coupled with the cleanest interface, this is the solution that delivers the most SIEM capability.

Challenges
- LogLogic is one of the smaller vendors in this review and is focused on the enterprise space with 70% of its business coming from enterprises with more than $1B in revenues; continued growth may be a challenge without more midmarket focus as the large enterprise market niche saturates.
- Architecturally complex, leading to a higher than average price.

Priced between $250,000 and $500,000

Info-Tech Recommends: A well integrated line of capable products, but LogLogic's clear focus on the enterprise market may limit its appeal to smaller businesses, and the appeal of those businesses to LogLogic.

ArcSight Express brings the power of ESM to the SMB

Market Pillar

Product: Express
Employees: 324,600 (HP as a whole)
Headquarters: Palo Alto, CA
Website: ArcSight.com
Founded: 2000
Presence: NASDAQ: HPQ; FY09 Revenue: $126B

Overview
Recently acquired by HP to become the most valuable asset in that company's focused security strategy, ArcSight is the largest player in the SIEM space and has recently expanded its portfolio to be more applicable to the mid-market.

Strengths
- An architecturally sound solution allowing for widely varying deployment models; the ability to mix and match Collectors and Loggers with a core Express device offers great flexibility.
- Offers the ability to tightly correlate security events to users via IdentityView, an add-on capability that monitors user activity across all accounts, applications, and systems.

Challenges
- ArcSight has trimmed its impressive enterprise-focused ESM solution to build Express but may have left out some differentiating capabilities.
- HP and ArcSight representatives are all saying the right things in regards to the recent acquisition, but only time will tell if the union will represent a win for existing and future clients.

Priced between $250,000 and $500,000

Info-Tech Recommends: Express represents a well-rounded solution but one that is less exceptional than its flagship ESM; feature reduction combined with one of the highest prices limits overall appeal.

enVision integration with DLP and GRC a boon to RSA shops

Market Pillar

Product: enVision
Employees: 40,000+ (EMC as a whole)
Headquarters: Bedford, MA
Website: RSA.com
Founded: 1982
Presence: NYSE: EMC; FY10 Revenue: $17B

Overview
RSA, the security division of EMC, plots a careful course with its SIEM solution enVision, delivering just enough capability to meet market needs without pushing the envelope to drive the future of the space.

Strengths
- Very broad-based collection/aggregation/normalization capabilities, coupled with strong reporting, gives good coverage for both the security and compliance conscious.
- RSA has taken a holistic view of security management and the integration of three security management platforms (SIEM, DLP, eGRC) is visionary.

Challenges
- enVision is solid but unspectacular in the areas of correlation and alerting when compared with its peers; in a fast-moving market, these shortcomings need to be addressed.
- While the ES line can be cost effective, the LS line (evaluated here) is the most expensive solution in the roundup.

Priced between $250,000 and $500,000

Info-Tech Recommends: The integration of enVision with RSA's DLP and eGRC solutions underlines the company's efforts to become the security management provider; current RSA clients will benefit from those synergies.

30 Weak correlation capabilities limit the value of Tivoli SIEM
Market Pillar
Product: Tivoli SIEM. Employees: 400,000. Headquarters: Armonk, NY. Website: IBM.com. Founded: 1911. Presence: NYSE: IBM; FY10 Revenue: $95.8B.
Priced between $250,000 and $500,000.
Overview: IBM is a truly global player in almost every aspect of Information Technology. Its security management solutions sit under its Tivoli systems management umbrella.
Strengths: Tivoli SIEM is managed through the common Tivoli admin interface; those familiar with the Tivoli suite will find the learning curve remarkably flat. Tivoli SIEM is IBM's integrated solution for basic SIM, SEM, and log management; advanced SEM/SOC functionality is available in Tivoli Security Operations Manager (TSOM).
Challenges: Correlation capabilities in Tivoli SIEM are so minimal that it is almost a stretch to label them as such; events from different sources cannot be linked to create analysis patterns.
Info-Tech Recommends: Lack of feature-functionality and limited architectural deployment models make it difficult to recommend Tivoli SIEM; TSOM may meet broader needs, but was not reviewed by Info-Tech.

31 netForensics offers dual solutions which may split focus
Emerging Player
Product: nFX Cinxi One. Employees: Not available. Headquarters: Edison, NJ. Website: netforensics.com. Founded: 1999. Presence: Privately Held.
Priced between $100,000 and $250,000.
Overview: netForensics is one of the pioneers of the SIEM space, having first come on the scene in Since then a significant number of players have entered the market, and many have surpassed netForensics in capability and market share.
Strengths: netForensics is exclusively focused on the SIEM space, a position it reinforced by acquiring High Tower Software and with it the Cinxi (later Cinxi One) product line.
Challenges: The primary target of its solutions is the Managed Service Provider via the nFX SIM One solution. Though it offers a mid-market solution (Cinxi One), its clear focus on the highest end of the market likely limits its applicability to mid-sized businesses.
Info-Tech Recommends: netForensics declined to brief for this review and available product details are limited, so a detailed recommendation cannot be made at this time.

32 TriGeo is the only provider solely focused on SMB clients
Emerging Player
Product: Security Information Manager. Employees: Not available. Headquarters: Post Falls, ID. Website: TriGeo.com. Founded: 2001. Presence: Privately Held.
Overview: TriGeo is the only SIEM solution provider targeting the mid-market specifically; its turn-key appliance-based approach has defined mid-market SIEM and led most other players to release competitive solutions.
Strengths: TriGeo SIEM is the only product truly built for the mid-market; this is not some enterprise-grade solution that has been trimmed of capability and shoe-horned into a smaller box. It may not offer the same complexity as many competing solutions, but it offers unmatched efficiency and ease of operations.
Challenges: SIEM, though clearly of value to the mid-market, has traditionally been an enterprise play, and the lack of products for that space has limited TriGeo's size and reach.
*TriGeo's rankings were affected by its inability to provide Info-Tech with pricing for the SIEM solution.
Info-Tech Recommends: TriGeo declined to brief for this review and available product details are limited, so a detailed recommendation cannot be made at this time.

33 Streamline monitoring, alerting, and incident response processes to minimize the cost of individual security events
Security Event Management relies on strong correlation and deep forensic analysis.
[Figure: vendors grouped as Exemplary Performers, Viable Performers, and Adequate Performers. Scenario tabs: 1 Management of Security Events; 2 Reduction of Compliance Complexity; 3 Enhancement of Overall Risk Management.]

34 Reduce the cost of demonstrating regulatory and policy compliance by simplifying reporting and log review functions
Compliance capabilities are defined by broad and deep reporting.
[Figure: vendors grouped as Exemplary Performers, Viable Performers, and Adequate Performers. Scenario tabs: 1 Management of Security Events; 2 Reduction of Compliance Complexity; 3 Enhancement of Overall Risk Management.]

35 Ensure the reduction of enterprise risk by bringing broad-based collection, aggregation, and response abilities to bear
The broadest possible feature-functionality is required for true Risk Reduction.
[Figure: vendors grouped as Exemplary Performers, Viable Performers, and Adequate Performers. Scenario tabs: 1 Management of Security Events; 2 Reduction of Compliance Complexity; 3 Enhancement of Overall Risk Management.]

36 Identify leading candidates with the SIEM Vendor Shortlist Tool
Info-Tech's Security Information & Event Management Vendor Shortlist Tool is designed to generate a customized shortlist of vendors based on your key priorities. This tool offers the ability to modify:
Overall Vendor vs. Product Weightings: top-level weighting of product vs. vendor criteria.
Individual product criteria weightings: Features, Usability, Affordability, Architecture.
Individual vendor criteria weightings: Viability, Strategy, Reach, Channel.

37 Issue an RFP to ensure that SIEM vendors fit your needs, and not the other way around
Use Info-Tech's Security Information & Event Management RFP Template to conduct this critical step in your vendor selection process.
Info-Tech's SIEM RFP Template is populated with critical elements, including: The Statement of Work; Proposal Preparation Instructions; Scope of Work; Functional Requirements; Technical Specifications; Operations & Support; Sizing & Implementation; Vendor Qualifications & References; Budget & Estimated Pricing; Vendor Certification.

38 To get the most value out of the RFP process, use the SIEM RFP Scoring Tool
A standard & transparent process for scoring individual vendor RFP responses will help ensure that internal team biases are minimized. Use Info-Tech's SIEM RFP Scoring Tool to:
Evaluate RFP Responses: The Security Information & Event Management RFP Scoring Tool is pre-built with essential criteria complementing the SIEM RFP Template from the previous slide.
Accelerate Procurement: Use the tool to drive the meeting with your procurement department.

39 Take charge of vendor finalist demonstrations with a Vendor Demonstration Script
An onsite product demonstration will help enterprise decision-makers better understand the capabilities and constraints of various solutions. This tool is designed to provide vendors with a consistent set of instructions for demonstrating key scenarios for the SIEM implementation.
The Security Information & Event Management Vendor Demo Script covers:
Standard and advanced log source and log management/retention configurations.
Canned and custom event correlation and alerting capabilities.
Canned and custom reporting functionality.
Forensic log analysis and incident management tools.
Custom dashboard and granular system access features.

40 Develop Your SIEM Implementation Strategy
What's in this Section: SIEM implementation architectures; Assessing the total cost of SIEM; Moving forward with your SIEM implementation.
Sections: Understand SIEM Trends and Considerations; Evaluate SIEM Vendors; Develop Your SIEM Implementation Strategy; Appendices.

41 Getting to a SIEM implementation strategy
Get a handle on overall costs, understand the resource implications, and develop a plan to realize immediate and long-term benefits of SIEM.
Hard implementation costs: Design and size a SIEM solution that meets operational requirements. Include the costs of additional hardware components.
Soft implementation costs: Identify and track the resources consumed in system implementation and training.
Ongoing staffing costs: Understand the immediate and ongoing impact on existing compliance and security management staffing.
Getting approval and moving ahead: Stay attuned to the tone from the top, and grow use of the SIEM tool methodically.

42 Consider the available SIEM hardware platform options
SIEM is not a toaster, but SIEM appliance models have undeniable merits.
Platform: Hardware Appliance. Pros: Simplified management maximizes focus on SIEM operations. Simplified support: no vendor concerns about underlying hardware. Cons: Dedicated onboard storage is unavailable for other uses. Scalability limited by appliance capabilities.
Platform: Virtual Appliance. Pros: Leverages existing server virtualization and shared storage (SAN) investments. Scalability and resiliency limited only by those environments. Cons: High-performance requirements consume virtual server resources. Requires additional virtual server management.
Platform: Software-only Solutions. Pros: Allows wider choice of hardware. Cons: Requires dedicated server hardware and ongoing server management. Elevates risk of HW vs. SW finger-pointing during support calls.
Regardless of the platform selection, don't forget to plan for log data backup to meet regulatory and internal policy requirements.

43 Identify constraints for your SIEM architecture
Consider performance, capacity, and regulatory inputs in your design process.
SIEM vendors offer a variety of centralized and distributed deployment options; sometimes the best design is a mix of both.
Centralized components typically include log collectors, event correlation engines, and functions including alerting, reporting, and incident management tools. Whether all in one or separate but adjacent devices, deploying these components centrally reduces the management burden for SIEM.
Distributed designs may include single-purpose collectors and combination collector/correlation devices, which can support:
Regulatory requirements (e.g. EU Safe Harbour) that restrict offshore movement of private/sensitive data.
Performance and scalability needs, by aggregating data from log sources at remote sites and offloading event correlation processing.
Info-Tech Insight: Cloud-based SIEM solutions (aka SIEMaaS) are emerging, but remain scarce. Regulatory restrictions may limit the applicability of such services. In contrast, managed security service provider (MSSP) solutions, in which a third party maintains and monitors a SIEM system housed on customer premises, offer greater promise today: customer control over sensitive data, and shared access to 24x7 monitoring at a fraction of the cost.

44 Optimize the SIEM solution design
Understand your current IT environment in order to size the SIEM solution properly and minimize WAN impact.
SIEM deployments are sized based on two key factors: logging rate and storage capacity.
Logging rates, or the number of log records that the system can process, are measured in events or messages per second (eps or MPS):
Collectors must be sized to handle the peak number of events per second, or risk losing critical log records.
Peak eps requirements for a SIEM solution are determined by summing the peak logging rates of all source devices. Though it is unlikely that all devices will hit peak rates simultaneously, this provides the capacity to handle elevated logging demands from extraordinary events such as denial of service attacks and malware outbreaks.
Storage capacity requirements depend on logging rates, but with a twist:
All SIEM solutions perform some level of log file compression, typically a 20- to 40-fold reduction in log file sizes.
Total storage capacity requirements can be calculated by summing the average daily log file size of each source device, multiplying by the required retention period, and dividing by the SIEM compression rate.
Some SIEM solutions allow retention periods to be defined by device (or group of devices), while others establish a single, default retention period.
Info-Tech Insight: For multi-site deployments, look to distributed components to optimize SIEM and network performance. Distributed log collectors spread the peak eps load across multiple devices, and compress log data before forwarding on to a central collector, saving considerably on WAN traffic.
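The sizing rules on this slide, worked through as an added example that is not part of the Info-Tech report. The device inventory, the collector capacities, and the assumption that distributed collectors compress at the same ratio as central storage are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

GB = 10 ** 9  # decimal gigabyte, in bytes


@dataclass(frozen=True)
class LogSource:
    name: str
    site: str
    peak_eps: int          # peak events per second the device can emit
    avg_daily_bytes: int   # average raw (uncompressed) log volume per day
    retention_days: int    # retention required for this device's logs


# Constructed inventory (hypothetical devices and volumes, not from the report).
SOURCES = [
    LogSource("hq-firewalls", "hq", 2000, 40 * GB, 90),
    LogSource("hq-domain-controllers", "hq", 1200, 20 * GB, 365),
    LogSource("hq-oracle-db", "hq", 600, 10 * GB, 365),
    LogSource("eu-firewalls", "eu", 800, 12 * GB, 90),
    LogSource("eu-servers", "eu", 300, 4 * GB, 180),
    LogSource("branch-router", "branch", 100, 2 * GB, 90),
]


def peak_eps_by_site(sources):
    """Sum device peak rates per site: each collector is sized for that sum."""
    totals = defaultdict(int)
    for src in sources:
        totals[src.site] += src.peak_eps
    return dict(totals)


def undersized_collectors(sources, capacity_eps):
    """Return (site, required_eps, capacity_eps) where peak load exceeds capacity.

    A site with sources but no entry in capacity_eps is reported with capacity 0.
    """
    required = peak_eps_by_site(sources)
    return sorted(
        (site, need, capacity_eps.get(site, 0))
        for site, need in required.items()
        if need > capacity_eps.get(site, 0)
    )


def storage_bytes(sources, compression_ratio, per_device_retention=True):
    """Daily volume x retention / compression, as described on the slide.

    With per_device_retention=False the product supports only one retention
    period, so every source must be kept for the longest period any source needs.
    """
    if compression_ratio <= 0:
        raise ValueError("compression_ratio must be positive")
    if not sources:
        return 0.0
    if per_device_retention:
        raw = sum(s.avg_daily_bytes * s.retention_days for s in sources)
    else:
        longest = max(s.retention_days for s in sources)
        raw = sum(s.avg_daily_bytes for s in sources) * longest
    return raw / compression_ratio


def storage_range(sources, low_ratio=20, high_ratio=40, per_device_retention=True):
    """(worst case, best case) storage across the 20- to 40-fold range."""
    return (
        storage_bytes(sources, low_ratio, per_device_retention),
        storage_bytes(sources, high_ratio, per_device_retention),
    )


def wan_bytes_per_day(sources, central_site, collector_ratio=None):
    """Daily volume forwarded from remote sites to the central site.

    collector_ratio=None models forwarding raw logs; a number models a
    distributed collector compressing before it forwards (assumed ratio).
    """
    remote = sum(s.avg_daily_bytes for s in sources if s.site != central_site)
    return remote / collector_ratio if collector_ratio else float(remote)


if __name__ == "__main__":
    print("peak eps per site:", peak_eps_by_site(SOURCES))
    print("undersized:", undersized_collectors(
        SOURCES, {"hq": 5000, "eu": 1000, "branch": 500}))
    for label, per_device in (("per-device", True), ("single default", False)):
        worst, best = storage_range(SOURCES, per_device_retention=per_device)
        print(f"{label} retention: {best / GB:.1f} to {worst / GB:.1f} GB")
    print("WAN raw GB/day:", wan_bytes_per_day(SOURCES, "hq") / GB)
    print("WAN compressed GB/day:", wan_bytes_per_day(SOURCES, "hq", 20) / GB)
```

In this constructed inventory, a product limited to a single default retention period needs roughly twice the storage of one that sets retention per device, because the 365-day requirement of two sources is applied to all six.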

45 Account for implementation resource costs
Success with SIEM involves more than just the Security team. Make sure all the right parties are engaged up front.
Project Team Composition
Security, network, and system administrators all have substantial involvement: identifying and configuring log data sources; defining event severity levels, monitoring, alerting & escalation processes, and reporting formats & schedules.
Internal auditors and other compliance personnel also play a key role: designing dashboards and reports to simplify compliance management efforts; specifying elevated requirements for regulated systems, architectural or procedural.
Training Considerations
Training is critical for project team members and the groups they represent. System training is necessary for all those who use SIEM directly (e.g. security operators, compliance auditors); process training is appropriate for those who only use SIEM outputs.

46 Understand the ongoing staffing impact
Examine compliance management savings and increased monitoring costs. The rest is just noise.
For incident response staff and supporting system administrators, SIEM is a double-edged sword: Increased response efficiencies are countered by increased event visibility, until and unless SIEM-driven improvements are made to key security and system controls.
Organizations facing regular and/or diverse regulatory requirements can reduce the associated reporting burden substantially: Required reports can be generated automatically and consistently across multiple systems, without burdening the system admins. Where needed, internal SIEM activity can be reported on to demonstrate compliance with log review requirements.
Real-time event monitoring can be a huge cost driver for SIEM: For organizations lacking a dedicated Security Operations Center, adding a dedicated 24x7 monitoring capability could equate to 5 FTEs. Consider adding a "best effort" event monitoring responsibility to existing security staff; a 10-20% rise in staffing levels could enable much better incident response outcomes.
Info-Tech Insight: SIEM monitoring through an MSSP can provide cost-effective alternatives for real-time event monitoring. MicroAge, an IT services firm, opted for an MSSP to provide on-premise SIEM equipment and remote monitoring services. For a monthly fee, MicroAge avoided the capital cost of a SIEM solution supporting 120 log sources. In the same monthly fee, MicroAge receives 24x7 real-time event monitoring, with serious events escalated to internal IT staff, at a small fraction of the cost of staffing such a capability internally.
"You get an alarm system for your network, but you don't get the cops to go with it." - Perry Kuhnen, IT Manager, MicroAge (about SIEM without real-time monitoring)

47 Factor decision-makers' concerns into the SIEM proposal
Perspective matters: position initial SIEM plans based on what's most important to leadership, and focus on relevant cost reduction opportunities.
Where leadership has a strong focus on information risk management, pitching event-focused SIEM is easier: Even without 24x7 monitoring, event-focused SIEM enables risk reduction simply through enhanced visibility. Reducing incident-related costs can offset SIEM investments.
Where that strong risk focus is missing, compliance-focused SIEM may be the more effective route to approval: Reducing the costs of demonstrating compliance can offset SIEM investments. Leverage enhanced visibility to elevate information risk to a leadership level, and evolve SIEM toward a greater focus on event and risk management.

48 Start modestly, but keep the final objective in mind
Don't try to execute the whole SIEM vision at once. Learn from early stages, and build capabilities & benefits incrementally.
Embarking on a SIEM initiative requires a serious investment of time and money. Implementation can be phased in two distinct, but complementary, ways.
Phased by SIEM function: Start with a compliance management focus, but explore the benefits of enhanced event visibility, or start with an event management focus, but take advantage of compliance reporting for internal purposes. Once both are implemented, look at continuous risk management opportunities; demonstrated benefits from past experiences might even outweigh the cost of adding 24x7 monitoring.
Phased by source system: Start with the most critical systems (key applications, core infrastructure, regulated environments). Expand to other log data sources as the benefits of SIEM are demonstrated for those key assets.
Mix and match these approaches to minimize initial costs, maximize the benefits delivered, and build additional support for broader SIEM deployments: Later stages may not deliver the same magnitude of benefits, but they involve lower equipment and configuration costs, as they leverage initial investments made in earlier stages.

49 Appendices
What's in this Section: Vendor Landscape methodology; SIEM survey demographics.
Sections: Understand SIEM Trends and Considerations; Evaluate SIEM Vendors; Develop Your SIEM Implementation Strategy; Appendices.

50 Vendor Evaluation Methodology
Info-Tech Research Group's Vendor Landscape market evaluations are a part of a larger program of vendor evaluations which includes Solution Sets that provide both Vendor Landscapes and broader Selection Advice.
From the domain experience of our analysts, as well as through consultation with our clients, a vendor/product shortlist is established. Product briefings are requested from each of these vendors, asking for information on the company, products, technology, customers, partners, sales models, and pricing.
Our analysts then score each vendor and product across a variety of categories, on a scale of 0-10 points. The raw scores for each vendor are then normalized to the other vendors' scores to provide a sufficient degree of separation for a meaningful comparison. These scores are then weighted according to weighting factors that our analysts believe represent the weight that an average client should apply to each criterion. The weighted scores are then averaged for each of two high-level categories: vendor score and product score. A plot of these two resulting scores is generated to place vendors in one of four categories: Champion, Innovator, Market Pillar, and Emerging Player.
For a more granular category-by-category comparison, analysts convert the individual scores (absolute, non-normalized) for each vendor/product in each evaluated category to a scale of zero to four, whereby exceptional performance receives a score of four and poor performance receives a score of zero. These scores are represented with Harvey Balls, ranging from an open circle for a score of zero to a filled-in circle for a score of four. Harvey Ball scores are indicative of absolute performance by category but are not an exact correlation to overall performance.
Individual scorecards are then sent to the vendors for factual review, and to ensure no information is under embargo. We will make corrections where factual errors exist (e.g. pricing, features, technical specifications). We will consider suggestions concerning benefits, functional quality, value, etc.; however, these suggestions must be validated by feedback from our customers. We do not accept changes that are not corroborated by actual client experience or wording changes that are purely part of a vendor's market messaging or positioning.
Any resulting changes to final scores are then made as needed, before publishing the results to Info-Tech clients. Vendor Landscapes are refreshed every 12 to 24 months, depending upon the dynamics of each individual market.

51 Value Index Ranking Methodology
Info-Tech Research Group's Value Index is part of a larger program of vendor evaluations which includes Solution Sets that provide both Vendor Landscapes and broader Selection Advice.
The Value Index is an indexed ranking of value per dollar as determined by the raw scores given to each vendor by analysts. To perform the calculation, Affordability is removed from the Product score and the entire Product category is reweighted to represent the same proportions. The Product and Vendor scores are then summed, and multiplied by the Affordability raw score to come up with the Value Score. Vendors are then indexed to the highest performing vendor by dividing their score into that of the highest scorer, resulting in an indexed ranking with a top score of 100 assigned to the leading vendor.
The Value Index calculation is then repeated on the raw score of each category against Affordability, creating a series of indexes for Features, Usability, Viability, Strategy and Support, with each being indexed against the highest score in that category. The results for each vendor are displayed in tandem with the average score in each category to provide an idea of over- and under-performance.
The Value Index, where applicable, is refreshed every 12 to 24 months, depending upon the dynamics of each individual market.

52 Product Pricing Scenario & Methodology
Info-Tech Research Group provided each vendor with a common pricing scenario to enable normalized scoring of Affordability, calculation of Value Index rankings, and identification of the appropriate solution pricing tier as displayed on each vendor scorecard.
Vendors were asked to provide list costs for SIEM appliances and/or SIEM software licensing to address the needs of a reference organization described in the pricing scenario. For non-appliance solutions (i.e. software-only and virtual appliance architectures), physical or virtual hardware requirements were requested in support of comparing as-installed costs.
Additional consulting, deployment, and training services were explicitly out of scope of the pricing request, as was the cost of enhanced support options, though vendors were encouraged to highlight any such items included with the base product acquisition.
The annual software/hardware maintenance rate was also requested, along with clarity on whether or not the first year of maintenance was included in the quoted appliance/software costs, allowing a three-year total acquisition cost to be calculated for each vendor's SIEM solution. This three-year total acquisition cost is the basis of the solution pricing tier indicated for each vendor.
Finally, the vendors' three-year total acquisition costs were normalized to produce the Affordability raw scores and calculate Value Index ratings for each solution.
Key elements of the common pricing scenario provided to SIEM vendors included:
A three-site organization with 2200 employees located at a US head office facility, a second US satellite office, and a European satellite office.
IT functions, including 3 dedicated IT security professionals, are located primarily at the US head office, with a small proportion of IT staff and systems located at the European site, which also acts as a DR facility.
The firm is interested in reducing the effort associated with monitoring, alerting, and responding to security events at the Endpoint, Network, and Data Center levels: The volume & complexity of ad hoc queries against logged and correlated event data is fairly small, driven primarily by incident response efforts and gaps in canned compliance reports.
The SIEM product would be used regularly by four IT staff across the US head office and European satellite site, with additional dashboard-/report-level access for another four users in compliance/audit and IT management/executive roles.
200 devices were identified as log data sources for a SIEM solution, including network components, security systems, and both physical and virtual servers.
Windows Domain, Oracle databases, MS Exchange and SharePoint, and BES and VOIP environments were explicitly identified in the scenario, and the peak logging volume was specified at 5000 events per second (eps).

53-58 SIEM Survey Demographics
[Charts not preserved in this transcription. Slide titles: Industry (54), Country (55), Revenue (56), FTEs (57), IT Employees (58).]


More information

Magic Quadrant for Security Information and Event Management

Magic Quadrant for Security Information and Event Management Magic Quadrant for Security Information and Event Management Gartner RAS Core Research Note G00212454, Mark Nicolett, Kelly M. Kavanagh, 12 May 2011, RA 1-2494611471 05132012 Broad adoption of SIEM technology

More information

Magic Quadrant for Security Information and Event Management

Magic Quadrant for Security Information and Event Management Magic Quadrant for Security Information and Event Management Gartner RAS Core Research Note G00212454, Mark Nicolett, Kelly M. Kavanagh, 12 May 2011, RV4A105172012 Broad adoption of SIEM technology is

More information

Vendor Landscape: Content and Email Archiving

Vendor Landscape: Content and Email Archiving Vendor Landscape: and Email Archiving Archiving is not just for email anymore., Inc. Is a global leader in providing IT research and advice. Info-Tech s products and services combine actionable insight

More information

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE PRODUCT BRIEF uugiven today s environment of sophisticated security threats, big data security intelligence solutions and regulatory compliance demands, the need for a log intelligence solution has become

More information

Vendor Landscape: Mid-Market ERP

Vendor Landscape: Mid-Market ERP Cloud ERP dominates this market., Inc. Is a global leader in providing IT research and advice. Info-Tech s products and services combine actionable insight and relevant advice with ready-to-use tools and

More information

Magic Quadrant for Security Information and Event Management

Magic Quadrant for Security Information and Event Management Magic Quadrant for Security Information and Event Management Gartner RAS Core Research Note G00176034, Mark Nicolett, Kelly M. Kavanagh, 13 May 2010, RA6 05132011 Broad adoption of SIEM technology is driven

More information

Demonstrating the ROI for SIEM: Tales from the Trenches

Demonstrating the ROI for SIEM: Tales from the Trenches Whitepaper Demonstrating the ROI for SIEM: Tales from the Trenches Research 018-101409-01 ArcSight, Inc. 5 Results Way, Cupertino, CA 95014, USA www.arcsight.com info@arcsight.com Corporate Headquarters:

More information

Vendor Landscape: Field Service Automation

Vendor Landscape: Field Service Automation Ensure proactive field service and collaboration in the age of extreme mobility., Inc. Is a global leader in providing IT research and advice. Info-Tech s products and services combine actionable insight

More information

Achieving Actionable Situational Awareness... McAfee ESM. Ad Quist, Sales Engineer NEEUR

Achieving Actionable Situational Awareness... McAfee ESM. Ad Quist, Sales Engineer NEEUR Achieving Actionable Situational Awareness... McAfee ESM Ad Quist, Sales Engineer NEEUR The Old SECURITY Model Is BROKEN 2 Advanced Targeted Attacks The Reality ADVANCED TARGETED ATTACKS COMPROMISE TO

More information

Select and Implement a Managed File Transfer Solution

Select and Implement a Managed File Transfer Solution 1234 Select and Implement a Managed File Transfer Solution Secure file transfers today and avoid worrying about tomorrow. Info-Tech Research Group, Inc. Is a global leader in providing IT research and

More information

IBM QRadar as a Service

IBM QRadar as a Service Government Efficiency through Innovative Reform IBM QRadar as a Service Service Definition Copyright IBM Corporation 2014 Table of Contents IBM Cloud Overview... 2 IBM/Sentinel PaaS... 2 QRadar... 2 Major

More information

Vendor Landscape: Enterprise Content Management for Process Workers

Vendor Landscape: Enterprise Content Management for Process Workers Vendor Landscape: Enterprise Content Management for Process Workers Stick to the process; identify key vendors for automating mission critical workflows. Introduction There is a wide range of capability

More information

Boosting enterprise security with integrated log management

Boosting enterprise security with integrated log management IBM Software Thought Leadership White Paper May 2013 Boosting enterprise security with integrated log management Reduce security risks and improve compliance across diverse IT environments 2 Boosting enterprise

More information

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA White Paper Achieving GLBA Compliance through Security Information Management White Paper / GLBA Contents Executive Summary... 1 Introduction: Brief Overview of GLBA... 1 The GLBA Challenge: Securing Financial

More information

Vendor Landscape: Mobile Device Management

Vendor Landscape: Mobile Device Management Vendor Landscape: Mobile Device Management Bring some order to mobile technology gone wild. Info-Tech Research Group 1 Introduction The mobile device management (MDM) market is changing as quickly as the

More information

Security Event and Log Management Service:

Security Event and Log Management Service: IBM Global Technology Services December 2007 Security Event and Log Management Service: Comprehensive, Cost-effective Approach to Enhance Network Security and Security Data Management Page 2 Contents 2

More information

How To Buy Nitro Security

How To Buy Nitro Security McAfee Acquires NitroSecurity McAfee announced that it has closed the acquisition of privately owned NitroSecurity. 1. Who is NitroSecurity? What do they do? NitroSecurity develops high-performance security

More information

DEMONSTRATING THE ROI FOR SIEM

DEMONSTRATING THE ROI FOR SIEM DEMONSTRATING THE ROI FOR SIEM Tales from the Trenches HP Enterprise Security Business Whitepaper Introduction Security professionals sometimes struggle to demonstrate the return on investment for new

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Introduction A decade or more ago, logs of events recorded by firewalls, intrusion detection systems and other network devices were

More information

The Benefits of an Integrated Approach to Security in the Cloud

The Benefits of an Integrated Approach to Security in the Cloud The Benefits of an Integrated Approach to Security in the Cloud Judith Hurwitz President and CEO Marcia Kaufman COO and Principal Analyst Daniel Kirsch Senior Analyst Sponsored by IBM Introduction The

More information

The SIEM Evaluator s Guide

The SIEM Evaluator s Guide Using SIEM for Compliance, Threat Management, & Incident Response Security information and event management (SIEM) tools are designed to collect, store, analyze, and report on log data for threat detection,

More information

nfx One for Managed Service Providers

nfx One for Managed Service Providers NFX FOR MSP SOLUTION GUIDE nfx One for Managed Service Providers With netforensics MSP suite of solutions, you can quickly and effectively ramp up customer security offerings and increase your bottom line

More information

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Introduction A decade or more ago, logs of events recorded by firewalls, intrusion detection systems and other network devices were

More information

IBM Security. 2013 IBM Corporation. 2013 IBM Corporation

IBM Security. 2013 IBM Corporation. 2013 IBM Corporation IBM Security Security Intelligence What is Security Intelligence? Security Intelligence --noun 1.the real-time collection, normalization and analytics of the data generated by users, applications and infrastructure

More information

Q1 Labs Corporate Overview

Q1 Labs Corporate Overview Q1 Labs Corporate Overview The Security Intelligence Leader Who we are: Innovative Security Intelligence software company One of the largest and most successful SIEM vendors Leader in Gartner 2011, 2010,

More information

2012 North American Managed Security Service Providers Growth Leadership Award

2012 North American Managed Security Service Providers Growth Leadership Award 2011 South African Data Centre Green Excellence Award in Technology Innovation Cybernest 2012 2012 North American Managed Security Service Providers Growth Leadership Award 2011 Frost & Sullivan 1 We Accelerate

More information

Ability to Execute. 1 von 22 15.06.2010 17:55. What You Need to Know

Ability to Execute. 1 von 22 15.06.2010 17:55. What You Need to Know 1 von 22 15.06.2010 17:55 13 May 2010 Mark Nicolett, Kelly M. Kavanagh Gartner RAS Core Research Note G00176034 Broad adoption of SIEM technology is driven by compliance and security needs. New use cases

More information

An Oracle White Paper October 2009. An Integrated Approach to Fighting Financial Crime: Leveraging Investments in AML and Fraud Solutions

An Oracle White Paper October 2009. An Integrated Approach to Fighting Financial Crime: Leveraging Investments in AML and Fraud Solutions An Oracle White Paper October 2009 An Integrated Approach to Fighting Financial Crime: Leveraging Investments in AML and Fraud Solutions Executive Overview Today s complex financial crime schemes pose

More information

Info-Tech Research Group

Info-Tech Research Group Vendor Landscape: Intrusion Detection and Prevention Systems Reduce risks to critical systems and data with IDPS-enabled visibility and responsiveness., Inc. Is a global leader in providing IT research

More information

How To Manage Security On A Networked Computer System

How To Manage Security On A Networked Computer System Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

Magic Quadrant for Security Information and Event Management

Magic Quadrant for Security Information and Event Management Magic Quadrant for Security Information and Event Management Gartner RAS Core Research Note G00167782, Mark Nicolett, Kelly M. Kavanagh, 29 May 2009, R3102 06182010 Broad adoption of SIEM technology is

More information

Log Management Solution for IT Big Data

Log Management Solution for IT Big Data Log Management Solution for IT Big Data 1 IT Big Data Solution A SCALABLE LOG INTELLIGENCE PLATFORM FOR SECURITY, COMPLIANCE, AND IT OPERATIONS More than 1,300 customers across a variety of industries

More information

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Seven Things To Consider When Evaluating Privileged Account Security Solutions Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?

More information

Vendor Landscape: Systems Management

Vendor Landscape: Systems Management Vendor Landscape: Systems Management Today s complex data centers are driving more sophisticated systems management solutions. Info-Tech Research Group 1 Introduction Systems Management can cover a wide

More information

Magic Quadrant for Security Information and Event

Magic Quadrant for Security Information and Event Page 1 of 14 Magic Quadrant for Security Information and Event Management 29 May 2009 Mark Nicolett, Kelly M. Kavanagh Gartner RAS Core Research Note G00167782 Broad adoption of SIEM technology is driven

More information

How To Manage Log Management

How To Manage Log Management : Leveraging the Best in Database Security, Security Event Management and Change Management to Achieve Transparency LogLogic, Inc 110 Rose Orchard Way, Ste. 200 San Jose, CA 95134 United States US Toll

More information

Analysis of the Global Security Information and Event Management (SIEM) and Log Management (LM) Market All Information Becomes Actionable

Analysis of the Global Security Information and Event Management (SIEM) and Log Management (LM) Market All Information Becomes Actionable Analysis of the Global Security Information and Event Management (SIEM) and Log Management (LM) Market All Information Becomes Actionable April 2015 1 List of Exhibits Chart Slide Number Executive Summary

More information

Product white paper. ROI and SIEM. How the RSA envision platform delivers an Industry-leading ROI

Product white paper. ROI and SIEM. How the RSA envision platform delivers an Industry-leading ROI Product white paper ROI and SIEM How the RSA envision platform delivers an Industry-leading ROI This paper examines the Return on Investment (ROI) that a quality security information & event management

More information

Tom Reilly President & CEO, ArcSight

Tom Reilly President & CEO, ArcSight Tom Reilly President & CEO, ArcSight ArcSight Company Background Founded May 2000 2000+ customers 500+ employees, offices worldwide NASDAQ: ARST 20% Revenue growth year over year Analyst Recognition SIEM

More information

access convergence management performance security

access convergence management performance security access convergence management performance security 2010 2009 2008 2007 WINNER 2007 WINNER 2008 WINNER 2009 WINNER 2010 Log Management Solution for IT Big Data 1 IT Big Data Solution A SCALABLE LOG INTELLIGENCE

More information

How to Choose the Right Security Information and Event Management (SIEM) Solution

How to Choose the Right Security Information and Event Management (SIEM) Solution How to Choose the Right Security Information and Event Management (SIEM) Solution John Burnham Director, Strategic Communications and Analyst Relations IBM Security Chris Meenan Director, Security Intelligence

More information

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief RSA Solution Brief RSA envision Platform Real-time Actionable Information, Streamlined Incident Handling, Effective Measures RSA Solution Brief The job of Operations, whether a large organization with

More information

Information Technology Policy

Information Technology Policy Information Technology Policy Security Information and Event Management Policy ITP Number Effective Date ITP-SEC021 October 10, 2006 Category Supersedes Recommended Policy Contact Scheduled Review RA-ITCentral@pa.gov

More information

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:

More information

SIEM 2.0: AN IANS INTERACTIVE PHONE CONFERENCE INTEGRATING FIVE KEY REQUIREMENTS MISSING IN 1ST GEN SOLUTIONS SUMMARY OF FINDINGS

SIEM 2.0: AN IANS INTERACTIVE PHONE CONFERENCE INTEGRATING FIVE KEY REQUIREMENTS MISSING IN 1ST GEN SOLUTIONS SUMMARY OF FINDINGS SIEM 2.0: INTEGRATING FIVE KEY REQUIREMENTS MISSING IN 1ST GEN SOLUTIONS AN IANS INTERACTIVE PHONE CONFERENCE SUMMARY OF FINDINGS OCTOBER 2009 Chris Peterson, LogRhythm CTO, Founder Chris brings a unique

More information

How to Define SIEM Strategy, Management and Success in the Enterprise

How to Define SIEM Strategy, Management and Success in the Enterprise How to Define SIEM Strategy, Management and Success in the Enterprise Security information and event management (SIEM) projects continue to challenge enterprises. The editors at SearchSecurity.com have

More information

SafeNet DataSecure vs. Native Oracle Encryption

SafeNet DataSecure vs. Native Oracle Encryption SafeNet vs. Native Encryption Executive Summary Given the vital records databases hold, these systems often represent one of the most critical areas of exposure for an enterprise. Consequently, as enterprises

More information

End-user Security Analytics Strengthens Protection with ArcSight

End-user Security Analytics Strengthens Protection with ArcSight Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security

More information

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Protect the data that drives our customers business. Data Security. Imperva s mission is simple: The Imperva Story Who We Are Imperva is the global leader in data security. Thousands of the world s leading businesses, government organizations, and service providers rely on Imperva solutions to prevent

More information

WHITE PAPER OCTOBER 2014. Unified Monitoring. A Business Perspective

WHITE PAPER OCTOBER 2014. Unified Monitoring. A Business Perspective WHITE PAPER OCTOBER 2014 Unified Monitoring A Business Perspective 2 WHITE PAPER: UNIFIED MONITORING ca.com Table of Contents Introduction 3 Section 1: Today s Emerging Computing Environments 4 Section

More information

Magic Quadrant for Security Information and Event Management

Magic Quadrant for Security Information and Event Management Magic Quadrant for Security Information and Event Management Gartner RAS Core Research Note G00156945, Mark Nicolett, Kelly M. Kavanagh, 8 May 2008, R2725 05092009 Broad adoption of SIEM technology is

More information

Vendor Landscape: SaaS HRIS/HRMS

Vendor Landscape: SaaS HRIS/HRMS Vendor Landscape: SaaS HRIS/HRMS Automating and integrating HR for heightened strategic capabilities. McLean & Company 1 Introduction The strategic value of Human Resources is only gaining significance,

More information

IBM QRadar Security Intelligence Platform appliances

IBM QRadar Security Intelligence Platform appliances IBM QRadar Security Intelligence Platform Comprehensive, state-of-the-art solutions providing next-generation security intelligence Highlights Get integrated log management, security information and event

More information

Choosing the Right Project and Portfolio Management Solution

Choosing the Right Project and Portfolio Management Solution Choosing the Right Project and Portfolio Management Solution Executive Summary In too many organizations today, innovation isn t happening fast enough. Within these businesses, skills are siloed and resources

More information

IBM Security X-Force Threat Intelligence

IBM Security X-Force Threat Intelligence IBM Security X-Force Threat Intelligence Use dynamic IBM X-Force data with IBM Security QRadar to detect the latest Internet threats Highlights Automatically feed IBM X-Force data into IBM QRadar Security

More information

What s New in Security Analytics 10.4. Be the Hunter.. Not the Hunted

What s New in Security Analytics 10.4. Be the Hunter.. Not the Hunted What s New in Security Analytics 10.4 Be the Hunter.. Not the Hunted Attackers Are Outpacing Detection Attacker Capabilities Time To Discovery Source: VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT 2 TRANSFORM

More information

Leveraging security from the cloud

Leveraging security from the cloud IBM Global Technology Services Thought Leadership White Paper IBM Security Services Leveraging security from the cloud The who, what, when, why and how of cloud-based security services 2 Leveraging security

More information

The Sumo Logic Solution: Security and Compliance

The Sumo Logic Solution: Security and Compliance The Sumo Logic Solution: Security and Compliance Introduction With the number of security threats on the rise and the sophistication of attacks evolving, the inability to analyze terabytes of logs using

More information

IBM Security QRadar Vulnerability Manager

IBM Security QRadar Vulnerability Manager IBM Security QRadar Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution Highlights Help prevent security breaches by discovering and highlighting high-risk

More information

Strategies for assessing cloud security

Strategies for assessing cloud security IBM Global Technology Services Thought Leadership White Paper November 2010 Strategies for assessing cloud security 2 Securing the cloud: from strategy development to ongoing assessment Executive summary

More information

10 Reasons Your Existing SIEM Isn t Good Enough

10 Reasons Your Existing SIEM Isn t Good Enough Technical Whitepaper 10 Reasons Your Existing SIEM Isn t Good Enough eiqnetworks, Inc. World Headquarters 31 Nagog Park Acton, MA 01720 978.266.9933 www.eiqnetworks.com TABLE OF CONTENTS SECTION PAGE Introduction......................................................

More information

What is Security Intelligence?

What is Security Intelligence? 2 What is Security Intelligence? Security Intelligence --noun 1. the real-time collection, normalization, and analytics of the data generated by users, applications and infrastructure that impacts the

More information

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

GETTING REAL ABOUT SECURITY MANAGEMENT AND BIG DATA GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA" A Roadmap for "Big Data" in Security Analytics ESSENTIALS This paper examines: Escalating complexity of the security management environment, from threats

More information

QRadar SIEM and Zscaler Nanolog Streaming Service

QRadar SIEM and Zscaler Nanolog Streaming Service QRadar SIEM and Zscaler Nanolog Streaming Service February 2014 1 QRadar SIEM: Security Intelligence Platform QRadar SIEM provides full visibility and actionable insight to protect networks and IT assets

More information

Why Your SIEM Isn t Adding Value And Why It May Not Be The Tool s Fault. Best Practices Whitepaper June 18, 2014

Why Your SIEM Isn t Adding Value And Why It May Not Be The Tool s Fault. Best Practices Whitepaper June 18, 2014 Why Your SIEM Isn t Adding Value And Why It May Not Be The Tool s Fault Best Practices Whitepaper June 18, 2014 2 Table of Contents LIVING UP TO THE SALES PITCH... 3 THE INITIAL PURCHASE AND SELECTION

More information

FIVE PRACTICAL STEPS

FIVE PRACTICAL STEPS WHITEPAPER FIVE PRACTICAL STEPS To Protecting Your Organization Against Breach How Security Intelligence & Reducing Information Risk Play Strategic Roles in Driving Your Business CEOs, CIOs, CTOs, AND

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Vendor Landscape: Enterprise Backup Software

Vendor Landscape: Enterprise Backup Software Vendor Landscape: Enterprise Backup Software Find out which vendors are backing up their claims and which ones are just duplicating past efforts. Info-Tech Research Group 1 Introduction Backup is changing.

More information

IBM Security Intelligence Strategy

IBM Security Intelligence Strategy IBM Security Intelligence Strategy Delivering Insight with Agility October 17, 2014 Victor Margina Security Solutions Accent Electronic 12013 IBM Corporation We are in an era of continuous breaches Operational

More information

Worldwide Security and Vulnerability Management 2014 2018 Forecast and 2013 Vendor Shares

Worldwide Security and Vulnerability Management 2014 2018 Forecast and 2013 Vendor Shares Market Analysis Worldwide Security and Vulnerability Management 2014 2018 Forecast and 2013 Vendor Shares Charles J. Kolodgy IN THIS EXCERPT The content for this excerpt was taken directly from IDC Market

More information

SIEM Optimization 101. ReliaQuest E-Book Fully Integrated and Optimized IT Security

SIEM Optimization 101. ReliaQuest E-Book Fully Integrated and Optimized IT Security SIEM Optimization 101 ReliaQuest E-Book Fully Integrated and Optimized IT Security Introduction SIEM solutions are effective security measures that mitigate security breaches and increase the awareness

More information

Information & Asset Protection with SIEM and DLP

Information & Asset Protection with SIEM and DLP Information & Asset Protection with SIEM and DLP Keeping the Good Stuff in and the Bad Stuff Out Professional Services: Doug Crich Practice Leader Infrastructure Protection Solutions What s driving the

More information