Home

SIEMs - Who are the vendors? What are the differences?

Eric McIntyre - March 4, 2021

If you’re in the WithYouWithMe Cyber Defender pathway, or you’re just looking to get into cybersecurity, chances are you’ve heard of Security Information and Event Management (SIEM) tools. 

If you aren’t familiar with the concept, SIEM systems are enterprise security technologies that intake vast amounts of logs and event data from sources across an environment (network devices, security infrastructure, applications, endpoints) and collate this data in a centralised space. Cyber Security Analysts then utilise this information to identify and respond to security events. 

The SIEM is the budding analysts best friend in the SOC, as its ability to filter through data on a large scale and prioritise security events for action greatly assists in the performance in many of our tasks and responsibilities as a Cyber Security Analyst. 

Another reason SIEMs are so instrumental in security analytics is that they’re capable of having an enormous amount of security features implemented into their systems, and acting as a hub for all of our security data. Most SIEM systems integrate the following security capabilities into their product, and manage the data associated with these services:

  • Intrusion detection and prevention (IDPS)
  • Endpoint detection and response (EDR)
  • Advanced threat detection
  • Advanced analytics
  • Automated risk prioritisation
  • Threat intelligence integration
  • Automated response
  • Database monitoring
  • Network monitoring
  • Application monitoring
  • Email monitoring 
  • IoT monitoring 
  • Forensics
  • Compliance reporting

And that’s just the tip of the iceberg. 

If you’re looking to get into, or heading into a cybersecurity role, chances are you are going to be using and interacting with a SIEM. Across your WithYouWithMe training, you may have interacted with one or two different SIEMs, and heard of plenty more. Like all security products, SIEM products have a lot of competition in the market. In this article, we’re going to take a look at a couple of SIEM products from prominent vendors that you may come across as you continue to traverse through the cyber industry, and have a look at what some of the major differences are between these providers. 

QRadar by IBM

IBM’s QRadar is a highly regarded SIEM tool across industry, due to its wide range of features right out of the box, ease of use, and ease of deployment. For reference, not all vendors provide a vast array of services with their standard SIEM product - many features are often provided as add-ons or additional features that can be integrated into the SIEM upon acquiring a license for these features. 

However, QRadar lacks native endpoint detection and response (EDR), and investigation and incident management integration comes as an additional service. Both of these features come stock standard with other SIEM vendors.  

QRadar’s ease of deployment and multitude of features makes it popular across enterprises of all sizes, but especially in the small-medium range. 

Splunk Enterprise Security

Chances are if you’ve started to dabble in any area of tech you’ve heard of Splunk. In regards to SIEM products, they’re one of the big-dogs in terms of functionality and capabilities, but also in regards to cost. 

Splunk is known to provide top-notch security services with Splunk Enterprise Security, powered by their machine learning and data management services. These services can also be deployed in any which way - as software, cloud hosted, or infrastructure as a service - or any combination of the three. Splunk is also renowned for their response and reporting capabilities due to powerful and efficient alerting, log monitoring, data analytics and visualisation features. 

Most of the drawbacks with Splunk have to do with the scale of the product itself - as pricing for Splunk Enterprise Security can be quite intimidating. Also, the useability of Splunk’s features can be a barrier to entry, as there is training required for analysts to be able to effectively use Splunk’s systems.

Splunk provides sophisticated security services, but due to the immense cost of both time and money to get their systems operational, you’re more likely to see Splunk Enterprise Security implemented in large enterprises, or enterprises who are already fluent in Splunk.

McAfee Enterprise Security Manager

Everyone’s favorite home security provider McAfee offers a progressive SIEM solution that is leaning on automation to conduct incident response and triage. 

McAfee’s enterprise security is known for its accessibility and ease of use, whilst not sacrificing functionality for even the most advanced security teams. The deployment of McAfee’s SIEM system is also notably simple, but their SIEM is being recognised across industry for its use of automated incident response, which is an area most other SIEMs are only just starting to incorporate into their services. 

However, there are a few shortcomings in what tend to be baseline requirements for any modern SIEM product, as functionality for IDPS, EDR, and file integrity monitoring all come as additional services.

McAfee’s Enterprise Security Manager is a SIEM product that fits for enterprises looking to lean heavily into automation, whilst also looking for a platform that is easy to jump into.

Microsoft Azure Sentinel

Often regarded as one of the biggest security companies in the world, Microsoft has been quite late to the SIEM game with their release of Sentinel as part of their Azure cloud services. Sentinel is a cloud-native SIEM service that can be integrated with both on-premises and cloud based assets. 

The biggest strength for Sentinel is being able to use it in collaboration with other Microsoft and Azure services, utilising common tools like Windows Defender for EDR, and Azure Firewall as a piece of security infrastructure. This integration isn’t limited to Microsoft’s security services, as Sentinel has built in data analytics, visualisation, and automation features that are derived from other Azure services. 

The biggest roadblock to using Sentinel is whether an enterprise has chosen to invest resources into Azure as their cloud provider. Sentinel works best as a SIEM system when other Azure services are being leveraged in effectively. 

Cloud-based security platforms are a massive growth space in the Cyber industry, and Azure Sentinel is an interesting SIEM option for those looking to continue to break into cloud infrastructure as the foundational infrastructure for their enterprises. 

As we can see by looking at these four SIEM systems, each vendor is going to provide different services and configurations with their products. By having a look at IBM’s QRadar, Splunk’s Enterprise Security, McAfee’s Enterprise Security Manager, and Microsoft’s Azure Sentinel we can start to form an understanding of the different specialisations and limitations SIEM systems will bring to our secure environments.

If you want to learn more about cyber security at WithYouWithMe, check out our Cyber Defender Pathway here: https://rallypoint.withyouwithme.com/cyber/

If you want to get in touch with me to ask about our cyber training, job opportunities, or anything else, feel free to reach out:

Via email: eric@withyouwithme.com

On LinkedIn: https://www.linkedin.com/in/ericjmcintyre/ 

On Discord: Eric McIntyre#0578

Or book an online call with me: https://meetings.hubspot.com/eric455

Join our community

We have a Discord server where you’ll be able to chat with your instructors and cohort. Stay active in your learning!
Join discord