Security Information and Event Management (SIEM) Reviews: Roundup from Our Users

On IT Central Station, the SIEM category covers 30 solutions and is followed by 6,359 users in our enterprise tech community.

What do users emphasize in their SIEM reviews? Where do they see room for improvement? Read on for their answers and expert feedback.

HPE ArcSight

Improvements to My Organization

LaszloKereszturi

“This product gave us a clear picture of the network traffic, including the useless parts. It also allowed us to detect a large range of threats, starting from the malware infected workstations to misconfigured devices.”

Ananth Kumar B Sridhara

“HPE ArcSight has helped us gain visibility of the solutions across the organization. We have been constantly identifying anomalous activities both internally as well as externally. These include malware proliferation, data loss, proxy bypass attempts, phishing and spear-phishing, port scans, etc.”

Room for Improvement

ProductS9907

“The main area is the GUI interface. Although a lot of improvements were made on the GUI in the last version (6.9.1), there are still a lot of configurations that need to be done using the console.

The console is not a bad tool to use. I personally like to use it. However, compared to competitive solutions (Splunk, QRadar), it appears to be a weakness.”

Alexander Kuzmin

“The overall complexity of the product can be overwhelming for some. It’s not the type of solution where you just plug it in and it works. Reaping full benefit from it requires quite a lot of custom tuning, qualified IT security personnel, and proper and thorough planning.

Technical support from the vendor can sometimes be quite slow and not very helpful, but it is getting better. The GUI is outdated. Improvements on this are on the way, according to the vendor.”

LogRhythm

Valuable Features

ITDirector685

“It creates a good feedback loop whereby I’m able to scan through and see what off-limits activities users have been doing. I think it improves the organization by letting them know that everything that they’re doing is not invisible. It’s a demonstration to them that they need to do what they say they’re going to do and follow the policies that are in place here.”

Room for Improvement

Ryan Cossette:

“The reporting aspect is difficult to use and very difficult to get your own reports. So far this is it; they have a web UI and we had a recent update which fixed a lot of bugs and added a lot of great features. But the reporting is lackluster.”

AlienVault

Improvements to My Organization

Aaron Baillio

“We’ve been able to professionally generate alerts for IDS, SIEM, and vulnerabilities where we didn’t have those capabilities before.”

Room for Improvement

Jacques Taljaard:

“My biggest challenge has always been the fine tuning that is sometimes required for some networks. It requires a solid understanding of Linux and databases and how networks work. So a non-technical user may become frustrated, or not configure the product to work at its best, and therefore miss important events. So I see room for improvement in the following:

  • Ease of deployment and configuration
  • Easier way of testing if features are working as designed, e.g. Packet analysis
  • Troubleshooting features that are not working as designed”

Fortinet FortiSIEM

Improvements to My Organization

Randy Olds:

“In large-sized, medium-sized, and small-sized organizations, it improves the ability to quickly drill down into events that occur, perform analysis, and find root causes. The most value I’ve found in it is quicker time-to-resolution.”

Room for Improvement

Steve Mann:

“It lacks a ‘wizard’ that shows a particular user’s activity or particular circumstance. I think the interface is intimidating because there’s so much information there. I’d like to see a better dashboard that’s pretty. I want to be able to see incidences or stats, depending on what I’m looking for, to determine whether we’re healthy, what’s our security posture, SOX-incident problems. So streamlining all that information on the initial interface would be great.”

Read all of our new SIEM reviews, written by real users.

What Real Users are Saying about HPE ArcSight – New Reviews for 2017

IT Central Station community members have contributed 33 detailed user reviews of HPE ArcSight. They discuss the valuable features of the solution, where they see room for improvement, and other solutions they have previously used, as well as the scalability and stability of the solution. HPE ArcSight has a 7.9 rating from our community, and reviews have been viewed over 28,000 times.

We’ve chosen several new user reviews of HPE ArcSight for 2017 — to help you in your purchasing decision.

Valuable Features

Laszlo Kereszturi points to three valuable features of the HPE ArcSight:

  • “Event correlation across multiple device categories: It allows us to have a full picture of what is happening in the environment.
  • Flexible event collection: Besides hundreds of standard devices, you can send custom CEF Syslog prepared with your own scripts.
  • Customization of alerts: Velocity macros allows you to send very clear and user-friendly alerts.”
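The second feature above, feeding a SIEM “custom CEF Syslog prepared with your own scripts”, only works if the script gets the escaping rules of the Common Event Format right; a stray pipe in an event name or an unescaped “=” in a message silently corrupts the parsed fields. The following is an added example for this roundup, not code from HPE ArcSight or from the reviewer: it builds a CEF line with the correct header and extension escaping, wraps it in a BSD-syslog header, and parses it back so the round trip can be checked. The vendor name, product name, host and sample event are constructed for illustration.

```python
"""Build and parse CEF (Common Event Format) syslog lines for a SIEM connector.

Added example for this roundup, not code from HPE ArcSight or any reviewer.
The vendor/product/field names and the sample event are constructed for
illustration; the escaping rules are the ones the CEF format requires:
header fields escape backslash and pipe, extension values escape backslash
and '=', and line breaks travel as the literal two-character \\n and \\r.
"""
import re
from datetime import datetime


def _esc_header(value) -> str:
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value) -> str:
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def cef_event(vendor, product, version, signature_id, name, severity, **extension) -> str:
    """Return 'CEF:0|vendor|product|version|sigid|name|severity|k=v k=v'."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be in 0..10")
    header = "|".join(_esc_header(v) for v in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def syslog_line(cef: str, host: str, when: datetime, facility=4, severity=6) -> str:
    """Wrap a CEF payload in a BSD-syslog (RFC 3164) header; PRI = facility*8 + severity."""
    stamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    return f"<{facility * 8 + severity}>{stamp} {host} {cef}"


def _split_unescaped(text: str, sep: str, maxsplit: int):
    """Split on unescaped sep at most maxsplit times; pieces keep their escapes."""
    parts, start, i = [], 0, 0
    while i < len(text) and len(parts) < maxsplit:
        if text[i] == "\\":          # skip the escaped character
            i += 2
            continue
        if text[i] == sep:
            parts.append(text[start:i])
            start = i + 1
        i += 1
    parts.append(text[start:])
    return parts


_EXT_UNESC = {"n": "\n", "r": "\r"}


def _unesc_header(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def _unesc_ext(s: str) -> str:
    return re.sub(r"\\(.)", lambda m: _EXT_UNESC.get(m.group(1), m.group(1)), s)


_KEY = re.compile(r"(?:^|\s)(\w+)=")   # an unescaped '=' only ever follows a key


def parse_cef(line: str) -> dict:
    """Parse a CEF line (with or without a syslog prefix) into header fields and extension."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF: marker")
    fields = _split_unescaped(line[idx + 4:], "|", 7)
    if len(fields) != 8:
        raise ValueError("malformed CEF header: expected 7 pipes")
    version, vendor, product, dev_version, sig_id, name, severity, ext_raw = fields
    extension, keys = {}, list(_KEY.finditer(ext_raw))
    for j, m in enumerate(keys):
        end = keys[j + 1].start() if j + 1 < len(keys) else len(ext_raw)
        extension[m.group(1)] = _unesc_ext(ext_raw[m.end():end])
    return {
        "version": version, "vendor": _unesc_header(vendor),
        "product": _unesc_header(product), "device_version": _unesc_header(dev_version),
        "signature_id": _unesc_header(sig_id), "name": _unesc_header(name),
        "severity": int(severity), "extension": extension,
    }


def demo():
    """Constructed sample: a scripted login audit reports a failure with awkward characters."""
    event = cef_event("Example Corp", "login-audit.py", "1.0", "100",
                      "Login failure | brute force?", 7,
                      src="10.0.0.5", suser="alice", msg="bad pw=3 tries\nlocked")
    line = syslog_line(event, "scanner01", datetime(2017, 3, 5, 14, 7, 9))
    return line, parse_cef(line)


if __name__ == "__main__":
    line, parsed = demo()
    print(line)
    print(parsed)
```

Run the script and the parsed dictionary should reproduce every field you passed in, including the pipe in the event name and the newline in the message. The same builder is a convenient way to emit a periodic synthetic test event from each log source; a receiver that stops seeing those heartbeats has a collection problem even when the connector itself reports healthy.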

Amit Kumar Gupta agrees: “Correlation and flexibility are the most valuable features. ArcSight saved time and effort responding to security incidents with one centralized console and helped to meet compliance requirements for log collection.”

Bharath writes: “It’s a highly customizable solution. Rules can be customized to a great extent. Session lists, active lists, and global and local variables are pretty unique to the solution.”

Alexander Kuzmin highlights: “High performance: The amount of data fed to the solution is huge (100s of millions of events per day). Security incident discovery and mitigation is a matter of hours, rather than days or even months, like it was before.”

User Merana Sadikovic Mandzukic notes the following valuable features:

  • “Collecting logs from many different sources. If you have your own app, you can do logging for it. In addition, you can customize log parsing.
  • Built-in content such as reports, dashboard, compliance, and standard packages.
  • Ready-made content that can be used immediately.
  • Customized business tables can be correlated.”


Room for Improvement

However, Shane Lawrence finds room for improvement: “I’ve had stability issues, particularly with SmartConnectors. They sometimes crash. Worse still, they often report that they’re working fine but completely stop listening for events.”

David Hourani would like to see improvement in HPE ArcSight’s “Ease of use, access and simplicity: ArcSight can be quite complicated to use for ‘non-IT’ user.”

Sorin Brici agrees, “Making the FlexConnector configuration less complex. You need development skills in order to do your job in creating/configuring agents and connectors. The cost for this work, via HPE consultancy, is huge.”

According to Associatb8eb, “The correlation and storage have to be improved. The correlation works fine if we have fewer rules written, but it becomes slow if we have more than 200 rules written for any correlation.”

Mandzukic would like to see:

  • “Ease of changing the product underneath. For example, instead of Juniper routers, we started to use Check Point routers.
  • Component accessibility: Components are managed in different places; console, web console, and administration web. It would be nice to have easier access.
  • Better UX: I would like to see a better user experience with the web client. Sometimes, it is very slow and not very intuitive.”

Read new reviews from 2017 for the Top SIEM Solutions on IT Central Station here.

Security Information and Event Management (SIEM) Reviews — Best of 2016

What do enterprise tech professionals recommend when choosing a Security Information and Event Management software?

The IT Central Station review community is made up of 190,462 enterprise tech professionals who provide expert reviews and feedback on enterprise solutions.

All product reviews, ratings, and software comparisons are written by real users, and validated by our triple authentication process.

Our community of 6,053 real users that follow Security Information and Event Management have given feedback based on their experiences with the solutions, and here are the top 5, as shown below:


Splunk

“Imagine a scenario with an application environment where a couple of modules are based on different servers. There is a system issue and a check needs to be completed in a timely manner. Traditionally, engineers would have to log in to the servers, navigate to different folders and load the log files to check for errors. Splunk can give this at a glance for all of the systems at once!” writes Applications Specialist Hristo Damyanov.

For Integration Architect Enrico Mazzarella, another one of Splunk’s most valuable features is its “operational intelligence: fast availability of operational data spread across several servers to prevent or react faster to outages or performance decreases.”

Damyanov also emphasizes Splunk’s stronghold on “performance, scalability and most importantly the innovative way of collecting and presenting data.”

Room for Improvement

Enterprise Risk Consultant Vinod Shankar sees room for improvement in Splunk’s operational workflow, use case framework, and ticketing systems. Another bonus would be “to make it suitable for SOC environments”, writes Shankar.


LogRhythm

“The most valuable feature is the AI engine, as well as the usual SIEM product stuff. The ability to have all of our logs in one place is a big thing for me,” shares Information Security Analyst Ryan Cossette.

Cossette adds that LogRhythm has “brought all of our devices into one area, so I am able to understand and manage all of our devices and understand what is going on with an individual device.”

Room for Improvement

“The reporting aspect is difficult to use and very difficult to get your own reports” continues Cossette.

“So far, this is it; they have a web UI and we had a recent update which fixed a lot of bugs and added a lot of great features. But the reporting is lackluster.”


HPE ArcSight

HPE ArcSight “reduces the amount of time required to perform an investigation because of the correlation and aggregation of all the events. From what I’ve seen for our network, it’s the best at ingestion of events” writes Security Response Engineer Joseph Loveland.

“ArcSight saved time and effort responding to security incidents with one centralized console and helped to meet compliance requirements for log collection,” shares Amit Kumar Gupta, an Information Security Specialist.

Room for Improvement

“The technical support needs to be improved” argues Loveland.

Amit Kumar Gupta “would like to see improvement in the complexity involved to create a custom connector (flex). Other SIEM solutions, like QRadar, have addressed this.”


AlienVault

“AV USM is definitely a great addition to organizations who want cost effective, quick and easy SIEM solutions,” shares AlienVault consultant Vinod Shankar.

Security Consultant Jacques Taljaard shares that his organization “runs this product on our network 24/7 and it has helped identify many important events. We take the security of our network very seriously, and this helps to quickly identify and lock down any potential vulnerabilities or events that could escalate.”

Room for Improvement

“My biggest challenge” continues Taljaard, “has always been the fine tuning that is sometimes required for some networks. It requires a solid understanding of Linux and databases and how networks work. So a non-technical user may become frustrated, or not configure the product to work at its best, and therefore miss important events.

So I see room for improvement in the following:

  • Ease of deployment and configuration
  • Easier way of testing if features are working as designed, e.g. Packet analysis
  • Troubleshooting features that are not working as designed.”

Fortinet FortiSIEM (AccelOps)

Director of IT Howard Griffith shares that “with the online-based monitoring we’ve set up, we’ve been able to watch trends of attempted attacks on our network. We’re also able to monitor our account issues internally as attackers attempt to log into our accounts. We fall under HIPAA so security is key.”

Room for Improvement

Griffith would like to see improvements in the product configuration, arguing that “You really have to have their help to configure the product. When hands are off and it’s in maintenance mode, it’s difficult to configure unless you’re totally engrossed in the product on a day-to-day basis.”

Have more questions about Security Information and Event Management?
Check out the full Top Security Information and Event Management Solutions of 2016 with peer reviews.