Microsoft Sentinel
Microsoft is undeniably a major provider in the information security space, and Microsoft Sentinel is its SIEM solution. Built to ingest, correlate, and analyze events from both on-prem resources and those in the cloud, Sentinel integrates tightly with Microsoft’s suite of tools, but also fully supports workloads hosted in other cloud or on-prem environments.
A recent development with Microsoft Sentinel is the availability of Microsoft Security Copilot. Microsoft Security Copilot allows you to perform analysis and investigate incidents using queries based on natural language.
OpenText ArcSight Enterprise Security Manager
OpenText’s ArcSight Enterprise Security Manager (ESM) is a full-featured solution that checks all the boxes of an enterprise SIEM. ArcSight ESM supports a range of integrations and customization options, allowing security analysts to perform incident response from a single pane of glass. ArcSight’s Marketplace enables you to leverage new dashboards, reports, or correlation rules with minimal fuss.
ArcSight ESM supports workflow-based automation, allowing analysts to quickly correlate events, reference them in a case, and respond or escalate as necessary. Each action taken can be audited and reported on to maintain service-level agreement (SLA) compliance and track response time. Integrations with third-party systems allow users to begin remediation, such as disabling ports or accounts, and rule sets can even be created to automate these steps.
RSA NetWitness
RSA NetWitness SIEM has many of the features necessary in an enterprise-level SIEM, including UEBA, automation tools, and architecture flexibility (support for hardware and virtual appliances, software-based options, or cloud deployments). In addition, RSA NetWitness includes the ability to add context from both your business and threat intelligence to incidents based on the asset or user being impacted through integrations with RSA Archer and SecurID.
Encrypted or encoded event data or web traffic can be difficult to incorporate into your SIEM. RSA NetWitness uses a variety of cryptography tools including decryption, decompression, and entropy measurements to surface this information and bring it into your SIEM workflow. This visibility into encrypted traffic can be the difference in determining if the traffic is malicious or legitimate in nature.
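The entropy measurement mentioned above is a simple, vendor-neutral heuristic: ciphertext and well-compressed data look close to uniformly random, so their Shannon entropy approaches 8 bits per byte, while plaintext protocols sit far lower. The following is an added illustration, not RSA NetWitness code or its algorithm; it measures entropy over a payload, attempts a decompression step first when the bytes look like a zlib stream, and applies an assumed 7.0 bits-per-byte threshold. The sample payloads are constructed, and the SHA-256-derived buffer stands in for ciphertext because, for this measurement, the two are indistinguishable.

```python
import hashlib
import math
import zlib
from collections import Counter
from typing import Optional

# Assumed heuristic threshold (bits per byte); tune to your own traffic baseline.
HIGH_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)  # iterating bytes yields ints 0..255
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def try_decompress(data: bytes) -> Optional[bytes]:
    """Return the inflated bytes if data looks like a zlib stream, else None."""
    # zlib streams produced with the default 32K window start with CMF byte 0x78.
    if len(data) < 2 or data[0] != 0x78:
        return None
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None


def assess_payload(data: bytes) -> dict:
    """Measure entropy, decompressing first when possible, and classify the payload.

    verdict is "readable" when the (possibly inflated) content is low-entropy text-like
    data, or "opaque" when it is random-looking, i.e. likely encrypted or still compressed.
    """
    result = {"entropy": round(shannon_entropy(data), 3), "decompressed": False}
    inner = try_decompress(data)
    if inner is not None:
        result["decompressed"] = True
        result["inner_entropy"] = round(shannon_entropy(inner), 3)
        measured = result["inner_entropy"]
    else:
        measured = result["entropy"]
    result["verdict"] = "opaque" if measured >= HIGH_ENTROPY_THRESHOLD else "readable"
    return result


# --- Constructed sample payloads ---------------------------------------------
PLAINTEXT = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.internal\r\n"
    b"User-Agent: constructed-sample/1.0\r\n"
    b"Accept: text/html\r\n\r\n"
)

# Compressed request body: opaque on the wire, readable once inflated.
COMPRESSED = zlib.compress(PLAINTEXT * 20)


def random_looking(length: int) -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 digests."""
    out = bytearray()
    block = b"constructed-seed"
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


RANDOM_LIKE = random_looking(4096)

if __name__ == "__main__":
    for name, payload in (("plaintext", PLAINTEXT),
                          ("compressed", COMPRESSED),
                          ("random-like", RANDOM_LIKE)):
        print(f"{name:12s} {assess_payload(payload)}")
```

In a SIEM pipeline this kind of measurement is attached to the event as a field (alongside whether a decompression step succeeded), so that correlation rules can treat a high-entropy body on a port that normally carries plaintext as a signal worth investigating rather than as noise. The threshold is a starting point only; services that legitimately exchange compressed or encrypted content will need their own baselines.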
SentinelOne Singularity AI SIEM
SentinelOne has built itself into a huge contender in the information security space through innovation and feature delivery, and its Singularity AI SIEM is a case in point for its success. With Singularity AI SIEM, SentinelOne is looking to modernize your SIEM by an order of magnitude, using modern techniques to scale security operations through efficient ingestion and filtering, robust analytics, and intuitive, resilient automation. SentinelOne Singularity SIEM of course integrates tightly with other solutions in SentinelOne’s portfolio, namely the SentinelOne Singularity Data Lake and its endpoint and XDR platforms.
SolarWinds Security Event Manager
SolarWinds is a familiar name to many IT pros, as it has long used a set of free tools and aggressive marketing to earn a place in many small- to medium-sized IT shops. SolarWinds Security Event Manager, its SIEM solution, offers tools to detect and investigate threats, analyze and audit events, and even automate remediation steps.
Security Event Manager does not offer machine-learning-based analytics or the same level of integration with third-party systems you can expect from the enterprise-grade tools in this list. SolarWinds does offer USB device monitoring, designed to mitigate the risks posed by USB flash drives to your network, and offers an impressive array of compliance reporting to meet any applicable government or industry standards.
Splunk
Splunk might well be the best-known entry in this list and is the standard against which SIEM platforms are judged. Splunk offers two versions of its platform:
- Splunk Enterprise may be installed on premises as a server application on a variety of Unix or Windows operating systems, or as a Docker container application.
- Splunk Cloud allows you to realize the benefits of Splunk in a SaaS environment, minimizing infrastructure and maintenance requirements.
Both platform versions support customizable dashboards and reporting, anomaly detection, and a high degree of access control.
Perhaps Splunk’s biggest selling point is Splunkbase, its app store for the Splunk platform. Splunkbase apps can run on either Splunk Enterprise or Splunk Cloud, and add third-party integrations, analytics, or automation capabilities.
Trellix Enterprise Security Manager
Trellix Enterprise Security Manager (ESM) is designed to provide analysts with the information critical to beginning the triage and incident response process. Events are evaluated in the context of related log entries, and ESM guides users through the preliminary investigative steps using actionable alerts.
Flexibility in terms of architecture and integration is a key point with Trellix ESM. ESM is available as both physical and virtual appliances in a range of sizes, with virtual appliances supporting a wide array of hypervisors and cloud platforms. Trellix offers content packs that enable monitoring and alerts for specific use cases or partner platforms, and integration partnerships with more than a dozen third-party vendors make ESM incredibly extensible.