Security information and event management (SIEM) tools grant IT security professionals intuitive, at-a-glance summations of security systems. They can detect anomalous, possibly threatening trends, and issue automated responses that can stave off disaster.
There are dozens of such tools on the market, from familiar names such as IBM, Microsoft, and McAfee. Here, we dive into SolarWinds’ Security Event Management solution:
SIEM Today
The SIEM market is widely predicted to grow by close to $4 billion over the next few years, roughly a 12% expansion over its current size. Much of that growth is fueled by the increase in cyber crime, particularly as state actors mount more aggressive attacks against each other. Over a quarter of that growth is expected to occur in North America alone.
Besides SolarWinds, some of the major vendors in the market include Broadcom, Dell Technologies, Hewlett Packard Enterprise, and Splunk. Government agencies are one of the largest consumers of SIEM technologies to safeguard sensitive data, along with health care, telecom, and energy.
Where SolarWinds Fits In
SIEM tools are a combination of security information management (SIM) tools and security event management (SEM) tools. All three categories tend to get blurred, but historically SIM tools consolidate and analyze log files from a central repository. Moreover, SIM systems are log-focused first and foremost. Comparatively, SEM tools function more in real time, looking for events such as suspicious traffic or account activity across the network.
This gets even more complicated, as SolarWinds Security Event Manager is specifically focused on analyzing logs — the traditional purview of an SIM rather than an SEM. A former iteration of SolarWinds SEM, then called Log Event Manager, contained the network activity detection capabilities, but the company has refocused its software on log analysis and management.
As a point of distinction, that may nudge SolarWinds SEM toward the more apt title of SolarWinds SIM, but in either case, SEM and SIM tools are threat detectors in their own right.
Features
SolarWinds Security Event Manager is under active development and still adding features. Some of its key features include:
Centralized Log Management: Provides an intuitive, simple display to manage and analyze logs across the IT infrastructure. The log manager is able to analyze events, perform event correlation, track metrics, scan for changes, run customized reports, and detect suspicious log patterns that may be a prelude to a cyber attack.
Threat Detection: SEM comes with a threat database, and compares real-time, system-wide log data against the database to find indicators of a potential attack. SEM catalogs bad IPs, malicious actors, potentially infected hosts, botnets, and spammers and provides reports of access attempts from these sources. SEM also contains a botnet detection tool, which inspects data packets across the servers it monitors to find anomalous patterns and unusual behaviors.
Automated Response: SEM will kill suspicious processes, log off users, quarantine machines, block IPs, and even block USB devices, per admin configuration. Further, it can be configured to dispatch email notifications to team members, alerting everyone of a potential breach.
Compliance Management: Real-time monitoring and auditing to detect IT compliance violations. SEM will issue automated responses to compliance violations, such as blocking IPs, resetting passwords, and sending alerts. It will also generate compliance reports to match regulatory standards, such as HIPAA or SOX.
Event Correlation Engine: Ingests log data from numerous sources such as servers, firewalls, third-party cloud providers, and security applications. This data is normalized and presented in a unified format, improving data visualization and enabling IT security teams to quickly find trends.
Cross-Site Scripting Attack Detection: Examines logs from multiple sources to detect and respond to XSS attacks.
Post-Breach Reports: Creates visualizations to aid forensic analysis and auditing.
Insider Threat Detection: Privileged accounts can cause a lot of damage if in the wrong hands. SolarWinds SEM can create a historical baseline of predictable user activity, then flag real-time activity that might be anomalous or malicious.
High Degree of Customizability: Individual users can configure the system with their own alerts, triggers, keywords, notifications, filters, reports, and searches. While the system is designed to capture all logs from everywhere, the scope can be limited to monitor only certain sources.
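To make the feature list above concrete, here is an added example (not SolarWinds code) of the three steps a SIEM such as SEM performs on raw logs: normalizing two different log formats into one unified event shape, correlating events against a threat list of known-bad IPs, and flagging logins that deviate from a per-user historical baseline. The log lines, the threat list, and the baseline are all constructed sample values.

```python
import re

# Constructed sample inputs (not real data): two syslog-style sshd lines and one firewall CSV line.
RAW_LOGS = [
    "2024-05-01T10:00:01Z sshd[123]: Accepted password for alice from 10.0.0.5 port 5022",
    "2024-05-01T10:00:07Z sshd[124]: Accepted password for bob from 203.0.113.9 port 5101",
    "2024-05-01T10:00:09Z,FW1,deny,198.51.100.77,10.0.0.20,445",
]
# Constructed threat list standing in for the product's bad-IP database (hypothetical values).
BAD_IPS = {"203.0.113.9", "198.51.100.77"}

SYSLOG = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\w+) from (?P<src>[\d.]+)")

def normalize(line):
    """Map each raw format to one unified event dict (the normalization step)."""
    m = SYSLOG.match(line)
    if m:
        return {"ts": m["ts"], "source": "sshd", "user": m["user"], "src_ip": m["src"], "action": "login"}
    parts = line.split(",")
    if len(parts) == 6:  # firewall CSV: ts,device,action,src,dst,port
        ts, dev, action, src, dst, port = parts
        return {"ts": ts, "source": dev, "user": None, "src_ip": src, "action": action, "dst_port": int(port)}
    return None  # unknown format: drop rather than guess

def match_threats(events, bad_ips):
    """Correlate normalized events against the threat list (the 'Threat Detection' feature)."""
    return [e for e in events if e["src_ip"] in bad_ips]

def anomalous_logins(events, baseline):
    """Flag logins from an IP a user has never used before (the 'Insider Threat Detection' feature).
    baseline is {user: set of IPs} built from historical activity."""
    return [e for e in events if e["action"] == "login"
            and e["src_ip"] not in baseline.get(e["user"], set())]

def run(raw_lines, bad_ips, baseline):
    """Normalize, then apply both detections; returns a summary dict."""
    events = [e for e in (normalize(line) for line in raw_lines) if e]
    return {"events": len(events),
            "threat_hits": [e["src_ip"] for e in match_threats(events, bad_ips)],
            "anomalies": [(e["user"], e["src_ip"]) for e in anomalous_logins(events, baseline)]}

if __name__ == "__main__":
    print(run(RAW_LOGS, BAD_IPS, {"alice": {"10.0.0.5"}, "bob": {"10.0.0.6"}}))
```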
Use Cases
SolarWinds SEM exists primarily to encapsulate all logged information and present it in a clear and consistent manner in real time. Older logs are compressed and archived while more recent logs are available and searchable.
User accounts are also easily monitored using SolarWinds SEM. Admins can view which accounts are logged in and from where and also gain information on what types of devices are being used or whether a user is logged in from a remote desktop.
File integrity monitoring prevents bad actors from hiding any traces of their activities. Similar to user account monitoring, SEM’s file integrity tool establishes a record of all access attempts to protected files and creates an audit chain, so damage can be tracked, undone, or isolated.
Differentiators
SolarWinds SEM aims to distinguish itself on two key grounds. The first is that it’s fairly simple to set up, with little complicated configuration required for it to function out of the box.
And for the second, while it isn’t the cheapest option on the market, SolarWinds has provided an SEM solution that is largely cheaper than its primary competitors. It also runs on a simpler, more transparent pricing scheme, beginning at $2,639 to purchase the product outright, but subscriptions are also an option.
Ratings
Past and present users of SolarWinds SEM rate the product a collective 4 out of 5 stars on G2. Many reviewers note satisfaction with the competitive pricing of the product and praise the simplicity of product deployment.
Reviewers are pleased with the ease of understanding of the licensing terms compared to competitors with more obtuse plans. The dashboard is also widely praised for its ease of use, and customer service is seen as responsive and helpful.
Interestingly, while many customers find SolarWinds SEM to be user friendly, a few had difficulties configuring the service for their specific requirements. Scalability was also seen as limited.
Conclusions
This is a crowded market, and while SolarWinds SEM is competitive on pricing, it may not be as full-featured or scalable as some customers would like.
For customers at large enterprises seeking an SIEM tool designed to detect advanced persistent threats through a combination of log analysis and tracking network events, there are dozens of robust, powerful, and far more expensive options out there.
For more modestly sized companies with more limited budgets, SolarWinds SEM is a powerful, capable security tool that may be ideal for their needs.