July 11, 2013

Log Management and SIEM Vendors

Category: Log Analysis,Security Information Management,Security Market — Raffael Marty @ 4:12 pm

LogManagement_SIEM_Products.001 (1)

This is a slide I built for my Visual Analytics Workshop at BlackHat this year. I tried to summarize all the SIEM and log management vendors out there. I am pretty sure I missed some players. What did I miss? I’ll try to add them before the training.

Enjoy!

Here is the list of vendors that are on the slide (in no particular order):

Log Management

  • Tibco
  • KeyW
  • Tripwire
  • Splunk
  • Balabit
  • Tier-3 Systems

SIEM

  • HP
  • Symantec
  • Tenable
  • Alienvault
  • Solarwinds
  • Attachmate
  • eIQ
  • EventTracker
  • BlackStratus
  • TrustWave
  • LogRhythm
  • ClickSecurity
  • IBM
  • McAfee
  • NetIQ
  • RSA
  • Event Sentry

Logging as a Service

  • SumoLogic
  • Loggly
  • PaperTrail
  • Torch
  • AlertLogic
  • SplunkStorm
  • logentries
  • eGestalt

Update: With input from a couple of folks, I updated the slide a couple of times.

17 Comments »

  1. LogMatrix is dead … About 2-2.5 years ago, the log management/SIEM product was sold to Nitro (now McAfee). The remaining LogMatrix product is the old NerveCenter tool, which is primarily SNMP type of network monitoring like OpenView or MOM/SCOM.
    Also, Symantec is “back in the picture” (?) with their Security Information Manager (“SSIM”) product. It’s not fantastic, but it’s not bad either.

    Comment by William — July 11, 2013 @ 5:32 pm

  2. Thanks for the comments. Of course, Symantec. Totally forgot them. I will put an updated version together. Thank you!

    Comment by Raffael Marty — July 11, 2013 @ 5:48 pm

  3. Balabit with their SSB products

    Comment by Seb — July 12, 2013 @ 1:17 pm

  4. and you can classified Balabit as Log Management

    Comment by Seb — July 12, 2013 @ 1:19 pm

  5. Surprised that you didn’t include AlienVault in the SIEM list.

    Comment by Dave — July 13, 2013 @ 7:29 am

  6. Seb, added Balabit. And Dave, don’t be surprised. Totally my mistake. Added them in. Along with eGestalt also.

    Comment by Raffael Marty — July 13, 2013 @ 9:06 am

  7. Hi Raffy,
    You have LogLogic in the slide, but not in the list.

    Comment by Steve Lodin — July 22, 2013 @ 9:49 am

  8. Steve, how’s it going? 🙂

    LogLogic is only on the slide in parenthesis because they were bought by Tibco. Tibco is on the list.

    See you at BlackHat?

    Comment by Raffael Marty — July 22, 2013 @ 1:42 pm

  9. I’m curious, where are you drawing the line today between Log Management and SIEM? Many of the LM products include sophisticated correlation engines, visualization capabilities, and event management at least comparable to many of the products listed as SIEM. Is it just how the vendor positions the product?

    I’m finding it difficult to continue applying these labels to today’s products. What was once SIEM is now expected as part of intelligent log management, and SIEM is rapidly being replaced with security’s version of business intelligence and predictive analytics(tackling big data).

    Comment by Jon Speer — July 24, 2013 @ 9:35 am

  10. Thanks for the question, Jon. I have to agree with you. It’s hard to put players into these categories these days. i have to be honest, this is definitely not scientific. I probably have to redo the chart at some point, using some other criteria to differentiate things.
    As to your point of SIEM moving into the BI pendant and predictive analytics, I don’t share that view at all. Quite frankly, I do have no idea what predictive analytics would be in cyber security. You predict new attacks? Tell me, please, how you would do that. Even if you follow the kill chain. No way you can do that. I have thought about that quite a bit lately and haven’t come to a solution. But definitely curious to hear any opinions on that. As far as other BI capabilities go, I haven’t seen much interesting stuff that actually works and is useful in the SIEMs today. Have you? This entire discussion should probably it’s own blog post 😉

    Comment by Raffael Marty — July 26, 2013 @ 11:49 am

  11. Update – Symantec is killing their customer site log management/SIEM product (SSIM – Symantec Security Information Manager). Only offering for log management at this point is going to be cloud hosted, probably MSS and maybe something else.

    Comment by William — July 29, 2013 @ 7:07 am

  12. Hi Raffy,

    You don’t have Tier-3 on the list (www.tier-3.com). They have been selling SIEM solutions to Government and other larger organisations since 1999 – typically selling against HP ArcSight.

    Comment by Adrian — March 11, 2014 @ 7:39 am

  13. Raffy,

    I noticed that EventSentry is not included on your list. EventSentry has been in the log monitoring market for 10+ years and offers a wealth of SIEM-related functionalitycomplimented by other security-relevant monitoring tasks like file checksum monitoring and comprehensive server & workstation monitoring. It’s a proven and reliable product with highly optimized agents which can process 500+ events / sec on a single host.

    Comment by Ingmar Koecher — April 18, 2014 @ 8:14 am

  14. I recently tried a new log management product: OohLaLog (www.oohlalog.com). I highly recommend it. I was able to set up in less than 2 mins. It’s cloud based and has broad support for different languages. Plus I can set up custom counters and alerts. Would be good to have this product included in the list above.

    Comment by Rajesh Bhatia — June 3, 2014 @ 4:04 pm

  15. I know I’m arriving pretty late to the party, but I wanted to suggest a few other additions:

    AccelOps – they were even added to Gartner’s MQ in 2014

    Correlog – fading away, but still around

    Lookwise – previous known as S21sec, mostly in Spain and South America

    Tango/04 – another one focused in Europe & S. America

    Comment by Mike C — July 1, 2014 @ 9:22 pm

  16. I’m surprised that you didn’t include Stackify (stackify.com). I think their unified log and error management tool is better than most if not all the ones you’ve mentioned

    Comment by Jim Richards — February 27, 2015 @ 8:53 am

  17. Old original post, but still not complete. We believe SNARE Open Source Agents to be the most widely use eventlogging (open source) agent worldwide. SNARE Enterprise Agents are replacing Open Source, which are deemed non PCI-compliant. Enterprise Agents are compatible with all 3rd Party SIEM Servers and MSSPs and add value with TCP confirmed delivery, caching, TLS, multicasting, There is also a SNARE SIEM Server/Agent Management Console available.

    Comment by Mark Rieger — October 30, 2015 @ 11:48 am

RSS feed for comments on this post. | TrackBack URI

Leave a comment

XHTML ( You can use these tags): <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> .