The continuous development of technology, the improvement and growing availability of AI solutions, easier access to information, the migration of daily life onto the Internet, and political conflicts: all of these make virtually everyone vulnerable to cyber threats today. One of the pillars of the fight against cyber threats is the SOC (Security Operations Center) team, whose task is to detect and respond to cyber-attacks on systems or individuals. One of the types of tools used by SOCs is the SIEM (Security Information and Event Management) class of systems. The main task of this type of solution is:
Using SIEM systems, SOC teams gain visibility into what is happening in the infrastructure of the institutions they protect, can automate some detection and response tasks, and in some cases can stop more advanced attacks by detecting them already at the reconnaissance stage.
There are many SIEM-class systems on the market. Some of them are paid, while others can be used completely free of charge. The systems of this type available on the market include:
Splunk is one of the leaders in SIEM solutions. It is software created by Splunk Inc., headquartered in the United States. Recently, this company was bought by another American company, Cisco Systems, Inc. The software contains all the functionality a SIEM-class system should have: it is a log aggregator, allows logs to be viewed both historically and in real time, can run correlation queries and generate alerts based on them, has a module for recording and handling incidents, can enrich logs with information from external sources, and comes with a fairly extensive list of ready-to-use SIEM views provided by solution vendors. Splunk allows granular user privileges: restricting access to system functionality, but also restricting which users may see logs from specific systems. The system also supports Machine Learning. Splunk can generate charts, data aggregation tables, dashboards and reports. This SIEM system can be licensed based on the amount of data written per day, the number of queries, or the number of log sources.
Elastic Stack is a solution created in 2010 by Elastic NV. Its main components are the search engine Elasticsearch, the data visualization interface Kibana, and the log collection component Logstash; hence the solution initially went by the name ELK Stack (Elasticsearch, Logstash, Kibana Stack). Elastic Stack is available in a free version (which by default lacks many of the functions that would qualify it as a SIEM system, although this limitation can be worked around with additional free extensions) and a paid version (with all the functionality of a SIEM-class system). It has a number of ready-to-use official parsers that extract specific information from logs and store it in key-value form. Where no official parser exists, the wide community of users of Elastic Stack-based solutions readily shares its own parsers. The free version of the solution does not include functions such as auditing of operations performed by users, integration of system login with SSO systems, report generation, sending event alerts, or Machine Learning. The solution is currently developed by a company headquartered in the United States. In 2021 (starting with version 7.11), the solution changed its licensing rules, which meant that many existing deployments had to switch from the free to the paid version. At this time, Elastic Stack is licensed based on the resources being used; the licensing model applies to both cloud and on-premise deployments. Because its source code is open, many other SIEM-class solutions are based on Elastic Stack code.
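The two product descriptions above mention, in vendor-neutral terms, what every SIEM does underneath its interface: it parses raw log lines into key-value fields (the parsers mentioned for Elastic Stack) and runs correlation queries over those fields to generate alerts (the correlation queries mentioned for Splunk). The following Python block is an added illustration and is not code from this article or from any of the products it describes. It parses a few constructed sshd-style authentication lines into dictionaries and applies one simple correlation rule, five or more failed logins from a single source address within 60 seconds, to produce an alert. The log format, field names, sample addresses and threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like format; they are not taken from any real system.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z host1 sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2",
    "2024-03-01T10:00:05Z host1 sshd[1002]: Failed password for root from 203.0.113.5 port 51001 ssh2",
    "2024-03-01T10:00:09Z host1 sshd[1003]: Failed password for root from 203.0.113.5 port 51002 ssh2",
    "2024-03-01T10:00:14Z host1 sshd[1004]: Failed password for root from 203.0.113.5 port 51003 ssh2",
    "2024-03-01T10:00:20Z host1 sshd[1005]: Failed password for root from 203.0.113.5 port 51004 ssh2",
    "2024-03-01T10:00:30Z host1 sshd[1006]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2",
    "2024-03-01T10:05:00Z host1 sshd[1007]: Failed password for root from 198.51.100.9 port 40001 ssh2",
    "2024-03-01T10:00:31Z host1 cron[2000]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Grok-style pattern for the assumed sshd line format; named groups become the key-value fields.
SSHD_AUTH = re.compile(
    r"^(?P<timestamp>\S+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\S+) port (?P<src_port>\d+)"
)


def parse_line(line):
    """Return a key-value dict for an sshd auth line, or None if the line does not match the pattern."""
    m = SSHD_AUTH.match(line)
    if not m:
        return None
    event = m.groupdict()
    # Normalise types so later queries can compare timestamps and numbers directly.
    event["timestamp"] = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    event["pid"] = int(event["pid"])
    event["src_port"] = int(event["src_port"])
    event["event_type"] = "auth_failure" if event["outcome"] == "Failed" else "auth_success"
    return event


def parse_logs(lines):
    """Parse every line; unparsed lines are counted so gaps in parser coverage stay visible."""
    events, unparsed = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return events, unparsed


def correlate_failed_logins(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window correlation rule: alert when `threshold` failures from one source fall within `window`."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["event_type"] == "auth_failure":
            by_src[ev["src_ip"]].append(ev)
    alerts = []
    for src_ip, fails in by_src.items():
        for i in range(len(fails)):
            j = i + threshold - 1
            if j < len(fails) and fails[j]["timestamp"] - fails[i]["timestamp"] <= window:
                alerts.append({
                    "rule": "ssh_bruteforce_suspected",
                    "src_ip": src_ip,
                    "count": threshold,
                    "first_seen": fails[i]["timestamp"],
                    "last_seen": fails[j]["timestamp"],
                    "users": sorted({f["user"] for f in fails[i:j + 1]}),
                })
                break  # one alert per source is enough for this example
    return alerts


if __name__ == "__main__":
    evs, skipped = parse_logs(SAMPLE_LOGS)
    print(f"parsed {len(evs)} events, {skipped} lines unparsed")
    for alert in correlate_failed_logins(evs):
        print(alert)
```

On the sample above the cron line is left unparsed (a real deployment would route it to a different parser), the five failures from 203.0.113.5 fall inside the window and raise one alert, and the single failure from 198.51.100.9 does not. Counting unparsed lines is worth keeping in any such pipeline: a parser that silently drops lines it does not understand is a blind spot for the SOC rather than a clean dashboard.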
FortiSIEM is a solution from the American company Fortinet, which completes the vendor's portfolio with a SIEM-class security system. The system is delivered under a paid license; you can license either the number of agents that feed data into the system or the number of events per second. As part of the system, the manufacturer provides an extensive database of correlation rules, parsers, log enrichment feeds, and scenarios for detecting specific attacks. In addition to the standard modules for searching information, generating reports, and sending alerts about events, the user also gets a module for managing the events generated by correlation rules. This eliminates the need for the SOC team to install additional software in which analysts review the alerts generated by the SIEM.
OpenSearch is a solution created by Amazon in 2021 as a fork of Elasticsearch and Kibana (forked from Elasticsearch 7.10.2, the last version released under the old license). Since then it has been developed as a standalone product consisting of OpenSearch, a search engine, and OpenSearch Dashboards, a data visualization interface. The solution is maintained as free, open-source software. During its development, most of the functionality that was only available in the paid version of Elastic Stack was added to OpenSearch. Thus, with OpenSearch, we have access to generating and sending alerts on detected events, Machine Learning, and audit logs. The solution is a good alternative for SOC teams looking for a free SIEM solution.
Wazuh SIEM is a solution that initially functioned as a plug-in for Kibana, allowing Wazuh HIDS to be managed from Kibana and providing pre-defined dashboards for Wazuh. After the creation of OpenSearch, the American company Wazuh Inc. decided to migrate to OpenSearch and publish it as its own product. In terms of functionality, the product is practically identical to OpenSearch. By using Wazuh HIDS agents, Wazuh SIEM also gains XDR functionality. The solution is recommended for SOC teams that base their monitoring on the Wazuh HIDS solution.
Log2Logic is an OpenSearch-based solution created by a Polish company. It has all the functionality that OpenSearch provides. Because the product is developed in parallel with OpenSearch and comes with dedicated support, it is paid. Log2Logic is licensed by the amount of data written per day. The solution is a good combination of the benefits of free and paid solutions.
The variety of SIEM solutions available on the market may make it seem difficult to choose the right one. In reality, however, most of them offer a similar range of functionality, and the differences lie in what the graphical interface looks like, how independent the administrator of the system can be, and how well a given system integrates with other solutions. With such variety, you can be confident that after a proper analysis of the needs of the team and of the environment it is supposed to monitor, everyone will find the right system for them.
Author: Paweł Kopeć, AGH University of Kraków, #SOCCERproject