Blog

Key Capability

Benefit

Single platform

One product to install and manage, which simplifies operations

Software

Providing cost effective scaling–hardware options can match requirements and expand as needed. Hardware costs are minimized since commodity hardware can be used

Index any data using variety of mechanisms

Fast time-to-value. Customers should realize value from their SIEM in hours or days

Large number of pre-defined data sources

A rich partner ecosystem reduces reliance on SIEM vendor and custom collectors

Flat file data store providing access to all data values and data fields with no schema or normalization

All values and fields from all data sources can be searched, reported on, and correlated as predefined alerts or for ad hoc investigation. All the original data is retained and can be searched, as compared to legacy SIEMs that requires transforming different log formats into single “taxonomy” to facilitate.

Single data store with distributed indexing and searching for scale and speed

Scalability and speed issues are non-existent

Flexible search for automated base-lining and advanced correlations

Enhances the ability to find outliers and anomalies

Visualization of data and incidents in multiple formats and renderings

Ability to use, create and edit existing tables, charts or scatterplots provides much needed flexibility that is suited to diverse customer environment

Out-of-the-box support of APIs and SDKs

Interface with third-party apps to extend the capability of SIEM

Support of common IT use cases such as compliance, fraud, theft and abuse detection, IT operations, service intelligence, application delivery and business analytics

As security teams work in concert with other IT functions, the visibility from other use cases results in a centralized view across the organization with cross-department collaboration and stronger ROI

Operate on-premises, in the cloud and in hybrid environments

Operate a single logical solution that allows users to search, report and operate when data is stored in either on-premises or the cloud

Cloud deployment option (BYOL and SaaS)

Helps you consolidate your business in the cloud

Hybrid deployment with on-premises and cloud options

Optimize your business needs using SaaS or on-premises deployments—without sacrificing visibility

Threat intelligence operationalization

Security teams can quickly and effectively translate threat information into intelligence that can be actionable to detect threats and protect your organization

Risk scoring

Know the relative risk of a device or user in your network environment over time

Ad hoc searching over extended periods of time

Identify breaches and conduct detailed breach analysis by drilling down into machine data to get deep, precise insight

Supports applying the kill chain methodology of investigation

Gain visibility into an attack, understand adversary’s objectives, monitor activities during an attack, record key information and use it to defend your organization

Support analysis of the five styles of advanced threat defense

Helps identify advanced targeted attacks, also known as advanced persistent threats from the network, payload and endpoint, in near real time and post-compromise

Flexibility and architecture of the platform plays a key role in determining if the SIEM can scale to meet the scalability needs. It’s important that the SIEM software is able to quickly index all the original, raw data from any source at massive data volumes. Scalability to several hundreds of terabytes of data indexed per day is another key metric.

Scaling horizontally using commodity hardware provides the flexibility and compute scalability that expensive physical appliances are unable to meet.

Use of distributed index and search technology with fast searches, reporting and analytics enables quick transformation of the results into a wide range of interactive reports and visualizations.