Key Capability
|
Benefit
|
Single platform
|
One product to install and manage, which simplifies operations
|
Software
|
Providing cost effective scaling–hardware options can match requirements and expand as needed. Hardware costs are minimized since commodity hardware can be used
|
Index any data using variety of mechanisms
|
Fast time-to-value. Customers should realize value from their SIEM in hours or days
|
Large number of pre-defined data sources
|
A rich partner ecosystem reduces reliance on SIEM vendor and custom collectors
|
Flat file data store providing access to all data values and data fields with no schema or normalization
|
All values and fields from all data sources can be searched, reported on, and correlated as predefined alerts or for ad hoc investigation. All the original data is retained and can be searched, as compared to legacy SIEMs that requires transforming different log formats into single “taxonomy” to facilitate.
|
Single data store with distributed indexing and searching for scale and speed
|
Scalability and speed issues are non-existent
|
Flexible search for automated base-lining and advanced correlations
|
Enhances the ability to find outliers and anomalies
|
Visualization of data and incidents in multiple formats and renderings
|
Ability to use, create and edit existing tables, charts or scatterplots provides much needed flexibility that is suited to diverse customer environment
|
Out-of-the-box support of APIs and SDKs
|
Interface with third-party apps to extend the capability of SIEM
|
Support of common IT use cases such as compliance, fraud, theft and abuse detection, IT operations, service intelligence, application delivery and business analytics
|
As security teams work in concert with other IT functions, the visibility from other use cases results in a centralized view across the organization with cross-department collaboration and stronger ROI
|
Operate on-premises, in the cloud and in hybrid environments
|
Operate a single logical solution that allows users to search, report and operate when data is stored in either on-premises or the cloud
|
Cloud deployment option (BYOL and SaaS)
|
Helps you consolidate your business in the cloud
|
Hybrid deployment with on-premises and cloud options
|
Optimize your business needs using SaaS or on-premises deployments—without sacrificing visibility
|
Threat intelligence operationalization
|
Security teams can quickly and effectively translate threat information into intelligence that can be actionable to detect threats and protect your organization
|
Risk scoring
|
Know the relative risk of a device or user in your network environment over time
|
Ad hoc searching over extended periods of time
|
Identify breaches and conduct detailed breach analysis by drilling down into machine data to get deep, precise insight
|
Supports applying the kill chain methodology of investigation
|
Gain visibility into an attack, understand adversary’s objectives, monitor activities during an attack, record key information and use it to defend your organization
|
Support analysis of the five styles of advanced threat defense
|
Helps identify advanced targeted attacks, also known as advanced persistent threats from the network, payload and endpoint, in near real time and post-compromise
|
Flexibility and architecture of the platform plays a key role in determining if the SIEM can scale to meet the scalability needs. It’s important that the SIEM software is able to quickly index all the original, raw data from any source at massive data volumes. Scalability to several hundreds of terabytes of data indexed per day is another key metric.
|
Scaling horizontally using commodity hardware provides the flexibility and compute scalability that expensive physical appliances are unable to meet.
Use of distributed index and search technology with fast searches, reporting and analytics enables quick transformation of the results into a wide range of interactive reports and visualizations.
|