{"global":{"lastError":{},"locale":"en","locales":{"data":[{"id":"de","name":"Deutsch"},{"id":"en","name":"English"}],"loading":false,"error":false},"currency":{"id":49,"name":"EUR"},"currencies":{"data":[{"id":49,"name":"EUR"},{"id":124,"name":"RUB"},{"id":153,"name":"UAH"},{"id":155,"name":"USD"}],"loading":false,"error":false},"translations":{"comparison":{"compare":{"ru":"Сравнить","_type":"localeString","en":"Compare"},"characteristics":{"en":"Characteristics","ru":"Характеристики","_type":"localeString"},"additional_template":{"ru":"Дополнительные характеристики","_type":"localeString","en":"Additional characteristics"},"nothing_to_show":{"_type":"localeString","en":"No data to compare","ru":"Нет данных для отображения"}},"header":{"help":{"en":"Help","de":"Hilfe","ru":"Помощь","_type":"localeString"},"how":{"ru":"Как это работает","_type":"localeString","en":"How does it works","de":"Wie funktioniert es"},"login":{"ru":"Вход","_type":"localeString","en":"Log in","de":"Einloggen"},"logout":{"_type":"localeString","en":"Sign out","ru":"Выйти"},"faq":{"ru":"FAQ","_type":"localeString","en":"FAQ","de":"FAQ"},"references":{"de":"References","ru":"Мои запросы","_type":"localeString","en":"Requests"},"solutions":{"ru":"Возможности","_type":"localeString","en":"Solutions"},"find-it-product":{"_type":"localeString","en":"Selection and comparison of IT product","ru":"Подбор и сравнение ИТ продукта"},"autoconfigurator":{"ru":"Калькулятор цены","_type":"localeString","en":" Price calculator"},"comparison-matrix":{"_type":"localeString","en":"Comparison Matrix","ru":"Матрица сравнения"},"roi-calculators":{"en":"ROI calculators","ru":"ROI калькуляторы","_type":"localeString"},"b4r":{"en":"Bonus for reference","ru":"Бонус за референс","_type":"localeString"},"business-booster":{"ru":"Развитие бизнеса","_type":"localeString","en":"Business boosting"},"catalogs":{"ru":"Каталоги","_type":"localeString","en":"Catalogs"},"products":{"ru":"Продукты","_type":"localeString","en":"Products"},"implementations":{"_type":"localeString","en":"Deployments","ru":"Внедрения"},"companies":{"en":"Companies","ru":"Компании","_type":"localeString"},"categories":{"ru":"Категории","_type":"localeString","en":"Categories"},"for-suppliers":{"en":"For suppliers","ru":"Поставщикам","_type":"localeString"},"blog":{"ru":"Блог","_type":"localeString","en":"Blog"},"agreements":{"_type":"localeString","en":"Deals","ru":"Сделки"},"my-account":{"en":"My account","ru":"Мой кабинет","_type":"localeString"},"register":{"en":"Register","ru":"Зарегистрироваться","_type":"localeString"},"comparison-deletion":{"en":"Deletion","ru":"Удаление","_type":"localeString"},"comparison-confirm":{"en":"Are you sure you want to delete","ru":"Подтвердите удаление","_type":"localeString"},"search-placeholder":{"ru":"Введите поисковый запрос","_type":"localeString","en":"Enter your search term"},"my-profile":{"ru":"Мои данные","_type":"localeString","en":"My profile"},"about":{"_type":"localeString","en":"About Us"},"it_catalogs":{"_type":"localeString","en":"IT catalogs"},"roi4presenter":{"_type":"localeString","en":"Roi4Presenter"},"roi4webinar":{"_type":"localeString","en":"Pitch Avatar"},"sub_it_catalogs":{"_type":"localeString","en":"Find IT product"},"sub_b4reference":{"en":"Get reference from user","_type":"localeString"},"sub_roi4presenter":{"en":"Make online presentations","_type":"localeString"},"sub_roi4webinar":{"_type":"localeString","en":"Create an avatar for the event"},"catalogs_new":{"en":"Products","_type":"localeString"},"b4reference":{"en":"Bonus4Reference","_type":"localeString"},"it_our_it_catalogs":{"en":"Our IT Catalogs","_type":"localeString"},"it_products":{"_type":"localeString","en":"Find and compare IT products"},"it_implementations":{"_type":"localeString","en":"Learn implementation reviews"},"it_companies":{"en":"Find vendor and company-supplier","_type":"localeString"},"it_categories":{"_type":"localeString","en":"Explore IT products by category"},"it_our_products":{"en":"Our Products","_type":"localeString"},"it_it_catalogs":{"_type":"localeString","en":"IT catalogs"}},"footer":{"copyright":{"_type":"localeString","en":"All rights reserved","de":"Alle rechte vorbehalten","ru":"Все права защищены"},"company":{"_type":"localeString","en":"My Company","de":"Über die Firma","ru":"О компании"},"about":{"ru":"О нас","_type":"localeString","en":"About us","de":"Über uns"},"infocenter":{"de":"Infocenter","ru":"Инфоцентр","_type":"localeString","en":"Infocenter"},"tariffs":{"en":"Subscriptions","de":"Tarife","ru":"Тарифы","_type":"localeString"},"contact":{"ru":"Связаться с нами","_type":"localeString","en":"Contact us","de":"Kontaktiere uns"},"marketplace":{"ru":"Marketplace","_type":"localeString","en":"Marketplace","de":"Marketplace"},"products":{"ru":"Продукты","_type":"localeString","en":"Products","de":"Produkte"},"compare":{"_type":"localeString","en":"Pick and compare","de":"Wähle und vergleiche","ru":"Подобрать и сравнить"},"calculate":{"en":"Calculate the cost","de":"Kosten berechnen","ru":"Расчитать стоимость","_type":"localeString"},"get_bonus":{"de":"Holen Sie sich einen Rabatt","ru":"Бонус за референс","_type":"localeString","en":"Bonus for reference"},"salestools":{"de":"Salestools","ru":"Salestools","_type":"localeString","en":"Salestools"},"automatization":{"de":"Abwicklungsautomatisierung","ru":"Автоматизация расчетов","_type":"localeString","en":"Settlement Automation"},"roi_calcs":{"en":"ROI calculators","de":"ROI-Rechner","ru":"ROI калькуляторы","_type":"localeString"},"matrix":{"de":"Vergleichsmatrix","ru":"Матрица сравнения","_type":"localeString","en":"Comparison matrix"},"b4r":{"de":"Rebate 4 Reference","ru":"Rebate 4 Reference","_type":"localeString","en":"Rebate 4 Reference"},"our_social":{"_type":"localeString","en":"Our social networks","de":"Unsere sozialen Netzwerke","ru":"Наши социальные сети"},"subscribe":{"ru":"Подпишитесь на рассылку","_type":"localeString","en":"Subscribe to newsletter","de":"Melden Sie sich für den Newsletter an"},"subscribe_info":{"_type":"localeString","en":"and be the first to know about promotions, new features and recent software reviews","ru":"и узнавайте первыми об акциях, новых возможностях и свежих обзорах софта"},"policy":{"_type":"localeString","en":"Privacy Policy","ru":"Политика конфиденциальности"},"user_agreement":{"en":"Agreement","ru":"Пользовательское соглашение ","_type":"localeString"},"solutions":{"ru":"Возможности","_type":"localeString","en":"Solutions"},"find":{"_type":"localeString","en":"Selection and comparison of IT product","ru":"Подбор и сравнение ИТ продукта"},"quote":{"ru":"Калькулятор цены","_type":"localeString","en":"Price calculator"},"boosting":{"ru":"Развитие бизнеса","_type":"localeString","en":"Business boosting"},"4vendors":{"en":"4 vendors","ru":"поставщикам","_type":"localeString"},"blog":{"en":"blog","ru":"блог","_type":"localeString"},"pay4content":{"en":"we pay for content","ru":"платим за контент","_type":"localeString"},"categories":{"en":"categories","ru":"категории","_type":"localeString"},"showForm":{"_type":"localeString","en":"Show form","ru":"Показать форму"},"subscribe__title":{"en":"We send a digest of actual news from the IT world once in a month!","ru":"Раз в месяц мы отправляем дайджест актуальных новостей ИТ мира!","_type":"localeString"},"subscribe__email-label":{"ru":"Email","_type":"localeString","en":"Email"},"subscribe__name-label":{"en":"Name","ru":"Имя","_type":"localeString"},"subscribe__required-message":{"_type":"localeString","en":"This field is required","ru":"Это поле обязательное"},"subscribe__notify-label":{"ru":"Да, пожалуйста уведомляйте меня о новостях, событиях и предложениях","_type":"localeString","en":"Yes, please, notify me about news, events and propositions"},"subscribe__agree-label":{"ru":"Подписываясь на рассылку, вы соглашаетесь с %TERMS% и %POLICY% и даете согласие на использование файлов cookie и передачу своих персональных данных*","_type":"localeString","en":"By subscribing to the newsletter, you agree to the %TERMS% and %POLICY% and agree to the use of cookies and the transfer of your personal data"},"subscribe__submit-label":{"_type":"localeString","en":"Subscribe","ru":"Подписаться"},"subscribe__email-message":{"en":"Please, enter the valid email","ru":"Пожалуйста, введите корректный адрес электронной почты","_type":"localeString"},"subscribe__email-placeholder":{"_type":"localeString","en":"username@gmail.com","ru":"username@gmail.com"},"subscribe__name-placeholder":{"en":"Last, first name","ru":"Имя Фамилия","_type":"localeString"},"subscribe__success":{"ru":"Вы успешно подписаны на рассылку. Проверьте свой почтовый ящик.","_type":"localeString","en":"You are successfully subscribed! Check you mailbox."},"subscribe__error":{"en":"Subscription is unsuccessful. Please, try again later.","ru":"Не удалось оформить подписку. Пожалуйста, попробуйте позднее.","_type":"localeString"},"roi4presenter":{"de":"roi4presenter","ru":"roi4presenter","_type":"localeString","en":"Roi4Presenter"},"it_catalogs":{"_type":"localeString","en":"IT catalogs"},"roi4webinar":{"_type":"localeString","en":"Pitch Avatar"},"b4reference":{"_type":"localeString","en":"Bonus4Reference"}},"breadcrumbs":{"home":{"ru":"Главная","_type":"localeString","en":"Home"},"companies":{"_type":"localeString","en":"Companies","ru":"Компании"},"products":{"en":"Products","ru":"Продукты","_type":"localeString"},"implementations":{"ru":"Внедрения","_type":"localeString","en":"Deployments"},"login":{"ru":"Вход","_type":"localeString","en":"Login"},"registration":{"ru":"Регистрация","_type":"localeString","en":"Registration"},"b2b-platform":{"en":"B2B platform for IT buyers, vendors and suppliers","ru":"Портал для покупателей, поставщиков и производителей ИТ","_type":"localeString"}},"comment-form":{"title":{"_type":"localeString","en":"Leave comment","ru":"Оставить комментарий"},"firstname":{"en":"First name","ru":"Имя","_type":"localeString"},"lastname":{"en":"Last name","ru":"Фамилия","_type":"localeString"},"company":{"ru":"Компания","_type":"localeString","en":"Company name"},"position":{"ru":"Должность","_type":"localeString","en":"Position"},"actual-cost":{"ru":"Фактическая стоимость","_type":"localeString","en":"Actual cost"},"received-roi":{"ru":"Полученный ROI","_type":"localeString","en":"Received ROI"},"saving-type":{"ru":"Тип экономии","_type":"localeString","en":"Saving type"},"comment":{"ru":"Комментарий","_type":"localeString","en":"Comment"},"your-rate":{"ru":"Ваша оценка","_type":"localeString","en":"Your rate"},"i-agree":{"ru":"Я согласен","_type":"localeString","en":"I agree"},"terms-of-use":{"en":"With user agreement and privacy policy","ru":"С пользовательским соглашением и политикой конфиденциальности","_type":"localeString"},"send":{"en":"Send","ru":"Отправить","_type":"localeString"},"required-message":{"en":"{NAME} is required filed","ru":"{NAME} - это обязательное поле","_type":"localeString"}},"maintenance":{"title":{"_type":"localeString","en":"Site under maintenance","ru":"На сайте проводятся технические работы"},"message":{"_type":"localeString","en":"Thank you for your understanding","ru":"Спасибо за ваше понимание"}}},"translationsStatus":{"comparison":"success"},"sections":{},"sectionsStatus":{},"pageMetaData":{"comparison":{"title":{"ru":"Сравнить продукты","_type":"localeString","en":"Compare products"}}},"pageMetaDataStatus":{"comparison":"success"},"subscribeInProgress":false,"subscribeError":false},"auth":{"inProgress":false,"error":false,"checked":true,"initialized":false,"user":{},"role":null,"expires":null},"products":{"productsByAlias":{},"aliases":{},"links":{},"meta":{},"loading":false,"error":null,"useProductLoading":false,"sellProductLoading":false,"templatesById":{},"comparisonByTemplateId":{}},"filters":{"filterCriterias":{"loading":false,"error":null,"data":{"price":{"min":0,"max":6000},"users":{"loading":false,"error":null,"ids":[],"values":{}},"suppliers":{"loading":false,"error":null,"ids":[],"values":{}},"vendors":{"loading":false,"error":null,"ids":[],"values":{}},"roles":{"id":200,"title":"Roles","values":{"1":{"id":1,"title":"User","translationKey":"user"},"2":{"id":2,"title":"Supplier","translationKey":"supplier"},"3":{"id":3,"title":"Vendor","translationKey":"vendor"}}},"categories":{"flat":[],"tree":[]},"countries":{"loading":false,"error":null,"ids":[],"values":{}}}},"showAIFilter":false},"companies":{"companiesByAlias":{},"aliases":{},"links":{},"meta":{},"loading":false,"error":null},"implementations":{"implementationsByAlias":{},"aliases":{},"links":{},"meta":{},"loading":false,"error":null},"agreements":{"agreementById":{},"ids":{},"links":{},"meta":{},"loading":false,"error":null},"comparison":{"loading":false,"error":false,"templatesById":{"144":{"id":144,"title":"SIEM - Security information and event management","characteristics":[{"id":2877,"title":"Customizable reports","required":0,"type":"binary"},{"id":2879,"title":"Log management","required":0,"type":"binary"},{"id":2881,"title":"Correlation rules","required":0,"type":"binary"},{"id":2883,"title":"Real time application of correlation rules","required":0,"type":"binary"},{"id":2885,"title":"Backup system configuration","required":0,"type":"binary"},{"id":2887,"title":"Events aggregation by type","required":0,"type":"binary"},{"id":2889,"title":"Machine learning","required":0,"type":"binary"},{"id":2891,"title":"Investigations","required":0,"type":"binary"},{"id":2893,"title":"Incident Management and Remediation","required":0,"type":"binary"},{"id":2895,"title":"Support for Cloud services","required":0,"type":"binary"},{"id":2897,"title":"Behavior based anomaly detection","required":0,"type":"binary"},{"id":2899,"title":"Automated workflows","required":0,"type":"binary"},{"id":2901,"title":"Real time alerts and notifications","required":0,"type":"binary"},{"id":2903,"title":"Advanced threat detection","required":0,"type":"binary"},{"id":2905,"title":"Insider threat identification","required":0,"type":"binary"},{"id":2907,"title":"Trial","required":0,"type":"select"}]}},"comparisonByTemplateId":{},"products":[{"id":332,"logoURL":"https://old.roi4cio.com/fileadmin/user_upload/alienvault.jpg","logo":true,"schemeURL":"https://old.roi4cio.com/fileadmin/user_upload/AlienVault_Unified_Security_Management_TM_1.png","scheme":true,"title":"AlienVault Unified Security Management™","vendorVerified":0,"rating":"1.00","implementationsCount":0,"suppliersCount":0,"alias":"alienvault-unified-security-managementtm","companyTypes":[],"description":"<p>The AlienVault Unified Security Management (USM) platform provides five essential security capabilities in a single console, giving you everything you need to manage both compliance and threats. Understanding the sensitive nature of IT environments, we include active, passive and host-based technologies so that you can match the requirements of your particular environment.</p>\r\n<p><strong>Asset Discovery</strong></p>\r\n<p>Find all assets on your network before a bad actor does</p>\r\n<p>Active Network Scanning</p>\r\n<p>Passive Network Monitoring</p>\r\n<p>Asset Inventory</p>\r\n<p>Software Inventory</p>\r\n<p> </p>\r\n<p><strong>Vulnerability Assessment</strong></p>\r\n<p>Identify systems on your network that are vulnerable to exploits</p>\r\n<p>Network Vulnerability Testing</p>\r\n<p>Continuous Vulnerability Monitoring</p>\r\n<p> </p>\r\n<p><strong>Intrusion Detection</strong></p>\r\n<p>Detect malicious traffic on your network</p>\r\n<p>Network IDS</p>\r\n<p>Host IDS</p>\r\n<p>File Integrity Monitoring (FIM)</p>\r\n<p>Threat Detection</p>\r\n<p> </p>\r\n<p><strong>Behavioral Monitoring</strong></p>\r\n<p>Identify suspicious behavior and potentially compromised systems</p>\r\n<p>Netflow Analysis</p>\r\n<p>Service Availability Monitoring</p>\r\n<p>Full packet capture</p>\r\n<p>Behavioral Monitoring</p>\r\n<p> </p>\r\n<p><strong>SIEM</strong></p>\r\n<p>Correlate and analyze security event data from across your network</p>\r\n<p>Log Management</p>\r\n<p>Event Correlation</p>\r\n<p>Incident Response</p>","shortDescription":"The AlienVault Unified Security Management (USM) platform provides five essential security capabilities in a single console, giving you everything you need to manage both compliance and threats.","type":null,"isRoiCalculatorAvaliable":false,"isConfiguratorAvaliable":false,"bonus":100,"usingCount":0,"sellingCount":0,"discontinued":0,"rebateForPoc":0,"rebate":0,"seo":{"title":"AlienVault Unified Security Management™","keywords":"сети, угроз, безопасности, AlienVault, действий, соответствие, правил, мониторинг","description":"<p>The AlienVault Unified Security Management (USM) platform provides five essential security capabilities in a single console, giving you everything you need to manage both compliance and threats. Understanding the sensitive nature of IT environments, we incl","og:title":"AlienVault Unified Security Management™","og:description":"<p>The AlienVault Unified Security Management (USM) platform provides five essential security capabilities in a single console, giving you everything you need to manage both compliance and threats. Understanding the sensitive nature of IT environments, we incl","og:image":"https://old.roi4cio.com/fileadmin/user_upload/alienvault.jpg"},"eventUrl":"","translationId":332,"dealDetails":null,"roi":null,"price":null,"bonusForReference":null,"templateData":[],"testingArea":"","categories":[{"id":45,"title":"SIEM - Security Information and Event Management","alias":"siem-security-information-and-event-management","description":"<span style=\"font-weight: bold; \">Security information and event management (SIEM)</span> is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system. \r\n The underlying principles of every SIEM system is to aggregate relevant data from multiple sources, identify deviations from the norm and take appropriate action. At the most basic level, a SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries. Advanced SIEM products have evolved to include user and entity behavior analytics (UEBA) and security orchestration and automated response (SOAR). \r\nThe acronyms SEM, SIM and SIEM have sometimes been used interchangeably, but generally refer to the different primary focus of products:\r\n<ul><li><span style=\"font-weight: bold;\">Log management:</span> Focus on simple collection and storage of log messages and audit trails.</li><li><span style=\"font-weight: bold;\">Security information management (SIM):</span> Long-term storage as well as analysis and reporting of log data.</li><li><span style=\"font-weight: bold;\">Security event manager (SEM):</span> Real-time monitoring, correlation of events, notifications and console views.</li><li><span style=\"font-weight: bold;\">Security information event management (SIEM):</span> Combines SIM and SEM and provides real-time analysis of security alerts generated by network hardware and applications.</li><li><span style=\"font-weight: bold;\">Managed Security Service (MSS) or Managed Security Service Provider (MSSP):</span> The most common managed services appear to evolve around connectivity and bandwidth, network monitoring, security, virtualization, and disaster recovery.</li><li><span style=\"font-weight: bold;\">Security as a service (SECaaS):</span> These security services often include authentication, anti-virus, anti-malware/spyware, intrusion detection, Penetration testing and security event management, among others.</li></ul>\r\nToday, most of SIEM technology works by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment, as well as specialized security equipment like firewalls, antivirus or intrusion prevention systems. The collectors forward events to a centralized management console where security analysts sift through the noise, connecting the dots and prioritizing security incidents.\r\nSome of the most important features to review when evaluating Security Information and Event Management software are:\r\n<ol><li><span style=\"font-weight: bold; \">Integration with other controls:</span> Can the system give commands to other enterprise security controls to prevent or stop attacks in progress?</li><li><span style=\"font-weight: bold; \">Artificial intelligence:</span> Can the system improve its own accuracy by through machine and deep learning?</li><li><span style=\"font-weight: bold; \">Threat intelligence feeds:</span> Can the system support threat intelligence feeds of the organization's choosing or is it mandated to use a particular feed?</li><li><span style=\"font-weight: bold; \">Robust compliance reporting:</span> Does the system include built-in reports for common compliance needs and the provide the organization with the ability to customize or create new compliance reports?</li><li><span style=\"font-weight: bold; \">Forensics capabilities:</span> Can the system capture additional information about security events by recording the headers and contents of packets of interest? </li></ol>\r\n\r\n\r\n","materialsDescription":"<h1 class=\"align-center\"> Why is SIEM Important?</h1>\r\nSIEM has become a core security component of modern organizations. The main reason is that every user or tracker leaves behind a virtual trail in a network’s log data. SIEM software is designed to use this log data in order to generate insight into past attacks and events. A SIEM solution not only identifies that an attack has happened, but allows you to see how and why it happened as well.\r\nAs organizations update and upscale to increasingly complex IT infrastructures, SIEM has become even more important in recent years. Contrary to popular belief, firewalls and antivirus packages are not enough to protect a network in its entirety. Zero-day attacks can still penetrate a system’s defenses even with these security measures in place.\r\nSIEM addresses this problem by detecting attack activity and assessing it against past behavior on the network. A security event monitoring has the ability to distinguish between legitimate use and a malicious attack. This helps to increase a system’s incident protection and avoid damage to systems and virtual property.\r\nThe use of SIEM also helps companies to comply with a variety of industry cyber management regulations. Log management is the industry standard method of auditing activity on an IT network. SIEM management provides the best way to meet this regulatory requirement and provide transparency over logs in order to generate clear insights and improvements.\r\n<h1 class=\"align-center\">Evaluation criteria for security information and event management software:</h1>\r\n<ul><li>Threat identification: Raw log form vs. descriptive.</li><li>Threat tracking: Ability to track through the various events, from source to destination.</li><li>Policy enforcement: Ability to enforce defined polices.</li><li>Application analysis: Ability to analyze application at Layer 7 if necessary.</li><li>Business relevance of events: Ability to assign business risk to events and have weighted threat levels.</li><li>Measuring changes and improvements: Ability to track configuration changes to devices.</li><li>Asset-based information: Ability to gather information on devices on the network.</li><li>Anomalous behavior (server): Ability to trend and see changes in how it communicates to others.</li><li>Anomalous behavior (network): Ability to trend and see how communications pass throughout the network.</li><li>Anomalous behavior (application): Ability to trend and see changes in how it communicates to others.</li><li>User monitoring: User activity, logging in, applications usage, etc.</li></ul>\r\n\r\n"},{"id":79,"title":"VM - Vulnerability management","alias":"vm-vulnerability-management","description":"Vulnerability management is the "cyclical practice of identifying, classifying, prioritizing, remediating and mitigating" software vulnerabilities. Vulnerability management is integral to computer security and network security, and must not be confused with a Vulnerability assessment.\r\nVulnerability management is an ongoing process that includes proactive asset discovery, continuous monitoring, mitigation, remediation and defense tactics to protect your organization's modern IT attack surface from Cyber Exposure.\r\nVulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities, such as open ports, insecure software configurations, and susceptibility to malware infections. They may also be identified by consulting public sources, such as NVD, or subscribing to a commercial vulnerability alerting services. Unknown vulnerabilities, such as a zero-day, may be found with fuzz testing, which can identify certain kinds of vulnerabilities, such as a buffer overflow with relevant test cases. Such analysis can be facilitated by test automation. In addition, antivirus software capable of heuristic analysis may discover undocumented malware if it finds software behaving suspiciously (such as attempting to overwrite a system file).\r\nCorrecting vulnerabilities may variously involve the installation of a patch, a change in network security policy, reconfiguration of software, or educating users about social engineering.\r\nNetwork vulnerabilities represent security gaps that could be abused by attackers to damage network assets, trigger a denial of service, and/or steal potentially sensitive information. Attackers are constantly looking for new vulnerabilities to exploit — and taking advantage of old vulnerabilities that may have gone unpatched.\r\nHaving a vulnerability management framework in place that regularly checks for new vulnerabilities is crucial for preventing cybersecurity breaches. Without a vulnerability testing and patch management system, old security gaps may be left on the network for extended periods of time. This gives attackers more of an opportunity to exploit vulnerabilities and carry out their attacks.\r\nOne statistic that highlights how crucial vulnerability management was featured in an Infosecurity Magazine article. According to survey data cited in the article, of the organizations that “suffered a breach, almost 60% were due to an unpatched vulnerability.” In other words, nearly 60% of the data breaches suffered by survey respondents could have been easily prevented simply by having a vulnerability management plan that would apply critical patches before attackers leveraged the vulnerability.","materialsDescription":" <span style=\"font-weight: bold;\">What is vulnerability management?</span>\r\nVulnerability management is a pro-active approach to managing network security by reducing the likelihood that flaws in code or design compromise the security of an endpoint or network.\r\n<span style=\"font-weight: bold;\">What processes does vulnerability management include?</span>\r\nVulnerability management processes include:\r\n<ul><li><span style=\"font-style: italic;\">Checking for vulnerabilities:</span> This process should include regular network scanning, firewall logging, penetration testing or use of an automated tool like a vulnerability scanner.</li><li><span style=\"font-style: italic;\">Identifying vulnerabilities:</span> This involves analyzing network scans and pen test results, firewall logs or vulnerability scan results to find anomalies that suggest a malware attack or other malicious event has taken advantage of a security vulnerability, or could possibly do so.</li><li><span style=\"font-style: italic;\">Verifying vulnerabilities:</span> This process includes ascertaining whether the identified vulnerabilities could actually be exploited on servers, applications, networks or other systems. This also includes classifying the severity of a vulnerability and the level of risk it presents to the organization.</li><li><span style=\"font-style: italic;\">Mitigating vulnerabilities:</span> This is the process of figuring out how to prevent vulnerabilities from being exploited before a patch is available, or in the event that there is no patch. It can involve taking the affected part of the system off-line (if it's non-critical), or various other workarounds.</li><li><span style=\"font-style: italic;\">Patching vulnerabilities:</span> This is the process of getting patches -- usually from the vendors of the affected software or hardware -- and applying them to all the affected areas in a timely way. This is sometimes an automated process, done with patch management tools. This step also includes patch testing.</li></ul>"},{"id":377,"title":"IT Asset Management","alias":"it-asset-management","description":" IT asset management is the set of business practices that join financial, contractual and inventory functions to support life cycle management and strategic decision making for the IT environment. Assets include all elements of software and hardware that are found in the business environment.\r\nIT asset management generally uses automation to manage the discovery of assets so inventory can be compared to license entitlements. Full business management of IT assets requires a repository of multiple types of information about the asset, as well as integration with other systems such as supply chain, help desk, procurement and HR systems and ITSM.\r\nHardware asset management entails the management of the physical components of computers and computer networks, from acquisition through disposal. Common business practices include request and approval process, procurement management, life cycle management, redeployment and disposal management. A key component is capturing the financial information about the hardware life cycle which aids the organization in making business decisions based on meaningful and measurable financial objectives.\r\nSoftware Asset Management is a similar process, focusing on software assets, including licenses. Standards for this aspect of data center management are part of ISO/IEC 19770.","materialsDescription":" <span style=\"font-weight: bold;\">What is Information Technology Asset Management?</span>\r\nIT asset management (information technology asset management, or ITAM) is a set of business practices that combines financial, inventory and contractual functions to optimize spending and support lifecycle management and strategic decision-making within the IT environment.\r\n<span style=\"font-weight: bold;\">What is the purpose of IT asset management?</span>\r\nAsset management allows the organization to keep track of all their assets. It can tell where the assets are located, how they are used, and when changes were made to them. The data from the asset management solution can ensure that asset recovery will lead to better returns.\r\n<span style=\"font-weight: bold;\">What are the benefits of asset management?</span>\r\nWith a structure asset management framework in place, organizations will realize these and other benefits:\r\nGood Business Practice. Asset management results in better decisions;\r\n<ul><li>Improved Regulatory Compliance;</li><li>Improved Reliability;</li><li>Long Term System Integrity;</li><li>Cost Savings;</li><li>Eligibility for Federal Funding.</li></ul>\r\n<span style=\"font-weight: bold;\">What are the types of asset management?</span>\r\nThere are 7 types of asset management:\r\n<ul><li>Financial Asset Management.</li><li>Enterprise Asset Management.</li><li>Infrastructure Asset Management.</li><li>Public Asset Management.</li><li>IT Asset Management.</li><li>Fixed Assets Management.</li><li>Digital Asset Management.</li></ul>"}],"characteristics":[],"concurentProducts":[],"jobRoles":[],"organizationalFeatures":[],"complementaryCategories":[],"solutions":[],"materials":[],"useCases":[],"best_practices":[],"values":[],"implementations":[],"valuesByTemplateId":{"144":{"2877":{"id":7968,"characteristicId":2877,"templateId":144,"value":true},"2879":{"id":7969,"characteristicId":2879,"templateId":144,"value":true},"2881":{"id":7970,"characteristicId":2881,"templateId":144,"value":true},"2883":{"id":7971,"characteristicId":2883,"templateId":144,"value":true},"2885":{"id":7972,"characteristicId":2885,"templateId":144,"value":true},"2887":{"id":7973,"characteristicId":2887,"templateId":144,"value":"N/A"},"2889":{"id":7974,"characteristicId":2889,"templateId":144,"value":true},"2891":{"id":7975,"characteristicId":2891,"templateId":144,"value":true},"2893":{"id":7976,"characteristicId":2893,"templateId":144,"value":true},"2895":{"id":7977,"characteristicId":2895,"templateId":144,"value":true},"2897":{"id":7978,"characteristicId":2897,"templateId":144,"value":true},"2899":{"id":7979,"characteristicId":2899,"templateId":144,"value":true},"2901":{"id":7980,"characteristicId":2901,"templateId":144,"value":true},"2903":{"id":7981,"characteristicId":2903,"templateId":144,"value":true},"2905":{"id":7982,"characteristicId":2905,"templateId":144,"value":true},"2907":{"id":7983,"characteristicId":2907,"templateId":144,"value":"yes, 14 days"}}}},{"id":3507,"logoURL":"https://old.roi4cio.com/fileadmin/user_upload/Helix.png","logo":true,"schemeURL":"https://old.roi4cio.com/fileadmin/user_upload/Helix.JPG","scheme":true,"title":"FireEye Helix Security Platform","vendorVerified":0,"rating":"1.90","implementationsCount":0,"suppliersCount":0,"alias":"fireeye-helix-security-platform","companyTypes":[],"description":"<p><span style=\"color: #616161;\">FireEye Helix is a cloud-hosted security operations platform that allows organizations to take control of any incident from alert to fix. Available with any FireEye solution, FireEye Helix integrates your security tools and augments them with next-generation SIEM, orchestration and threat intelligence capabilities to capture the untapped potential of security investments. Designed by security experts, for security experts, it empowers security teams to efficiently conduct primary functions, such as alert management, search, analysis, investigations and reporting.<br /></span></p>\r\n<p><span style=\"font-weight: bold;\">Advanced features that simplify and improve security:</span></p>\r\n<ul>\r\n<li>Threat Intelligence: Detect, enrich, explore and learn about the latest intelligence threats.</li>\r\n</ul>\r\n<ul>\r\n<li>Security Orchestration: Automate response with pre-built playbooks created by frontline practitioners.</li>\r\n</ul>\r\n<ul>\r\n<li>Next-Generation SIEM: Improve threat and vulnerability detection with advanced user behavioral analytics.</li>\r\n</ul>\r\n<ul>\r\n<li>Workflow Management: Organize, assign, collaborate and action steps through the investigative process through automated and manual workflows.</li>\r\n</ul>\r\n<ul>\r\n<li>Investigative Workbench: Index, archive and search across alert and event data from all sources across the infrastructure to support flexible pivoting and fast hunting.</li>\r\n</ul>\r\n<ul>\r\n<li>Compliance Reporting: Use and customize dashboards and widgets to visually aggregate, present and explore the most important information.</li>\r\n</ul>\r\n<ul>\r\n<li>Simplify Analysis: Collect, store and analyze event data in a single log source with custom rules and alert queues.</li>\r\n<li>Lightweight Deployment: Enable rapid, scalable, and cost-efficient deployment across cloud, on-premise, and hybrid environments.</li>\r\n</ul>\r\n<p> </p>\r\n<p>FireEye Threat Analytics Platform is now a part of Helix</p>","shortDescription":"FireEye Helix Security Platform is a cloud-hosted security operations platform that allows organizations to take control of any incident from alert to fix","type":null,"isRoiCalculatorAvaliable":false,"isConfiguratorAvaliable":false,"bonus":100,"usingCount":18,"sellingCount":12,"discontinued":0,"rebateForPoc":0,"rebate":0,"seo":{"title":"FireEye Helix Security Platform","keywords":"","description":"<p><span style=\"color: #616161;\">FireEye Helix is a cloud-hosted security operations platform that allows organizations to take control of any incident from alert to fix. Available with any FireEye solution, FireEye Helix integrates your security tools and aug","og:title":"FireEye Helix Security Platform","og:description":"<p><span style=\"color: #616161;\">FireEye Helix is a cloud-hosted security operations platform that allows organizations to take control of any incident from alert to fix. Available with any FireEye solution, FireEye Helix integrates your security tools and aug","og:image":"https://old.roi4cio.com/fileadmin/user_upload/Helix.png"},"eventUrl":"","translationId":3508,"dealDetails":null,"roi":null,"price":null,"bonusForReference":null,"templateData":[],"testingArea":"","categories":[{"id":5,"title":"Security Software","alias":"security-software","description":" Computer security software or cybersecurity software is any computer program designed to enhance information security. Security software is a broad term that encompasses a suite of different types of software that deliver data and computer and network security in various forms. \r\nSecurity software can protect a computer from viruses, malware, unauthorized users and other security exploits originating from the Internet. Different types of security software include anti-virus software, firewall software, network security software, Internet security software, malware/spamware removal and protection software, cryptographic software, and more.\r\nIn end-user computing environments, anti-spam and anti-virus security software is the most common type of software used, whereas enterprise users add a firewall and intrusion detection system on top of it. \r\nSecurity soft may be focused on preventing attacks from reaching their target, on limiting the damage attacks can cause if they reach their target and on tracking the damage that has been caused so that it can be repaired. As the nature of malicious code evolves, security software also evolves.<span style=\"font-weight: bold; \"></span>\r\n<span style=\"font-weight: bold; \">Firewall. </span>Firewall security software prevents unauthorized users from accessing a computer or network without restricting those who are authorized. Firewalls can be implemented with hardware or software. Some computer operating systems include software firewalls in the operating system itself. For example, Microsoft Windows has a built-in firewall. Routers and servers can include firewalls. There are also dedicated hardware firewalls that have no other function other than protecting a network from unauthorized access.\r\n<span style=\"font-weight: bold; \">Antivirus.</span> Antivirus solutions work to prevent malicious code from attacking a computer by recognizing the attack before it begins. But it is also designed to stop an attack in progress that could not be prevented, and to repair damage done by the attack once the attack abates. Antivirus software is useful because it addresses security issues in cases where attacks have made it past a firewall. New computer viruses appear daily, so antivirus and security software must be continuously updated to remain effective.\r\n<span style=\"font-weight: bold; \">Antispyware.</span> While antivirus software is designed to prevent malicious software from attacking, the goal of antispyware software is to prevent unauthorized software from stealing information that is on a computer or being processed through the computer. Since spyware does not need to attempt to damage data files or the operating system, it does not trigger antivirus software into action. However, antispyware software can recognize the particular actions spyware is taking by monitoring the communications between a computer and external message recipients. When communications occur that the user has not authorized, antispyware can notify the user and block further communications.\r\n<span style=\"font-weight: bold; \">Home Computers.</span> Home computers and some small businesses usually implement security software at the desktop level - meaning on the PC itself. This category of computer security and protection, sometimes referred to as end-point security, remains resident, or continuously operating, on the desktop. Because the software is running, it uses system resources, and can slow the computer's performance. However, because it operates in real time, it can react rapidly to attacks and seek to shut them down when they occur.\r\n<span style=\"font-weight: bold; \">Network Security.</span> When several computers are all on the same network, it's more cost-effective to implement security at the network level. Antivirus software can be installed on a server and then loaded automatically to each desktop. However firewalls are usually installed on a server or purchased as an independent device that is inserted into the network where the Internet connection comes in. All of the computers inside the network communicate unimpeded, but any data going in or out of the network over the Internet is filtered trough the firewall.<br /><br /><br />","materialsDescription":"<h1 class=\"align-center\"> <span style=\"font-weight: normal; \">What is IT security software?</span></h1>\r\nIT security software provides protection to businesses’ computer or network. It serves as a defense against unauthorized access and intrusion in such a system. It comes in various types, with many businesses and individuals already using some of them in one form or another.\r\nWith the emergence of more advanced technology, cybercriminals have also found more ways to get into the system of many organizations. Since more and more businesses are now relying their crucial operations on software products, the importance of security system software assurance must be taken seriously – now more than ever. Having reliable protection such as a security software programs is crucial to safeguard your computing environments and data. \r\n<p class=\"align-left\">It is not just the government or big corporations that become victims of cyber threats. In fact, small and medium-sized businesses have increasingly become targets of cybercrime over the past years. </p>\r\n<h1 class=\"align-center\"><span style=\"font-weight: normal; \">What are the features of IT security software?</span></h1>\r\n\r\n<ul><li><span style=\"font-weight: bold; \">Automatic updates. </span>This ensures you don’t miss any update and your system is the most up-to-date version to respond to the constantly emerging new cyber threats.</li></ul>\r\n\r\n<ul><li><span style=\"font-weight: bold; \">Real-time scanning.</span> Dynamic scanning features make it easier to detect and infiltrate malicious entities promptly. Without this feature, you’ll risk not being able to prevent damage to your system before it happens.</li></ul>\r\n\r\n<ul><li><span style=\"font-weight: bold; \">Auto-clean.</span> A feature that rids itself of viruses even without the user manually removing it from its quarantine zone upon detection. Unless you want the option to review the malware, there is no reason to keep the malicious software on your computer which makes this feature essential.</li></ul>\r\n\r\n<ul><li><span style=\"font-weight: bold; \">Multiple app protection.</span> This feature ensures all your apps and services are protected, whether they’re in email, instant messenger, and internet browsers, among others.</li></ul>\r\n\r\n<ul><li><span style=\"font-weight: bold; \">Application level security.</span> This enables you to control access to the application on a per-user role or per-user basis to guarantee only the right individuals can enter the appropriate applications.</li></ul>\r\n\r\n<ul><li><span style=\"font-weight: bold; \">Role-based menu.</span> This displays menu options showing different users according to their roles for easier assigning of access and control.</li></ul>\r\n\r\n<ul><li><span style=\"font-weight: bold; \">Row-level (multi-tenant) security.</span> This gives you control over data access at a row-level for a single application. This means you can allow multiple users to access the same application but you can control the data they are authorized to view.</li></ul>\r\n\r\n<ul><li><span style=\"font-weight: bold; \">Single sign-on.</span> A session or user authentication process that allows users to access multiple related applications as long as they are authorized in a single session by only logging in their name and password in a single place.</li></ul>\r\n\r\n<ul><li><span style=\"font-weight: bold; \">User privilege parameters.</span> These are customizable features and security as per individual user or role that can be accessed in their profile throughout every application.</li></ul>\r\n\r\n<ul><li><span style=\"font-weight: bold; \">Application activity auditing.</span> Vital for IT departments to quickly view when a user logged in and off and which application they accessed. Developers can log end-user activity using their sign-on/signoff activities.</li></ul>\r\n<p class=\"align-left\"><br /><br /><br /><br /></p>"},{"id":45,"title":"SIEM - Security Information and Event Management","alias":"siem-security-information-and-event-management","description":"<span style=\"font-weight: bold; \">Security information and event management (SIEM)</span> is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system. \r\n The underlying principles of every SIEM system is to aggregate relevant data from multiple sources, identify deviations from the norm and take appropriate action. At the most basic level, a SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries. Advanced SIEM products have evolved to include user and entity behavior analytics (UEBA) and security orchestration and automated response (SOAR). \r\nThe acronyms SEM, SIM and SIEM have sometimes been used interchangeably, but generally refer to the different primary focus of products:\r\n<ul><li><span style=\"font-weight: bold;\">Log management:</span> Focus on simple collection and storage of log messages and audit trails.</li><li><span style=\"font-weight: bold;\">Security information management (SIM):</span> Long-term storage as well as analysis and reporting of log data.</li><li><span style=\"font-weight: bold;\">Security event manager (SEM):</span> Real-time monitoring, correlation of events, notifications and console views.</li><li><span style=\"font-weight: bold;\">Security information event management (SIEM):</span> Combines SIM and SEM and provides real-time analysis of security alerts generated by network hardware and applications.</li><li><span style=\"font-weight: bold;\">Managed Security Service (MSS) or Managed Security Service Provider (MSSP):</span> The most common managed services appear to evolve around connectivity and bandwidth, network monitoring, security, virtualization, and disaster recovery.</li><li><span style=\"font-weight: bold;\">Security as a service (SECaaS):</span> These security services often include authentication, anti-virus, anti-malware/spyware, intrusion detection, Penetration testing and security event management, among others.</li></ul>\r\nToday, most of SIEM technology works by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment, as well as specialized security equipment like firewalls, antivirus or intrusion prevention systems. The collectors forward events to a centralized management console where security analysts sift through the noise, connecting the dots and prioritizing security incidents.\r\nSome of the most important features to review when evaluating Security Information and Event Management software are:\r\n<ol><li><span style=\"font-weight: bold; \">Integration with other controls:</span> Can the system give commands to other enterprise security controls to prevent or stop attacks in progress?</li><li><span style=\"font-weight: bold; \">Artificial intelligence:</span> Can the system improve its own accuracy by through machine and deep learning?</li><li><span style=\"font-weight: bold; \">Threat intelligence feeds:</span> Can the system support threat intelligence feeds of the organization's choosing or is it mandated to use a particular feed?</li><li><span style=\"font-weight: bold; \">Robust compliance reporting:</span> Does the system include built-in reports for common compliance needs and the provide the organization with the ability to customize or create new compliance reports?</li><li><span style=\"font-weight: bold; \">Forensics capabilities:</span> Can the system capture additional information about security events by recording the headers and contents of packets of interest? </li></ol>\r\n\r\n\r\n","materialsDescription":"<h1 class=\"align-center\"> Why is SIEM Important?</h1>\r\nSIEM has become a core security component of modern organizations. The main reason is that every user or tracker leaves behind a virtual trail in a network’s log data. SIEM software is designed to use this log data in order to generate insight into past attacks and events. A SIEM solution not only identifies that an attack has happened, but allows you to see how and why it happened as well.\r\nAs organizations update and upscale to increasingly complex IT infrastructures, SIEM has become even more important in recent years. Contrary to popular belief, firewalls and antivirus packages are not enough to protect a network in its entirety. Zero-day attacks can still penetrate a system’s defenses even with these security measures in place.\r\nSIEM addresses this problem by detecting attack activity and assessing it against past behavior on the network. A security event monitoring has the ability to distinguish between legitimate use and a malicious attack. This helps to increase a system’s incident protection and avoid damage to systems and virtual property.\r\nThe use of SIEM also helps companies to comply with a variety of industry cyber management regulations. Log management is the industry standard method of auditing activity on an IT network. SIEM management provides the best way to meet this regulatory requirement and provide transparency over logs in order to generate clear insights and improvements.\r\n<h1 class=\"align-center\">Evaluation criteria for security information and event management software:</h1>\r\n<ul><li>Threat identification: Raw log form vs. descriptive.</li><li>Threat tracking: Ability to track through the various events, from source to destination.</li><li>Policy enforcement: Ability to enforce defined polices.</li><li>Application analysis: Ability to analyze application at Layer 7 if necessary.</li><li>Business relevance of events: Ability to assign business risk to events and have weighted threat levels.</li><li>Measuring changes and improvements: Ability to track configuration changes to devices.</li><li>Asset-based information: Ability to gather information on devices on the network.</li><li>Anomalous behavior (server): Ability to trend and see changes in how it communicates to others.</li><li>Anomalous behavior (network): Ability to trend and see how communications pass throughout the network.</li><li>Anomalous behavior (application): Ability to trend and see changes in how it communicates to others.</li><li>User monitoring: User activity, logging in, applications usage, etc.</li></ul>\r\n\r\n"},{"id":824,"title":"ATP - Advanced Threat Protection","alias":"atp-advanced-threat-protection","description":" Advanced threat protection (ATP) refers to a category of security solutions that defend against sophisticated malware or hacking-based attacks targeting sensitive data. Advanced threat protection solutions can be available as software or as managed services. ATP solutions can differ in approaches and components, but most include some combination of endpoint agents, network devices, email gateways, malware protection systems, and a centralized management console to correlate alerts and manage defenses.\r\nThe primary benefit offered by advanced threat protection software is the ability to prevent, detect, and respond to new and sophisticated attacks that are designed to circumvent traditional security solutions such as antivirus, firewalls, and IPS/IDS. Attacks continue to become increasingly targeted, stealthy, and persistent, and ATP solutions take a proactive approach to security by identifying and eliminating advanced threats before data is compromised.\r\nAdvanced threat protection services build on this benefit by providing access to a global community of security professionals dedicated to monitoring, tracking, and sharing information about emerging and identified threats. ATP service providers typically have access to global threat information sharing networks, augmenting their own threat intelligence and analysis with information from third parties. When a new, advanced threat is detected, ATP service providers can update their defenses to ensure protection keeps up. This global community effort plays a substantial role in maintaining the security of enterprises around the world.\r\nEnterprises that implement advanced threat protection are better able to detect threats early and more quickly formulate a response to minimize damage and recover should an attack occur. A good security provider will focus on the lifecycle of an attack and manage threats in real-time. ATP providers notify the enterprise of attacks that have occurred, the severity of the attack, and the response that was initiated to stop the threat in its tracks or minimize data loss. Whether managed in-house or provided as a service, advanced threat protection solutions secure critical data and systems, no matter where the attack originates or how major the attack or potential attack is perceived.","materialsDescription":" <span style=\"font-weight: bold;\">How Advanced Threat Protection Works?</span>\r\nThere are three primary goals of advanced threat protection: early detection (detecting potential threats before they have the opportunity to access critical data or breach systems), adequate protection (the ability to defend against detected threats swiftly), and response (the ability to mitigate threats and respond to security incidents). To achieve these goals, advanced threat protection services and solutions must offer several components and functions for comprehensive ATP:\r\n<ul><li><span style=\"font-weight: bold;\">Real-time visibility</span> – Without continuous monitoring and real-time visibility, threats are often detected too late. When damage is already done, response can be tremendously costly in terms of both resource utilization and reputation damage.</li><li><span style=\"font-weight: bold;\">Context</span> – For true security effectiveness, threat alerts must contain context to allow security teams to effectively prioritize threats and organize response.</li><li><span style=\"font-weight: bold;\">Data awareness</span> – It’s impossible to determine threats truly capable of causing harm without first having a deep understanding of enterprise data, its sensitivity, value, and other factors that contribute to the formulation of an appropriate response.</li></ul>\r\nWhen a threat is detected, further analysis may be required. Security services offering ATP typically handle threat analysis, enabling enterprises to conduct business as usual while continuous monitoring, threat analysis, and response occurs behind the scenes. Threats are typically prioritized by potential damage and the classification or sensitivity of the data at risk. Advanced threat protection should address three key areas:\r\n<ul><li>Halting attacks in progress or mitigating threats before they breach systems</li><li>Disrupting activity in progress or countering actions that have already occurred as a result of a breach</li><li>Interrupting the lifecycle of the attack to ensure that the threat is unable to progress or proceed</li></ul>"},{"id":854,"title":"Security Orchestration and Automation","alias":"security-orchestration-and-automation","description":" SOAR (Security Orchestration, Automation and Response) is a solution stack of compatible software programs that allow an organization to collect data about security threats from multiple sources and respond to low-level security events without human assistance. The goal of using a SOAR stack is to improve the efficiency of physical and digital security operations. The term, which was coined by the research firm Gartner, can be applied to compatible products and services that help define, prioritize, standardize and automate incident response functions.\r\nSOAR solutions are gaining visibility and real-world use driven by early adoption to improve security operations centers. Security and risk management leaders should start to evaluate how these solutions can support and optimize their broader security operations capabilities.\r\nSecurity orchestration, automation and response (SOAR) defines as technologies that enable organizations to take inputs from a variety of sources (mostly from security information and event management [SIEM] systems) and apply workflows aligned to processes and procedures. These can be orchestrated via integrations with other technologies and automated to achieve a desired outcome and greater visibility. Additional capabilities include case and incident management features; the ability to manage threat intelligence, dashboards and reporting; and analytics that can be applied across various functions. SOAR tools significantly enhance security operations activities like threat detection and response by providing machine-powered assistance to human analysts to improve the efficiency and consistency of people and processes.\r\nMost SOAR tools are still strongest in their original "home offerings", which are security incident and response platforms (SIRPs), security orchestration and automation (SOA), and threat intelligence platforms (TIPs). Currently, the most common use case for SOAR by an organization is to define incident analysis and response procedures in a digital workflow format — such as plays in a security operations playbook. Additionally, these tools facilitate the use and operationalization of threat intelligence in security operations, which enhances the ability to predict, prevent, detect and respond to the prevailing threat landscape that a company faces.\r\nTo understand the evolving SOAR market, it is necessary to define the specific terms used — namely, orchestration and automation — in the context of security operations:\r\n<ul><li><span style=\"font-style: italic; \"><span style=\"font-weight: bold; \">Aggregation:</span></span> The ability to aggregate/ingest data across sources. This may take the form of alerts, signals or other inputs from other technologies such as an alert from a SIEM tool or an email sent to a group mailbox. Other data that is ingested may include user information from an identity and access management (IAM) tool or threat intelligence from multiple sources.</li><li><span style=\"font-style: italic; \"><span style=\"font-weight: bold; \">Enrichment:</span></span> Whether after incident identification or during data collection and processing, SOAR solutions can help integrate external threat intelligence, perform internal contextual lookups or run processes to gather further data according to defined actions.</li><li><span style=\"font-style: italic; \"><span style=\"font-weight: bold; \">Orchestration:</span></span> The complexity of combining resources involves coordination of workflows with manual and automated steps, involving many components and affecting information systems and often humans as well.</li><li><span style=\"font-style: italic; \"><span style=\"font-weight: bold; \">Automation:</span></span> This concept involves the capability of software and systems to execute functions on their own, typically to affect other information systems and applications.</li><li><span style=\"font-style: italic; \"><span style=\"font-weight: bold; \">Response:</span></span> Manual or automated response provides canned resolution to programmatically defined activities. This includes activities from a basic level — ticket creation in an IT service desk application — to more advanced activities like applying some form of response via another security control, like blocking an IP address by changing a firewall rule. This functionality is the most impactful but also applies to the most complex use cases.</li></ul>\r\nBuyers are expressing demand for SOAR for several reasons:\r\n<ul><li><span style=\"font-style: italic; \"><span style=\"font-weight: bold; \">Staff shortages:</span></span> Due to staff shortages in security operations, clients describe a growing need to automate repeatable tasks, streamline workflows and orchestrate security tasks resulting in operational scale. For instance, if you have a team, SOAR can give them more reach — but this is not a tool to get instead of a team. Also, organizations need the ability to demonstrate to management the organization’s ability to reduce the impact of inevitable incidents.</li><li><span style=\"font-style: italic; \"><span style=\"font-weight: bold; \">Continued evolution of threats and increases in volume:</span></span> As organizations consider threats that destroy data and can result in disclosure of intellectual property and monetary extortion, they require rapid, consistent, continuous and more frequent responses with fewer manual steps.</li><li><span style=\"font-style: italic; \"><span style=\"font-weight: bold; \">Improving alert triage quality and speed:</span></span> Security monitoring systems (such as SIEMs) are known to cost a significant amount to run and generate a high number of alerts, including many found to be “false positives” or simply not relevant after additional investigation. Security and risk management leaders then treat alert triage in a very manual way, which is subject to mistakes by the analysts. This leaves real incidents ignored. SOAR helps improve the signal-to-noise ratio by automating the repeatable, mundane aspects of incident investigation. This creates a positive situation where analysts can spend more time investigating and responding to an event instead of spending most of their time collecting all the data required to perform the investigation.</li><li><span style=\"font-style: italic; \"><span style=\"font-weight: bold; \">Need for a centralized view of threat intelligence:</span></span> A large number of security controls on the market today benefit from threat intelligence. SOAR tools allow for the centralized collection, aggregation, deduplication, enrichment of existing data with threat intelligence and, importantly, conversion of intelligence into action.</li><li><span style=\"font-style: italic; \"><span style=\"font-weight: bold; \">Reducing time to respond, contain and remediate:</span></span> Organizations are dealing with increasingly aggressive threats, such as ransomware, where rapid response of only minutes at best is required in order to stand a chance of containing the threat that is spread laterally in your environment. This scenario forces organizations to reduce the time they take to respond to those incidents, typically by delegating more tasks to machines. Reducing the response time, including incident containment and remediation, is one of the most effective ways to control the impact of security incidents. Like a brush fire, the sooner you can get to it, the smaller it is, and therefore the easier it is to put out.</li><li><span style=\"font-style: italic; \"><span style=\"font-weight: bold; \">Reducing unnecessary, routine work for the analysts:</span></span> SOC analysts are often working with multiple tools. They are looking at a stream of row and column SIEM console alerts, threat intelligence (TI) service portals for information about the entities involved, and endpoint detection and response (EDR) for context on what is happening on the affected endpoint. They may even be using workflow tools to control the triage and investigation processes.</li></ul>\r\nThe SOAR market is still an emerging market and it is forecast to grow up to $550 million in the five-year (2018-2023) time frame. Many organizations implement SOAR tools with use cases primarily focused on making their SOC analysts more efficient such that they can process more incidents while having more time to apply human analysis and drive response actions much quicker. Historically, they were not aware of the existence of these types of solutions. There are now more clients aware of SOAR solutions, which is fueling further adoption. This awareness is broadening; even SOAR vendors claim to have less work evangelizing about the technology and more conversations about their capabilities and differentiators. However, improving detection and response activities is just one of several opportunities for the use of SOAR tools to support security operations activities.\r\nSince SOAR is often used as an umbrella term that covers security operations, security incident response and threat intelligence, many vendors are driving their existing solutions in the fight for market leadership.","materialsDescription":" <span style=\"font-weight: bold; \">What is SOAR?</span>\r\nCoined by research company Gartner, Security Orchestration, Automation and Response (SOAR) is a term used to describe the convergence of three distinct technology markets: security orchestration and automation, security incident response platforms (SIRP), and threat intelligence platforms (TIP).\r\nSOAR technologies enable organizations to collect and aggregate vast amounts of security data and alerts from a wide range of sources. This assists human and machine-led analysis, as well as the standardization and automation of threat detection and remediation.\r\n<span style=\"font-weight: bold;\">What are the activities of SOAR?</span>\r\nSOAR supports multiple activities for security operations decision making such as, but not limited to, the following:\r\n<ul><li><span style=\"font-style: italic;\"><span style=\"font-weight: bold;\">Prioritizing security operations activities:</span></span> Use of a SOAR solution requires organizations to consider questions about their processes. Which are most critical? Which ones consume the most staff time and resources? Which ones would benefit from automation? Where do we have gaps in our documented procedures? The preparation and planning for SOAR, and its ongoing use, help organizations prioritize and manage where orchestration and automation should be applied and where it can help improve response. This response can then lead to improvements in security operations and showing a demonstrable impact on business operations (e.g., faster time to detect and respond to threats that could impact business operations and optimization of security operations staff and budget).</li><li><span style=\"font-style: italic;\"><span style=\"font-weight: bold;\">Formalizing triage and incident response:</span></span> Security operations teams must be consistent in their responses to incident and threats. They must also follow best practices, provide an audit trail and be measurable against business objectives.</li><li><span style=\"font-style: italic;\"><span style=\"font-weight: bold;\">Automating response:</span></span> Speed is of the essence in today’s threat landscape. Attacks are increasing in speed (e.g., ransomware is now being automated to spread with worm functionality), but security operations are not automated. Having the ability to automate response action offers SOC teams the ability to quickly isolate/contain security incidents. Some responses can be fully automated, but at this time many SOAR users still inject a human to make the final decision. However, even this reduces the mean time to respond for the organization compared to being fully dependent on “human power.”</li></ul>\r\n<span style=\"font-weight: bold;\">SOAR Recommendations</span>\r\nSecurity and risk management leaders overseeing security operations should:\r\n<ul><li>Prepare for their SOAR implementations by having a starting set of defined processes and workflows that can be implemented. Out-of-the-box plays and integrations are a starting point but can rarely be implemented without some customizations.</li><li>Plan for the implementation and the ongoing operation and administration of SOAR tools by using a mix of professional services and internal resources.</li><li>Put a contingency plan in place in the event the SOAR tool is acquired by another vendor. Acquisitions are occurring with some frequency as the market evolves. Buyers should be prepared.</li></ul>\r\n<span style=\"font-weight: bold;\">Key Findings</span>\r\n<ul><li>The SOAR technology market aims to converge security orchestration and automation (SOA), security incident response (SIR) and threat intelligence platform (TIP) capabilities into single solutions.</li><li>Early adopters of SOAR technologies have been organizations and managed security service providers with mature security operations centers (SOCs) that understood the benefits of incorporating SOAR capabilities into their operations. However, use cases implemented by early adopters have not evolved over the last 12 months and are stuck in a rut, limiting the long-term potential for SOAR in security operations.</li><li>SOAR solutions are not “plug-and-play.” Even though solutions have a library of out-of-the-box use cases and integrations, buyers are reporting multiweek professional services engagements to implement their initial use cases, as every organization’s processes and technologies deployed are different.</li><li>Orchestration and automation are starting to be localized in point security technologies, usually in the form of predefined, automated workflows. This is not the same as a full-featured SOAR solution.<br /></li></ul>"}],"characteristics":[],"concurentProducts":[],"jobRoles":[],"organizationalFeatures":[],"complementaryCategories":[],"solutions":[],"materials":[],"useCases":[],"best_practices":[],"values":[],"implementations":[],"valuesByTemplateId":{"144":{"2877":{"id":11212,"characteristicId":2877,"templateId":144,"value":true},"2879":{"id":11213,"characteristicId":2879,"templateId":144,"value":"N/A"},"2881":{"id":11214,"characteristicId":2881,"templateId":144,"value":"N/A"},"2883":{"id":11215,"characteristicId":2883,"templateId":144,"value":"N/A"},"2885":{"id":11216,"characteristicId":2885,"templateId":144,"value":"N/A"},"2887":{"id":11217,"characteristicId":2887,"templateId":144,"value":"N/A"},"2889":{"id":11218,"characteristicId":2889,"templateId":144,"value":true},"2891":{"id":11219,"characteristicId":2891,"templateId":144,"value":"N/A"},"2893":{"id":11220,"characteristicId":2893,"templateId":144,"value":"N/A"},"2895":{"id":11221,"characteristicId":2895,"templateId":144,"value":true},"2897":{"id":11222,"characteristicId":2897,"templateId":144,"value":true},"2899":{"id":11223,"characteristicId":2899,"templateId":144,"value":true},"2901":{"id":11224,"characteristicId":2901,"templateId":144,"value":"N/A"},"2903":{"id":11225,"characteristicId":2903,"templateId":144,"value":true},"2905":{"id":11226,"characteristicId":2905,"templateId":144,"value":true},"2907":{"id":11227,"characteristicId":2907,"templateId":144,"value":"N/A"}}}},{"id":6655,"logoURL":"https://old.roi4cio.com/fileadmin/user_upload/fortinet.png","logo":true,"scheme":false,"title":"FortiSIEM","vendorVerified":0,"rating":"2.00","implementationsCount":0,"suppliersCount":0,"alias":"fortisiem","companyTypes":[],"description":"<h1 class=\"align-center\">FortiSIEM Delivers Next-Generation SIEM Capabilities</h1>\r\nFortiSIEM brings together visibility, correlation, automated response, and remediation in a single, scalable solution. It reduces the complexity of managing network and security operations to effectively free resources, improve breach detection, and even prevent breaches.\r\nProduct's architecture enables unified data collection and analytics from diverse information sources including logs, performance metrics, security alerts, and configuration changes. FortiSIEM combines the analytics traditionally monitored in separate silos of the security operations center (SOC) and network operations center (NOC) for a more holistic view of the security and availability of the business.\r\nIn addition, FortiSIEM UEBA leverages machine learning and statistical methodologies to baseline normal behavior and incorporate real-time, actionable insights into anomalous user behavior regarding business-critical data. By combining telemetry that is pulled from endpoint sensors, network device flows, server and applications logs, and cloud APIs, FortiSIEM is able to build comprehensive profiles of users, peer groups, endpoints, applications, files, and networks. FortiSIEM UEBA behavioral anomaly detection is a low-overhead but high-fidelity way to gain visibility of end-to-end activity, from endpoints, to on-premises servers and network activity, to cloud applications.","shortDescription":"FortiSIEM - Powerful Security Information and Event Management (SIEM) with User and Entity Behavior Analytics (UEBA)","type":null,"isRoiCalculatorAvaliable":false,"isConfiguratorAvaliable":false,"bonus":100,"usingCount":0,"sellingCount":0,"discontinued":0,"rebateForPoc":0,"rebate":0,"seo":{"title":"FortiSIEM","keywords":"","description":"<h1 class=\"align-center\">FortiSIEM Delivers Next-Generation SIEM Capabilities</h1>\r\nFortiSIEM brings together visibility, correlation, automated response, and remediation in a single, scalable solution. It reduces the complexity of managing network and securit","og:title":"FortiSIEM","og:description":"<h1 class=\"align-center\">FortiSIEM Delivers Next-Generation SIEM Capabilities</h1>\r\nFortiSIEM brings together visibility, correlation, automated response, and remediation in a single, scalable solution. It reduces the complexity of managing network and securit","og:image":"https://old.roi4cio.com/fileadmin/user_upload/fortinet.png"},"eventUrl":"","translationId":6655,"dealDetails":null,"roi":null,"price":null,"bonusForReference":null,"templateData":[],"testingArea":"","categories":[{"id":45,"title":"SIEM - Security Information and Event Management","alias":"siem-security-information-and-event-management","description":"<span style=\"font-weight: bold; \">Security information and event management (SIEM)</span> is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system. \r\n The underlying principles of every SIEM system is to aggregate relevant data from multiple sources, identify deviations from the norm and take appropriate action. At the most basic level, a SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries. Advanced SIEM products have evolved to include user and entity behavior analytics (UEBA) and security orchestration and automated response (SOAR). \r\nThe acronyms SEM, SIM and SIEM have sometimes been used interchangeably, but generally refer to the different primary focus of products:\r\n<ul><li><span style=\"font-weight: bold;\">Log management:</span> Focus on simple collection and storage of log messages and audit trails.</li><li><span style=\"font-weight: bold;\">Security information management (SIM):</span> Long-term storage as well as analysis and reporting of log data.</li><li><span style=\"font-weight: bold;\">Security event manager (SEM):</span> Real-time monitoring, correlation of events, notifications and console views.</li><li><span style=\"font-weight: bold;\">Security information event management (SIEM):</span> Combines SIM and SEM and provides real-time analysis of security alerts generated by network hardware and applications.</li><li><span style=\"font-weight: bold;\">Managed Security Service (MSS) or Managed Security Service Provider (MSSP):</span> The most common managed services appear to evolve around connectivity and bandwidth, network monitoring, security, virtualization, and disaster recovery.</li><li><span style=\"font-weight: bold;\">Security as a service (SECaaS):</span> These security services often include authentication, anti-virus, anti-malware/spyware, intrusion detection, Penetration testing and security event management, among others.</li></ul>\r\nToday, most of SIEM technology works by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment, as well as specialized security equipment like firewalls, antivirus or intrusion prevention systems. The collectors forward events to a centralized management console where security analysts sift through the noise, connecting the dots and prioritizing security incidents.\r\nSome of the most important features to review when evaluating Security Information and Event Management software are:\r\n<ol><li><span style=\"font-weight: bold; \">Integration with other controls:</span> Can the system give commands to other enterprise security controls to prevent or stop attacks in progress?</li><li><span style=\"font-weight: bold; \">Artificial intelligence:</span> Can the system improve its own accuracy by through machine and deep learning?</li><li><span style=\"font-weight: bold; \">Threat intelligence feeds:</span> Can the system support threat intelligence feeds of the organization's choosing or is it mandated to use a particular feed?</li><li><span style=\"font-weight: bold; \">Robust compliance reporting:</span> Does the system include built-in reports for common compliance needs and the provide the organization with the ability to customize or create new compliance reports?</li><li><span style=\"font-weight: bold; \">Forensics capabilities:</span> Can the system capture additional information about security events by recording the headers and contents of packets of interest? </li></ol>\r\n\r\n\r\n","materialsDescription":"<h1 class=\"align-center\"> Why is SIEM Important?</h1>\r\nSIEM has become a core security component of modern organizations. The main reason is that every user or tracker leaves behind a virtual trail in a network’s log data. SIEM software is designed to use this log data in order to generate insight into past attacks and events. A SIEM solution not only identifies that an attack has happened, but allows you to see how and why it happened as well.\r\nAs organizations update and upscale to increasingly complex IT infrastructures, SIEM has become even more important in recent years. Contrary to popular belief, firewalls and antivirus packages are not enough to protect a network in its entirety. Zero-day attacks can still penetrate a system’s defenses even with these security measures in place.\r\nSIEM addresses this problem by detecting attack activity and assessing it against past behavior on the network. A security event monitoring has the ability to distinguish between legitimate use and a malicious attack. This helps to increase a system’s incident protection and avoid damage to systems and virtual property.\r\nThe use of SIEM also helps companies to comply with a variety of industry cyber management regulations. Log management is the industry standard method of auditing activity on an IT network. SIEM management provides the best way to meet this regulatory requirement and provide transparency over logs in order to generate clear insights and improvements.\r\n<h1 class=\"align-center\">Evaluation criteria for security information and event management software:</h1>\r\n<ul><li>Threat identification: Raw log form vs. descriptive.</li><li>Threat tracking: Ability to track through the various events, from source to destination.</li><li>Policy enforcement: Ability to enforce defined polices.</li><li>Application analysis: Ability to analyze application at Layer 7 if necessary.</li><li>Business relevance of events: Ability to assign business risk to events and have weighted threat levels.</li><li>Measuring changes and improvements: Ability to track configuration changes to devices.</li><li>Asset-based information: Ability to gather information on devices on the network.</li><li>Anomalous behavior (server): Ability to trend and see changes in how it communicates to others.</li><li>Anomalous behavior (network): Ability to trend and see how communications pass throughout the network.</li><li>Anomalous behavior (application): Ability to trend and see changes in how it communicates to others.</li><li>User monitoring: User activity, logging in, applications usage, etc.</li></ul>\r\n\r\n"}],"characteristics":[],"concurentProducts":[],"jobRoles":[],"organizationalFeatures":[],"complementaryCategories":[],"solutions":[],"materials":[],"useCases":[],"best_practices":[],"values":[],"implementations":[],"valuesByTemplateId":{"144":{"2877":{"id":17133,"characteristicId":2877,"templateId":144,"value":true},"2879":{"id":17134,"characteristicId":2879,"templateId":144,"value":true},"2881":{"id":17135,"characteristicId":2881,"templateId":144,"value":true},"2883":{"id":17136,"characteristicId":2883,"templateId":144,"value":true},"2885":{"id":17137,"characteristicId":2885,"templateId":144,"value":"N/A"},"2887":{"id":17138,"characteristicId":2887,"templateId":144,"value":true},"2889":{"id":17139,"characteristicId":2889,"templateId":144,"value":true},"2891":{"id":17140,"characteristicId":2891,"templateId":144,"value":true},"2893":{"id":17141,"characteristicId":2893,"templateId":144,"value":true},"2895":{"id":17142,"characteristicId":2895,"templateId":144,"value":true},"2897":{"id":17143,"characteristicId":2897,"templateId":144,"value":true},"2899":{"id":17144,"characteristicId":2899,"templateId":144,"value":true},"2901":{"id":17145,"characteristicId":2901,"templateId":144,"value":"N/A"},"2903":{"id":17146,"characteristicId":2903,"templateId":144,"value":"N/A"},"2905":{"id":17147,"characteristicId":2905,"templateId":144,"value":true},"2907":{"id":17148,"characteristicId":2907,"templateId":144,"value":"yes"}}}},{"id":71,"logoURL":"https://old.roi4cio.com/fileadmin/user_upload/IBM_Security_QRadar_SIEM1.png","logo":true,"schemeURL":"https://old.roi4cio.com/fileadmin/user_upload/IBM_Security_QRadar_SIEM2.png","scheme":true,"title":"IBM Security QRadar SIEM","vendorVerified":0,"rating":"2.70","implementationsCount":2,"suppliersCount":0,"alias":"ibm-security-qradar-siem","companyTypes":[],"description":"\r\nIBM® QRadar® SIEM consolidates log events and network flow data from thousands of devices, endpoints and applications distributed throughout a network. It normalizes and correlates raw data to identify security offenses, and uses an advanced Sense Analytics engine to baseline normal behavior, detect anomalies, uncover advanced threats, and remove false positives. As an option, this software incorporates IBM X-Force® Threat Intelligence which supplies a list of potentially malicious IP addresses including malware hosts, spam sources and other threats. IBM QRadar SIEM can also correlate system vulnerabilities with event and network data, helping to prioritize security incidents.\r\n\r\n<span style=\"font-weight: bold;\">IBM QRadar SIEM:</span>\r\n\r\n<ul> <li>Provides real-time visibility to the entire IT infrastructure for threat detection and prioritization.</li> <li>Reduces and prioritizes alerts to focus security analyst investigations on an actionable list of suspected, high probability incidents.</li> <li>Enables more effective threat management while producing detailed data access and user activity reports.</li> <li>Operates across on-premises and cloud environments.</li> <li>Produces detailed data access and user activity reports to help manage compliance.</li> <li>Offers multi-tenancy and a master console to help managed service providers provide security intelligence solutions in a cost-effective manner.</li> </ul>\r\n\r\n<span style=\"font-weight: bold;\">Provides real-time visibility</span>\r\n<ul> <li>Senses and detects inappropriate use of applications, insider fraud, and advanced low and slow threats that can be lost among millions of daily events.</li> <li>Collects logs and events from several sources including network assets, security devices, operating systems, applications, databases, and identity and access management products.</li> <li>Collects network flow data, including Layer 7 (application-layer) data, from switches and routers.</li> <li>Obtains information from identity and access management products and infrastructure services such as Dynamic Host Configuration Protocol (DHCP); and receives vulnerability information from network and application vulnerability scanners.</li> </ul>\r\n<span style=\"font-weight: bold;\">Reduces and prioritizes alerts</span>\r\n<ul> <li>Performs immediate event normalization and correlation for threat detection and compliance reporting.</li> <li>Reduces billions of events and flows into a handful of actionable offenses and prioritizes them according to business impact.</li> <li>Performs activity baselining and anomaly detection to identify changes in behavior associated with applications, hosts, users and areas of the network.</li> <li>Uses IBM X-Force Threat Intelligence optionally to identify activity associated with suspicious IP addresses, such as those suspected of hosting malware.</li> </ul>\r\n<span style=\"font-weight: bold;\">Enables more effective threat management</span>\r\n<ul> <li>Senses and tracks significant incidents and threats, providing links to all supporting data and context for easier investigation.</li> <li>Performs event and flow data searches in both real-time streaming mode or on a historical basis to enhance investigations.</li> <li>Enables the addition of IBM QRadar QFlow and IBM QRadar VFlow Collector appliances for deep insight and visibility into applications (such as enterprise resource management), databases, collaboration products and social media through deep packet inspection of Layer 7 network traffic.</li> <li>Detects off-hours or unusual use of an application or cloud-based service, or network activity patterns that are inconsistent with historical usage patterns.</li> <li>Performs federated searches throughout large, geographically distributed environments.</li> </ul>\r\n<span style=\"font-weight: bold;\">Delivers security intelligence in cloud environments</span>\r\n<ul> <li>Provides SoftLayer cloud installation capability.</li> <li>Collects events and flows from applications running both in the cloud and on-premises.</li> </ul>\r\n<span style=\"font-weight: bold;\">Produces detailed data access and user activity reports</span>\r\n<ul> <li>Tracks all access to customer data by username and IP address to ensure enforcement of data-privacy policies.</li> <li>Includes an intuitive reporting engine that does not require advanced database and report-writing skills.</li> <li>Provides the transparency, accountability and measurability to meet regulatory mandates and compliance reporting.</li> </ul>\r\n<span style=\"font-weight: bold;\">Offers multi-tenancy and a master console</span>\r\n<ul> <li>Allows managed service providers to cost-effectively deliver security intelligence using a single console to support multiple customers.</li> <li>Leverages either on-premises or cloud-based deployments.</li> </ul>","shortDescription":"IBM Security QRadar SIEM is a Security intelligence and Sense Analytics for protecting assets and information from advanced threats","type":null,"isRoiCalculatorAvaliable":false,"isConfiguratorAvaliable":false,"bonus":100,"usingCount":12,"sellingCount":20,"discontinued":0,"rebateForPoc":0,"rebate":0,"seo":{"title":"IBM Security QRadar SIEM","keywords":"data, network, security, from, access, applications, activity, QRadar","description":"\r\nIBM® QRadar® SIEM consolidates log events and network flow data from thousands of devices, endpoints and applications distributed throughout a network. It normalizes and correlates raw data to identify security offenses, and uses an advanced Sense Analytics ","og:title":"IBM Security QRadar SIEM","og:description":"\r\nIBM® QRadar® SIEM consolidates log events and network flow data from thousands of devices, endpoints and applications distributed throughout a network. It normalizes and correlates raw data to identify security offenses, and uses an advanced Sense Analytics ","og:image":"https://old.roi4cio.com/fileadmin/user_upload/IBM_Security_QRadar_SIEM1.png"},"eventUrl":"","translationId":91,"dealDetails":null,"roi":null,"price":null,"bonusForReference":null,"templateData":[],"testingArea":"","categories":[{"id":45,"title":"SIEM - Security Information and Event Management","alias":"siem-security-information-and-event-management","description":"<span style=\"font-weight: bold; \">Security information and event management (SIEM)</span> is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system. \r\n The underlying principles of every SIEM system is to aggregate relevant data from multiple sources, identify deviations from the norm and take appropriate action. At the most basic level, a SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries. Advanced SIEM products have evolved to include user and entity behavior analytics (UEBA) and security orchestration and automated response (SOAR). \r\nThe acronyms SEM, SIM and SIEM have sometimes been used interchangeably, but generally refer to the different primary focus of products:\r\n<ul><li><span style=\"font-weight: bold;\">Log management:</span> Focus on simple collection and storage of log messages and audit trails.</li><li><span style=\"font-weight: bold;\">Security information management (SIM):</span> Long-term storage as well as analysis and reporting of log data.</li><li><span style=\"font-weight: bold;\">Security event manager (SEM):</span> Real-time monitoring, correlation of events, notifications and console views.</li><li><span style=\"font-weight: bold;\">Security information event management (SIEM):</span> Combines SIM and SEM and provides real-time analysis of security alerts generated by network hardware and applications.</li><li><span style=\"font-weight: bold;\">Managed Security Service (MSS) or Managed Security Service Provider (MSSP):</span> The most common managed services appear to evolve around connectivity and bandwidth, network monitoring, security, virtualization, and disaster recovery.</li><li><span style=\"font-weight: bold;\">Security as a service (SECaaS):</span> These security services often include authentication, anti-virus, anti-malware/spyware, intrusion detection, Penetration testing and security event management, among others.</li></ul>\r\nToday, most of SIEM technology works by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment, as well as specialized security equipment like firewalls, antivirus or intrusion prevention systems. The collectors forward events to a centralized management console where security analysts sift through the noise, connecting the dots and prioritizing security incidents.\r\nSome of the most important features to review when evaluating Security Information and Event Management software are:\r\n<ol><li><span style=\"font-weight: bold; \">Integration with other controls:</span> Can the system give commands to other enterprise security controls to prevent or stop attacks in progress?</li><li><span style=\"font-weight: bold; \">Artificial intelligence:</span> Can the system improve its own accuracy by through machine and deep learning?</li><li><span style=\"font-weight: bold; \">Threat intelligence feeds:</span> Can the system support threat intelligence feeds of the organization's choosing or is it mandated to use a particular feed?</li><li><span style=\"font-weight: bold; \">Robust compliance reporting:</span> Does the system include built-in reports for common compliance needs and the provide the organization with the ability to customize or create new compliance reports?</li><li><span style=\"font-weight: bold; \">Forensics capabilities:</span> Can the system capture additional information about security events by recording the headers and contents of packets of interest? </li></ol>\r\n\r\n\r\n","materialsDescription":"<h1 class=\"align-center\"> Why is SIEM Important?</h1>\r\nSIEM has become a core security component of modern organizations. The main reason is that every user or tracker leaves behind a virtual trail in a network’s log data. SIEM software is designed to use this log data in order to generate insight into past attacks and events. A SIEM solution not only identifies that an attack has happened, but allows you to see how and why it happened as well.\r\nAs organizations update and upscale to increasingly complex IT infrastructures, SIEM has become even more important in recent years. Contrary to popular belief, firewalls and antivirus packages are not enough to protect a network in its entirety. Zero-day attacks can still penetrate a system’s defenses even with these security measures in place.\r\nSIEM addresses this problem by detecting attack activity and assessing it against past behavior on the network. A security event monitoring has the ability to distinguish between legitimate use and a malicious attack. This helps to increase a system’s incident protection and avoid damage to systems and virtual property.\r\nThe use of SIEM also helps companies to comply with a variety of industry cyber management regulations. Log management is the industry standard method of auditing activity on an IT network. SIEM management provides the best way to meet this regulatory requirement and provide transparency over logs in order to generate clear insights and improvements.\r\n<h1 class=\"align-center\">Evaluation criteria for security information and event management software:</h1>\r\n<ul><li>Threat identification: Raw log form vs. descriptive.</li><li>Threat tracking: Ability to track through the various events, from source to destination.</li><li>Policy enforcement: Ability to enforce defined polices.</li><li>Application analysis: Ability to analyze application at Layer 7 if necessary.</li><li>Business relevance of events: Ability to assign business risk to events and have weighted threat levels.</li><li>Measuring changes and improvements: Ability to track configuration changes to devices.</li><li>Asset-based information: Ability to gather information on devices on the network.</li><li>Anomalous behavior (server): Ability to trend and see changes in how it communicates to others.</li><li>Anomalous behavior (network): Ability to trend and see how communications pass throughout the network.</li><li>Anomalous behavior (application): Ability to trend and see changes in how it communicates to others.</li><li>User monitoring: User activity, logging in, applications usage, etc.</li></ul>\r\n\r\n"}],"characteristics":[],"concurentProducts":[],"jobRoles":[],"organizationalFeatures":[],"complementaryCategories":[],"solutions":[],"materials":[],"useCases":[],"best_practices":[],"values":[],"implementations":[],"valuesByTemplateId":{"144":{"2877":{"id":7888,"characteristicId":2877,"templateId":144,"value":true},"2879":{"id":7889,"characteristicId":2879,"templateId":144,"value":true},"2881":{"id":7890,"characteristicId":2881,"templateId":144,"value":true},"2883":{"id":7891,"characteristicId":2883,"templateId":144,"value":true},"2885":{"id":7892,"characteristicId":2885,"templateId":144,"value":true},"2887":{"id":7893,"characteristicId":2887,"templateId":144,"value":true},"2889":{"id":7894,"characteristicId":2889,"templateId":144,"value":true},"2891":{"id":7895,"characteristicId":2891,"templateId":144,"value":true},"2893":{"id":7896,"characteristicId":2893,"templateId":144,"value":true},"2895":{"id":7897,"characteristicId":2895,"templateId":144,"value":true},"2897":{"id":7898,"characteristicId":2897,"templateId":144,"value":true},"2899":{"id":7899,"characteristicId":2899,"templateId":144,"value":"N/A"},"2901":{"id":7900,"characteristicId":2901,"templateId":144,"value":true},"2903":{"id":7901,"characteristicId":2903,"templateId":144,"value":true},"2905":{"id":7902,"characteristicId":2905,"templateId":144,"value":true},"2907":{"id":7903,"characteristicId":2907,"templateId":144,"value":"yes, 60 days"}}}},{"id":79,"logoURL":"https://old.roi4cio.com/fileadmin/content/McAfee_Enterprise_Security_Manager.png","logo":true,"schemeURL":"https://old.roi4cio.com/fileadmin/user_upload/McAfeeEnterpriseSecurityManager.png","scheme":true,"title":"McAfee Enterprise Security Manager (SIEM)","vendorVerified":1,"rating":"2.80","implementationsCount":3,"suppliersCount":0,"alias":"mcafee-enterprise-security-manager","companyTypes":[],"description":"McAfee Enterprise Security Manager delivers a real-time understanding of the world outside—threat data, reputation feeds, and vulnerability status—as well as a view of the systems, data, risks, and activities inside your enterprise.\r\n<p style=\"margin: 0px 10px 15px 0px; padding: 0px; border: 0px; outline: 0px; color: #53565a; font-family: intel_clear_wregular, Tahoma, Arial, Helvetica, sans-serif; font-size: 14px;\">As the foundation of our security information and event management (SIEM) solution, McAfee Enterprise Security Manager delivers the performance, actionable intelligence, and real-time situational awareness required for organizations to identify, understand, and respond to stealthy threats, while the embedded compliance framework simplifies compliance.</p>\r\n<h3 style=\"margin: 0px 10px 5px 0px; padding: 0px; border: 0px; outline: 0px; font-weight: normal; font-family: intel_clear_wbold, Tahoma, Arial, Helvetica, sans-serif; font-size: 15px; line-height: 20px; color: #53565a;\">Advanced threat intelligence</h3>\r\n<p style=\"margin: 0px 10px 15px 0px; padding: 0px; border: 0px; outline: 0px; color: #53565a; font-family: intel_clear_wregular, Tahoma, Arial, Helvetica, sans-serif; font-size: 14px;\">Get actionable information on all collected events with contextual information, such as vendor threat feeds and shared indicators of compromise (IOC), to deliver prioritized, actionable information in minutes.</p>\r\n<h3 style=\"margin: 0px 10px 5px 0px; padding: 0px; border: 0px; outline: 0px; font-weight: normal; font-family: intel_clear_wbold, Tahoma, Arial, Helvetica, sans-serif; font-size: 15px; line-height: 20px; color: #53565a;\">Critical facts in minutes, not hours</h3>\r\n<p style=\"margin: 0px 10px 15px 0px; padding: 0px; border: 0px; outline: 0px; color: #53565a; font-family: intel_clear_wregular, Tahoma, Arial, Helvetica, sans-serif; font-size: 14px;\">Store billions of events and flows, keeping information available for immediate ad hoc queries, forensics, rules validation, and compliance. Access long-term event data storage to investigate attacks, search for indications of advanced persistent threats (APTs) or IOC, and remediate a failed compliance audit.</p>\r\n<h3 style=\"margin: 0px 10px 5px 0px; padding: 0px; border: 0px; outline: 0px; font-weight: normal; font-family: intel_clear_wbold, Tahoma, Arial, Helvetica, sans-serif; font-size: 15px; line-height: 20px; color: #53565a;\">Optimize security management and operations</h3>\r\n<p style=\"margin: 0px 10px 15px 0px; padding: 0px; border: 0px; outline: 0px; color: #53565a; font-family: intel_clear_wregular, Tahoma, Arial, Helvetica, sans-serif; font-size: 14px;\">Centralize the view of your organization’s security posture, compliance status, and prioritized security issues that require investigation. Access hundreds of reports, views, rules, alerts, and dashboards.</p>","shortDescription":"McAfee Enterprise Security Manager delivers real-time visibility into all activity on systems, networks, databases, and applications","type":null,"isRoiCalculatorAvaliable":false,"isConfiguratorAvaliable":false,"bonus":100,"usingCount":18,"sellingCount":13,"discontinued":0,"rebateForPoc":0,"rebate":0,"seo":{"title":"McAfee Enterprise Security Manager (SIEM)","keywords":"compliance, information, security, McAfee, data, actionable, Security, Enterprise","description":"McAfee Enterprise Security Manager delivers a real-time understanding of the world outside—threat data, reputation feeds, and vulnerability status—as well as a view of the systems, data, risks, and activities inside your enterprise.\r\n<p style=\"margin: 0px 10px","og:title":"McAfee Enterprise Security Manager (SIEM)","og:description":"McAfee Enterprise Security Manager delivers a real-time understanding of the world outside—threat data, reputation feeds, and vulnerability status—as well as a view of the systems, data, risks, and activities inside your enterprise.\r\n<p style=\"margin: 0px 10px","og:image":"https://old.roi4cio.com/fileadmin/content/McAfee_Enterprise_Security_Manager.png"},"eventUrl":"","translationId":84,"dealDetails":null,"roi":null,"price":null,"bonusForReference":null,"templateData":[],"testingArea":"","categories":[{"id":45,"title":"SIEM - Security Information and Event Management","alias":"siem-security-information-and-event-management","description":"<span style=\"font-weight: bold; \">Security information and event management (SIEM)</span> is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system. \r\n The underlying principles of every SIEM system is to aggregate relevant data from multiple sources, identify deviations from the norm and take appropriate action. At the most basic level, a SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries. Advanced SIEM products have evolved to include user and entity behavior analytics (UEBA) and security orchestration and automated response (SOAR). \r\nThe acronyms SEM, SIM and SIEM have sometimes been used interchangeably, but generally refer to the different primary focus of products:\r\n<ul><li><span style=\"font-weight: bold;\">Log management:</span> Focus on simple collection and storage of log messages and audit trails.</li><li><span style=\"font-weight: bold;\">Security information management (SIM):</span> Long-term storage as well as analysis and reporting of log data.</li><li><span style=\"font-weight: bold;\">Security event manager (SEM):</span> Real-time monitoring, correlation of events, notifications and console views.</li><li><span style=\"font-weight: bold;\">Security information event management (SIEM):</span> Combines SIM and SEM and provides real-time analysis of security alerts generated by network hardware and applications.</li><li><span style=\"font-weight: bold;\">Managed Security Service (MSS) or Managed Security Service Provider (MSSP):</span> The most common managed services appear to evolve around connectivity and bandwidth, network monitoring, security, virtualization, and disaster recovery.</li><li><span style=\"font-weight: bold;\">Security as a service (SECaaS):</span> These security services often include authentication, anti-virus, anti-malware/spyware, intrusion detection, Penetration testing and security event management, among others.</li></ul>\r\nToday, most of SIEM technology works by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment, as well as specialized security equipment like firewalls, antivirus or intrusion prevention systems. The collectors forward events to a centralized management console where security analysts sift through the noise, connecting the dots and prioritizing security incidents.\r\nSome of the most important features to review when evaluating Security Information and Event Management software are:\r\n<ol><li><span style=\"font-weight: bold; \">Integration with other controls:</span> Can the system give commands to other enterprise security controls to prevent or stop attacks in progress?</li><li><span style=\"font-weight: bold; \">Artificial intelligence:</span> Can the system improve its own accuracy by through machine and deep learning?</li><li><span style=\"font-weight: bold; \">Threat intelligence feeds:</span> Can the system support threat intelligence feeds of the organization's choosing or is it mandated to use a particular feed?</li><li><span style=\"font-weight: bold; \">Robust compliance reporting:</span> Does the system include built-in reports for common compliance needs and the provide the organization with the ability to customize or create new compliance reports?</li><li><span style=\"font-weight: bold; \">Forensics capabilities:</span> Can the system capture additional information about security events by recording the headers and contents of packets of interest? </li></ol>\r\n\r\n\r\n","materialsDescription":"<h1 class=\"align-center\"> Why is SIEM Important?</h1>\r\nSIEM has become a core security component of modern organizations. The main reason is that every user or tracker leaves behind a virtual trail in a network’s log data. SIEM software is designed to use this log data in order to generate insight into past attacks and events. A SIEM solution not only identifies that an attack has happened, but allows you to see how and why it happened as well.\r\nAs organizations update and upscale to increasingly complex IT infrastructures, SIEM has become even more important in recent years. Contrary to popular belief, firewalls and antivirus packages are not enough to protect a network in its entirety. Zero-day attacks can still penetrate a system’s defenses even with these security measures in place.\r\nSIEM addresses this problem by detecting attack activity and assessing it against past behavior on the network. A security event monitoring has the ability to distinguish between legitimate use and a malicious attack. This helps to increase a system’s incident protection and avoid damage to systems and virtual property.\r\nThe use of SIEM also helps companies to comply with a variety of industry cyber management regulations. Log management is the industry standard method of auditing activity on an IT network. SIEM management provides the best way to meet this regulatory requirement and provide transparency over logs in order to generate clear insights and improvements.\r\n<h1 class=\"align-center\">Evaluation criteria for security information and event management software:</h1>\r\n<ul><li>Threat identification: Raw log form vs. descriptive.</li><li>Threat tracking: Ability to track through the various events, from source to destination.</li><li>Policy enforcement: Ability to enforce defined polices.</li><li>Application analysis: Ability to analyze application at Layer 7 if necessary.</li><li>Business relevance of events: Ability to assign business risk to events and have weighted threat levels.</li><li>Measuring changes and improvements: Ability to track configuration changes to devices.</li><li>Asset-based information: Ability to gather information on devices on the network.</li><li>Anomalous behavior (server): Ability to trend and see changes in how it communicates to others.</li><li>Anomalous behavior (network): Ability to trend and see how communications pass throughout the network.</li><li>Anomalous behavior (application): Ability to trend and see changes in how it communicates to others.</li><li>User monitoring: User activity, logging in, applications usage, etc.</li></ul>\r\n\r\n"}],"characteristics":[],"concurentProducts":[],"jobRoles":[],"organizationalFeatures":[],"complementaryCategories":[],"solutions":[],"materials":[],"useCases":[],"best_practices":[],"values":[],"implementations":[],"valuesByTemplateId":{"144":{"2877":{"id":7920,"characteristicId":2877,"templateId":144,"value":true},"2879":{"id":7921,"characteristicId":2879,"templateId":144,"value":true},"2881":{"id":7922,"characteristicId":2881,"templateId":144,"value":true},"2883":{"id":7923,"characteristicId":2883,"templateId":144,"value":true},"2885":{"id":7924,"characteristicId":2885,"templateId":144,"value":true},"2887":{"id":7925,"characteristicId":2887,"templateId":144,"value":true},"2889":{"id":7926,"characteristicId":2889,"templateId":144,"value":true},"2891":{"id":7927,"characteristicId":2891,"templateId":144,"value":true},"2893":{"id":7928,"characteristicId":2893,"templateId":144,"value":true},"2895":{"id":7929,"characteristicId":2895,"templateId":144,"value":true},"2897":{"id":7930,"characteristicId":2897,"templateId":144,"value":true},"2899":{"id":7931,"characteristicId":2899,"templateId":144,"value":true},"2901":{"id":7932,"characteristicId":2901,"templateId":144,"value":true},"2903":{"id":7933,"characteristicId":2903,"templateId":144,"value":"N/A"},"2905":{"id":7934,"characteristicId":2905,"templateId":144,"value":"N/A"},"2907":{"id":7935,"characteristicId":2907,"templateId":144,"value":"yes"}}}},{"id":434,"logoURL":"https://old.roi4cio.com/fileadmin/user_upload/Micro_Focus.png","logo":true,"scheme":false,"title":"Micro Focus ArcSight Enterprise Security Manager (ESM)","vendorVerified":0,"rating":"2.50","implementationsCount":3,"suppliersCount":0,"alias":"micro-focus-esm","companyTypes":[],"description":"ArcSight ESM analyzes and correlates every event that occurs across the organization--every login, logoff, file access, database query--to deliver accurate prioritization of security risks and compliance violations. ArcSight Enterprise Security Manager (ESM) provides a Big Data analytics approach to enterprise security, transforming Big Data into actionable intelligence. ArcSight ESM is a market-leading solution for collecting, correlating, and reporting on security event information. ArcSight ESM helps you with:<br /><br />\r\n<ul> <li>Correlate data from any source in real time to detect incidents before they become a breach.</li> </ul>\r\n<ul> <li>Resolve issues faster: Answer who did what? Where? When? And how?</li> </ul>\r\n<ul> <li>Collect, store, and analyze any event from any source and anytime.</li> </ul>\r\n<ul> <li>Optional compliance packs enabled packaged reports for PCI, SOX, and IT Governance</li> </ul>\r\n<ul> <li>Build and maintain security operation center (SOC) through big data security analytics.</li> </ul>\r\n<ul> <li>Integrate SOC across IT with network operations, service desk, CMDB, business intelligence, Hadoop, email security, application security, threat feeds, etc.</li> </ul>\r\n<ul> <li>Unmatched breadth, depth, and speed of event collection with patented log management tools</li> </ul>\r\n<ul> <li>ArcSight ESM provides a central point for analysis of daily business operations. Armed with all this data, the real-time correlation capabilities of ArcSight ESM can detect unusual or unauthorized activities as they occur. Finally, the visualization and reporting capabilities of ArcSight ESM support personalized dashboards and on-demand or scheduled reports for administrators, managers, or auditors.</li> </ul>","shortDescription":"Micro Focus ArcSight ESM is a comprehensive security information and event management solution that identifies and prioritize threats in real time so you can respond and remediate quickly.","type":null,"isRoiCalculatorAvaliable":false,"isConfiguratorAvaliable":false,"bonus":100,"usingCount":13,"sellingCount":14,"discontinued":0,"rebateForPoc":0,"rebate":0,"seo":{"title":"Micro Focus ArcSight Enterprise Security Manager (ESM)","keywords":"with, data, most, search, that, simple, investigation, threats","description":"ArcSight ESM analyzes and correlates every event that occurs across the organization--every login, logoff, file access, database query--to deliver accurate prioritization of security risks and compliance violations. ArcSight Enterprise Security Manager (ESM) p","og:title":"Micro Focus ArcSight Enterprise Security Manager (ESM)","og:description":"ArcSight ESM analyzes and correlates every event that occurs across the organization--every login, logoff, file access, database query--to deliver accurate prioritization of security risks and compliance violations. ArcSight Enterprise Security Manager (ESM) p","og:image":"https://old.roi4cio.com/fileadmin/user_upload/Micro_Focus.png"},"eventUrl":"","translationId":435,"dealDetails":null,"roi":null,"price":null,"bonusForReference":null,"templateData":[],"testingArea":"","categories":[{"id":45,"title":"SIEM - Security Information and Event Management","alias":"siem-security-information-and-event-management","description":"<span style=\"font-weight: bold; \">Security information and event management (SIEM)</span> is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system. \r\n The underlying principles of every SIEM system is to aggregate relevant data from multiple sources, identify deviations from the norm and take appropriate action. At the most basic level, a SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries. Advanced SIEM products have evolved to include user and entity behavior analytics (UEBA) and security orchestration and automated response (SOAR). \r\nThe acronyms SEM, SIM and SIEM have sometimes been used interchangeably, but generally refer to the different primary focus of products:\r\n<ul><li><span style=\"font-weight: bold;\">Log management:</span> Focus on simple collection and storage of log messages and audit trails.</li><li><span style=\"font-weight: bold;\">Security information management (SIM):</span> Long-term storage as well as analysis and reporting of log data.</li><li><span style=\"font-weight: bold;\">Security event manager (SEM):</span> Real-time monitoring, correlation of events, notifications and console views.</li><li><span style=\"font-weight: bold;\">Security information event management (SIEM):</span> Combines SIM and SEM and provides real-time analysis of security alerts generated by network hardware and applications.</li><li><span style=\"font-weight: bold;\">Managed Security Service (MSS) or Managed Security Service Provider (MSSP):</span> The most common managed services appear to evolve around connectivity and bandwidth, network monitoring, security, virtualization, and disaster recovery.</li><li><span style=\"font-weight: bold;\">Security as a service (SECaaS):</span> These security services often include authentication, anti-virus, anti-malware/spyware, intrusion detection, Penetration testing and security event management, among others.</li></ul>\r\nToday, most of SIEM technology works by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment, as well as specialized security equipment like firewalls, antivirus or intrusion prevention systems. The collectors forward events to a centralized management console where security analysts sift through the noise, connecting the dots and prioritizing security incidents.\r\nSome of the most important features to review when evaluating Security Information and Event Management software are:\r\n<ol><li><span style=\"font-weight: bold; \">Integration with other controls:</span> Can the system give commands to other enterprise security controls to prevent or stop attacks in progress?</li><li><span style=\"font-weight: bold; \">Artificial intelligence:</span> Can the system improve its own accuracy by through machine and deep learning?</li><li><span style=\"font-weight: bold; \">Threat intelligence feeds:</span> Can the system support threat intelligence feeds of the organization's choosing or is it mandated to use a particular feed?</li><li><span style=\"font-weight: bold; \">Robust compliance reporting:</span> Does the system include built-in reports for common compliance needs and the provide the organization with the ability to customize or create new compliance reports?</li><li><span style=\"font-weight: bold; \">Forensics capabilities:</span> Can the system capture additional information about security events by recording the headers and contents of packets of interest? </li></ol>\r\n\r\n\r\n","materialsDescription":"<h1 class=\"align-center\"> Why is SIEM Important?</h1>\r\nSIEM has become a core security component of modern organizations. The main reason is that every user or tracker leaves behind a virtual trail in a network’s log data. SIEM software is designed to use this log data in order to generate insight into past attacks and events. A SIEM solution not only identifies that an attack has happened, but allows you to see how and why it happened as well.\r\nAs organizations update and upscale to increasingly complex IT infrastructures, SIEM has become even more important in recent years. Contrary to popular belief, firewalls and antivirus packages are not enough to protect a network in its entirety. Zero-day attacks can still penetrate a system’s defenses even with these security measures in place.\r\nSIEM addresses this problem by detecting attack activity and assessing it against past behavior on the network. A security event monitoring has the ability to distinguish between legitimate use and a malicious attack. This helps to increase a system’s incident protection and avoid damage to systems and virtual property.\r\nThe use of SIEM also helps companies to comply with a variety of industry cyber management regulations. Log management is the industry standard method of auditing activity on an IT network. SIEM management provides the best way to meet this regulatory requirement and provide transparency over logs in order to generate clear insights and improvements.\r\n<h1 class=\"align-center\">Evaluation criteria for security information and event management software:</h1>\r\n<ul><li>Threat identification: Raw log form vs. descriptive.</li><li>Threat tracking: Ability to track through the various events, from source to destination.</li><li>Policy enforcement: Ability to enforce defined polices.</li><li>Application analysis: Ability to analyze application at Layer 7 if necessary.</li><li>Business relevance of events: Ability to assign business risk to events and have weighted threat levels.</li><li>Measuring changes and improvements: Ability to track configuration changes to devices.</li><li>Asset-based information: Ability to gather information on devices on the network.</li><li>Anomalous behavior (server): Ability to trend and see changes in how it communicates to others.</li><li>Anomalous behavior (network): Ability to trend and see how communications pass throughout the network.</li><li>Anomalous behavior (application): Ability to trend and see changes in how it communicates to others.</li><li>User monitoring: User activity, logging in, applications usage, etc.</li></ul>\r\n\r\n"}],"characteristics":[],"concurentProducts":[],"jobRoles":[],"organizationalFeatures":[],"complementaryCategories":[],"solutions":[],"materials":[],"useCases":[],"best_practices":[],"values":[],"implementations":[],"valuesByTemplateId":{"144":{"2877":{"id":7936,"characteristicId":2877,"templateId":144,"value":true},"2879":{"id":7937,"characteristicId":2879,"templateId":144,"value":"N/A"},"2881":{"id":7938,"characteristicId":2881,"templateId":144,"value":true},"2883":{"id":7939,"characteristicId":2883,"templateId":144,"value":true},"2885":{"id":7940,"characteristicId":2885,"templateId":144,"value":true},"2887":{"id":7941,"characteristicId":2887,"templateId":144,"value":true},"2889":{"id":7942,"characteristicId":2889,"templateId":144,"value":true},"2891":{"id":7943,"characteristicId":2891,"templateId":144,"value":true},"2893":{"id":7944,"characteristicId":2893,"templateId":144,"value":true},"2895":{"id":7945,"characteristicId":2895,"templateId":144,"value":true},"2897":{"id":7946,"characteristicId":2897,"templateId":144,"value":true},"2899":{"id":7947,"characteristicId":2899,"templateId":144,"value":true},"2901":{"id":7948,"characteristicId":2901,"templateId":144,"value":true},"2903":{"id":7949,"characteristicId":2903,"templateId":144,"value":"N/A"},"2905":{"id":7950,"characteristicId":2905,"templateId":144,"value":true},"2907":{"id":7951,"characteristicId":2907,"templateId":144,"value":"yes"}}}},{"id":2136,"logoURL":"https://old.roi4cio.com/fileadmin/user_upload/Rapid7-InsightIDR.png","logo":true,"scheme":false,"title":"Rapid7 insightIDR","vendorVerified":0,"rating":"2.30","implementationsCount":2,"suppliersCount":0,"alias":"rapid7-insightidr","companyTypes":[],"description":"Rapid7’s InsightIDR is your security center for incident detection and response, authentication monitoring, and endpoint visibility. InsightIDR identifies unauthorized access from external and internal threats, and highlights suspicious activity so you don’t have to weed through thousands of data streams.\r\nInsightIDR combines the full power of endpoint forensics, log search, and sophisticated dashboards into a single solution. It is a Software as a Service (SaaS) tool that collects data from your existing network security tools, authentication logs, and endpoint devices. InsightIDR then aggregates the data at an on-premises Collector or a dedicated host machine that centralizes your data.\r\nUse this Collector to gather and transmit your logs securely to AWS, which hosts customer databases and the web interface. Rapid7 runs analytics on this data to correlate users, accounts, authentications, alerts, and privileges. The analysis provides insight into user behavior while searching for known indicators of compromise.\r\nRapid7 recommends keeping dedicated Collectors on-premises to collect event data, log data, and endpoint data.\r\nWhen you connect all of the various data streams to InsightIDR, you can take advantage of all the following built-in features made with users in mind:\r\n<ul> <li>Unify your data into a single security view</li> <li>Analyze raw logs, endpoint data, and network traffic</li> <li>Receive alerts for suspicious activity</li> <li>Prioritize events</li> <li>Investigate events</li> </ul>\r\n<span style=\"font-weight: bold;\">Unify your data into a single security view</span>\r\nTrack user network resources, their devices, and their visited cloud services. InsightIDR normalizes network data and attributes it to users, so you know the origin, owner, and time of event.\r\n<span style=\"font-weight: bold;\">Analyze raw logs, endpoint data, and network traffic</span>\r\nInsightIDR collects data streams from every possible place, and brings them together in one convenient place for you to analyze. Sift through raw logs, visualize your endpoint data, or organize your network traffic from users.\r\n<span style=\"font-weight: bold;\">Receive alerts for suspicious activity</span>\r\nWhether or not suspicious activity is happening on your network, InsightIDR sets up traps that alert you of security gaps.\r\n<span style=\"font-weight: bold;\">Prioritize events</span>\r\nBecause traffic and data is normalized, InsightIDR automatically prioritizes network events and brings notable events to your attention. InsightIDR filters out non-critical events so you focus on the important ones.\r\n<span style=\"font-weight: bold;\">Investigate events</span>\r\nIn the event of a breach, security teams will have contextual information of compromised data, time of event, and possible next actions of the intruder.","shortDescription":"Rapid7 InsightIDR is an intruder analytics solution that gives you the confidence to detect and investigate security incidents faster.","type":null,"isRoiCalculatorAvaliable":false,"isConfiguratorAvaliable":false,"bonus":100,"usingCount":7,"sellingCount":14,"discontinued":0,"rebateForPoc":0,"rebate":0,"seo":{"title":"Rapid7 insightIDR","keywords":"","description":"Rapid7’s InsightIDR is your security center for incident detection and response, authentication monitoring, and endpoint visibility. InsightIDR identifies unauthorized access from external and internal threats, and highlights suspicious activity so you don’t h","og:title":"Rapid7 insightIDR","og:description":"Rapid7’s InsightIDR is your security center for incident detection and response, authentication monitoring, and endpoint visibility. InsightIDR identifies unauthorized access from external and internal threats, and highlights suspicious activity so you don’t h","og:image":"https://old.roi4cio.com/fileadmin/user_upload/Rapid7-InsightIDR.png"},"eventUrl":"","translationId":2137,"dealDetails":null,"roi":null,"price":null,"bonusForReference":null,"templateData":[],"testingArea":"","categories":[{"id":45,"title":"SIEM - Security Information and Event Management","alias":"siem-security-information-and-event-management","description":"<span style=\"font-weight: bold; \">Security information and event management (SIEM)</span> is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system. \r\n The underlying principles of every SIEM system is to aggregate relevant data from multiple sources, identify deviations from the norm and take appropriate action. At the most basic level, a SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries. Advanced SIEM products have evolved to include user and entity behavior analytics (UEBA) and security orchestration and automated response (SOAR). \r\nThe acronyms SEM, SIM and SIEM have sometimes been used interchangeably, but generally refer to the different primary focus of products:\r\n<ul><li><span style=\"font-weight: bold;\">Log management:</span> Focus on simple collection and storage of log messages and audit trails.</li><li><span style=\"font-weight: bold;\">Security information management (SIM):</span> Long-term storage as well as analysis and reporting of log data.</li><li><span style=\"font-weight: bold;\">Security event manager (SEM):</span> Real-time monitoring, correlation of events, notifications and console views.</li><li><span style=\"font-weight: bold;\">Security information event management (SIEM):</span> Combines SIM and SEM and provides real-time analysis of security alerts generated by network hardware and applications.</li><li><span style=\"font-weight: bold;\">Managed Security Service (MSS) or Managed Security Service Provider (MSSP):</span> The most common managed services appear to evolve around connectivity and bandwidth, network monitoring, security, virtualization, and disaster recovery.</li><li><span style=\"font-weight: bold;\">Security as a service (SECaaS):</span> These security services often include authentication, anti-virus, anti-malware/spyware, intrusion detection, Penetration testing and security event management, among others.</li></ul>\r\nToday, most of SIEM technology works by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment, as well as specialized security equipment like firewalls, antivirus or intrusion prevention systems. The collectors forward events to a centralized management console where security analysts sift through the noise, connecting the dots and prioritizing security incidents.\r\nSome of the most important features to review when evaluating Security Information and Event Management software are:\r\n<ol><li><span style=\"font-weight: bold; \">Integration with other controls:</span> Can the system give commands to other enterprise security controls to prevent or stop attacks in progress?</li><li><span style=\"font-weight: bold; \">Artificial intelligence:</span> Can the system improve its own accuracy by through machine and deep learning?</li><li><span style=\"font-weight: bold; \">Threat intelligence feeds:</span> Can the system support threat intelligence feeds of the organization's choosing or is it mandated to use a particular feed?</li><li><span style=\"font-weight: bold; \">Robust compliance reporting:</span> Does the system include built-in reports for common compliance needs and the provide the organization with the ability to customize or create new compliance reports?</li><li><span style=\"font-weight: bold; \">Forensics capabilities:</span> Can the system capture additional information about security events by recording the headers and contents of packets of interest? </li></ol>\r\n\r\n\r\n","materialsDescription":"<h1 class=\"align-center\"> Why is SIEM Important?</h1>\r\nSIEM has become a core security component of modern organizations. The main reason is that every user or tracker leaves behind a virtual trail in a network’s log data. SIEM software is designed to use this log data in order to generate insight into past attacks and events. A SIEM solution not only identifies that an attack has happened, but allows you to see how and why it happened as well.\r\nAs organizations update and upscale to increasingly complex IT infrastructures, SIEM has become even more important in recent years. Contrary to popular belief, firewalls and antivirus packages are not enough to protect a network in its entirety. Zero-day attacks can still penetrate a system’s defenses even with these security measures in place.\r\nSIEM addresses this problem by detecting attack activity and assessing it against past behavior on the network. A security event monitoring has the ability to distinguish between legitimate use and a malicious attack. This helps to increase a system’s incident protection and avoid damage to systems and virtual property.\r\nThe use of SIEM also helps companies to comply with a variety of industry cyber management regulations. Log management is the industry standard method of auditing activity on an IT network. SIEM management provides the best way to meet this regulatory requirement and provide transparency over logs in order to generate clear insights and improvements.\r\n<h1 class=\"align-center\">Evaluation criteria for security information and event management software:</h1>\r\n<ul><li>Threat identification: Raw log form vs. descriptive.</li><li>Threat tracking: Ability to track through the various events, from source to destination.</li><li>Policy enforcement: Ability to enforce defined polices.</li><li>Application analysis: Ability to analyze application at Layer 7 if necessary.</li><li>Business relevance of events: Ability to assign business risk to events and have weighted threat levels.</li><li>Measuring changes and improvements: Ability to track configuration changes to devices.</li><li>Asset-based information: Ability to gather information on devices on the network.</li><li>Anomalous behavior (server): Ability to trend and see changes in how it communicates to others.</li><li>Anomalous behavior (network): Ability to trend and see how communications pass throughout the network.</li><li>Anomalous behavior (application): Ability to trend and see changes in how it communicates to others.</li><li>User monitoring: User activity, logging in, applications usage, etc.</li></ul>\r\n\r\n"},{"id":465,"title":"UEBA - User and Entity Behavior Analytics","alias":"ueba-user-and-entity-behavior-analytics","description":"Developments in UBA technology led Gartner to evolve the category to user and entity behavior analytics (UEBA). In September 2015, Gartner published the Market Guide for User and Entity Analytics by Vice President and Distinguished Analyst, Avivah Litan, that provided a thorough definition and explanation. UEBA was referred to in earlier Gartner reports but not in much depth. Expanding the definition from UBA includes devices, applications, servers, data, or anything with an IP address. It moves beyond the fraud-oriented UBA focus to a broader one encompassing "malicious and abusive behavior that otherwise went unnoticed by existing security monitoring systems, such as SIEM and DLP." The addition of "entity" reflects that devices may play a role in a network attack and may also be valuable in uncovering attack activity. "When end users have been compromised, malware can lay dormant and go undetected for months. Rather than trying to find where the outsider entered, UEBAs allow for quicker detection by using algorithms to detect insider threats."\r\nParticularly in the computer security market, there are many vendors for UEBA applications. They can be "differentiated by whether they are designed to monitor on-premises or cloud-based software as a service (SaaS) applications; the methods in which they obtain the source data; the type of analytics they use (i.e., packaged analytics, user-driven or vendor-written), and the service delivery method (i.e., on-premises or a cloud-based)." According to the 2015 market guide released by Gartner, "the UEBA market grew substantially in 2015; UEBA vendors grew their customer base, market consolidation began, and Gartner client interest in UEBA and security analytics increased." The report further projected, "Over the next three years, leading UEBA platforms will become preferred systems for security operations and investigations at some of the organizations they serve. It will be—and in some cases already is—much easier to discover some security events and analyze individual offenders in UEBA than it is in many legacy security monitoring systems."","materialsDescription":"<span style=\"font-weight: bold;\">What is UEBA?</span>\r\nHackers can break into firewalls, send you e-mails with malicious and infected attachments, or even bribe an employee to gain access into your firewalls. Old tools and systems are quickly becoming obsolete, and there are several ways to get past them.\r\nUser and entity behavior analytics (UEBA) give you more comprehensive way of making sure that your organization has top-notch IT security, while also helping you detect users and entities that might compromise your entire system.\r\nUEBA is a type of cybersecurity process that takes note of the normal conduct of users. In turn, they detect any anomalous behavior or instances when there are deviations from these “normal” patterns. For example, if a particular user regularly downloads 10 MB of files every day but suddenly downloads gigabytes of files, the system would be able to detect this anomaly and alert them immediately.\r\nUEBA uses machine learning, algorithms, and statistical analyses to know when there is a deviation from established patterns, showing which of these anomalies could result in, potentially, a real threat. UEBA can also aggregate the data you have in your reports and logs, as well as analyze the file, flow, and packet information.\r\nIn UEBA, you do not track security events or monitor devices; instead, you track all the users and entities in your system. As such, UEBA focuses on insider threats, such as employees who have gone rogue, employees who have already been compromised, and people who already have access to your system and then carry out targeted attacks and fraud attempts, as well as servers, applications, and devices that are working within your system.\r\n<span style=\"font-weight: bold;\">What are the benefits of UEBA?</span>\r\nIt is the unfortunate truth that today's cybersecurity tools are fast becoming obsolete, and more skilled hackers and cyber attackers are now able to bypass the perimeter defenses that are used by most companies. In the old days, you were secure if you had web gateways, firewalls, and intrusion prevention tools in place. This is no longer the case in today’s complex threat landscape, and it’s especially true for bigger corporations that are proven to have very porous IT perimeters that are also very difficult to manage and oversee.\r\nThe bottom line? Preventive measures are no longer enough. Your firewalls are not going to be 100% foolproof, and hackers and attackers will get into your system at one point or another. This is why detection is equally important: when hackers do successfully get into your system, you should be able to detect their presence quickly in order to minimize the damage.\r\n<span style=\"font-weight: bold;\">How Does UEBA Work?</span>\r\nThe premise of UEBA is actually very simple. You can easily steal an employee’s user name and password, but it is much harder to mimic the person’s normal behavior once inside the network.\r\nFor example, let’s say you steal Jane Doe’s password and user name. You would still not be able to act precisely like Jane Doe once in the system unless given extensive research and preparation. Therefore, when Jane Doe’s user name is logged in to the system, and her behavior is different than that of typical Jane Doe, that is when UEBA alerts start to sound.\r\nAnother relatable analogy would be if your credit card was stolen. A thief can pickpocket your wallet and go to a high-end shop and start spending thousands of dollars using your credit card. If your spending pattern on that card is different from the thief’s, the company’s fraud detection department will often recognize the abnormal spending and block suspicious purchases, issuing an alert to you or asking you to verify the authenticity of a transaction.\r\nAs such, UEBA is a very important component of IT security, allowing you to:\r\n1. Detect insider threats. It is not too far-fetched to imagine that an employee, or perhaps a group of employees, could go rogue, stealing data and information by using their own access. UEBA can help you detect data breaches, sabotage, privilege abuse and policy violations made by your own staff.\r\n2. Detect compromised accounts. Sometimes, user accounts are compromised. It could be that the user unwittingly installed malware on his or her machine, or sometimes a legitimate account is spoofed. UEBA can help you weed out spoofed and compromised users before they can do real harm.\r\n3. Detect brute-force attacks. Hackers sometimes target your cloud-based entities as well as third-party authentication systems. With UEBA, you are able to detect brute-force attempts, allowing you to block access to these entities.\r\n4. Detect changes in permissions and the creation of super users. Some attacks involve the use of super users. UEBA allows you to detect when super users are created, or if there are accounts that were granted unnecessary permissions.\r\n5. Detect breach of protected data. If you have protected data, it is not enough to just keep it secure. You should know when a user accesses this data when he or she does not have any legitimate business reason to access it."},{"id":838,"title":"Endpoint Detection and Response","alias":"endpoint-detection-and-response","description":"Endpoint Detection and Response (EDR) is a cybersecurity technology that addresses the need for continuous monitoring and response to advanced threats. It is a subset of endpoint security technology and a critical piece of an optimal security posture. EDR differs from other endpoint protection platforms (EPP) such as antivirus (AV) and anti-malware in that its primary focus isn't to automatically stop threats in the pre-execution phase on an endpoint. Rather, EDR is focused on providing the right endpoint visibility with the right insights to help security analysts discover, investigate and respond to very advanced threats and broader attack campaigns stretching across multiple endpoints. Many EDR tools, however, combine EDR and EPP.\r\nWhile small and mid-market organizations are increasingly turning to EDR technology for more advanced endpoint protection, many lack the resources to maximize the benefits of the technology. Utilizing advanced EDR features such as forensic analysis, behavioral monitoring and artificial intelligence (AI) is labor and resource intensive, requiring the attention of dedicated security professionals.\r\nA managed endpoint security service combines the latest technology, an around-the-clock team of certified CSOC experts and up-to-the-minute industry intelligence for a cost-effective monthly subscription. Managed services can help reduce the day-to-day burden of monitoring and responding to alerts, enhance security orchestration and automation (SOAR) and improve threat hunting and incident response.","materialsDescription":"<span style=\"font-weight: bold; \">What is Endpoint detection and response (EDR)?</span>\r\nEndpoint detection and response is an emerging technology that addresses the need for continuous monitoring and response to advanced threats. One could even make the argument that endpoint detection and response is a form of advanced threat protection.\r\n<span style=\"font-weight: bold;\">What are the Key Aspects of EDR Security?</span>\r\nAccording to Gartner, effective EDR must include the following capabilities:\r\n<ul><li>Incident data search and investigation</li><li>Alert triage or suspicious activity validation</li><li>Suspicious activity detection</li><li>Threat hunting or data exploration</li><li>Stopping malicious activity</li></ul>\r\n<span style=\"font-weight: bold;\">What to look for in an EDR Solution?</span>\r\nUnderstanding the key aspects of EDR and why they are important will help you better discern what to look for in a solution. It’s important to find EDR software that can provide the highest level of protection while requiring the least amount of effort and investment — adding value to your security team without draining resources. Here are the six key aspects of EDR you should look for:\r\n<span style=\"font-weight: bold;\">1. Visibility:</span> Real-time visibility across all your endpoints allows you to view adversary activities, even as they attempt to breach your environment and stop them immediately.\r\n<span style=\"font-weight: bold;\">2. Threat Database:</span> Effective EDR requires massive amounts of telemetry collected from endpoints and enriched with context so it can be mined for signs of attack with a variety of analytic techniques.\r\n<span style=\"font-weight: bold;\">3. Behavioral Protection:</span> Relying solely on signature-based methods or indicators of compromise (IOCs) lead to the “silent failure” that allows data breaches to occur. Effective endpoint detection and response requires behavioral approaches that search for indicators of attack (IOAs), so you are alerted of suspicious activities before a compromise can occur.\r\n<span style=\"font-weight: bold;\">4. Insight and Intelligence:</span> An endpoint detection and response solution that integrates threat intelligence can provide context, including details on the attributed adversary that is attacking you or other information about the attack.\r\n<span style=\"font-weight: bold;\">5. Fast Response:</span> EDR that enables a fast and accurate response to incidents can stop an attack before it becomes a breach and allow your organization to get back to business quickly.\r\n<span style=\"font-weight: bold;\">6. Cloud-based Solution:</span> Having a cloud-based endpoint detection and response solution is the only way to ensure zero impact on endpoints while making sure capabilities such as search, analysis and investigation can be done accurately and in real time."}],"characteristics":[],"concurentProducts":[],"jobRoles":[],"organizationalFeatures":[],"complementaryCategories":[],"solutions":[],"materials":[],"useCases":[],"best_practices":[],"values":[],"implementations":[],"valuesByTemplateId":{"144":{"2877":{"id":7952,"characteristicId":2877,"templateId":144,"value":true},"2879":{"id":7953,"characteristicId":2879,"templateId":144,"value":true},"2881":{"id":7954,"characteristicId":2881,"templateId":144,"value":"N/A"},"2883":{"id":7955,"characteristicId":2883,"templateId":144,"value":"N/A"},"2885":{"id":7956,"characteristicId":2885,"templateId":144,"value":"N/A"},"2887":{"id":7957,"characteristicId":2887,"templateId":144,"value":"N/A"},"2889":{"id":7958,"characteristicId":2889,"templateId":144,"value":"N/A"},"2891":{"id":7959,"characteristicId":2891,"templateId":144,"value":true},"2893":{"id":7960,"characteristicId":2893,"templateId":144,"value":"N/A"},"2895":{"id":7961,"characteristicId":2895,"templateId":144,"value":true},"2897":{"id":7962,"characteristicId":2897,"templateId":144,"value":true},"2899":{"id":7963,"characteristicId":2899,"templateId":144,"value":true},"2901":{"id":7964,"characteristicId":2901,"templateId":144,"value":true},"2903":{"id":7965,"characteristicId":2903,"templateId":144,"value":"N/A"},"2905":{"id":7966,"characteristicId":2905,"templateId":144,"value":true},"2907":{"id":7967,"characteristicId":2907,"templateId":144,"value":"yes"}}}},{"id":3581,"logoURL":"https://old.roi4cio.com/fileadmin/user_upload/RSA_logo.png","logo":true,"scheme":false,"title":"RSA NetWitness Endpoint","vendorVerified":0,"rating":"1.40","implementationsCount":0,"suppliersCount":0,"alias":"rsa-netwitness-endpoint","companyTypes":[],"description":"Enter RSA NetWitness Endpoint, endpoint detection and response solution that leverages unique, continuous endpoint behavioral monitoring and advanced machine learning to dive deeper into endpoints and more accurately and rapidly identify targeted, unknown and non-malware attacks that other endpoint security solutions miss entirely. With RSA NetWitness Endpoint, security teams gain the unparalleled endpoint visibility they need to more quickly detect threats they couldn’t see before and investigate them more thoroughly. \r\nRSA NetWitness Endpoint provides deep visibility beyond basic endpoint security solutions by monitoring and collecting activity across all of your endpoints — on and off your network — so that you can:\r\n<ul> <li>Continuously monitor endpoints and immediately receive prioritized alerts</li> <li>Drastically reduce dwell time by rapidly detecting and identifying new, unknown and non-malware attacks</li> <li>Increase resolution rate and cut the cost, time and scope of incident response</li> </ul>","shortDescription":"RSA NetWitness Endpoint provides deep visibility beyond basic endpoint security solutions by monitoring and collecting activity across all of your endpoints — on and off network.","type":null,"isRoiCalculatorAvaliable":false,"isConfiguratorAvaliable":false,"bonus":100,"usingCount":8,"sellingCount":9,"discontinued":0,"rebateForPoc":0,"rebate":0,"seo":{"title":"RSA NetWitness Endpoint","keywords":"","description":"Enter RSA NetWitness Endpoint, endpoint detection and response solution that leverages unique, continuous endpoint behavioral monitoring and advanced machine learning to dive deeper into endpoints and more accurately and rapidly identify targeted, unknown and ","og:title":"RSA NetWitness Endpoint","og:description":"Enter RSA NetWitness Endpoint, endpoint detection and response solution that leverages unique, continuous endpoint behavioral monitoring and advanced machine learning to dive deeper into endpoints and more accurately and rapidly identify targeted, unknown and ","og:image":"https://old.roi4cio.com/fileadmin/user_upload/RSA_logo.png"},"eventUrl":"","translationId":3582,"dealDetails":null,"roi":null,"price":null,"bonusForReference":null,"templateData":[],"testingArea":"","categories":[{"id":45,"title":"SIEM - Security Information and Event Management","alias":"siem-security-information-and-event-management","description":"<span style=\"font-weight: bold; \">Security information and event management (SIEM)</span> is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system. \r\n The underlying principles of every SIEM system is to aggregate relevant data from multiple sources, identify deviations from the norm and take appropriate action. At the most basic level, a SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries. Advanced SIEM products have evolved to include user and entity behavior analytics (UEBA) and security orchestration and automated response (SOAR). \r\nThe acronyms SEM, SIM and SIEM have sometimes been used interchangeably, but generally refer to the different primary focus of products:\r\n<ul><li><span style=\"font-weight: bold;\">Log management:</span> Focus on simple collection and storage of log messages and audit trails.</li><li><span style=\"font-weight: bold;\">Security information management (SIM):</span> Long-term storage as well as analysis and reporting of log data.</li><li><span style=\"font-weight: bold;\">Security event manager (SEM):</span> Real-time monitoring, correlation of events, notifications and console views.</li><li><span style=\"font-weight: bold;\">Security information event management (SIEM):</span> Combines SIM and SEM and provides real-time analysis of security alerts generated by network hardware and applications.</li><li><span style=\"font-weight: bold;\">Managed Security Service (MSS) or Managed Security Service Provider (MSSP):</span> The most common managed services appear to evolve around connectivity and bandwidth, network monitoring, security, virtualization, and disaster recovery.</li><li><span style=\"font-weight: bold;\">Security as a service (SECaaS):</span> These security services often include authentication, anti-virus, anti-malware/spyware, intrusion detection, Penetration testing and security event management, among others.</li></ul>\r\nToday, most of SIEM technology works by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment, as well as specialized security equipment like firewalls, antivirus or intrusion prevention systems. The collectors forward events to a centralized management console where security analysts sift through the noise, connecting the dots and prioritizing security incidents.\r\nSome of the most important features to review when evaluating Security Information and Event Management software are:\r\n<ol><li><span style=\"font-weight: bold; \">Integration with other controls:</span> Can the system give commands to other enterprise security controls to prevent or stop attacks in progress?</li><li><span style=\"font-weight: bold; \">Artificial intelligence:</span> Can the system improve its own accuracy by through machine and deep learning?</li><li><span style=\"font-weight: bold; \">Threat intelligence feeds:</span> Can the system support threat intelligence feeds of the organization's choosing or is it mandated to use a particular feed?</li><li><span style=\"font-weight: bold; \">Robust compliance reporting:</span> Does the system include built-in reports for common compliance needs and the provide the organization with the ability to customize or create new compliance reports?</li><li><span style=\"font-weight: bold; \">Forensics capabilities:</span> Can the system capture additional information about security events by recording the headers and contents of packets of interest? </li></ol>\r\n\r\n\r\n","materialsDescription":"<h1 class=\"align-center\"> Why is SIEM Important?</h1>\r\nSIEM has become a core security component of modern organizations. The main reason is that every user or tracker leaves behind a virtual trail in a network’s log data. SIEM software is designed to use this log data in order to generate insight into past attacks and events. A SIEM solution not only identifies that an attack has happened, but allows you to see how and why it happened as well.\r\nAs organizations update and upscale to increasingly complex IT infrastructures, SIEM has become even more important in recent years. Contrary to popular belief, firewalls and antivirus packages are not enough to protect a network in its entirety. Zero-day attacks can still penetrate a system’s defenses even with these security measures in place.\r\nSIEM addresses this problem by detecting attack activity and assessing it against past behavior on the network. A security event monitoring has the ability to distinguish between legitimate use and a malicious attack. This helps to increase a system’s incident protection and avoid damage to systems and virtual property.\r\nThe use of SIEM also helps companies to comply with a variety of industry cyber management regulations. Log management is the industry standard method of auditing activity on an IT network. SIEM management provides the best way to meet this regulatory requirement and provide transparency over logs in order to generate clear insights and improvements.\r\n<h1 class=\"align-center\">Evaluation criteria for security information and event management software:</h1>\r\n<ul><li>Threat identification: Raw log form vs. descriptive.</li><li>Threat tracking: Ability to track through the various events, from source to destination.</li><li>Policy enforcement: Ability to enforce defined polices.</li><li>Application analysis: Ability to analyze application at Layer 7 if necessary.</li><li>Business relevance of events: Ability to assign business risk to events and have weighted threat levels.</li><li>Measuring changes and improvements: Ability to track configuration changes to devices.</li><li>Asset-based information: Ability to gather information on devices on the network.</li><li>Anomalous behavior (server): Ability to trend and see changes in how it communicates to others.</li><li>Anomalous behavior (network): Ability to trend and see how communications pass throughout the network.</li><li>Anomalous behavior (application): Ability to trend and see changes in how it communicates to others.</li><li>User monitoring: User activity, logging in, applications usage, etc.</li></ul>\r\n\r\n"},{"id":838,"title":"Endpoint Detection and Response","alias":"endpoint-detection-and-response","description":"Endpoint Detection and Response (EDR) is a cybersecurity technology that addresses the need for continuous monitoring and response to advanced threats. It is a subset of endpoint security technology and a critical piece of an optimal security posture. EDR differs from other endpoint protection platforms (EPP) such as antivirus (AV) and anti-malware in that its primary focus isn't to automatically stop threats in the pre-execution phase on an endpoint. Rather, EDR is focused on providing the right endpoint visibility with the right insights to help security analysts discover, investigate and respond to very advanced threats and broader attack campaigns stretching across multiple endpoints. Many EDR tools, however, combine EDR and EPP.\r\nWhile small and mid-market organizations are increasingly turning to EDR technology for more advanced endpoint protection, many lack the resources to maximize the benefits of the technology. Utilizing advanced EDR features such as forensic analysis, behavioral monitoring and artificial intelligence (AI) is labor and resource intensive, requiring the attention of dedicated security professionals.\r\nA managed endpoint security service combines the latest technology, an around-the-clock team of certified CSOC experts and up-to-the-minute industry intelligence for a cost-effective monthly subscription. Managed services can help reduce the day-to-day burden of monitoring and responding to alerts, enhance security orchestration and automation (SOAR) and improve threat hunting and incident response.","materialsDescription":"<span style=\"font-weight: bold; \">What is Endpoint detection and response (EDR)?</span>\r\nEndpoint detection and response is an emerging technology that addresses the need for continuous monitoring and response to advanced threats. One could even make the argument that endpoint detection and response is a form of advanced threat protection.\r\n<span style=\"font-weight: bold;\">What are the Key Aspects of EDR Security?</span>\r\nAccording to Gartner, effective EDR must include the following capabilities:\r\n<ul><li>Incident data search and investigation</li><li>Alert triage or suspicious activity validation</li><li>Suspicious activity detection</li><li>Threat hunting or data exploration</li><li>Stopping malicious activity</li></ul>\r\n<span style=\"font-weight: bold;\">What to look for in an EDR Solution?</span>\r\nUnderstanding the key aspects of EDR and why they are important will help you better discern what to look for in a solution. It’s important to find EDR software that can provide the highest level of protection while requiring the least amount of effort and investment — adding value to your security team without draining resources. Here are the six key aspects of EDR you should look for:\r\n<span style=\"font-weight: bold;\">1. Visibility:</span> Real-time visibility across all your endpoints allows you to view adversary activities, even as they attempt to breach your environment and stop them immediately.\r\n<span style=\"font-weight: bold;\">2. Threat Database:</span> Effective EDR requires massive amounts of telemetry collected from endpoints and enriched with context so it can be mined for signs of attack with a variety of analytic techniques.\r\n<span style=\"font-weight: bold;\">3. Behavioral Protection:</span> Relying solely on signature-based methods or indicators of compromise (IOCs) lead to the “silent failure” that allows data breaches to occur. Effective endpoint detection and response requires behavioral approaches that search for indicators of attack (IOAs), so you are alerted of suspicious activities before a compromise can occur.\r\n<span style=\"font-weight: bold;\">4. Insight and Intelligence:</span> An endpoint detection and response solution that integrates threat intelligence can provide context, including details on the attributed adversary that is attacking you or other information about the attack.\r\n<span style=\"font-weight: bold;\">5. Fast Response:</span> EDR that enables a fast and accurate response to incidents can stop an attack before it becomes a breach and allow your organization to get back to business quickly.\r\n<span style=\"font-weight: bold;\">6. Cloud-based Solution:</span> Having a cloud-based endpoint detection and response solution is the only way to ensure zero impact on endpoints while making sure capabilities such as search, analysis and investigation can be done accurately and in real time."}],"characteristics":[],"concurentProducts":[],"jobRoles":[],"organizationalFeatures":[],"complementaryCategories":[],"solutions":[],"materials":[],"useCases":[],"best_practices":[],"values":[],"implementations":[],"valuesByTemplateId":{"144":{"2877":{"id":11196,"characteristicId":2877,"templateId":144,"value":true},"2879":{"id":11197,"characteristicId":2879,"templateId":144,"value":true},"2881":{"id":11198,"characteristicId":2881,"templateId":144,"value":true},"2883":{"id":11199,"characteristicId":2883,"templateId":144,"value":"N/A"},"2885":{"id":11200,"characteristicId":2885,"templateId":144,"value":true},"2887":{"id":11201,"characteristicId":2887,"templateId":144,"value":true},"2889":{"id":11202,"characteristicId":2889,"templateId":144,"value":true},"2891":{"id":11203,"characteristicId":2891,"templateId":144,"value":true},"2893":{"id":11204,"characteristicId":2893,"templateId":144,"value":true},"2895":{"id":11205,"characteristicId":2895,"templateId":144,"value":true},"2897":{"id":11206,"characteristicId":2897,"templateId":144,"value":true},"2899":{"id":11207,"characteristicId":2899,"templateId":144,"value":"N/A"},"2901":{"id":11208,"characteristicId":2901,"templateId":144,"value":true},"2903":{"id":11209,"characteristicId":2903,"templateId":144,"value":true},"2905":{"id":11210,"characteristicId":2905,"templateId":144,"value":true},"2907":{"id":11211,"characteristicId":2907,"templateId":144,"value":"yes"}}}},{"id":345,"logoURL":"https://old.roi4cio.com/fileadmin/user_upload/Splunk_Enterprise.png","logo":true,"scheme":false,"title":"Splunk Enterprise","vendorVerified":0,"rating":"1.80","implementationsCount":0,"suppliersCount":0,"alias":"splunk-enterprise","companyTypes":[],"description":" Splunk Enterprise makes it simple to collect, analyze, and act upon the value of the big data generated by technology infrastructure, security systems and business applications-- giving the insights to drive operational performance and business results. \r\n\r\nThe Platform for Operational Intelligence\r\nBy monitoring and analyzing everything from customer clickstreams and transactions to security events and network activity, Splunk Enterprise helps you gain valuable Operational Intelligence from your machine-generated data. And with a full range of powerful search, visualization and pre-packaged content for use-cases, any user can quickly discover and share insights. Just point your raw data at Splunk Enterprise and start analyzing your world.\r\n\r\nCollects and indexes log and machine data from any source\r\nPowerful search, analysis and visualization capabilities empower users of all types\r\nApps provide solutions for security, IT ops, business analysis and more\r\nEnables visibility across on premise, cloud and hybrid environments\r\nDelivers the scale, security and availability to suit any organization\r\nAvailable as a software or SaaS solution","shortDescription":"Splunk Enterprise takes valuable machine data and turns it into powerful operational intelligence.","type":null,"isRoiCalculatorAvaliable":false,"isConfiguratorAvaliable":false,"bonus":100,"usingCount":13,"sellingCount":15,"discontinued":0,"rebateForPoc":0,"rebate":0,"seo":{"title":"Splunk Enterprise","keywords":"Splunk, Enterprise, data, your, security, business, Intelligence, Operational","description":" Splunk Enterprise makes it simple to collect, analyze, and act upon the value of the big data generated by technology infrastructure, security systems and business applications-- giving the insights to drive operational performance and business res","og:title":"Splunk Enterprise","og:description":" Splunk Enterprise makes it simple to collect, analyze, and act upon the value of the big data generated by technology infrastructure, security systems and business applications-- giving the insights to drive operational performance and business res","og:image":"https://old.roi4cio.com/fileadmin/user_upload/Splunk_Enterprise.png"},"eventUrl":"","translationId":346,"dealDetails":null,"roi":null,"price":null,"bonusForReference":null,"templateData":[],"testingArea":"","categories":[{"id":45,"title":"SIEM - Security Information and Event Management","alias":"siem-security-information-and-event-management","description":"<span style=\"font-weight: bold; \">Security information and event management (SIEM)</span> is an approach to security management that combines SIM (security information management) and SEM (security event management) functions into one security management system. \r\n The underlying principles of every SIEM system is to aggregate relevant data from multiple sources, identify deviations from the norm and take appropriate action. At the most basic level, a SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries. Advanced SIEM products have evolved to include user and entity behavior analytics (UEBA) and security orchestration and automated response (SOAR). \r\nThe acronyms SEM, SIM and SIEM have sometimes been used interchangeably, but generally refer to the different primary focus of products:\r\n<ul><li><span style=\"font-weight: bold;\">Log management:</span> Focus on simple collection and storage of log messages and audit trails.</li><li><span style=\"font-weight: bold;\">Security information management (SIM):</span> Long-term storage as well as analysis and reporting of log data.</li><li><span style=\"font-weight: bold;\">Security event manager (SEM):</span> Real-time monitoring, correlation of events, notifications and console views.</li><li><span style=\"font-weight: bold;\">Security information event management (SIEM):</span> Combines SIM and SEM and provides real-time analysis of security alerts generated by network hardware and applications.</li><li><span style=\"font-weight: bold;\">Managed Security Service (MSS) or Managed Security Service Provider (MSSP):</span> The most common managed services appear to evolve around connectivity and bandwidth, network monitoring, security, virtualization, and disaster recovery.</li><li><span style=\"font-weight: bold;\">Security as a service (SECaaS):</span> These security services often include authentication, anti-virus, anti-malware/spyware, intrusion detection, Penetration testing and security event management, among others.</li></ul>\r\nToday, most of SIEM technology works by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment, as well as specialized security equipment like firewalls, antivirus or intrusion prevention systems. The collectors forward events to a centralized management console where security analysts sift through the noise, connecting the dots and prioritizing security incidents.\r\nSome of the most important features to review when evaluating Security Information and Event Management software are:\r\n<ol><li><span style=\"font-weight: bold; \">Integration with other controls:</span> Can the system give commands to other enterprise security controls to prevent or stop attacks in progress?</li><li><span style=\"font-weight: bold; \">Artificial intelligence:</span> Can the system improve its own accuracy by through machine and deep learning?</li><li><span style=\"font-weight: bold; \">Threat intelligence feeds:</span> Can the system support threat intelligence feeds of the organization's choosing or is it mandated to use a particular feed?</li><li><span style=\"font-weight: bold; \">Robust compliance reporting:</span> Does the system include built-in reports for common compliance needs and the provide the organization with the ability to customize or create new compliance reports?</li><li><span style=\"font-weight: bold; \">Forensics capabilities:</span> Can the system capture additional information about security events by recording the headers and contents of packets of interest? </li></ol>\r\n\r\n\r\n","materialsDescription":"<h1 class=\"align-center\"> Why is SIEM Important?</h1>\r\nSIEM has become a core security component of modern organizations. The main reason is that every user or tracker leaves behind a virtual trail in a network’s log data. SIEM software is designed to use this log data in order to generate insight into past attacks and events. A SIEM solution not only identifies that an attack has happened, but allows you to see how and why it happened as well.\r\nAs organizations update and upscale to increasingly complex IT infrastructures, SIEM has become even more important in recent years. Contrary to popular belief, firewalls and antivirus packages are not enough to protect a network in its entirety. Zero-day attacks can still penetrate a system’s defenses even with these security measures in place.\r\nSIEM addresses this problem by detecting attack activity and assessing it against past behavior on the network. A security event monitoring has the ability to distinguish between legitimate use and a malicious attack. This helps to increase a system’s incident protection and avoid damage to systems and virtual property.\r\nThe use of SIEM also helps companies to comply with a variety of industry cyber management regulations. Log management is the industry standard method of auditing activity on an IT network. SIEM management provides the best way to meet this regulatory requirement and provide transparency over logs in order to generate clear insights and improvements.\r\n<h1 class=\"align-center\">Evaluation criteria for security information and event management software:</h1>\r\n<ul><li>Threat identification: Raw log form vs. descriptive.</li><li>Threat tracking: Ability to track through the various events, from source to destination.</li><li>Policy enforcement: Ability to enforce defined polices.</li><li>Application analysis: Ability to analyze application at Layer 7 if necessary.</li><li>Business relevance of events: Ability to assign business risk to events and have weighted threat levels.</li><li>Measuring changes and improvements: Ability to track configuration changes to devices.</li><li>Asset-based information: Ability to gather information on devices on the network.</li><li>Anomalous behavior (server): Ability to trend and see changes in how it communicates to others.</li><li>Anomalous behavior (network): Ability to trend and see how communications pass throughout the network.</li><li>Anomalous behavior (application): Ability to trend and see changes in how it communicates to others.</li><li>User monitoring: User activity, logging in, applications usage, etc.</li></ul>\r\n\r\n"}],"characteristics":[],"concurentProducts":[],"jobRoles":[],"organizationalFeatures":[],"complementaryCategories":[],"solutions":[],"materials":[],"useCases":[],"best_practices":[],"values":[],"implementations":[],"valuesByTemplateId":{"144":{"2877":{"id":7904,"characteristicId":2877,"templateId":144,"value":true},"2879":{"id":7905,"characteristicId":2879,"templateId":144,"value":true},"2881":{"id":7906,"characteristicId":2881,"templateId":144,"value":true},"2883":{"id":7907,"characteristicId":2883,"templateId":144,"value":"N/A"},"2885":{"id":7908,"characteristicId":2885,"templateId":144,"value":true},"2887":{"id":7909,"characteristicId":2887,"templateId":144,"value":true},"2889":{"id":7910,"characteristicId":2889,"templateId":144,"value":true},"2891":{"id":7911,"characteristicId":2891,"templateId":144,"value":true},"2893":{"id":7912,"characteristicId":2893,"templateId":144,"value":true},"2895":{"id":7913,"characteristicId":2895,"templateId":144,"value":true},"2897":{"id":7914,"characteristicId":2897,"templateId":144,"value":true},"2899":{"id":7915,"characteristicId":2899,"templateId":144,"value":true},"2901":{"id":7916,"characteristicId":2901,"templateId":144,"value":"N/A"},"2903":{"id":7917,"characteristicId":2903,"templateId":144,"value":"N/A"},"2905":{"id":7918,"characteristicId":2905,"templateId":144,"value":"N/A"},"2907":{"id":7919,"characteristicId":2907,"templateId":144,"value":"yes"}}}}],"selectedTemplateId":144},"presentation":{"type":null,"company":{},"products":[],"partners":[],"formData":{},"dataLoading":false,"dataError":false,"loading":false,"error":false},"catalogsGlobal":{"subMenuItemTitle":""}}