The Best Next-Gen SIEM

A SIEM explores log data to identify suspicious activity. The next-gen SIEM sources external data, exploiting the experiences of other IT systems to spot new attack vectors as soon as they start to roll out.

Here is our list of the eight best Next-Gen SIEMs:

1. Heimdal Threat Hunting and Action Center EDITOR’S CHOICE This cloud system gathers activity data from local Heimdal products on premises and searches for threats, which is the classic SIEM strategy. The package sends response instructions to those local systems on the detection of a threat. Get a free demo.
2. ManageEngine Log360 (FREE TRIAL) This on-premises package integrates a threat intelligence feed, which adds next-gen capabilities to this effective threat detection system. Runs on Windows Server. Start a 30-day free trial.
3. Logpoint (GET FREE DEMO) A cloud-based metered log processing SIEM with UEBA and a CTI feed. Access the free demo.
4. Exabeam This enhanced its SIEM system with in-house developed UEBA and the acquisition of SkyFormation, which collects third-party security event data from cloud platforms and creates a CTI from it. This is a cloud-based service.
5. LogRhythm A leading SIEM since 2003, this system has moved to the cloud and gone Next-Gen. You can also get this SIEM as an appliance or as software for installation on Windows Server.
6. Rapid7 Insight Platform Classed as an XDR, this cloud platform has all of the elements of a next-gen SIEM.
7. Trellix Helix A security operations platform that includes SIEM, UEBA, and threat intelligence. This is a cloud-based system.
8. LogSentinel One of the smaller players in the market, this cloud-based next-gen SIEM is strong on standards compliance.

Next-Gen SIEMs use machine learning and other AI-based techniques to cut down detection time for malicious activity. This is called User and Entity Behavior Analytics (UEBA). This watches all activity on a system to work out what is considered “normal behavior.” Deviations from this standard raise alarms. The strategy uses a triage method in order to focus on potential threats for deeper tracking. Onboard improvements in detection methods speed up the first identification of a zero-day attack. That threat information gets uploaded immediately to the threat intelligence pool and downloaded by other Next Generation SIEMs around the world for immediate action.

Having already discovered the realities of developing and marketing a Next-Gen SIEM, it should come as no surprise that the best Next-Gen SIEMs are all the products of those big-name cybersecurity brands. Cloud-based SIEMs offer the fastest distribution of threat intelligence and also include the server time needed to process large volumes of log data.

The Best Next-Gen SIEMs

Getting a good Next-Gen SIEM is a time-consuming task. The key elements that make a SIEM “Next-Gen” are its threat intelligence pool and UEBA. However, how do you know whether each implementation is any good? Any software company can put together a central notification system but its power is entirely reliant on the service’s accessibility and the size of its contributing community.

Although there are vendor-neutral open standards for cyber threat intelligence (CTI), non-proprietary databases find it difficult to get off the ground. The major SIEM providers make sure to provide a CTI for their NextGen tools and more or less hard code the CTI access into their service. So, CTI selection is a little tribal and it means that, on balance, the big players in the cybersecurity industry have the edge.

If you don’t have time to fully research the entire Next Generation SIEM sector, go for the big names that evolved from rock-solid SIEMs. The well-established security software providers have invested very large budgets in the development of UEBA. Although often, great leaps forward in technology are driven by innovative entrants in the market, UEBA required a great deal of cash to develop and only the major, established brands could afford that outlay.

1. Heimdal Threat Hunting and Action Center (GET  DEMO)

Heimdal Threat Hunting and Action Center provides a cloud layer to a multi-level cybersecurity platform. This tool is part of an EDR solution and it implements central threat hunting, based on activity data that is uploaded by on-premises Heimdal systems.

Key Features:

 

• Multi-Layered Security: Enhances protection with multiple security layers in the cloud.
• Seamless Integration: Works in harmony with other Heimdal solutions for streamlined operations.
• Advanced Threat Detection: Employs sophisticated methods to identify threats swiftly.
• In-Depth User Analysis: Scrutinizes user activities to pinpoint security risks.
• Comprehensive Risk Evaluation: Assesses threats thoroughly to prioritize response actions.

Why do we recommend it?

Heimdal Threat Hunting and Action Center provides a central threat detection system for a network of Heimdal endpoint protection installations plus at least two other on-premises Heimdal security systems. The Action Center holds a rule base of playbooks that implement automated responses on the detection of a threat.

The Threat Hunting and Action Center service is not available as a standalone product. It is designed to coordinate between instances of the Heimdal Next-Generation Antivirus (NGAV) system. This package is actually a unified threat management package because it includes a mobile device management (MDM) unit. The MDM allows tracking, locking, and wiping of mobile devices as well as activity monitoring for security threats.

The NGAV refers to a local signature database when scanning for malware. This is not the most sophisticated method in the market today but it is enhanced by the SIEM-like actions of the Threat Hunting and Action Center service. The cloud package relies on activity logs uploaded by every NGAV instance on the site.

The NGAV is available for installation on Windows, macOS, and Linux. The MDM system will manage devices running Android and iOS. The Threat Hunting and Action Center won’t operate on the NGAV data alone. You also need to be using at least two other Heimdal products on your site before the cloud service will activate.

The units that the Threat Hunting and Action Center needs, apart from the NGAV, are Network Security, Email Security, Patching & Asset Management, and Endpoint Security.

The Threat Hunting service on the Heimdal platform looks at account activity to identify insider threats and account takeovers. Intrusion is indicated by signs of evasion technology and lateral movements. The threat hunting process is called the XTP Engine – XTP stands for Extended Threat Protection. The Action Center sets up responses that will be triggered automatically upon the detection of specific types of threats.

Who is it recommended for?

This package offers a great way to enhance on-device anti-virus systems with an extra layer of threat detection. This system will implement threat responses through a series of playbooks. As it is intended to coordinate an estate of cybersecurity tools, this isn’t a solution for small businesses but it is good for mid-sized and large organizations.

Heimdal doesn’t offer a free trial and it doesn’t publish a price list. However, you can explore the Heimdal platform by accessing a free demo.

2. ManageEngine Log360 (FREE TRIAL)

ManageEngine Log360 is an on-premises system that performs log collection and consolidation, threat hunting, and threat notification. The system gets a threat intelligence feed from ManageEngine, which makes it a next-generation SIEM.

Key Features:

• Comprehensive Log Management: Centralizes and simplifies log data handling for enhanced oversight.
• Data Loss Prevention: Actively guards against data breaches, securing sensitive information.
• Integrated SIEM System: Combines log management with advanced threat detection for improved security posture.
• Behavior Analytics: Analyzes user and entity behaviors to detect anomalies and potential threats.
• Regulatory Compliance: Aids in meeting compliance requirements with detailed reporting features.

Why do we recommend it?

ManageEngine Log360 is a large package of system protection tools. The core of the system is a SIEM tool that relies on a log manager that is also integrated into the bundle. This system also provides data loss prevention, cloud protection, and Active Directory auditing. This is an on-premises system for Windows Server.

The threat intelligence feed is gathered from all over the world. Any new hacker campaign that emerges gets reported to the central pool and ManageEngine packages that into a series of indicators and sends it through to all of the instances of Log360 that are running in the world.

The threat intelligence feed creates prioritized searches. SIEM systems have to constantly search through volumes of data and that task takes time, before all data is examined new records are coming in – they get backed up. The focus on likely attack patterns speeds up threat hunting. This improves its chances of identifying an intruder before any damage or data theft occurs.

The records that the SIEM sorts through are gathered y agent programs that come in the package of Log360. There are agents that will run on all of the major operating systems. There are also agents for cloud platforms, including AWS, Azure, and Salesforce.

The log records include operating system logs in the Windows Events and Syslog formats and also data that is extracted from third-party software. The agents can communicate with more than 700 applications.

The agents send collected log messages to the server where they get converted into a neutral format so that they can be searched and stored together. Storing log data for auditing is a requirement of many data security standards and the Log360 package provides compliance reporting for HIPAA, PCI DSS, FISMA, SOX, GDPR, and GLBA.

ManageEngine Log360 includes all of the key elements of the next-gen definition – log management, threat hunting, UEBA, and triage for deeper scrutiny. This system also implements Security Orchestration, Automation, and Response (SOAR) to coordinate with third-party packages for data collection and threat remediation. The ManageEngine service also helps you to improve the security of user accounts in Active Directory, it logs user activities, discovers sensitive data, provides file integrity monitoring, and also implements compliance reporting for HIPAA, PCI DSS, FISMA, SOX, GDPR, and GLBA.

Who is it recommended for?

This is an extensive system that could provision an entire security operations center. Log360 is too large for a small business but it could be suitable for a single site mid-sized business and there is a multi-site package for very large organizations. Unify protection for on-site and cloud resources.

ManageEngine Log360 runs on Windows Server and it is available for a 30-day free trial.

ManageEngine Log360 Start a 30-day FREE Trial

3. Logpoint (ACCESS FREE DEMO)

Logpoint isn’t as widely used as the top products in our list. However, if the monthly subscription price of Rapid 7 InsightIDR was way out of your league or if you are a small or medium-sized enterprise with relatively low log data volumes, then the metered rate of LogPoint should interest you.

Key Features:

• Dynamic Threat Intelligence: Keeps the system updated with the latest threat information for preemptive security measures.
• Hands-On Data Analysis: Offers tools for detailed manual investigation alongside automated detection for comprehensive coverage.
• Proactive Threat Hunting: Utilizes automation to streamline the identification and mitigation of security threats.
• Behavioral Insights: Employs analytics to understand user and entity behaviors, enhancing anomaly detection.

Why do we recommend it?

Logpoint is a SIEM that uses user and entity behavior analytics to spot anomalous behavior. The threat-hunting function is enhanced by a threat intelligence feed that notifies the SIEM of a current attack campaign, which is particularly useful for spotting new viruses and ransomware. The system implements automated responses.

Logpoint recognizes that many businesses with low data processing volumes aren’t going to be interested in a blanket subscription rate for their Next Generation SIEM. Having said that, this SIEM system is deployed by some very large businesses, including Boeing and Airbus.

The Logpoint pricing structure is calculated on a combination of throughput indicators. These are the number of events per second (EPS) and the amount of data processed per day in gigabytes. The company doesn’t publish its rates for these factors. Instead, you need to contact them for a quote.

The Logpoint SIEM has integrated UEBA and its threat hunting is informed by threat intelligence gathered from incidences experienced by all of its customers. More than the other services on this list, LogPoint facilitates manual investigations as well as implementing automated detection processes.

Who is it recommended for?

The important feature of the cloud-based Logpoint SIEM is its metered charge rate. So, its services are within the budgets of all sizes of businesses. This offers a rare opportunity for small businesses to get the full bells and whistles type of threat detection system that the big corporations enjoy.

There are automated responses built into the LogPoint system and the service includes “integrations” that enable it to interface with other security products both for data exchanges and for threat mitigation actions. You can book a demo to get a look at how Logpoint works.

Logpoint Register for a FREE Demo

4. Exabeam

Exabeam has been producing SIEM systems since 2013. This means that the company isn’t one of the longest-established businesses in the sector. However, that history was long enough to give it a substantial customer base by the time the NextGen movement arose. The company’s specialization in SIEM also gave it a focus that enabled it to concentrate investment on emerging Next-Gen facilities.

Key Features:

• AI-Driven Detection: Leverages artificial intelligence for precise threat identification and response.
• Integrated SOAR: Streamlines incident response with automated workflows and playbooks.
• SkyFormation Intelligence: Enriches threat detection with extensive third-party cloud platform insights.

Why do we recommend it?

Exabeam is a cloud-based SIEM that integrates a log manager. The Exabeam package installs agents on your site and cloud accounts to forward log messages into the integrated Exabeam log manager. This forms the source data for the threat hunting module in the service.

The Exabeam system is a cloud platform – like all of the other products on our list – which makes its delivery a lot simpler than on-premises systems. Customers don’t need to worry about keeping the software up to date because upgrades happen automatically behind the scenes, performed by Exabeam technicians.

Although this is not, strictly speaking, a managed service, the combination of operations staff maintaining the software and the servers that it runs on, expert support advice on-demand, and automated processes within the software means that you don’t need any on-site expertise in order to get a fully operational SIEM system protecting your network.

As it is a cloud-based system, the main performance bottleneck you will experience with Exabeam is your internet connection. All of the log messages generated by your system need to be uploaded to the Exabeam server. For large operations, that can mean a heavy data throughput. However, most business operations these days are heavily reliant on internet connectivity, so keeping your internet connection live and with sufficient capacity is probably already a service priority for your IT team.

Data uploads are managed by an on-site agent program and transmissions are protected by encryption. Upon the server, the Exabeam system receives, consolidates, and indexes all log messages, making throughput statistics available in the system dashboard and compiling live threat data as log messages pass through the cloud-based log server.

Exabeam uses UEBA, so its assessment of baseline activity is different for each customer. It is also able to aggregate its own database of warning signs by pooling the experiences of all of its customers. In 2019, Exabeam bought a company called SkyFormation. That business receives threat detection experience from 30 third-party cloud platforms and uses it to create a CTI database. The SkyFormation threat intelligence supplements the threat indicators collated by Exabeam. This large pool of CTI makes the threat hunting capabilities of Exabeam very powerful.

The fast processing power and large capacity of the Exabeam servers make searching through large volumes of log data very easy. The service deploys triage in its threat hunting strategy, comparing indicators of attack against its established activity baseline for that customer that is constantly adjusted through machine-leaning. When a likely starting point of a threat is identified, this incident is displayed in the dashboard and the focused activity tracking of Exabeam kicks in, looking for the next known action of a typical attack that starts with the detected incident. If that subsequent step is detected, it is also shown in the threat identification screen in the dashboard and the likelihood of an ongoing attack increases.

This staged feedback of Exabeam addresses one of the big problems of the SIEM strategy, which is that reporting on related events that are notified through log messages is a delayed response system. It works on historical data. The threat hunting feature of Exabeam brings that detection method to near-live.

Exabeam also offers Security Orchestration, Automation, and Response (SOAR), which it calls Incident Responder. This will interact with Active Directory, email servers, and firewalls to freeze accounts that seem to have been compromised or block access to communications from suspicious IP addresses.

Exabeam has all of the elements of a successful SIEM but its exception threat intelligence feed pushes it up to number one in our estimation.

Who is it recommended for?

The remarkable feature of Exabeam is its ability to process very large amounts of data very quickly. Therefore, the full capabilities of the system are suitable for use by very large organizations. Mid-sized businesses wouldn’t take advantage of the service’s full capabilities and it is too big for small businesses.

Exabeam combines the experience of the Exabeam SIEM service with the innovative SkyFormation threat intelligence feed. Exabeam users benefit from the threat detection contributions of other Exabeam customers plus that of the user community of more than 30 other security platforms. Exabeam evolved its service from an on-premises SIEM system into a cloud-based security platform that gives its customers fast threat detection and automated responses.

5. LogRhythm

LogRhythm has been producing a SIEM solution since 2003, so the company has deep expertise in the field. Its system is now cloud-based with all of the efficiencies that that implies. It has also acquired UEBA, CTI, and SOAR to make it a Next-Gen SIEM.

Key Features:

• Comprehensive CTI: Incorporates cyber threat intelligence for informed security decision-making.
• UEBA Capabilities: Utilizes analytics to detect unusual behaviors and potential security incidents.
• Advanced NDR: Employs network detection and response strategies for additional threat identification avenues.

Why do we recommend it?

LogRhythm is a very similar system to Exabeam. It is a cloud-based SIEM with an integrated log manager. The service can gather log messages from cloud platforms as well as your sites. The full platform includes a user and entity behavior analytics service for anomaly detection and a network detection and response unit.

LogRhythm includes its own network monitoring module that adds extra detection strategies to the log searches that it conducts. In this service, which LogRhythm terms Network Detection and Response (NDR), the system applies machine-learning to establish a baseline of expected traffic patterns, thus cutting down on false-positive reporting and reducing the volume of data that needs to be uploaded to the LogRhythm server for processing.

LogRhythm calls its platform the XDR Stack – XDR stands for extended detection and response. The layers in this stack are:

AnalytiX – The log searching core of the SIEM.

DetectX – The application of threat intelligence.

RespondX – The SOAR element of the system that shuts down malicious activity.

As well as subscribing to this bundle, customers can choose two add-ons to enhance performance. These are:

User XDR – A UEBA module that pre-filters log messages for upload.

MistNet – A network-based intrusion detection system.

Who is it recommended for?

LogRhythm is a similar service to Exabeam and it is also a suitable service for a large organization that wants to set up a central security operations center. This system is very good at detecting threats on cloud platforms as well as sites and it can interact with third-party security tools for automated responses.

The cutting edge of LogRhythm’s service lies in its SaaS platform. However, you can also get the system to run on your site. This is available as an appliance pre-loaded with the LogRhythm software or as a software package that loads onto Windows Server. You can request a live demo of the cloud service.

6. Rapid7 Insight Platform

Rapid 7’s Insight Platform is a cloud-based SIEM. There are many terms applied to this service, which highlights the confusion over categorizing cyberdefense services. The company calls its service an IDR, which stands for Intrusion Detection and Response. It is also a form of XDR, which stands for Extended Detection and Response – a service that usually evolved out of EDR, which is an advancement on antivirus and stands for Endpoint Detection and Response. There is an EDR element in the Insight IDR package.

Key Features:

• Comprehensive Threat Intel: Accesses a vast threat intelligence feed for preemptive security measures.
• Behavioral Analytics: Utilizes UEBA and ABA to detect anomalies and potential threats based on user and entity behaviors.
• Deception Technology: Implements honeypots and traps to identify attackers by luring them into monitored environments.

Why do we recommend it?

Rapid7 Insight Platform is a high-end SIEM system that comes from the managers of the Metasploit penetration testing tool. The platform includes a vulnerability manager, called InsightVM, and a SIEM tool, which is called InsightIDR. This package gathers event data from endpoints, networks, and cloud platforms.

However, in the interests of simplicity, we will stick with the SIEM classification. In fact, the Insight platform is a Next-Generation SIEM because it includes UEBA and a threat intelligence feed. The Insight Platform includes a number of modules that fit together. However, you only need the InsightIDR service if you just want a NextGen SIEM. The second most interesting service in the Insight Platform that you should also consider is InsightVM, which is a vulnerability manager.

InsightIDR has all of the great features that you expect from a NextGen SIEM. As a cloud service, it includes fast processing power for log management and it also stores the log data for you. The log messages on your system get uploaded to the Rapid 7 servers where a consolidator puts them into a common format and indexes them for rapid searches.

The threat-hunting service in InsightIDR is modified by a UEBA feature. This cuts out false positives by adjusting detection for normal behavior. The threat intelligence feed in the tool contributes to an attacker behavior analytics service. This looks through all log messages for indications of compromise.

A really nice added service in Insight IDR that the service’s main rivals don’t offer is its deception technology. The service can set up traps and honeypots for intruders, that draw the miscreants towards fully monitored fake data stores, making them immediately easy to identify.

Who is it recommended for?

This tool is a good choice for a mid-sized company. The availability of other security systems, such as the vulnerability manager, on the same platform provides the opportunity to source all of your security systems from one provider. The InsightIDR provides automated responses and it can also draw intruders into the open with deception technology.

InsightIDR is a little pricey, starting at $2,157 per month … yes, PER MONTH. That price means that the 30-day free trial of InsightIDR is a very valuable free gift.

7. Trellix Helix

Trellix is one of the leading cybersecurity solution providers and its SIEM service is called the Helix platform. The Trellix Helix platform is a next-generation SIEM service and it includes a threat intelligence feed that constantly adapts its threat-hunting processes in response to evolving attack strategies. As well as UEBA, this service includes lateral movement detection that tracks illogical or abnormal user account activity.

Key Features:

• Advanced Movement Tracking: Monitors for lateral movements to detect unauthorized access and abnormal activities.
• Integrated SOAR: Automates responses to threats, enhancing efficiency and effectiveness.
• Behavioral Insight: Employs UEBA for nuanced detection of anomalies in user and entity behaviors.

Why do we recommend it?

Trellix Helix is a cloud-based system and it is able to interact with third-party tools as well as its own on-site agents. This orchestration works for both threat detection and response options. The platform can even pass threat alerts from one tool into notification systems in another tool.

Like LogPoint, Helix allows a degree of manual intervention. There is more ability in this system to set up your own playbooks and specify precisely how detected incidences should be managed. That means you can feed your own preferences into the automated responses performed by Helix. The screens for the dashboard are also customizable and it is possible to create your own report formats. The system includes automatic tailoring and report formats for standards compliance.

Who is it recommended for?

This is a system that is suitable for large organizations. It will appeal to those businesses that have already invested in on-premises cybersecurity tools but need to enhance them with a centralized threat-hunting service. Automated responses also maximize the value of existing on-premises security tools.

The Helix service includes integrations that allow you to plug in adaptations for data exchange and mitigation actions that coordinate with other security applications. You can take a self-guided tour of the Helix platform.

8. LogSentinel

If you want to know more about a newer, leaner SIEM provider that has taken a great leap forward in the NextGen field, then you should consider LogSentinal. This service excels at log management and rapid searches to bring its SIEM service to the forefront of the market. This company specifically aims its services at middle-sized enterprises.

Key Features:

• Robust Log Management: Specializes in comprehensive management and rapid analysis of log data.
• Web Application Security: Monitors web applications for security breaches and injection attempts.
• SME-Focused: Tailored specifically for the needs and scale of mid-sized businesses.

Why do we recommend it?

LogSentinal is a cloud-based system that includes a log manager and integrates a user and entity behavior analytics system for anomaly-based threat detection. A threat intelligence feed also speeds up threat detection. Fast identification of suspicious behavior triggers a response action that is automatically selected from a library of playbooks.

This SaaS system is hot on logfile integrity monitoring and it includes UEBA and a threat intelligence feed, which mark it out as a NextGen SIEM. Extra services in this plan are phishing scans of emails, VPN log file protection, and video conferencing security.

The LogSentinel service isn’t limited to gathering log files from your site. It also includes a web application and website monitoring system that detects script changes and injection attempts.

Who is it recommended for?

LogSentinal provides a package of security systems, not just its SIEM. It also includes a phishing detection system for emails and protection for video streams. The service includes a compliance manager for GDPR, SOX, and HIPAA, among other standards. This is a good choice fo mid-sized businesses.

LogSentinal offers a free trial of its NextGen SIEM and you can ask them for a guided demo. There is also a version of this cloud-based SIEM for use by managed service providers.