Next-Gen SIEMs use machine learning and other AI-based techniques to cut down detection time for malicious activity. One such technique is User and Entity Behavior Analytics (UEBA), which watches all activity on a system to work out what counts as “normal behavior.” Deviations from that baseline raise alarms. The strategy uses a triage method to focus on potential threats for deeper tracking. Onboard improvements in detection methods speed up the first identification of a zero-day attack. That threat information gets uploaded immediately to the threat intelligence pool and downloaded by other Next Generation SIEMs around the world for immediate action.
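To make the baselining and triage idea concrete, here is an added Python example; it is not code from this article or from any SIEM vendor. It builds a per-user profile (hours seen, hosts seen, and daily login volume) from a constructed seven-day training window, scores a new day's events against that profile, and raises the scrutiny level of any entity whose score crosses a threshold. The scoring weights, the volume band and the threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training window: (day, user, host, hour) login events over seven days.
# alice works from one workstation in office hours; bob also touches a file server.
TRAINING = []
for day in range(1, 8):
    for hour in (8, 9, 13):
        TRAINING.append((day, "alice", "ws-alice", hour))
    for hour in (9, 10, 17):
        TRAINING.append((day, "bob", "ws-bob", hour))
    TRAINING.append((day, "bob", "file-srv", 11))

# Constructed events for the day being scored (day 8).
TODAY = [
    (8, "alice", "ws-alice", 9),   # usual host, usual hour
    (8, "alice", "db-01", 3),      # never-seen host at 03:00
    (8, "bob", "ws-bob", 10),
    (8, "bob", "file-srv", 11),
    (8, "carol", "ws-carol", 9),   # no baseline exists for this user
]


def build_baseline(events):
    """Per-user profile: hours and hosts seen, plus mean/stdev of daily login count."""
    hours = defaultdict(set)
    hosts = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))
    for day, user, host, hour in events:
        hours[user].add(hour)
        hosts[user].add(host)
        per_day[user][day] += 1
    profile = {}
    for user in hours:
        counts = list(per_day[user].values())
        profile[user] = {
            "hours": hours[user],
            "hosts": hosts[user],
            "daily_mean": mean(counts),
            "daily_std": pstdev(counts),
        }
    return profile


def score_user(profile, user, events):
    """Score one user's events for a day against the baseline; return (score, reasons)."""
    if user not in profile:
        return 3, ["no baseline for this entity"]
    p = profile[user]
    score, reasons = 0, []
    for _, _, host, hour in events:
        if hour not in p["hours"]:
            score += 1  # assumed weight for an unusual hour
            reasons.append(f"login at hour {hour:02d} outside baseline hours")
        if host not in p["hosts"]:
            score += 2  # assumed weight for a never-seen host
            reasons.append(f"first login to {host}")
    # Volume check: a floor on the stdev avoids a zero-width band when training days are identical.
    limit = p["daily_mean"] + 3 * max(p["daily_std"], 0.5)
    if len(events) > limit:
        score += 1
        reasons.append(f"{len(events)} logins vs. usual {p['daily_mean']:.1f}")
    return score, reasons


def triage(profile, events, threshold=2):
    """Group events by user, score each user, and mark who gets deeper tracking."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    verdicts = {}
    for user, evs in by_user.items():
        score, reasons = score_user(profile, user, evs)
        verdicts[user] = {
            "score": score,
            "reasons": reasons,
            "scrutiny": "elevated" if score >= threshold else "normal",
        }
    return verdicts


if __name__ == "__main__":
    baseline = build_baseline(TRAINING)
    for user, v in triage(baseline, TODAY).items():
        print(f"{user:6} score={v['score']} scrutiny={v['scrutiny']} {v['reasons']}")
```

With this input, alice is escalated for a 03:00 login to a host she has never used, carol is escalated because no baseline exists for her yet, and bob stays at normal scrutiny. A real UEBA engine learns far more dimensions than three, but the shape is the same: profile per entity, score deviations, and spend analyst attention only on the entities that stand out.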

Here is our list of the seven best Next-Gen SIEMs:

  • ManageEngine Log360 EDITOR’S CHOICE This on-premises package integrates a threat intelligence feed, which adds next-gen capabilities to this effective threat detection system. Runs on Windows Server. Start a 30-day free trial.
  • Logpoint (GET FREE DEMO) A cloud-based metered log processing SIEM with UEBA and a CTI feed. Access the free demo.
  • Exabeam This enhanced its SIEM system with in-house developed UEBA and the acquisition of SkyFormation, which collects third-party security event data from cloud platforms and creates a CTI from it. This is a cloud-based service.
  • LogRhythm A leading SIEM since 2003, this system has moved to the cloud and gone Next-Gen. You can also get this SIEM as an appliance or as software for installation on Windows Server.
  • Rapid7 Insight Platform Classed as an XDR, this cloud platform has all of the elements of a next-gen SIEM.
  • FireEye Helix A security operations platform that includes SIEM, UEBA, and threat intelligence. This is a cloud-based system.
  • LogSentinel One of the smaller players in the market, this cloud-based next-gen SIEM is strong on standards compliance.

Given the realities of developing and marketing a Next-Gen SIEM, it should come as no surprise that the best Next-Gen SIEMs all come from big-name cybersecurity brands. Cloud-based SIEMs offer the fastest distribution of threat intelligence and also include the server time needed to process large volumes of log data.

The Best Next-Gen SIEMs

Getting a good Next-Gen SIEM is a time-consuming task. The key elements that make a SIEM “Next-Gen” are its threat intelligence pool and UEBA. However, how do you know whether each implementation is any good? Any software company can put together a central notification system, but its power is entirely reliant on the service’s accessibility and the size of its contributing community.

Although there are vendor-neutral open standards for cyber threat intelligence (CTI), non-proprietary databases find it difficult to get off the ground. The major SIEM providers make sure to provide a CTI for their NextGen tools and more or less hard code the CTI access into their service. So, CTI selection is a little tribal and it means that, on balance, the big players in the cybersecurity industry have the edge.

Our methodology for selecting next-gen SIEM systems

We reviewed the market for next-generation SIEM packages and analyzed the options based on the following criteria:

  • A log collection and consolidation service to form a data pool for threat hunting
  • A feed of live network activity
  • User and Entity Behavior Analytics (UEBA) for activity baselining
  • Anomaly detection
  • Increased scrutiny of a suspicious entity (triage)
  • A free trial or a demo package for a pre-purchase no-obligation assessment
  • Value for money from a SIEM that simultaneously provides a log manager

If you don’t have time to fully research the entire Next Generation SIEM sector, go for the big names that evolved from rock-solid SIEMs. The well-established security software providers have invested very large budgets in the development of UEBA. Although often, great leaps forward in technology are driven by innovative entrants in the market, UEBA required a great deal of cash to develop and only the major, established brands could afford that outlay.

1. ManageEngine Log360 (FREE TRIAL)

ManageEngine Log360 is an on-premises system that performs log collection and consolidation, threat hunting, and threat notification. The system gets a threat intelligence feed from ManageEngine, which makes it a next-generation SIEM.

Key Features:

  • Log management
  • Data loss prevention
  • SIEM
  • User and Entity Behavior Analytics
  • Compliance reporting

The threat intelligence feed is gathered from all over the world. Any new hacker campaign that emerges gets reported to the central pool and ManageEngine packages that into a series of indicators and sends it through to all of the instances of Log360 that are running in the world.

The threat intelligence feed creates prioritized searches. SIEM systems have to search constantly through large volumes of data, and that takes time: new records arrive before all of the existing data has been examined, so a backlog builds up. The focus on likely attack patterns speeds up threat hunting. This improves its chances of identifying an intruder before any damage or data theft occurs.

The records that the SIEM sorts through are gathered by agent programs that come in the package of Log360. There are agents that will run on all of the major operating systems. There are also agents for cloud platforms, including AWS, Azure, and Salesforce.

The log records include operating system logs in the Windows Events and Syslog formats and also data that is extracted from third-party software. The agents can communicate with more than 700 applications.

The agents send collected log messages to the server where they get converted into a neutral format so that they can be searched and stored together. Storing log data for auditing is a requirement of many data security standards and the Log360 package provides compliance reporting for HIPAA, PCI DSS, FISMA, SOX, GDPR, and GLBA.
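Converting log messages into a neutral format so that they can be searched together is the part of this pipeline that is easiest to show in code. The following Python is an added example, not ManageEngine's code or format: it parses two sources, syslog lines from an SSH daemon and Windows Security logon events written as key=value pairs, into one common record schema and then runs a single search across both. The sample lines are constructed, the key=value export layout is an assumption, and a year is assumed for the syslog timestamps, which carry none.

```python
import re
from datetime import datetime

# Assumption: syslog lines carry no year, so one is supplied during normalization.
SYSLOG_YEAR = 2024

# Constructed sample lines: two syslog entries from sshd and two Windows Security
# logon events exported as key=value pairs (a constructed export layout).
SAMPLE_LINES = [
    "Mar 10 14:22:01 web-01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 52311 ssh2",
    "Mar 10 14:22:09 web-01 sshd[2240]: Accepted publickey for deploy from 198.51.100.4 port 40122 ssh2",
    "TimeCreated=2024-03-10T14:22:05Z Computer=DC-01 EventID=4625 TargetUserName=admin IpAddress=203.0.113.7",
    "TimeCreated=2024-03-10T14:23:40Z Computer=DC-01 EventID=4624 TargetUserName=jsmith IpAddress=10.0.0.23",
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)
SSH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
# Windows logon event IDs: 4624 is a successful logon, 4625 a failed one.
WIN_OUTCOME = {"4624": "success", "4625": "failure"}


def parse_syslog(line):
    """Syslog + sshd auth message -> common record, or None if it is not one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ssh = SSH_RE.match(m["msg"])
    if not ssh:
        return None  # only sshd authentication messages are modelled here
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts.isoformat(),
        "host": m["host"],
        "source": "syslog:" + m["app"],
        "user": ssh["user"],
        "src_ip": ssh["ip"],
        "outcome": "failure" if ssh["outcome"] == "Failed" else "success",
        "raw": line,
    }


def parse_winevent(line):
    """key=value Windows logon event -> common record, or None."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    if fields.get("EventID") not in WIN_OUTCOME or "TimeCreated" not in fields:
        return None
    ts = datetime.strptime(fields["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "ts": ts.isoformat(),
        "host": fields["Computer"],
        "source": "winevent:" + fields["EventID"],
        "user": fields.get("TargetUserName"),
        "src_ip": fields.get("IpAddress"),
        "outcome": WIN_OUTCOME[fields["EventID"]],
        "raw": line,
    }


def normalize(line):
    """Try each parser in turn; return a common-schema record or None."""
    for parser in (parse_syslog, parse_winevent):
        record = parser(line)
        if record:
            return record
    return None


def search(records, **filters):
    """Filter normalized records on any schema field, e.g. search(recs, outcome='failure')."""
    return [r for r in records if all(r.get(k) == v for k, v in filters.items())]


if __name__ == "__main__":
    records = [r for r in map(normalize, SAMPLE_LINES) if r]
    for hit in search(records, src_ip="203.0.113.7", outcome="failure"):
        print(hit["ts"], hit["host"], hit["source"], hit["user"])
```

Once both sources share one schema, a question such as “which hosts saw failed logons from this address?” becomes a single filter rather than two format-specific searches, which is exactly what the consolidation step buys. The `raw` field keeps the original line so that audit and compliance reporting can still show what was actually received.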

ManageEngine Log360 runs on Windows Server and it is available for a 30-day free trial.

Pros:

  • Great dashboard visualizations, ideal for NOCs and MSPs
  • Can integrate multiple threat data streams into the platform
  • Offers robust searching of logs for live and historical event analysis
  • Provides monitoring cross-platform for Windows, Linux, and Unix systems
  • Can monitor configuration changes, preventing privilege escalation

Cons:

  • ManageEngine offers a suite of advanced services and features that can take time to explore and test out

EDITOR’S CHOICE

ManageEngine Log360 is our top pick for a next-gen SIEM because this package includes all of the key elements of the next-gen definition – log management, threat hunting, UEBA, and triage for deeper scrutiny. This system also implements Security Orchestration, Automation, and Response (SOAR) to coordinate with third-party packages for data collection and threat remediation. The ManageEngine service also helps you to improve the security of user accounts in Active Directory; it logs user activities, discovers sensitive data, provides file integrity monitoring, and also implements compliance reporting for HIPAA, PCI DSS, FISMA, SOX, GDPR, and GLBA.

Download: Get a 30-day free trial

Official Site: https://www.manageengine.com/log-management/download.html

OS: Windows Server

2. Logpoint (ACCESS FREE DEMO)

Logpoint isn’t as widely used as the top products in our list. However, if the monthly subscription price of Rapid7 InsightIDR was way out of your league, or if you are a small or medium-sized enterprise with relatively low log data volumes, then the metered rate of Logpoint should interest you.

Key Features:

  • Threat intelligence feed
  • Manual data analysis tools
  • Automated threat hunting
  • User and Entity Behavior Analytics

Logpoint recognizes that many businesses with low data processing volumes aren’t going to be interested in a blanket subscription rate for their Next Generation SIEM. Having said that, this SIEM system is deployed by some very large businesses, including Boeing and Airbus.

The Logpoint pricing structure is calculated on a combination of throughput indicators. These are the number of events per second (EPS) and the amount of data processed per day in gigabytes. The company doesn’t publish its rates for these factors. Instead, you need to contact them for a quote.

The Logpoint SIEM has integrated UEBA and its threat hunting is informed by threat intelligence gathered from incidents experienced by all of its customers. More than the other services on this list, Logpoint facilitates manual investigations as well as implementing automated detection processes.

There are automated responses built into the Logpoint system and the service includes “integrations” that enable it to interface with other security products both for data exchanges and for threat mitigation actions. You can book a demo to get a look at how Logpoint works.

Pros:

  • Offers a flexible metered rate – great for strict budgets
  • Minimalistic interface – easy to navigate and learn
  • Supports a wide range of integrations
  • Supports both automated and manual remediation

Cons:

  • Better suited for enterprises


3. Exabeam

Exabeam has been producing SIEM systems since 2013. This means that the company isn’t one of the longest-established businesses in the sector. However, that history was long enough to give it a substantial customer base by the time the NextGen movement arose. The company’s specialization in SIEM also gave it a focus that enabled it to concentrate investment on emerging Next-Gen facilities.

Key Features:

  • AI-based threat detection
  • SOAR
  • SkyFormation threat intelligence

The Exabeam system is a cloud platform – like all of the other products on our list – which makes its delivery a lot simpler than on-premises systems. Customers don’t need to worry about keeping the software up to date because upgrades happen automatically behind the scenes, performed by Exabeam technicians.

Although this is not, strictly speaking, a managed service, the combination of operations staff maintaining the software and the servers that it runs on, expert support advice on-demand, and automated processes within the software means that you don’t need any on-site expertise in order to get a fully operational SIEM system protecting your network.

As it is a cloud-based system, the main performance bottleneck you will experience with Exabeam is your internet connection. All of the log messages generated by your system need to be uploaded to the Exabeam server. For large operations, that can mean a heavy data throughput. However, most business operations these days are heavily reliant on internet connectivity, so keeping your internet connection live and with sufficient capacity is probably already a service priority for your IT team.

Data uploads are managed by an on-site agent program and transmissions are protected by encryption. Upon the server, the Exabeam system receives, consolidates, and indexes all log messages, making throughput statistics available in the system dashboard and compiling live threat data as log messages pass through the cloud-based log server.

Exabeam uses UEBA, so its assessment of baseline activity is different for each customer. It is also able to aggregate its own database of warning signs by pooling the experiences of all of its customers. In 2019, Exabeam bought a company called SkyFormation. That business receives threat detection experience from 30 third-party cloud platforms and uses it to create a CTI database. The SkyFormation threat intelligence supplements the threat indicators collated by Exabeam. This large pool of CTI makes the threat hunting capabilities of Exabeam very powerful.

The fast processing power and large capacity of the Exabeam servers make searching through large volumes of log data very easy. The service deploys triage in its threat hunting strategy, comparing indicators of attack against that customer’s established activity baseline, which is constantly adjusted through machine learning. When a likely starting point of a threat is identified, this incident is displayed in the dashboard and the focused activity tracking of Exabeam kicks in, looking for the next known action of a typical attack that starts with the detected incident. If that subsequent step is detected, it is also shown in the threat identification screen in the dashboard and the likelihood of an ongoing attack increases.

This staged feedback of Exabeam addresses one of the big problems of the SIEM strategy, which is that reporting on related events that are notified through log messages is a delayed response system. It works on historical data. The threat hunting feature of Exabeam brings that detection method to near-live.
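The staged tracking described above can be modelled as a small state machine per entity. The Python below is an added example and not Exabeam’s implementation: the attack chain, its confidence weights and the one-hour window allowed between stages are assumptions, and the indicator stream is constructed. An incident opens when the chain’s first indicator is seen, gains confidence only when the next expected step arrives within the window, and is closed when the window elapses without it.

```python
# Constructed attack chain (hypothetical, not any vendor's model): each stage names the
# indicator expected next and the confidence an incident reaches once that stage is seen.
CHAIN = [
    ("auth_failure_burst", 0.3),   # many failed logons from one source
    ("auth_success", 0.6),         # then a successful logon from the same source
    ("new_admin_member", 0.85),    # then an account added to an admin group
    ("outbound_to_new_ip", 1.0),   # then traffic to a never-seen destination
]
WINDOW_SECONDS = 3600  # assumption: each stage must follow the previous one within an hour

# Constructed indicator stream: (timestamp_seconds, entity, indicator).
EVENTS = [
    (0, "203.0.113.7", "auth_failure_burst"),
    (120, "203.0.113.7", "auth_success"),
    (900, "203.0.113.7", "new_admin_member"),
    (200, "198.51.100.4", "auth_success"),    # success with no preceding burst: ignored
    (0, "192.0.2.9", "auth_failure_burst"),
    (7200, "192.0.2.9", "auth_success"),      # right step, but outside the window
]


def track(events, chain=CHAIN, window=WINDOW_SECONDS):
    """Walk indicators in time order, keeping one incident state per entity.

    Returns (active, closed): open incidents keyed by entity, and a list of
    incidents that timed out before the chain was completed.
    """
    active = {}
    closed = []
    for ts, entity, indicator in sorted(events):
        state = active.get(entity)
        # Expire an incident whose next stage did not arrive in time.
        if state and ts - state["last_ts"] > window:
            closed.append(active.pop(entity))
            state = None
        if state is None:
            # Only the first indicator of the chain can open a new incident.
            if indicator == chain[0][0]:
                active[entity] = {
                    "entity": entity,
                    "stage": 1,                  # index of the next expected step
                    "confidence": chain[0][1],
                    "last_ts": ts,
                    "steps": [indicator],
                }
            continue
        nxt = state["stage"]
        # Advance only on the exact next expected indicator; anything else is noise here.
        if nxt < len(chain) and indicator == chain[nxt][0]:
            state["confidence"] = chain[nxt][1]
            state["stage"] = nxt + 1
            state["last_ts"] = ts
            state["steps"].append(indicator)
    return active, closed


def ranked(active):
    """Open incidents, highest confidence first, as a dashboard would list them."""
    return sorted(active.values(), key=lambda s: s["confidence"], reverse=True)


if __name__ == "__main__":
    active, closed = track(EVENTS)
    for inc in ranked(active):
        print(f"{inc['entity']:14} confidence={inc['confidence']:.2f} steps={inc['steps']}")
    for inc in closed:
        print(f"{inc['entity']:14} expired after stage {inc['stage']}")
```

On this input the 203.0.113.7 incident reaches three stages and a confidence of 0.85, the lone success from 198.51.100.4 never opens an incident because no first-stage indicator preceded it, and the 192.0.2.9 incident expires before its second stage. Ordering by timestamp before processing is what lets the tracker work on data that arrives slightly out of order, which is the normal case for log collection.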

Exabeam also offers Security Orchestration, Automation, and Response (SOAR), which it calls Incident Responder. This will interact with Active Directory, email servers, and firewalls to freeze accounts that seem to have been compromised or block access to communications from suspicious IP addresses.

Exabeam has all of the elements of a successful SIEM but its exceptional threat intelligence feed pushes it up to number one in our estimation.

Exabeam combines the experience of the Exabeam SIEM service with the innovative SkyFormation threat intelligence feed. Exabeam users benefit from the threat detection contributions of other Exabeam customers plus that of the user community of more than 30 other security platforms. Exabeam evolved its service from an on-premises SIEM system into a cloud-based security platform that gives its customers fast threat detection and automated responses.

Pros:

  • Supports incident response workflows, playbooks, and automation
  • Offers useful query features for filtering large datasets
  • Can be used for compliance reporting and internal audits for HIPAA, PCI DSS, etc.

Cons:

  • Lacks live network monitoring capabilities
  • Wasn’t initially designed as a SIEM tool

4. LogRhythm

LogRhythm has been producing a SIEM solution since 2003, so the company has deep expertise in the field. Its system is now cloud-based with all of the efficiencies that that implies. It has also acquired UEBA, CTI, and SOAR to make it a Next-Gen SIEM.

Key Features:

  • Cyberthreat intelligence (CTI)
  • User and Entity Behavior Analytics
  • Network Detection and Response (NDR)

LogRhythm includes its own network monitoring module that adds extra detection strategies to the log searches that it conducts. In this service, which LogRhythm terms Network Detection and Response (NDR), the system applies machine-learning to establish a baseline of expected traffic patterns, thus cutting down on false-positive reporting and reducing the volume of data that needs to be uploaded to the LogRhythm server for processing.

LogRhythm calls its platform the XDR Stack – XDR stands for extended detection and response. The layers in this stack are:

  • AnalytiX – The log searching core of the SIEM.
  • DetectX – The application of threat intelligence.
  • RespondX – The SOAR element of the system that shuts down malicious activity.

As well as subscribing to this bundle, customers can choose two add-ons to enhance performance. These are:

  • User XDR – A UEBA module that pre-filters log messages for upload.
  • MistNet – A network-based intrusion detection system.

The cutting edge of LogRhythm’s service lies in its SaaS platform. However, you can also get the system to run on your site. This is available as an appliance pre-loaded with the LogRhythm software or as a software package that loads onto Windows Server. You can request a live demo of the cloud service.

Pros:

  • Uses simple wizards to set up log collection and other security tasks, making it a more beginner-friendly tool
  • Sleek interface, highly customizable, and visually appealing
  • Leverages artificial intelligence and machine learning for behavior analysis
  • Does an excellent job at live data processing

Cons:

  • Would like to see a trial option
  • Data correlation could use improvement

5. Rapid7 Insight Platform

Rapid7’s Insight Platform is a cloud-based SIEM. There are many terms applied to this service, which highlights the confusion over categorizing cyberdefense services. The company calls its service an IDR, which stands for Intrusion Detection and Response. It is also a form of XDR, which stands for Extended Detection and Response – a service that usually evolved out of EDR, which is an advancement on antivirus and stands for Endpoint Detection and Response. There is an EDR element in the InsightIDR package.

Key Features:

  • Threat intelligence feed
  • User and Entity Behavior Analytics
  • Attacker Behavior Analytics

However, in the interests of simplicity, we will stick with the SIEM classification. In fact, the Insight platform is a Next-Generation SIEM because it includes UEBA and a threat intelligence feed. The Insight Platform includes a number of modules that fit together. However, you only need the InsightIDR service if you just want a NextGen SIEM. The second most interesting service in the Insight Platform that you should also consider is InsightVM, which is a vulnerability manager.

InsightIDR has all of the great features that you expect from a NextGen SIEM. As a cloud service, it includes fast processing power for log management and it also stores the log data for you. The log messages on your system get uploaded to the Rapid7 servers where a consolidator puts them into a common format and indexes them for rapid searches.

The threat hunting service in InsightIDR is modified by a UEBA feature. This cuts out false positives by adjusting detection for normal behavior. The threat intelligence feed in the tool contributes to an attacker behavior analytics service. This looks through all log messages for indications of compromise.

A really nice added service in InsightIDR that the service’s main rivals don’t offer is its deception technology. The service can set up traps and honeypots for intruders that draw the miscreants towards fully monitored fake data stores, making them immediately easy to identify.

InsightIDR is a little pricey, starting at $2,157 per month … yes, PER MONTH. That price means that the 30-day free trial of InsightIDR is a very valuable free gift.

Pros:

  • Both an XDR and a SIEM
  • Deception features to draw intruders out into the open
  • Network traffic analysis
  • Automated incident response

Cons:

  • One of the most expensive SIEMs on the market

6. FireEye Helix

FireEye is one of the leading cybersecurity solution providers and its SIEM service is called the Helix platform. The FireEye Helix platform is a next-generation SIEM service and it includes a threat intelligence feed that constantly adapts its threat hunting processes in response to evolving attack strategies. As well as UEBA, this service includes lateral movement detection that tracks illogical or abnormal user account activity.

Key Features:

  • Lateral movement detection
  • SOAR
  • User and Entity Behavior Analytics

Like Logpoint, Helix allows a degree of manual intervention. There is more ability in this system to set up your own playbooks and specify precisely how detected incidents should be managed. That means you can feed your own preferences into the automated responses performed by Helix. The screens for the dashboard are also customizable and it is possible to create your own report formats. The system includes automatic tailoring and report formats for standards compliance.

The Helix service includes integrations that allow you to plug in adaptations for data exchange and mitigation actions that coordinate with other security applications. You can take a self-guided tour of the Helix platform.

Pros:

  • Great interface, the dark theme is great for long-term monitoring in NOCs
  • Subscription model keeps your database updated with the most recent threats and bad actors
  • Provides insights for remediation and preventive actions based on recent events
  • Playbooks offer remediation workflows to automatically fix issues

Cons:

  • Configuration can be challenging
  • Reporting can be cumbersome and difficult to customize

7. LogSentinel

If you want to know more about a newer, leaner SIEM provider that has taken a great leap forward in the NextGen field, then you should consider LogSentinel. This service excels at log management and rapid searches to bring its SIEM service to the forefront of the market. This company specifically aims its services at middle-sized enterprises.

Key Features:

  • Strong log management
  • Web application monitoring
  • Aimed at mid-sized companies

This SaaS system is hot on logfile integrity monitoring and it includes UEBA and a threat intelligence feed, which mark it out as a NextGen SIEM. Extra services in this plan are phishing scans of emails, VPN log file protection, and video conferencing security.

The LogSentinel service isn’t limited to gathering log files from your site. It also includes a web application and website monitoring system that detects script changes and injection attempts.

LogSentinel offers a free trial of its NextGen SIEM and you can ask them for a guided demo. There is also a version of this cloud-based SIEM for use by managed service providers.

Pros:

  • Great interface – simple and intuitive admin dashboard
  • Offers additional services such as anti-phishing and threat intelligence insights
  • Excellent real-time alerts and reporting

Cons:

  • Best for medium to large networks
  • Can take time to fully explore the entire platform