IT rates IBM’s Q1 Labs top SIEM performer

Security information and event management, or SIEM, products can help security and IT professionals make sense of the incredible amounts of data generated by security and network devices. They aggregate and correlate events and logs to provide a more complete picture of network activity. Data sources typically include firewalls; switches and routers; intrusion-detection and intrusion-prevention systems; application, database, identity management, and Web servers; and workstations.

While SIEM tools can be useful for security and IT operations, they have a reputation for complexity, partly because of the many data feeds that get connected to SIEM devices, and partly because of the rules and policies that IT has to configure for the products to provide useful information.

InformationWeek asked 322 business technology professionals who use, have used, or have evaluated SIEM products in the past 12 months to rate them on criteria such as performance and cost, as well as feature-specific criteria such as real-time alerting and log management. Their survey listed 17 vendors; of those, eight received a sufficient number of responses to be rated.

The IT pros rated Q1 Labs, which was acquired by IBM in October, top for overall performance, with a score of 76%. Novell is on Q1’s heels at 75%, and ArcSight, now owned by Hewlett-Packard, is a close third with 74%. Quest Software, Symantec, and Splunk sit in the middle of the pack with scores in the low 70s. NetIQ and Tripwire are at the bottom with scores of 69% and 68%, respectively.

These overall performance ratings are based 10 general criteria, the most important of which is product reliability, according to our survey. Product performance and flexibility in meeting customer needs round out the top three criteria in importance. That reliability topped the list of general criteria isn’t a surprise; SIEM products play a significant role in a company’s security operations, and customers need to be assured the product will function well and consistently.

Respondents rated each vendor on these general performance criteria using a five-point scale. On the product reliability criteria, three vendors scored 4.0: ArcSight, Novell, and Q1. Splunk and Symantec were close behind with 3.9 ratings.

Essential Features

In addition to general performance, respondents rated the importance of 11 features found in SIEM products, such as log management and event correlation. Again using a five-point scale, respondents rated real-time analysis for alerts as the most important feature at 4.3, followed by automated log collection from multiple sources at 4.2. Search and root cause analysis and investigation of archived logs were both rated 4.1 for importance.

Our IT pros also rated vendors based on these 11 features. IBM’s Q1 Labs ranked highest at 84%. Novell scored 81%. ArcSight placed third at 77%. The features-based ranking showed the largest spread among vendors, a 13-point difference between Q1 Labs and Tripwire, which was rated 71%.


This report breaks out each vendor’s mean average score for various SIEM features (see chart below)

How Vendors Stack Up


Full article available from: