HI @non-expert
Well I have experienced pre-SIEM situations - watching dropped packets on firewall logs via syslog and analysing the results and analysiing raw syslogs.
Other systems I have dealt with are:
IBM Tivoli Security Information Manager (TSIM) - now redundant and replaced with TSIEM (Tivoli Security Information Event Manager (once again now replaced with Q1Labs, which then became QRadar - which is the current SIEM within my organisation, along with IBM Watson, Vulnerability Manager, Risk Manager, Forensics etc and now it is available via the Cloud in form of QRoC.
How well does your chosen SIEM integrate with other 100's of other vendors or are they proprietary and locked in, this is a key question to ask of Vendors. Plus how much it costs to produce new integration's, if you need them or are they readily available?
In between I have dealt with netForensics, which then was acquisition-ed and became Black Stratus.
Lots of organisations simply love "Splunk" and its capabilities until you want more storage and the subscription fees hot up significantly.
Some organisations are completely sold on McAfee Orchestrator or Cisco Prime or Meracki solutions, with cloud interfaces.
Other like AlienVault and many others.
However, you really need to know exactly what you are collecting, with valid Use Cases, because a human being cannot be expected to deal with 50,000 security events incoming without encountering literally 1,000's of noisy events, which may be spurious and of not value at all. Or they will not be able to Detect, Identify or Respond to relevant events, which may mean the difference between "panic" mode or "controlled" incident handling and lots of cleaning up afterwards, which can be extremely costly.
Regards
Caute_cautim
