Continuing with the SIEM posts we have done at Infosecnirvana, this post is a Head to head comparison of the two Industry leading SIEM products in the market – HP ArcSight and IBM QRadar.
Both the products have consistently been in the Gartner Leaders Quadrant. Both HP and IBM took over niche SIEM players and have made themselves relevant in the SIEM market.
We have worked on both the products and feel that this comparison is a good way to start the discussion rolling on features of both the products and how they approach the problem of Security Information & Event Management.
Okay, let’s get started!!!
ArcSight vs QRadar
| Subject | ArcSight | QRadar |
| Product Birth | Year 2000, ArcSight SIEM came into the market and incidentally this was the only product they have worked on. In 2011 HP bought them | Year 2004-2005, Q1 Labs entered into the SIEM market modifying their NBAD platform (QFLOW) and in 2012, IBM bought them. |
| Logging Format | CEF – Common Event Format | LEEF – Log Event Extended Format |
| Underlying DB | Oracle till 2012, then combination of MySQL, PSQL etc. | Proprietary based on Ariel Data store and probably Annotation Query Language (AQL) |
| Vendor Support | ArcSight supports more than 400 vendors with their CEF certification program | QRadar supports more than 250 vendors with their LEEF certification program |
| Portfolio | Log Correlation – HP ArcSight ESM Log Management – HP ArcSight Logger Identity Correlation – HP Identity View Intelligence Feeds – HPRepSM Threat Detection – HP ArcSight Threat Detector Response and Action – HP ArcSight TRM | Log Correlation – IBM QRadar Console Log Management – IBM QRadar Log Manager Network Forensics – IBM QRadar NBAD (using QFlow) Intelligence Feeds – IBM X-Force Vulnerability Management – IBM QRadar VM (with dedicated Scanner)Response and Action – IBM QRadar Incident Forensics for Response only |
| Identity monitoring | ArcSight has a separate feature called IdentityView (separate license) to provide the identity perspective of events occurring in ArcSight. It integrates with Identity solutions (AD, Oracle) to keep track of user activity regardless of the account being used. It assigns risk scores to users based on their activity, and can graphically represent this activity and compare it to others with similar roles. | QRadar does not have the capability similar to Identity View, however, it does integrate with Identity solution to provide user information in the offenses created. |
| Network Behavioral Analysis | ArcSight does not natively collect flow data however, it can obtain Netflow data from other devices such as routers, etc. The Netflow data provides visibility only up to layer 4 (no application visibility) | QRadar due to its origin as a NBAD product has powerful Network Behavioral Analysis (NBAD) capability through its QFlow appliance (Network Flows data including Layer 7 flows, Jflow, Netflow, SFlow, and Packeteer’s Flow Data Records can be collected and processed). This would allow us to review application and network flows and assess it for anomalous traffic, persistent threats etc. |
| Vulnerability Management | ArcSight can integrate with Vulnerability scanners and gather Scan reports for correlating vulnerability information with the security events collected. However, it is more of a data aggregator in the case of VM tools. | QRadar has a Vulnerability Management product (QVM). This has all the features comparable to ArcSight, however, IBM has upped the ante in this space by including a Scanner in the product that can actively scan hosts if enabled with QVM license. This provides security analysts to gather real time information if they choose to from the same SIEM console. |
| Dynamic Risk Management | ArcSight does not have any risk management capabilities. However, it can integrate with commercial risk management products to provide basic correlation | QRadar has a Risk Manager (QRM) product that collects Network configuration information and provides a risk modeling capability to assist in understanding the extent of impact of a configuration change in the network. This is akin to Skybox, Algosec or RedSeal and perform in similar capacity |
| Log Collection | Agent Less - Using Connector Appliance. Logger Appliance can also serve as Log receivers Agent Based – Software Install on Servers for all types of log collection | Agent Less – Any QRadar Appliance, Console, All-in-One Combo boxes, Event Collector etc. can collect Logs remotely Agent Based – Connector software available for Windows. For others, Agentless is the only option. Flow Collection – By default any appliance can collect flow data, however, dedicated Flow Collectors are an option in QRadar. |
| Log Management | Separate Log Management Software, Appliance which is different from the ESM appliance. They have a Express version which combines both but in general HP Logger fills the space of a dedicated Log Management appliance | Same software, same appliance can behave as all in one SIEM + Log Manager or dedicated Log Manager or SIEM depending on License added. There is no distinct product differentiation as in ArcSight family. |
| Event Transmission | Events from the source are sent in clear text to the SmartConnectors, however, all further upstream communication happens encrypted. Compression and Aggregation can also be employed in the ArcSight ecosystem from the connectors onwards. | Events from the source are sent in clear text, however, communication between QRadar Appliances happen using encrypted SSH tunnels. However, compression happens on Appliance at event storage level and does not happen in event transit. |
| Handling EPS bursts | ArcSight uses large buffers to cache events in case of an EPS burst. Once the buffer is filled, the Queue starts to fill. Once the queue overflows, events get dropped. But the burst EPS can be sustained for longer periods of time compared to QRadar. | In QRadar, Each event type has a memory buffer, once the EPS exceed the licensed level and the buffer is filled, all new events are queued and processed on a best effort basis. However, this burst EPS is not sustainable for longer periods of time as with ArcSight. So even though it can take burst EPS during times of attack, it is not sustainable. |
| Filtering | ArcSight provides the ability to filter or modify events at the collection and logging level to eliminate the events that are not of security value. This can be as close to event source as possible using SmartConnectors | QRadar provides capability to filter using Routing rules. However, for field based filtering (where only one field from the log needs to be omitted during parsing) can’t be done in QRadar. |
| Aggregation | Log Aggregation can be done based on any field combination. This is really useful when it comes to toning down on the high volume logs of network firewalls and proxies etc. | Log Aggregation or Coalescing in QRadar terminology happens at the event collection layer based on the source IP and user only and not on customizable field combinations |
| Data obfuscation | ArcSight allows for obfuscating any field at the log collection level using SmartConnectors. This is very powerful when monitoring confidential data in logs. | QRadar does provide Obfuscation abilities using a custom Regex Based, Key Based Obfuscation config. This will allow for encrypting a field, based on the Regex Match when event is processed. |
| Custom Log Collection | Require development of customized configuration files. However, ArcSight Flex Connector SDK is a very powerful tool to build custom connectors and parsers. Also, the ArcSight community shares knowledge about custom connectors and hence more help available in case you want to develop on your own. | QRadar has two parts of custom log collection capability. For supported logs or generic logs, it can update/develop parsers using the “Extract Custom Property” feature. However, if a new log source is to be integrated, then it is through customized configuration files which is much harder to create, test and maintain. Also, help to develop on your own is scarce so Professional services is mandatory. |
| Scalability | ArcSight is really scalable such that it can support multi-tier Correlation Engines, multi-tier Loggers, and Connectors etc. and also have effective peering. | QRadar scales very well horizontally at the Log Collection layer, however at the Correlation layer it does not scale as well as ArcSight. This is a challenge in large and distributed environments. |
| High Availability | One of the long standing issues of ArcSight is HA. It does not have a true HA capability. It supports fail-over routing at the Collection layer but does not have any thing at the correlation layer. | QRadar has the most simple to setup HA configuration ever. This allows sync of two Appliances in true HA style. |
| Multi-Tenancy | ArcSight has always been one of the leading SIEM solutions for MSSP vendors. The main reason being the ability of the product to delineate events based on customers so that monitoring can be efficiently performed in a MSSP environment. It maps IP addresses to customer names and network zones to avoid overlap. | QRadar did not have the feature until recently (I think v7.2 and above) and was one of the reasons it had very poor Multi-Tenancy support. However, the new feature with “Domain” based categorization provides ability to support MSSP environments. Maturity is yet to be achieved but it’s a step in the right direction. |
| Out-of-the-box use cases | ArcSight’s out-of-the-box use cases are very light compared to and only include limited Multi-Device/Event correlation use cases. | QRadar comes with a comprehensive set of basic out-of-the-box use cases for various threat types such as malware, recon, dos, authentication and access control, etc. Also, several of these use cases are Multi-Device/Event types. |
| Customizable dashboards and reports | ArcSight reporting system includes over 350 standard report templates that address common compliance and risk requirements. The report design system is similar to what you would find in a BI solution, though not as complex. Support for charts and graphs is available, and templates can be customized through Velocity. Reports can be scheduled and distributed automatically by e-mail. | QRadar provides over 2000 report templates relevant to specific roles, devices, compliance regulations and vertical industries. Only basic report customization is available. However, if advanced report customization is required, QRadar reporting seems limited. However, majority of the customers using QRadar are happy with the out-of-the box reports. |
| Case management | ArcSight has a built-in case management system that allows the association of events to cases, limited workflow, and the ability to launch investigation tools (anything that can run from a command-line) directly from the console. Cases can contain analyst notes and customizable fields. | QRadar provides a rudimentary case management capability through its Offense Management. Offense Management provides basic features such as open, close, assign, and add notes. Additional events cannot be added to Offenses. This is in stark contrast to ArcSight which has full blown case management system built in. |
| User portal | ArcSight requires a java client to provide most of its functionality, but also provides a web interface primarily for business users. | Provides all functionalities for security event monitoring and threat content development through web based GUI |
| User licenses | Individual console licenses should be purchased for each user to perform investigation/monitoring | Additional user licenses are not required to be purchased |
| Pricing | Pricing is based on number of log sources and total log size per day | Pricing is based on EPS. Linear incremental cost for scaling the solution is based on tier based EPS licensing. |
Updates: This section is for posting differences based on reader feedback. So readers, feel free to add on.
| Pattern Discovery | ArcSight has something called a Threat Detector tool. It basically runs a set of search queries on real time data and provides patterns detected. If interesting monitoring patterns are detected, they can quickly be converted to Use Cases. This is basically useful if you want to create new use cases and you don’t know where to start | QRadar does not have anything similar to Pattern discovery. |
| Compliance | ArcSight has compliance packages that can be purchased to aid in providing compliance specific alerting, reporting etc. However, these are priced separately. | QRadar has more than 2000 reports grouped based on Compliance requirement which should mostly satisfy compliance needs |
I think the list can still be improved based on your feedback. Please feel free to add them in the comments section below and the feedback will be incorporated.
IBM Qradar is
IBM Qradar has great data reduction. We have several hundred million log records arrive on various of the platforms daily and have been able to tune them to alert on important things well. Very few false positives.
Like any SIEM product at a very base level the system is a pattern matcher. Looking for patterns in single log messages or looking for patterns in multiple logs messages combined with flow data. It has a primary focus of Security Event Management but you can look for anything in the information flowing through the system and can alert on it. So it can be used - and we do - as a general IT event management/monitoring system.
Room for improvement - IBM Qradar:
3.5 years
I have used several versions of the Qradar system. Both the IBM version and the Juniper STRM OEM version.
IBM I rate as 7.5/10
STRM at 7/10
No real issues with deploy. What it is doing is exactly what we expected. It does have a few wrinkles but that is more about where we are collecting logs from.
No stability issues yet.
No scalability issues yet. We have sized the latest system to cope with up to 10000 eps and or only at about 4000 at the moment. Scaling is simply adding extra license as required at the moment. Easy.
Generally excellent.
Technical Support:Generally excellent.
Simple:
Occasionally the documentation did not reflect what was happening so did need to access tech support a few times.
We implemented it ourselves. Initial seat of pants approach. Worked. I got my Redhat builder to spin up the two VM servers off the supplied image, licensed them, gave them the appropriate IP addresses, created the deployment (the Java 7 bit) and the system started receiving logs from the 1200 CISCO routers.
We are fulfilling a government contract. Install and move to BAU has been done and it came in under the estimated budget…..so All Good.
I am taking IBM Security Qradar exam c2150-400 early Aug 2015.
The event collector, flow collector, PCAP and SOAR are valuable.
Whenever we connect the span port, its device and health status increase the capacity level. So I suggest the mitigation of that part for IBM. Otherwise, it's a good product. We also continuously have issues with technical support because they do not have a prompt response time.
We have been using IBM QRadar for the last five years.
I rate the stability a nine out of ten.
I rate the scalability an eight out of ten. We deploy to many customers and have completed many POCs. We have a four-person team.
The technical support is good, but they are not prompt. I rate them a five out of ten.
Neutral
I rate the initial setup a ten out of ten. It is deployed on-premises and takes about two to three days to deploy the full environment readiness. But the device integration, rules screening and log onboarding take too long, about three to four months. The deployment was completed in-house.
The solution is expensive compared to other products, and I rate the pricing a five out of ten.
I rate this solution a nine out of ten.
First, I used the manual to learn, then I tried to merge it with my company's needs, and there weren't any problems.
I like the graphical interface. It's so good and easy.
Integration could be better. They should make it easy to integrate with other solutions.
I have been using IBM QRadar Advisor with Watson for three or four years.
IBM QRadar Advisor with Watson is a stable solution.
I think IBM QRadar Advisor with Watson is scalable.
We didn't use technical support as the community was very helpful.
The initial setup was difficult the first time, but it got easier after that.
I think my company pays for the license yearly.
I would advise potential users to read the manual or the workbook before going forward with the deployment. Try to match the requirements with the company's needs to avoid facing issues in the future. But if you get stuck, you can always ask the community for help.
On a scale from one to ten, I would give IBM QRadar Advisor with Watson a nine.
This product helps to build a strong architecture, which is important to avoid problems.
I think the QDI is very good.
The biggest drawback of this solution is the price.
The threat detection needs improvement, they have many false positives.
It is important to have good architecture. If you have problems and you don't have a strong architecture you, will have trouble with this solution.
I have been using IBM QRadar for three years.
We are using version 7.4.3
It's a stable solution.
We have many interactions with L2 support when we needed L3 support. I would rate technical support an eight out of ten.
The initial setup is straightforward. We had no problems.
It took approximately a month to deploy.
This price is a little high, so it's an expensive product. It is a good solution but not a cheap one.
I would rate IBM QRadar a nine out of ten.
IBM QRadar is typically deployed in a SOC environment for security monitoring. It is used for log and packet capturing. It has some supporting technology, such as data leakage prevention and data encryption.
I have found visibility very helpful for analytics.
This solution is on-premise and many customers are moving to the cloud base solution.
I have been using this solution for approximately one year.
I have not had any complaints from my clients about the stability of the solution.
The solution is scalable. Our customers that are using this solution are mainly large-sized companies, such as the government.
The technical support is very good.
Nowadays cloud stack security is very good. Some of my customers are planning to build their data center over the cloud, or implement cloud-based services using some of the beneficial services, such as threat intelligence services.
I rate IBM QRadar a ten out of ten.
The most valuable feature is user behavior analytics (UBA).
The EPS and FPS graphs are helpful.
The collecting of logs and processes is very good.
The support process needs to be improved.
Every SIEM solution has issues with plugins, as they have to connect to different log systems. It can affect security, infrastructure, and other things. IBM should continue to expand its database and cover as many systems as possible.
I have been using IBM QRadar for about one year.
QRadar is a very stable product.
The whole process for support is something that needs to be improved. You have to create a case, export the log and attach it to the case, then an engineer will clarify what you need to export and attach it to the ticket or support case, and so on. When you're working with a system that does not have good bandwidth, it makes it even more stressful. It is a lot of work and it should be easier to do.
My colleague has worked more with support and the feedback that I have heard is that they are quite good. It's the process that I am complaining about.
The initial setup is pretty straightforward. We had several logs to integrate so it took a week and perhaps a few days.
I would rate this product a nine out of ten.
Thanks a lot for your information. I am looking for any comparison between Qradar and (Arcsight or Logrhythm). Could u tell me how can I get some comparision reports written in 2016?