We at Infosecnirvana.com have done several posts on SIEM. After the Dummies Guide on SIEM, we are following it up with a SIEM Product Comparison – 101 deck. So, here it is for your viewing pleasure. Let me know what you think by posting your comments below. The products compared here are the ones featured in the Gartner Magic Quadrant, which is what organizations typically use to select SIEM vendors. The vendors covered in the deck are:
1. HP ArcSight
2. McAfee Nitro
3. IBM QRadar
4. Splunk SIEM
5. RSA Security Analytic
6. LogRhythm.
SIEM Technology Space
SIEM market analysis of the last 3 years suggests:
- Market consolidation of SIEM players (25 vendors in 2011 to 16 vendors in 2013)
- Only products with technology maturity and a strong road map have featured in the Leaders quadrant
- HP ArcSight & IBM Q1 Labs have maintained leadership in the SIEM industry with continued technology upgrades
- McAfee Nitro has strong product features & road map to challenge HP & IBM for leadership
HP ArcSight
The ArcSight Enterprise Threat and Risk Management (ETRM) Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information.
- ArcSight Enterprise Security Manager (ESM): correlation and analysis engine used to identify security threats in real-time & virtual environments
- ArcSight Logger: log storage and search solution
- ArcSight IdentityView: user identity tracking / user activity monitoring
- ArcSight Connectors: data collection from a variety of data sources
- ArcSight Auditor Applications: automated continuous controls monitoring for both mobile
Strengths | Weaknesses
--- | ---
Extensive log collection support for commercial IT products & applications | Complex deployment & configuration
Advanced support for Threat Management, Fraud Management & Behavior Analysis | Mostly suited for medium- to large-scale deployments
Mature event correlation, categorization & reporting | Requires skilled resources to manage the solution
Tight integration with big data analytics platforms like Hadoop | Steep learning curve for analysts & operators
Highly customizable based on the organization's requirements |
Highly available & scalable architecture supporting multi-tier & multi-tenancy |
IBM QRadar
The QRadar Integrated Security Solutions (QRadar) Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information.
- QRadar Log Manager – turnkey log management solution for event log collection & storage
Strengths | Weaknesses
--- | ---
Very simple deployment & configuration | Limited customization capabilities
Integrated view of the threat environment using NetFlow data, IDS/IPS data & event logs from the environment | Limited multi-tenancy support
Behavior & anomaly detection capabilities for both NetFlow & log data | Limited capability to perform advanced use case development & analytics
Suited for small, medium & large enterprises |
Highly scalable & available architecture |
McAfee Nitro
The McAfee Enterprise Security Management (formerly NitroSecurity) Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information.
- McAfee Enterprise Log Manager – turnkey log management solution for event log collection & storage
- McAfee Event Receiver – collects log data & native flow data
- McAfee Database Event Monitor – database transaction & log monitoring
- McAfee Application Data Monitor – application layer event monitoring
- McAfee Advanced Correlation Engine – advanced correlation engine for correlating events, both historical & real time
Strengths | Weaknesses
--- | ---
Integrated application data monitoring & deep packet inspection | Very basic correlation capabilities when compared with HP & IBM
Integrated database monitoring without dependence on native audit functions | Limitations in the user interface when it comes to navigation
High event collection rate suited for very large-scale deployments | Requires a lot of agent installs for application & database monitoring, thereby increasing management complexity
Efficient query performance in spite of the high event collection rate | No big data analytics capability
 | Limited customization capabilities
 | Limited support for multi-tier & multi-tenancy architecture
Splunk
Splunk Enterprise is an integrated set of products that provide log collection, management & reporting capabilities using:
- Splunk Indexer – used to collect and index logs from the IT environment
- Splunk Search Heads – used to search & report on IT logs
- Splunk App for Enterprise Security – used to collect external threat intelligence feeds, parse log sources and provide basic analytics for session monitoring (VPN, NetFlow etc.)
Strengths | Weaknesses
--- | ---
Extensive log collection capabilities across the IT environment | Pre-SIEM solution with very limited correlation capabilities
Log search is highly intuitive – like Google search | Even though easy to deploy, increasingly difficult to configure for SIEM-related functions
Flexible dashboarding & analytics capability improves log visualization |
Built-in support for external threat intelligence feeds, both open source & commercial |
"App Store" based architecture allowing development of Splunk plugins to suit monitoring & analytics requirements |
RSA Security
RSA Security Analytics is an integrated set of products that provide network forensics, log collection, management & reporting capabilities using:
- Capture Infrastructure
  - RSA Security Analytics Decoder – real-time capture of network packet and log data with analysis and filtering capabilities
  - RSA Security Analytics Concentrator – aggregates metadata from the Decoder
  - RSA Security Analytics Broker Server – reporting, management and administration of captured data
- Analysis & Retention Infrastructure
  - Event Stream Analysis – correlation engine
  - Archiver – long-term retention, storage, security & compliance reporting
  - RSA Security Analytics Warehouse – big data infrastructure for advanced analytics
Strengths | Weaknesses
--- | ---
Great analytics using event log data & network packet capture | New product release from RSA, hence advanced security correlation support is poor
Network forensics and big data (parallel computing) are cornerstones of the SIEM world | Security Analytics Warehouse is a new capability with very few real-world use cases
Tightly integrates with the RSA ecosystem for threat intelligence, fraud detection, malware analysis etc. (each requires separate RSA tools) | Suited only for large enterprises with the need for complex deployment and management resources. Poor deployment options for small and midsize customers
LogRhythm
The LogRhythm SIEM 2.0 Security Intelligence Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information.
- Log Manager – high-performance, distributed and redundant log collection and management appliance
Strengths | Weaknesses
--- | ---
Well-balanced log management, reporting, event management, privileged user monitoring and file integrity monitoring capabilities | Suitable for security event data only, as operational data sets slow search and report performance
Fast deployment with minimal configuration because of the appliance form factor | No support for Active Directory integration for role-based access control
Quarterly health check programs post-deployment offer a great after-sales service experience | Suited best for small and mid-size companies with basic security, regulatory compliance and reporting needs. Not scalable for very large deployments.
A summary scoring sheet for the SIEM vendors based on their core capabilities is given below.
Capability | RSA Security Analytics | LogRhythm | Splunk | McAfee Nitro | IBM QRadar | HP ArcSight
--- | --- | --- | --- | --- | --- | ---
Real-time Security Monitoring | 3.1 | 3.2 | 2.5 | 3.9 | 4.2 | 4.4
Threat Intelligence | 3.7 | 2.5 | 3.0 | 2.8 | 3.5 | 4.5
Behavior Profiling | 2.5 | 2.3 | 3.0 | 3.0 | 5.0 | 4.0
Data & End User Monitoring | 3.6 | 3.5 | 1.7 | 3.6 | 3.5 | 4.0
Application Monitoring | 3.8 | 3.5 | 1.8 | 3.7 | 3.3 | 3.8
Analytics | 2.5 | 2.5 | 3.8 | 4.5 | 3.5 | 4.0
Log Management & Reporting | 3.5 | 3.8 | 3.5 | 3.8 | 3.9 | 4.0
Deployment & Support Simplicity | 3.0 | 4.0 | 2.5 | 3.5 | 3.5 | 3.0
Total (Weighted Score) | 25.7 | 25.3 | 21.8 | 28.8 | 30.4 | 31.7
1.0 = Low level of capability
5.0 = High level of capability
SIEM Vendors – Use Cases Score Card
Use Cases | RSA Security Analytics | LogRhythm | Splunk | McAfee Nitro | IBM QRadar | HP ArcSight
--- | --- | --- | --- | --- | --- | ---
Overall Use Cases | 3.2 | 3.2 | 2.7 | 3.6 | 3.8 | 4.0
Compliance Use Cases | 3.3 | 3.7 | 3.0 | 3.7 | 3.8 | 3.8
Threat Monitoring | 3.1 | 3.1 | 2.9 | 3.8 | 3.7 | 4.0
SIEM | 3.2 | 3.4 | 2.8 | 3.6 | 3.8 | 3.9
Total (Weighted Score) | 12.8 | 13.4 | 11.4 | 14.7 | 15.1 | 15.7
1.0 = Low level of capability
5.0 = High level of capability
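The two score cards above use equal weights (each "Total (Weighted Score)" row is the plain sum of the column). In a real selection the weights are the interesting part: a two-person team will not weight "Behavior Profiling" the same way a large SOC does. The Python below is an added example (not part of the original deck) that loads the capability scores exactly as printed above, reproduces the deck's totals under equal weights, and then re-ranks the vendors under an assumed "small team" weighting that favours deployment simplicity and reporting. The `SMALL_TEAM_WEIGHTS` values are illustrative assumptions, not figures from the deck; the same routine applies unchanged to the use case score card.

```python
"""Weighted scoring of the deck's SIEM capability sheet (added example, not from the original post)."""
from typing import Dict, List, Optional

# Vendor column order and capability scores copied from the deck's summary scoring sheet
# (1.0 = low level of capability, 5.0 = high level of capability).
VENDORS: List[str] = [
    "RSA Security Analytics", "LogRhythm", "Splunk",
    "McAfee Nitro", "IBM QRadar", "HP ArcSight",
]
CAPABILITY_SCORES: Dict[str, List[float]] = {
    "Real-time Security Monitoring":   [3.1, 3.2, 2.5, 3.9, 4.2, 4.4],
    "Threat Intelligence":             [3.7, 2.5, 3.0, 2.8, 3.5, 4.5],
    "Behavior Profiling":              [2.5, 2.3, 3.0, 3.0, 5.0, 4.0],
    "Data & End User Monitoring":      [3.6, 3.5, 1.7, 3.6, 3.5, 4.0],
    "Application Monitoring":          [3.8, 3.5, 1.8, 3.7, 3.3, 3.8],
    "Analytics":                       [2.5, 2.5, 3.8, 4.5, 3.5, 4.0],
    "Log Management & Reporting":      [3.5, 3.8, 3.5, 3.8, 3.9, 4.0],
    "Deployment & Support Simplicity": [3.0, 4.0, 2.5, 3.5, 3.5, 3.0],
}

# Assumed weighting for a small security team that values easy operation and
# reporting over advanced analytics. Illustrative only; these weights are not from the deck.
SMALL_TEAM_WEIGHTS: Dict[str, float] = {
    "Real-time Security Monitoring":   1.0,
    "Threat Intelligence":             0.5,
    "Behavior Profiling":              0.5,
    "Data & End User Monitoring":      0.5,
    "Application Monitoring":          0.5,
    "Analytics":                       0.5,
    "Log Management & Reporting":      2.0,
    "Deployment & Support Simplicity": 3.0,
}


def weighted_totals(scores: Dict[str, List[float]],
                    weights: Optional[Dict[str, float]] = None) -> Dict[str, float]:
    """Return each vendor's weighted sum of capability scores.

    With weights omitted every capability counts 1.0, which reproduces the
    deck's "Total (Weighted Score)" row exactly (the deck's totals are plain sums).
    """
    capabilities = list(scores)
    if weights is None:
        weights = {cap: 1.0 for cap in capabilities}
    missing = set(capabilities) - set(weights)
    if missing:
        raise ValueError(f"no weight given for: {sorted(missing)}")
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    for cap, row in scores.items():
        if len(row) != len(VENDORS):
            raise ValueError(f"{cap!r} has {len(row)} scores for {len(VENDORS)} vendors")
    return {
        vendor: sum(weights[cap] * scores[cap][i] for cap in capabilities)
        for i, vendor in enumerate(VENDORS)
    }


def rank(totals: Dict[str, float]) -> List[str]:
    """Vendor names ordered from highest to lowest total."""
    return [v for v, _ in sorted(totals.items(), key=lambda kv: kv[1], reverse=True)]


def score_table(scores: Dict[str, List[float]],
                weights: Optional[Dict[str, float]] = None) -> str:
    """Render the ranking as plain text, e.g. for pasting into an evaluation report."""
    totals = weighted_totals(scores, weights)
    return "\n".join(f"{pos:>2}. {v:<24}{totals[v]:6.2f}"
                     for pos, v in enumerate(rank(totals), 1))


if __name__ == "__main__":
    print("Deck's equal-weight ranking:")
    print(score_table(CAPABILITY_SCORES))
    print("\nRe-ranked with the assumed small-team weights:")
    print(score_table(CAPABILITY_SCORES, SMALL_TEAM_WEIGHTS))
```

Under equal weights the order is HP ArcSight, IBM QRadar, McAfee Nitro, RSA, LogRhythm, Splunk, matching the deck. Under the assumed small-team weights IBM QRadar edges ahead of HP ArcSight (31.9 vs 31.55), which is the point: the deck's totals are one weighting among many, and the weights should come from the buyer's own requirements before the numbers are used to shortlist anything.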
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cost/License should also be part of the criteria, because the capabilities of these solutions depend on how much EPS they are allowed to process. A lot of "events" go down the drain if they are beyond the EPS that the customer licensed, therefore giving an incomplete view of the network. Some remarketers of these solutions have crimped their proposals just to make a sale. Just my 2 cents.