Review of Top SIEM Solutions - QRADAR, ARCSIGHT, SPLUNK
•Download as PPTX, PDF•
38 likes•21,516 views
QRadar, ArcSight and Splunk comparison
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Review of Top SIEM Solutions - QRADAR, ARCSIGHT, SPLUNK
Similar to Review of Top SIEM Solutions - QRADAR, ARCSIGHT, SPLUNK (20)
Recently uploaded
Recently uploaded (20)
Review of Top SIEM Solutions - QRADAR, ARCSIGHT, SPLUNK
- 2. 1.QRadar • IBM's QRadar Security Intelligence Platform comprises the QRadar Log Manager, Data Node, SIEM, Risk Manager, Vulnerability Manager, QFlow and VFlow Collectors, and Incident Forensics, • The QRadar platform enables collection and processing of security event and log data, NetFlow, network traffic monitoring using deep-packet inspection and full-packet capture, and behavior analysis for all supported data sources. • Combination of flow-based network knowledge , security event correlation , asset-base vulnerability assessment Monitor and display event in real time or perform advance research • QRadar SIEM can import VA information from various third-party scanners.VA information helps QRadar Risk Manager identify active hosts, open ports, and potential vulnerabilities.
- 3. Log activity Network activity Assets Offences Reports Data collection Qradar Capabilities: WEB Interface • Flow search • Offenses • Log activity • Most recent reports • System summary • Risk Monitoring Dashboard • Monitoring policy compliance • Monitoring risk change • Vulnerability Management items • System notification • Internet threat information center QRadar Log Manager – turn key log management solution for Event log collection & storage QRadar SIEM – Integrated Log, Threat & Risk Management solution QRadar Risk Manager – Predictive threat & risk modelling, impact analysis & simulation QRadar QFlow – Network Behavior Analysis & Anomaly detection using network flow data QRadar vFlow – Application Layer monitoring for both Physical & Virtual environment
- 5. Gartner Report about IBM Security • Real-Time Monitoring • Incident Response and Management • Advanced Threat Defense • Business Context and Security Intel • User Monitoring • Data and Application Monitoring • Advanced Analytics • Deployment and Support Simplicity • Use Cases
- 6. STRENGTHS •QRadar provides an integrated view of log and event data, with network flow and packets, vulnerability and asset data, and threat intelligence. •Network traffic behavior analysis can be correlated across NetFlow and log events. •QRadar's modular architecture supports security event and log monitoring in IaaS environments, including native monitoring for AWS CloudTrail and SoftLayer. •QRadar's technology and architectural approach makes it relatively straightforward to deploy and maintain, whether as an all-in-one appliance or a large-tiered, multisite environment. •IBM Security App Exchange provides a framework to integrate capabilities from third-party technologies into the SIEM dashboards and investigation and response workflow. CAUTIONS •Endpoint monitoring for threat detection and response, or basic file integrity requires use of third-party technologies. •Gartner clients report mixed success with the integration of the IBM vulnerability management add-on for QRadar. •Gartner clients report the sales engagement process with IBM can be complex and requires persistence.
- 7. 2. ArcSight Hewlett Packard Enterprise (HPE) sells its ArcSight SIEM platform to midsize organizations, enterprises and service providers. The platform is available in three different variations: the ArcSight Data Platform (ADP), providing log collection, management and reporting; ArcSight Enterprise Security Management (ESM) software for large-scale security monitoring deployments; and ArcSight Express, an appliance-based all-in-one offering that's designed for the midmarket, with preconfigured monitoring and reporting, as well as simplified data management. In 2015, HPE redesigned and simplified the ArcSight SIEM architecture and licensing model. Further enhancements include new features in the analyst user interface allowing more granular control over incoming events and incidents. New module releases included HPE ArcSight UBA; HPE ArcSight DNS Malware Analytics, providing malware detection based on DNS traffic analysis; HPE ArcSight Marketplace, a community exchange for integration with other vendor solutions; and SIEM context such as dashboards and report templates.
- 8. Features and benefits: • Data enrichment • Categorization and normalization of data • Multidimensional real-time correlation • Ultra-fast investigations and forensics • Out-of-the-box security use cases • Workflow automation Optional packages: • High availability (HA) • Threat detector • Threat central and reputation security monitor • Compliance packages • Interactive discovery • Risk insight ArcSight Enterprise Security Manager (ESM): Correlation and analysis engine used to identify security threat in real-time& virtual environments ArcSight Logger: Log storage and Search solution ArcSight Identity View: User Identity tracking/User activity monitoring ArcSight Connectors: For data collection from a variety of data sources ArcSight Auditor Applications: Automated continuous controls monitoring for both mobile& virtual environments
- 9. Built-in dashboards for real-time security analytics: • malware activity • firewall • IPS • endpoint logs • user activity These dashboards help you understand the threats and risks that enable you to make smart decisions about where to focus your security team’s time and attention. Also included are dashboards that monitor critical infrastructure, such as Cisco appliances, Microsoft® Windows®, and Linux® servers to quickly report on business critical infrastructure
- 11. Gartner Report about ArcSight ArcSight SIEM platform to midsize organizations, enterprises and service providers. The platform is available in three different variations: the ArcSight Data Platform (ADP), providing log collection, management and reporting; ArcSight Enterprise Security Management (ESM) software for large-scale security monitoring deployments; and ArcSight Express, an appliance-based all-in-one The ArcSight Data Platform (composed of ArcSight Connectors, ArcSight Management Center and Logger) can be deployed independently as a log management solution, but is also used as the data collection tier for ArcSight ESM deployments. Premium modules, adding capabilities such as user and entity behavior analytics (ArcSight User Behavior Analytics [UBA]), DNS malware detection and threat intelligence, can be used to extend the SIEM's capabilities. HPE ArcSight can be deployed as an appliance, software or virtualized instance, and supports a scalable n-tier architecture with HPE ArcSight Management Center available to manage large and complex deployments. HPE ArcSight Express is available as an appliance only.
- 12. STRENGTHS •ArcSight ESM provides a complete set of SIEM capabilities that can be used to support a large-scale SOC, including a full incident investigation and management workflow, and a dedicated deployment management console. •HPE ArcSight User Behavior Analytics provides full UBA capabilities in conjunction with SIEM. •HPE ArcSight has a wide variety of out-of-the-box third-party technology connectors and integrations. CAUTIONS •HPE ArcSight proposals routinely include more professional services than comparable offerings. •Customer feedback indicates that HPE ArcSight ESM is found to be more complex and expensive to deploy, configure and operate than other leading solutions. •Although ArcSight is among the top four vendors in competitive visibility with Gartner clients, the trend is decreasing visibility for new installs and increasing numbers of competitive replacements. •HPE is undertaking a development effort to redo the core ArcSight technology platform. Customers and prospective buyers should track development plans to ensure the availability of features and functions needed to support existing or planned deployments.
- 13. 3.Splunk The Splunk Security Intelligence Platform is composed of Splunk Enterprise — the core product from Splunk that provides event and log collection, search and visualization using the Splunk query language — and Splunk Enterprise Security (ES), which adds security-specific SIEM features. Data analysis is the primary feature of Splunk Enterprise, and is used for IT operations, application performance management, business intelligence and, increasingly, for security event monitoring and analysis when implemented with Enterprise Security. Splunk Enterprise Security provides predefined dashboards, correlation rules, searches, visualizations and reports to support real-time security monitoring and alerting, incident response, and compliance reporting use cases. Splunk Enterprise and Splunk Enterprise Security can be deployed on-premises, in public or private clouds, or as a hybrid. Both products are also available as a SaaS offering. Splunk's architecture consists of streaming input and Forwarders to ingest data, Indexers that index and store raw machine logs, and Search Heads.
- 14. • Any Machine Data • Security and Administration • Enterprise-Class High Availability and Scale • Splunk base Apps and Add-Ons • Open Development Platform • Enterprise Integration • Splunk Indexer – used to collect and index logs from IT environment • Splunk Search Heads – used to search & report on IT logs • Splunk App for Enterprise Security - used to collect external threat intelligence feeds, parse log sources and provide basic analytics for session monitoring (VPN, Netflow etc.)
- 15. • Collect and index data • Search an investigate • Correlate and analyze using Splunk search processing language (SPL) • Visualize and report • Monitor and alert • Mobility Spunk's architecture consists of streaming input and Forwarders to ingest data, Indexers that index and store raw machine logs, and Search Heads that provide data access via the web-based GUI interface.
- 17. STRENGTHS •Splunk's investment in security monitoring use cases is driving significant visibility with Gartner clients. •Advanced security analytics capabilities are available from both native machine learning functionality and integration with Splunk UBA for more advanced methods, providing customers with the necessary features to implement advanced threat detection monitoring and inside threat use cases. •Splunk's presence, and investment, in IT operations monitoring solutions provides security teams with in-house experience, as well as existing infrastructure and data to build upon when implementing security monitoring capabilities. CAUTIONS •Splunk Enterprise Security provides only basic predefined correlations for user monitoring and reporting requirements, compared with richer content for use cases provided by leading competitors. •Splunk license models are based on data volume in gigabytes indexed per day. Customers report that the solution is costlier than other SIEM products where high data volumes are expected, and recommend sufficient planning and prioritization of data sources to avoid overconsuming licensed data volumes. In the past 12 months, Splunk introduced licensing programs to address high-volume-data users. •Potential buyers of Splunk UBA should plan appropriately, as it requires a separate infrastructure and leverages a license model different from how Splunk Enterprise and Enterprise Security are licensed.
- 18. Comparison It’s a comparison vision to compare most important SIMs
- 19. IBM QRadar Strengths : • Very simple deployment & configuration • Integrated view of the threat environment using NetFlow data , IDS/IPS data & Event logs from the environment • Behavior & Anomaly Detection capabilities for both NetFlow & Log data • Suited for small, medium & large enterprises • Highly Scalable & Available architecture Weakness • Limited customizations capabilities • Limited Multi-tenancy support • Limited capability to perform Advanced Use Case development & analytics
- 20. HP ArcSight Strengths • Extensive Log collection support for commercial IT products & applications • Advanced support for Threat Management, Fraud Management & Behavior Analysis • Mature Event Correlation, Categorization & Reporting • Tight integration with Big data Analytics platform like Hadoop • Highly customizable based on organization’s requirements • Highly Available & Scalable Architecture supporting Multi-tier & Multi-tenancy Weakness • Complex deployment & configuration • Mostly suited for Medium to Large Scale deployment • Requires skilled resources to manage the solution • Steep learning curve for Analysts & Operators
- 21. Splunk Strengths • Extensive Log collection capabilities across the IT environment • Log search is highly intuitive – like Google search Flexible dash boarding & analytics capability • improves Log visualization capabilities • Built-in support for external threat intelligence feeds both open source & commercial • “App Store” based architecture allowing development of Splunk Plugins to suit monitoring & analytics requirements Weakness • Pre-SIEM solution with very limited correlation capabilities • Even though easy to deploy, increasingly difficult to configure for SIEM related functions
Editor's Notes
- SIEM technology is typically deployed to support three primary use cases: Advanced threat detection — Real-time monitoring and reporting of user activity, data access, and application activity, incorporation of threat intelligence and business context, in combination with effective ad hoc query capabilities Basic security monitoring — Log management, compliance reporting and basic real-time monitoring of selected security controls Forensics and incident response — Dashboards and visualization capabilities, as well as workflow and documentation support to enable effective incident identification, investigation and response
- deployed using physical and virtual appliances, and infrastructure as a service (IaaS; such as in public or private cloud services). QRadar is also available in an as-a-service solution (IBM QRadar on Cloud), which is fully managed by IBM along with optional event monitoring provided by the IBM Managed Security Services team.
- Log activity Investigate event data (real tome or not) Search events Monitor log activity by using configurable time-series charts Network activity Investigate communication sessions between hosts investigate the flow and monitor flow Monitor network activity by using configurable time-series charts Assets : automatically create asset profiles by using passive flow and vulnerability data Search asset and view all learned asset and their information Tune false positive vulnerabilities QRadar SIEM automatically discovers and classifies servers in your network, and also you can add manually or modify server .You can save specified flow search criteria for future use. You can create a dashboard item by using saved flow search criteria. Offences :you can investigate offenses to determine the root cause of a network issue. Investigate offenses, source and destination IP addresses, network behaviors, and anomalies on your network. Correlate events and flows that are sourced from multiple networks to the same destination IP address Navigate the various pages of the Offenses tab to investigate event and flow details. Determine the unique events that caused an offense Reports: you can customize the reports Create, distribute, and manage reports Combine security and network information into a single report Use or edit preinstalled report templates Publish reports in various formats Data collection: Collected data is categorized into three major sections: events, flows, and vulnerability assessment information. Syslog SNMP Java™ database Connectivity (JDBC) Security Device Event Exchange (SDEE) Flow search You can display a custom dashboard item that is based on saved search criteria from the Network Activity tab. Offenses You can add several offense-related items to your dashboard. Log activity The Log Activity dashboard items will allow you to monitor and investigate events in real time. Most recent reports The Most Recent Reports dashboard item displays the top recently generated reports. System summary The System Summary dashboard item provides a high-level summary of activity within the past 24 hours. Risk Monitoring Dashboard You use the Risk Monitoring dashboard to monitor policy risk and policy risk change for assets, policies and policy groups. Monitoring policy compliance Create a dashboard item that shows policy compliance pass rates and policy risk score for selected assets, policies, and policies groups. Monitoring risk change Create a dashboard item that shows policy risk change for selected assets, policies, and policies groups on a daily, weekly, and monthly basis. Vulnerability Management items Vulnerability Management dashboard items are only displayed when IBM® Security QRadar® Vulnerability Manager is purchased and licensed. System notification The Systems Notification dashboard item displays event notifications that are received by your system. Internet threat information center The Internet Threat Information Center dashboard item is an embedded RSS feed that provides you with up-to-date advisories on security issues, daily threat assessments, security news, and threat repositories.
- IBM Security's QRadar Security Intelligence is a multi-feature security monitoring platform that provides log management, SIEM, NetFlow, application monitoring, vulnerability scanning, full packet capture and risk analysis. The platform is designed to be deployed as an all-in-one appliance, as discrete components that can be scaled horizontally for distributed and larger environments, or in an IBM SoftLayer-hosted SIEM as a service option. IBM's acquisition of Resilient Systems and the introduction of the IBM Security App Exchange further extend the capabilities of the QRadar platform. Real-Time Monitoring The QRadar platform provides an integrated view across an organization's environment. Threat detection is performed by leveraging a combination of statistical and correlation rules that can also use other nonevent data sources, such as asset details (e.g., vulnerability scans and installed application), historical behavior patterns, and configuration details. Incident Response and Management QRadar provides native workflow functionality for incident response and management, including automatic contextual enhancement for incidents, as well as the ability to perform forensic analyses (if that module is deployed). Buyers can also leverage QRadar Resilient Response, which is integrated via a QRadar App, to extend incident response capabilities to include response playbooks, incident timeline visualization, breach and compliance management, incident response and handling coordination, and automated remediation actions. Advanced Threat Defense The QRadar platform uses a combination of capabilities to detect and respond to advanced threats. For example, QFlow can be used in combination with NetFlow data and the Network Behavior Anomaly Rules Engine to correlate network and event data to detect anomalous traffic that matches activity associated with malware command and control communications. Forensic analysis is available to analyze the session associated with an incident. QRadar rules can also be run against historical data to look for past activity, leveraging recent threat intelligence. Business Context and Security Intel Asset information, which includes OSs, open ports, installed applications and vulnerability details, are maintained by the QRadar platform, and can be leveraged in both correlation rules as well as information enrichment for detected incidents. Automated threat intelligence feeds are provided by IBM X-Force, and third-party feeds are also supported. IBM also introduced the X-Force Exchange threat intelligence sharing service as another means of sharing threat intelligence. QRadar supports threat intelligence sharing formats such as STIX and TAXII. User Monitoring User monitoring is provided through integration with Active Directory, other LDAP directories, and leading IAM and web access solutions (on-premises and SaaS), including IBM's Security Identity Manager (SIM) and Security Access Manager (SAM). Out-of-the-box correlation rules and reports leverage event data and user data to monitor and report on user activity. IBM has also released native, lightweight UEBA capabilities via a free add-on app to QRadar, providing UBA capabilities focused on the threat detection, rather than the fraud monitoring use case. QRadar integrates with Exabeam's, Securonix, and E8 UEBA solutions via apps on the IBM Security App Exchange. Apps by other UEBA vendors are scheduled for release. Data and Application Monitoring QRadar supports all major DLP, FIM and DAM vendors to monitor for data and application specific incidents, as well as provide additional data sources for event correlation. DLP-like functionality can be provided using the network monitoring functions, such as QFlow, in the QRadar platform. Leading ERP systems are also supported via third-party solution providers. Advanced Analytics QRadar leverages a variety of analytic approaches, such as statistical, predictive and behavior anomaly detection. Big data platforms, such as Hadoop, including commercial versions such as IBM BigInsights and Cloudera, are supported out of the box. Deployment and Support Simplicity IBM's QRadar Security Intelligence Platform has multiple deployment options ranging from on-premises, all-in-one appliances to cloud-based SIEM as a service. QRadar can be deployed via dedicated appliances, virtual appliance, or user installable software. Customer feedback indicates that the technology is relatively straightforward to deploy and maintain across the various deployment options. Use Cases QRadar can support a wide set of threat management and compliance use cases for smaller, all-in-one to large-scale, distributed deployments. The QRadar platform supports security-oriented use cases that benefit from network flow analysis, threat detection via broad-scope network and application behavior analysis, and integrated incident response capabilities.
- ArcSight Express should be considered for midsize SIEM deployments requiring extensive third-party connector support. HPE ArcSight ESM is a good fit for large-scale deployments and for organizations seeking to build a dedicated SOC.
- Data enrichment We enhance the security data by adding context data at the time of collection, which is critical for understanding the impact of an event ArcSight ESM enriches the data with user and asset and network information. It gives you the situational and content awareness you need to make an informed, relevant decision during investigation and to accelerate the remediation process. Categorization and normalization of data Categorization and normalization convert collected original logs into a universal format for use inside the SIEM product. We use CEF, a de facto industry standard developed by ArcSight from expertise gained over a decade of building more than 230 connectors across 30 different security and network technology categories. Multidimensional real-time correlation ArcSight ESM has rule-based, statistical, or algorithmic correlation, as well as other methods that include relating different events to each other and events to contextual data Our correlation engine filters out irrelevant noise while zeroing in on threat risks that matter most. We have the most intelligent and flexible correlation engine with the largest number of correlation algorithms in the industry. The correlation engine helps you quickly identify indicators of compromise (IOCs), and situations that require investigation or immediate action helping you focus your attention on most urgent, high-risk threats Ultra-fast investigations and forensics You can rapidly search terabytes of data using a simple search interface. This feature enables needle-in-the-haystack queries of both active and historical data with a simple search interface .The investigation and forensic tools help you obtain the right information at the right time. You can track situations as they develop and query both active and historical data to investigate possible threats. Out-of-the-box security use cases ArcSight ESM also comes with standardized templates to build your own advanced queries, correlation rules, and reports customized for your environment. It provides comprehensive and timely content to security professionals like you, so you can implement your security posture, deploy your SIEM solution quickly, and rapidly realize a return on your investment (ROI). Workflow automation Events of interest can be manually or automatically escalated to the right people in the right time frame. The robust workflow framework comes with built in case management and can integrate with your existing processes and systems. Optional packages High availability (HA)—stateful, active or passive HA Provides backup ESM machine with automatic failover capability should the primary ArcSight ESM machine experience any communication or operational problems. Threat detector—pattern discovery for automatic pattern detection Scans for new patterns to stay ahead of new exploitive behavior; instantly uncovers zero-day worms and complex attacks and detect misconfigurations of network devices, systems, and applications so you can triage proactively. Threat central and reputation security monitor—threat intelligence feeds Respond to threats based on actionable threat analysis and reputation intelligence from the cloud-based, standards-compliant sharing platform. Compliance packages—compliance automation and reporting Easily meet a broad set of regulatory compliance requirements and can ease the cost and complexity of identifying critical issues, helping you avoid risks, prepare for audits and improve productivity and operational efficiency. Interactive discovery—powerful visual and extensive algorithmic analytics Explore, correlate, slice, and animate security data across intrusion detection systems (IDS), firewalls, applications, and any other type of security data source, in ways never before possible. Risk insight—executive level scorecard with insight to security priorities Combine security intelligence with business risk through rich built-in or customizable dashboards, reports, KPIs, and a heat map capable of showing top priority threats among billion security events.
- Built-in dashboards for real-time security analytics: You can get built-in reports for malware activity, firewall, IPS, endpoint logs, and user activity. These dashboards help you understand the threats and risks that enable you to make smart decisions about where to focus your security team’s time and attention. Also included are dashboards that monitor critical infrastructure, such as Cisco appliances, Microsoft® Windows®, and Linux® servers to quickly report on business critical infrastructure
- Any Machine Data Using no predefined schema, Splunk Universal Forwarders and collection methods such as syslog, HTTP direct API, scripted inputs, and the mobile SDK can index unstructured data from sources such as applications, sensors, endpoint devices, mainframes, industrial systems and network packet streams. Splunk can also combine your machine data with data in your relational databases, data warehouses, and Hadoop and NoSQL data stores. Security and Administration A robust security model provides secure data transfer, granular role-based access controls, LDAP integration and single sign-on, auditability and data integrity. Every transaction is authenticated, whether through the web and mobile interfaces, command line interface or the Splunk Enterprise API Enterprise-Class High Availability and Scale Multi-site clustering and automatic load balancing scale to support hundreds of terabytes of data per day, optimize response times and provide continuous availability. Search Head Clustering provides support for a virtually unlimited number of concurrent users and searches. The High Performance Analytics Store and other acceleration technologies enable you to generate reports on big data at lightning fast speeds. Splunk base Apps and Add-Ons Apps from Splunk, our partners and our community enhance and extend the power of the Splunk platform. Optimize data collection and analysis from your favorite sources. Empower users with pre-built visualizations and functions for security, IT management, business analysis and more. Open Development Platform The Splunk platform makes it easy to customize Splunk Enterprise to meet the needs of any project. Developers can build custom Splunk applications or integrate Splunk data into other applications by using the Splunk REST API or SDKs for JavaScript, JSON, Java, Python, Ruby and PHP. Your custom applications can leverage the rich functionality of the Splunk platform as well as existing applications available in the Splunk applications library. Enterprise Integration Embed Splunk reports and data in any application. Enrich your relational databases and reports with Splunk insights, trigger actions in ticketing or other systems, or use our ODBC integrations to access Splunk Operational Intelligence in familiar applications such as Microsoft Excel or Tableau.
- . Spunk's architecture consists of streaming input and Forwarders to ingest data, Indexers that index and store raw machine logs, and Search Heads that provide data access via the web-based GUI interface.
- In mid-2015, Splunk added native UEBA functionality with the acquisition of Caspida, which was rebranded Splunk UBA (Splunk works with a number of other UEBA products, as well). Tighter integration between the Enterprise Security and UBA products was introduced in early 2016. Additional improvements were made to incident management and workflow capabilities; and for lower data storage requirements, improved visualizations and expansion of monitoring to additional IaaS and SaaS providers.