SIEM Comparison

7/23/2019 SIEM Comparison

    SIEM Product Comparison

SIEM Technology Space

SIEM market analysis of the last 3 years suggests:

- Market consolidation of SIEM players (25 vendors in 2011 to 16 vendors in 2013). Only products with technology maturity and a strong road map have featured in the leaders quadrant.
- HP ArcSight & IBM Q1 Labs have maintained leadership in the SIEM industry with continued technology upgrades.
- McAfee Nitro has strong product features & road map to challenge HP & IBM for leadership.

(Chart: SIEM market timeline, 2011 / 2012 / 2013)

HP ArcSight

Strengths:
- Extensive Log collection support for commercial IT products & applications
- Advanced support for Threat Management, Fraud Management & Behavior Analysis
- Mature Event Correlation, Categorization & Reporting
- Tight integration with Big Data Analytics platforms like Hadoop
- Highly customizable based on organizations' requirements
- Highly Available & Scalable Architecture supporting Multi-tier & Multi-tenancy

Weaknesses:
- Complex deployment & configuration
- Mostly suited for Medium to Large Scale deployment
- Requires skilled resources to manage the solution
- Steep learning curve for Analysts & Operators

The ArcSight Enterprise Threat and Risk Management (ETRM) Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information:

- ArcSight Enterprise Security Manager (ESM): Correlation and analysis engine used to identify security threats in real time
- ArcSight Logger: Log storage and Search solution
- ArcSight IdentityView: User Identity tracking / User activity monitoring
- ArcSight Connectors: data collection from a variety of data sources
- ArcSight Auditor Applications: automated continuous controls monitoring for both mobile & virtual environments

IBM QRadar

Strengths:
- Very simple deployment & configuration
- Integrated view of the threat environment using Netflow data, IDS/IPS data & Event logs from the environment
- Behavior & Anomaly Detection capabilities for both Netflow & Log data
- Suited for small, medium & large enterprises
- Highly Scalable & Available architecture

Weaknesses:
- Limited customization capabilities
- Limited Multi-tenancy support
- Limited capability to perform Advanced Use Case development & analytics

The QRadar Integrated Security Solutions (QRadar) Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information:

- QRadar Log Manager: turnkey log management solution for Event log collection & storage
- QRadar SIEM: Integrated Log, Threat & Risk Management solution
- QRadar Risk Manager: Predictive threat & risk modelling, impact analysis & simulation
- QRadar QFlow: Network Behaviour Analysis & Anomaly detection using network flow data
- QRadar vFlow: Application Layer monitoring for both Physical & Virtual environments

McAfee Nitro

The McAfee Enterprise Security Management (formerly Nitro Security) Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information:

- McAfee Enterprise Log Manager: turnkey log management solution for Event log collection & storage
- McAfee Event Receiver: collects log data & native flow data
- McAfee Database Event Monitor: database transaction & Log monitoring
- McAfee Application Data Monitor: application layer event monitoring
- McAfee Advanced Correlation Engine: advanced correlation engine for correlating events, both historical & real time

Strengths:
- Integrated Application Data monitoring & Deep Packet Inspection
- Integrated Database monitoring without dependence on native audit functions
- High event collection rate suited for very large scale deployment
- Efficient query performance in spite of high event collection rate

Weaknesses:
- Very basic correlation capabilities when compared with HP & IBM
- Limitations in user interface when it concerns navigation
- Requires a lot of agent installs for Application & database monitoring, thereby increasing management complexity
- No Analytics capability, both Big Data & Risk based
- Limited customization capabilities
- Limited support for multi-tier & multi-tenancy architecture

Splunk

Strengths:
- Extensive Log collection capabilities across the IT environment
- Log search is highly intuitive, like Google search
- Flexible dashboarding & analytics capability improves Log visualization capabilities
- Built-in support for external threat intelligence feeds, both open source & commercial
- App Store based architecture allowing development of Splunk Plugins to suit monitoring & analytics requirements

Weaknesses:
- Pre-SIEM solution with very limited correlation capabilities
- Even though easy to deploy, increasingly difficult to configure for SIEM related functions

Splunk Enterprise is an integrated set of products that provide Log Collection, management & reporting capabilities using:

- Splunk Indexer: used to collect and index logs from the IT environment
- Splunk Search Heads: used to search & report on IT logs
- Splunk App for Enterprise Security: used to collect external threat intelligence feeds, parse log sources and provide basic analytics for session monitoring (VPN, Netflow etc.)

RSA Security Analytics

Strengths:
- Great Analytics using Event Log Data & Network Packet Capture
- Network forensics and Big Data (Parallel Computing) are cornerstones in the SIEM world
- Tightly integrates with the RSA ecosystem for Threat Intelligence, Fraud Detection, Malware Analysis etc. (each requires separate RSA Tools)

Weaknesses:
- New Product release from RSA, hence advanced Security correlation support is poor
- Security Analytics Warehouse is a new capability with very little real world use cases
- Suited only for large enterprises with need for complex deployment and management resources. Poor deployment options for small and midsize customers

RSA Security Analytics is an integrated set of products that provide Network Forensics, Log Collection, management & reporting capabilities using:

Capture Infrastructure
- RSA Security Analytics Decoder: Real time capture of Network Packet and log data with Analysis and filtering capabilities
- RSA Security Analytics Concentrator: Aggregates metadata from the Decoder
- RSA Security Analytics Broker Server: For reporting, management and administration of capture data

Analysis & Retention Infrastructure
- Event Stream Analysis: Correlation Engine
- Archiver: Long term retention, storage, security & compliance reporting
- RSA Security Analytics Warehouse: Big Data Infrastructure for Advanced Analytics

LogRhythm

Strengths:
- Well balanced log management, reporting, event management, privileged user monitoring and File integrity monitoring capabilities
- Fast deployment with minimal configuration because of appliance form factor
- Quarterly Health Check programs post-deployment offer a great After-sales Service experience

Weaknesses:
- Suitable for Security event data only, as Operational data sets cause slowing performance for searches and reports
- No Support for Active Directory integration for Role-Based Access Control
- Suited best for small and mid size companies with basic security, regulatory compliance and reporting needs. Not scalable for very large deployments.

The LogRhythm SIEM 2.0 Security Intelligence Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information:

- Log Manager: high performance, distributed and redundant log collection and management appliance
- Event Manager: provides centralized event management and administration for a LogRhythm deployment
- Network Monitor: provides full visibility into network traffic, identifying applications via deep packet inspection, providing real-time unstructured search access to all metadata and packet captures

SIEM Vendors Critical Capabilities Score Card

A Summary scoring sheet for SIEM Vendors based on their Core capabilities is given below (1.0 = Low level of Capability, 5.0 = High Level of Capability):

Capability                         RSA Security Analytics   LogRhythm   Splunk   McAfee Nitro   IBM QRadar   HP ArcSight
Real-time Security Monitoring      3.1                      3.2         2.5      3.9            4.2          4.4
Threat Intelligence                3.7                      2.5         3.0      2.8            3.5          4.5
Behavior Profiling                 2.5                      2.3         3.0      3.0            5.0          4.0
Data & End User Monitoring         3.6                      3.5         1.7      3.6            3.5          4.0
Application Monitoring             3.8                      3.5         1.8      3.7            3.3          3.8
Analytics                          2.5                      2.5         3.8      4.5            3.5          4.0
Log Management & Reporting         3.5                      3.8         3.5      3.8            3.9          4.0
Deployment & Support Simplicity    3.0                      4.0         2.5      3.5            3.5          3.0
Total (Weighted Score)             25.7                     25.3        21.8     28.8           30.4         31.7

SIEM Vendors Use Cases Score Card

Scores per use case (1.0 = Low level of Capability, 5.0 = High Level of Capability):

Use Cases                RSA Security Analytics   LogRhythm   Splunk   McAfee Nitro   IBM QRadar   HP ArcSight
Overall Use Cases        3.2                      3.2         2.7      3.6            3.8          4.0
Compliance Use Cases     3.3                      3.7         3.0      3.7            3.8          3.8
Threat Monitoring        3.1                      3.1         2.9      3.8            3.7          4.0
SIEM                     3.2                      3.4         2.8      3.6            3.8          3.9
Total (Weighted Score)   12.8                     13.4        11.7     14.7           15.1         15.7