In my previous article, Why We Should Use SIEM Technology In SOC, I introduced SIEM technology. This week, I would like to discuss SIEM products built on SIEM technology.
SIEM products such as Splunk, LogRhythm and AlienVault, which are currently deployed or selected for deployment in some banking and telecom companies in Myanmar, are discussed below based on Gartner's 2018 Magic Quadrant for Security Information and Event Management report.
➡ Splunk is a top vendor in the Leaders quadrant of Gartner's Magic Quadrant. Splunk's Security Intelligence Platform is composed of Splunk Enterprise and three solutions: Splunk Enterprise Security (ES), Splunk User Behavior Analytics (UBA) and Splunk Phantom. Splunk Enterprise provides event and data collection, event search and visualization for various IT operations uses and some security use cases. The premium ES solution delivers most of the security-monitoring-specific capabilities, including security-specific queries, visualizations, dashboards and incident response capabilities. UBA adds ML-driven advanced analytics. Phantom provides SOAR capabilities.
➡ The main difference between Splunk and other SIEM vendors is the additional applications available on the SplunkBase site, which support integration with third-party devices. Splunk can be deployed not only as on-premises software but also as the Splunk Cloud SaaS solution hosted on AWS infrastructure. Splunk Enterprise and Splunk Cloud consist of Universal Forwarders, Indexers and Search Heads, supporting n-tier architectures. Splunk is licensed by the amount of data ingested into the platform. ES is also licensed by gigabytes per day, whereas UBA is licensed by the number of user accounts in the organization. Phantom is priced by the number of events on which users take action.
➡ Thoma Bravo completed its acquisition of a majority interest in LogRhythm in July 2018. LogRhythm's SIEM solution is branded as the LogRhythm NextGen SIEM Platform. Its core offerings are LogRhythm Enterprise for large enterprises and LogRhythm XM for midsize enterprises. Add-on components are System Monitor (SysMon Lite and Pro), Network Monitor (NetMon and NetMon Freemium), and CloudAI. LogRhythm's SIEM can be deployed as software, a physical appliance or a virtual appliance. Delivery of the SIEM as a hardware appliance is one difference between LogRhythm and the other SIEM products discussed here.
➡ The XM solution is an all-in-one appliance composed of three components: Log Management, Event Management and the Advanced Intelligence Engine. LogRhythm Enterprise and XM are licensed by messages per second (MPS). If an organization wants to license individual components, System Monitor is priced per agent and Network Monitor is priced per gigabit per second of throughput. UEBA is priced by the number of identities monitored.
➡ AlienVault was acquired by AT&T in August 2018 and is part of AT&T's newly created Cybersecurity Solutions division. The AlienVault SIEM product, Unified Security Management (USM) Anywhere, is delivered as SaaS. It includes components for asset discovery, vulnerability assessment and intrusion detection (IDS) for network, host and cloud, as well as the core SIEM capabilities. USM Appliance (an on-premises software deployment) is still supported, but the vendor's emphasis is on the Anywhere SaaS offering.
➡ Additional offerings include the Open Threat Exchange (OTX), which supports threat intelligence sharing, and the OTX Endpoint Threat Hunter service; both are provided at no cost. AlienVault also offers Open Source Security Information Management (OSSIM). According to Gartner research, AlienVault provides monitoring of Google G Suite and Office 365 SaaS, and an API to support application integrations.
Based on the recommendations in the Gartner report, the following guidance applies.
☑ Midsize organizations seeking a SIEM-as-a-service delivery model with bundled security controls, but with little need for extensive database or application monitoring, should consider AlienVault.
☑ Organizations seeking a SIEM with native network monitoring, an endpoint agent and cloud-based analytics should consider LogRhythm.
☑ Organizations that want to integrate third-party devices in their infrastructure with the SIEM, and that are seeking a solution that scales from basic log management through advanced analytics and response, should consider Splunk.
As a system integrator, NEX4 provides a better solution for implementing SIEM features with our skilled professionals. Moreover, NEX4 also provides User and Admin Awareness Trainings to make implementing this leading-edge technology easier to understand.