What is SIEM and SOC?
Security Information and Event Management (SIEM) is the real-time analysis of security alerts generated by applications and network hardware. It brings Security Information Management (SIM) and Security Event Management (SEM) together under one framework. Security assessment is performed by collecting and monitoring machine-generated data.
SOC, or the Security Operations Center, is a facility that houses a team of security experts who monitor and safeguard the organization’s security. The SOC covers many areas, such as SIEM, GRC and VAPT tools, IDS and IPS. SIEM is an integral component of the Security Operations Center.
We will be discussing two SIEM products: Splunk, and IBM QRadar.
Comparison Key Factors
Histories of Products
Gartner’s Magic Quadrant 2020
Deployment & Target Industry
Fundamental Comparison (Pricing, Intelligence, and Metrics)
Splunk’s pros and cons
Pros and cons of IBM QRadar
1. Histories of Products
Splunk: Splunk was established in 2003 and is the first global data-to-everything platform.
QRadar: QRadar was created by Q1 Labs and was acquired by IBM in 2011. IBM announced that it would acquire QRadar in order to help clients better secure their business by using analytics to connect data across security domains and create security dashboards for their businesses.
2. Gartner’s Magic Quadrant 2020
Gartner is a well-known research and advisory firm whose clients include 77% of the world’s top 500 companies. Its research on information security and information technology is released annually. We are looking at one such summary: Gartner’s Magic Quadrant 2020 for the SIEM category.
The quadrant is divided into four sections: Leaders, Challengers, Visionaries, and Niche Players.
Gartner examines SIEM products on key attributes, weighted by importance, and summarizes its findings in the Magic Quadrant or the Critical Capabilities report.
Gartner reviews the following attributes of products:
Real-Time Monitoring
Reviewer Demographics by reviewer size
These are the attributes used to compare QRadar and Splunk this year.
3. Deployment & Target Industry
Splunk: Splunk can be deployed on-premises or as a SaaS solution in Splunk Cloud. It can also run on a private or public cloud, and even a hybrid cloud (a combination of public and private cloud).
Splunk is used primarily in highly regulated industries, e.g., oil and gas, financial services, healthcare, banks, airlines and railways, nuclear plants, space research organisations, etc.
QRadar: QRadar can be used on-premises or in the cloud. Smaller customers can outsource all maintenance and deployment to an IBM cloud-based solution. Larger companies can choose an on-premises deployment, or a hybrid approach that collects data from both local and cloud-based applications.
QRadar can be used in moderately regulated enterprises and industries, e.g., small to large private IT corporations.
4. Fundamental Comparison (Pricing, Intelligence, and Metrics)
We have seen that QRadar can be used in medium-sized to large organizations, while Splunk can be used in small-scale businesses. We’ll be looking at detailed analyses of both products, based on:
These components are for Splunk and QRadar.
Metric: based on the number of users and the volume of data ingested each day (several petabytes per day).
Intelligence: integration with Splunk User Behavior Analytics (UBA) and Machine Le