It has been so long since the last time I wrote about SIEM solutions on this blog! How long exactly? Well, since the last post I have changed 2 companies and 4 functions and relocated to another country. That kind of long.
SIEM and log management topics are still very dear to me, although my focus on IT and information security has widened to the point of including Information Risk Management as well.
I am going to summarize the SIEM landscape of the last 3 years, with the main actors involved.
HP ArcSight became Micro Focus ArcSight with HP's spin-off of its software business. The decision seems to have been taken a long time ago already. The ambiguity in the way the merger/sale was handled between HP and Micro Focus pushed customers to look for alternatives. The acquisition of the HP Software division, including the ArcSight product family, by Micro Focus was announced on the 7th of September 2016 and was completed officially on the 1st of September 2017. But people close to the subject know that long before the acquisition was announced, product development activities had been severely slowed down, if not completely stopped.
HP ArcSight already had difficulties addressing long-term storage of data on the platform itself, in addition to lacking the advanced features offered by competitors. Running even simple queries on the old-fashioned Logger took ages, even when tried on the command line with scripts.
These problems have since been addressed by the ArcSight Data Platform (I will provide a dedicated post on that later), and some advanced features such as User and Entity Behavior Analytics (UEBA) are now presented to customers, but I think the damage is done. ArcSight has lost an important part of its customer base, other than the big accounts that have really invested too much in the solution to leave it.
The arch-rival of ArcSight, at the time I left, was IBM QRadar. QRadar was somewhat less customizable compared to ArcSight, but it was a strong competitor with regard to its integrations, Network Packet Flow Analysis (QFlow) being the most important. Apart from this, the platform was, and still is, capable of indexing all log fields, compared to ArcSight's limited indexing capability, which can be considered a huge advantage.
Moreover, architecture-wise, QRadar supported scaling out (increasing performance/capacity by adding new devices), therefore allowing much better online retention of logs without sending them to external storage, whereas until recently ArcSight's Logger only supported scaling up (increasing performance/capacity by increasing system resources).
The relative simplicity of IBM QRadar also helped the solution's overall stability; on ArcSight's side, this required a separate management appliance (ArcSight Management Center) and sometimes some 3rd-party appliances for connector health management.
Another advantage of QRadar is its integrated additional capabilities, such as the User Behavior Analytics module, which is not as effective as a full-blown UEBA solution (from Exabeam, for example) but still does the essentials for enriching the bare log data. When talking about data enrichment, the ability to consume Vulnerability Management data should not be left out either.
IBM QRadar seems, in my humble opinion, the best option for large environments and for on-premise use.
McAfee ESM used to be the 3rd major actor behind ArcSight and QRadar. McAfee had the advantage of being a simpler solution to configure and to license within a vendor-controlled package. Not much has changed since, other than a big-data approach being applied to McAfee ESM's architecture and the front-end being transformed to HTML5. McAfee's SIEM solution was, and is, one of the least appealing SIEM solutions for me, as it never got the attention it deserved from the organization, always lagging behind McAfee's flagship products.
It can be recommended to small-to-medium-sized organizations with strong relations to McAfee.
Hi,
Thanks for sharing!
Do you think the ArcSight team will have some big changes in the future to improve the searching capability?
Regards,
Lap