IBM QRadar and Splunk are two of the top security information and event management (SIEM) solutions, but each product offers distinct benefits to potential buyers.
Both SIEM solutions were featured in eSecurity Planet's list of top 10 SIEM products. Both companies offer strong core SIEM products, but differ in intelligence features and integration with third-party and other security tools. What follows are some key features and analysis of each solution.
QRadar and Splunk features and options
IBM QRadar SIEM leverages automation to detect sources of security log data and new network flow traffic resulting from additional assets appearing on the network. It also uses an advanced correlation rules engine and behavioral profiling technology to reduce millions or billions of data points into a manageable list of required investigations. The solution ships with more than 400 support modules, and dozens more are available on the IBM Security App Exchange.
"By chaining together multiple security events into known patterns of malicious behaviors, QRadar can pinpoint network breaches, data exfiltrations and anomalistic conditions occurring on an organization's network," IBM Security program director Patric Vandenberg told eSecurity Planet. "This core capability is richly supported by vulnerability management, network forensics tools, and an integrated incident response solution in the same workbench."
Splunk Enterprise Security (ES) provides a clear visual picture of an organization's security posture, with the ability to customize views and drill down to raw events as needed. Continuous security monitoring along with case management and incident response functionality allow users to conduct rapid investigations using ad hoc search and static, dynamic and visual correlations to detect threats.
The Splunkbase app store provides access to more than 600 apps that can be used with Splunk security solutions, including Splunk Security Essentials for Ransomware, Splunk Security Essentials for Fraud Detection, Cisco Networks App for Splunk, and Splunk App for PCI Compliance. Splunk's Adaptive Response Initiative, a security collective with over 30 partners, also helps integrate technologies such as next-generation firewalls, endpoint security and threat intelligence.
Recent SIEM product improvements
In the past year, IBM has enhanced QRadar with the addition of IBM QRadar with Watson, which combines the capabilities of Watson with the QRadar Security Analytics Platform; IBM QRadar User Behavior Analytics, which analyzes user behavior to detect malicious activity; and IBM QRadar Network Insights, which analyzes network data in real time to detect attacks and security threats. IBM QRadar Cloud Security has also been improved with the ability to secure AWS, Azure and O365 cloud services.
New additions to Splunk's offering over the past year include Splunk ES Content Update, a subscription service that offers pre-packaged security content to help customers detect, investigate and manage specific threats, as well as Booz Allen Hamilton Cyber4Sight for Splunk, which provides customers with access to actionable security intelligence from Booz Allen's threat intelligence service. The company also launched Splunk User Behavior Analytics (UBA) 4.0, which enables customers to create and load their own machine learning models to identify custom anomalies and threats.
Strengths and weaknesses: IBM
QRadar is a good fit for midsize and large enterprises that need core SIEM functionality, says Gartner, as well as those seeking a unified platform capable of managing a wide range of security monitoring and operational technologies.
Still, there are some shortcomings. While IBM offers the BigFix solution for endpoint monitoring, Gartner says its clients have shown very little interest in it and have turned instead to third-party solutions. The firm also reports that QRadar's UBA functionality lags behind other vendors, and the IBM Resilient incident response tool doesn't offer native integration with the QRadar platform.
Workflow, incident response and management capabilities are better than average, but full orchestration and automation are available only through IBM's Resilient Incident Response Platform premium solution, Gartner notes. Threat-hunting capabilities also come at a premium, through IBM's i2 Analyst's Notebook.
Strengths and weaknesses: Splunk
Splunk offers a full range of solutions that enable users to grow into the solution over time, with advanced analytics available throughout the platform. A wide range of partners offer integration services, and apps are available through the Splunkbase app store.
Still, Gartner reports that some of its clients have raised concerns about the licensing model and the overall cost of implementation. Splunk has introduced new licensing options to address those concerns. Additionally, since Splunk doesn't offer an appliance version of the solution, companies that want an on-premises appliance have to turn to a third-party provider.
Splunk is mainly focused on core SIEM capabilities, and lacks specific advanced threat detection solutions, Gartner said. Splunk Stream (included with Splunk Enterprise) can collect network traffic for analysis, and the Splunk Universal Forwarder can be used as a lightweight agent for endpoint analysis, the firm said.
SIEM users weigh in
Users of both SIEM products have their own views.
Colt Rogers, an infrastructure engineer at IT services company Zirous, wrote that Splunk has been "extremely useful in the proactive monitoring of clients' hardware, networking, and security operations."
Among other use cases, Zirous uses Splunk for proactive account lockouts based on machine learning of a typical person's average number of failed login attempts. This came in handy when a network breach was contained nearly immediately thanks to auto-logout policies.
One security engineering and operations director praises IBM QRadar's ability to correlate data across a global enterprise in near-real time, its third-party solution integration, and machine learning features such as Watson integration and indicators of compromise. Incidents have been detected in real time, he notes.
IBM QRadar and Splunk SIEM solutions compared
| Product | Target market | Scale | Intelligence features | Deployment | Pricing |
|---|---|---|---|---|---|
| Splunk Enterprise Security | Highly regulated industries | Most users ingest several petabytes daily | Integrates with Splunk UBA & machine learning toolkit | Software or cloud | Based on max daily data volume; starts at $1,800/GB/day |
| IBM Security QRadar | Enterprises and regulated industries | 400+ sources, scales to millions of events per second | UBA, forensics, packet inspection, Watson integration | Cloud or hardware, software or virtual appliance | Cloud starts at $800/month; on-premises at $10,400 |
QRadar is available as on-premises hardware or software or in the cloud. Smaller customers can offload all the deployment and maintenance to an IBM cloud-based solution, while larger firms can choose either an on-premises deployment, or adopt a hybrid approach collecting data from local and cloud-based applications, Vandenberg said.
Splunk ES can be deployed as software on premises, via the SaaS solution Splunk Cloud, in a public or private cloud, or in a hybrid deployment. "Many of Splunk's customers have a growing interest in leveraging Splunk ES in the cloud," Splunk director of product marketing Girish Bhat told eSecurity Planet by email. "Today, many customers are changing their overall security model from on-premises to hybrid models, enabling them to drive security analytics both locally and in the cloud."
IBM QRadar pricing is based on events per second (EPS) and flows per second (FPS). The on-premises solution starts at $10,400, including 12 months of support, while the cloud-based solution starts at $800 per month on an annual term. The IBM QRadar Community Edition, a low-memory, low-EPS version of QRadar, is available for free.
Splunk's pricing is based on the number of users and the amount of data ingested per day. A free version is available for a single user and up to 500 MB of data per day. Splunk Light, for up to five users and up to 20 GB of data per day, starts at $75 a month, billed annually. Splunk Enterprise, for unlimited users and up to unlimited amounts of data per day, starts at $150 a month for 1 GB of data a day, with discounts per GB as you increase in volume — 10 GB of data a day costs $83 per GB per month, for example, while 100 GB of data a day costs $50 per GB per month.
With machine data growing at 50 times the rate of traditional business data, Bhat said, Splunk is seeing customers significantly increasing their data ingestion into double-digit terabytes. "This also means more data sources are being ingested, giving security analysts a more complete view of their security posture," he said.