If you’re in the market for a security information and event management (SIEM) solution, you may be evaluating AlienVault and Splunk, each of which has distinct strengths.
Both SIEM products are rated highly by analysts and users, but there are important differences between the two in several key areas, including target markets, deployment options and pricing structure.
Both products appear in eSecurity Planet‘s list of top 10 SIEM products. Here we look at each solution’s key features and strengths and weaknesses.
AlienVault and Splunk features and options
The AlienVault Unified Security Management (USM) Appliance is a virtual or hardware appliance-based threat detection and incident response platform that combines SIEM and log management functionality with other security tools, such as asset discovery, vulnerability assessment and intrusion detection. AlienVault USM Anywhere provides similar functionality in a cloud-based SaaS offering. A range of AlienApps are available to add functionality, including integration with Cisco Umbrella, Palo Alto Networks, Carbon Black and others.
Although it is ideally suited for smaller IT security teams (1-20), AlienVault principal product marketing manager Sacha Dawes said USM Anywhere customers are from companies of all sizes, industry and geography. “USM Anywhere integrates essential security capabilities into a single unified platform, offering a simplified approach to security management that allows companies to avoid the headaches of having to integrate and monitor multiple point solutions,” Dawes said.
Splunk Enterprise Security (ES) provides real-time monitoring to give users a clear visual picture of their organization’s security posture, with easily customizable views and the ability to drill down to raw events as needed. The solution’s Security Posture dashboard tracks key security indicators and metrics, and machine learning helps determine whether Splunk can handle an incident on its own or needs human help.
Ad hoc search and static, dynamic and visual correlations help detect malicious activities, and the solution supports multi-step investigations to trace dynamic activities associated with advanced threats. The Splunkbase app store provides access to more than 1,000 apps that can be used with Splunk ES, including Splunk ES Content Update, Splunk Security Essentials for Ransomware, Splunk Security Essentials for Fraud Detection, and others.
Recent SIEM product improvements
AlienVault USM Anywhere is a relatively new offering, introduced in February 2017. AlienApps were added in June 2017, and more recent AlienApp integrations include AlienApp for Spycloud as well as integrations with Cisco Umbrella and McAfee EPO. The product team is continuing to develop new AlienApps to extend the capabilities of the core platform.
In the last year, Splunk has introduced Splunk ES Content Update, a subscription service that provides Splunk ES customers with pre-packaged security content designed to help them detect, investigate and manage threats. The company also launched Booz Allen Hamilton Cyber4Sight for Splunk, which combines security insights from Splunk ES with threat intelligence from Booz Allen Hamilton. Last year also saw the introduction of Splunk UBA 4.0, which lets users create and load their own custom machine learning models.
Strengths and weaknesses: AlienVault
AlienVault USM offers a wide range of integrated security functionality, including asset discovery, vulnerability management and intrusion detection. Customers say the security monitoring technologies included with USM offer more functionality for a lower cost than most competitors, and the pricing model is straightforward and easy to understand.
Still, Gartner notes that there can be some frustrating trade-offs inherent in choosing between USM Appliance and USM Anywhere – for example, capturing NetFlow data is supported by USM Appliance, but not by USM Anywhere, though USM Anywhere can capture VPC flow logs from AWS.
“AlienVault’s target market is midsize enterprises and smaller organizations,” Gartner notes. “As a result, enterprise-oriented features, such as role-based workflow, ticketing integrations, support for multiple threat intelligence feeds and advanced analytics capabilities, lag behind those of competitors that focus on enterprise customers.”
Strengths and weaknesses: Splunk
Splunk offers a range of security event management solutions that allow users to grow into the platform over time, and advanced analytics functionality is available throughout the ecosystem: as part of the core search capabilities, with Machine Learning Toolkit, prepackaged in UBA, and via third-party app providers.
Still, Gartner notes that Splunk doesn’t offer an appliance version of the solution, and clients have raised concerns about the licensing model and overall cost to implement the solution. In response, Splunk has added new licensing options such as the Enterprise Adoption Agreement (EAA).
“Many organizations start implementing Splunk for other use cases, easing the path for security teams looking to add a SIEM solution to their environment as the core infrastructure and event log sources are already in place,” Gartner said.
SIEM users weigh in
rel=”nofollow”>IT Central Stationusers give AlienVault an 8.4 out of 10, with Splunk following close behind at 8.0 out of 10. Gartner Peer Insights users give both solutions a 4.3 out of 5.
AlienVault reviewers said the solution enabled them to “create a SOC on a budget with smaller than usual staff requirements,” and that while “some of the correlation events are false-positive,” the solution offers “powerful threat detection, incident response, and compliance management.”
Splunk users said it gives them “the ability to bring multiple, disparate types of data together, then correlate and report on them,” and that while the “GUI can be improved” and “needs some updating,” the product “makes possible new sorts of correlations that were previously impossible using traditional SIEMs.”
Karl Hart, security operations manager at RoundTower Technologies, wrote that AlienVault’s ease of use and customization are key strengths, adding that “no matter what devices or the number of logs we throw at it, the system processes them in real time, correlates the events, and alerts on only events that need human review.”
Hart’s only real frustration with USM lies with the reports. “Hard to get what you need in a report, and once you do, there is no control over the formatting,” he wrote.
Mark Kline, information architect at a financial services firm, wrote that Splunk provides him with “immediate visibility into key business metrics and new business insights that deliver immediate value,” resulting in a “reduction in mean-time-to-investigate (MTTI) and mean-time-to-resolve (MTTR) production incidents from days to hours.”
Kline’s main issue with the solution is that while Splunk generally listens to customers and incorporates their feedback, he and others at his company “usually have to follow up with technical support on our open cases.”
rel=”nofollow”>Read more reviews written by users of AlienVault and Splunk.
AlienVault USM Appliance is available as a virtual or hardware appliance to be deployed on premises, while AlienVault USM Anywhere is a cloud-based SaaS solution designed to monitor cloud and on-premises environments.
Splunk ES can be deployed as software on premises, via the SaaS solution Splunk Cloud, in a public or private cloud, or in a hybrid deployment.
AlienVault USM Anywhere is sold as a monthly subscription, with three Editions available: Essentials, Standard and Enterprise. Pricing starts at $650 per month for up to five user accounts and one sensor with a maximum monthly data volume of 4TB and 15 days of searchable event storage. AlienVault USM Appliance is sold as a perpetual license, with pricing starting at $5,595.
Splunk’s pricing is based on the number of users and the amount of data ingested per day. A free version is available for a single user and up to 500 MB of data per day. Splunk Light, for up to five users and up to 20 GB of data per day, starts at $75 a month, billed annually. Splunk Enterprise, for unlimited users and up to unlimited amounts of data per day, starts at $150 a month for 1 GB of data a day, with discounts per GB as you increase in volume — 10 GB of data a day costs $83 per GB per month, for example, while 100 GB of data a day costs $50 per GB per month.
For other SIEM product comparisons, see IBM QRadar vs Splunk, ArcSight vs IBM QRadar, LogRhythm vs Splunk, SolarWinds vs Splunk and ArcSight vs Splunk.