ArcSight and IBM QRadar are two of the top security information and event management (SIEM) solutions. Both made eSecurity Planet's list of top 10 SIEM products, and both offer strong core SIEM functionality, but differ in several ways, including target markets and ease of use.
While ArcSight is feature-rich and highly customizable, it comes with a steep learning curve. And while QRadar can be easier to use out of the box, several features require the purchase of additional tools.
What follows is a look at the key features of each solution, along with analysis of their strengths, weaknesses and user feedback.
ArcSight and QRadar features and options
ArcSight Enterprise Security Manager (ESM), which Micro Focus acquired from HPE in September 2017, is a SIEM, data management and analytics platform that combines an open architecture for security data, real-time correlation, and an analytics-driven approach. The solution comprises three key layers: ArcSight ESM for threat detection, ArcSight Data Platform (ADP) for data collection and distribution, and ArcSight Investigate for investigation and analytics.
Sonny Dasgupta, Micro Focus product marketing lead for security operations, calls ArcSight ESM "a complete SIEM solution, which collects data at enterprise scale, enriches data with security expertise, uses analytics to find unknown threats and detects threats as they start to occur."
IBM QRadar SIEM automatically discovers log sources and new network traffic as new assets arrive on the network, and reduces millions of raw events into a manageable list of offenses that need investigation, using a correlation rules engine and behavioral profiling. QRadar ships with over 400 device support modules (DSMs) for parsing vendor log formats, with more available on the IBM Security App Exchange.
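To make concrete what a correlation rule actually does, here is an added example that is not QRadar's or ArcSight's rule language and not code from this article. It runs one classic rule, a burst of failed logins followed by a successful login from the same source, over a handful of constructed authentication events. The log format, the thresholds (5 failures in 60 seconds, success within 5 minutes) and the sample events are assumptions made for the example; the point is that 14 raw events collapse into 2 offenses, each carrying the context an analyst needs to start an investigation.

```python
"""One correlation rule over authentication events.

Added example for this article: it is not QRadar's or ArcSight's rule
language, only an illustration of how a rule turns many raw events into a
short list of offenses. Log format, thresholds and sample events are
assumptions made for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): timestamp, outcome, user, source IP.
SAMPLE_LOG = """\
2024-03-01T10:00:01 FAIL alice 203.0.113.7
2024-03-01T10:00:03 FAIL alice 203.0.113.7
2024-03-01T10:00:04 FAIL bob 203.0.113.7
2024-03-01T10:00:06 FAIL alice 203.0.113.7
2024-03-01T10:00:09 FAIL carol 203.0.113.7
2024-03-01T10:00:15 OK alice 203.0.113.7
2024-03-01T10:01:00 FAIL dave 198.51.100.2
2024-03-01T10:05:00 OK dave 198.51.100.2
2024-03-01T11:00:00 FAIL erin 192.0.2.9
2024-03-01T11:00:01 FAIL erin 192.0.2.9
2024-03-01T11:00:02 FAIL erin 192.0.2.9
2024-03-01T11:00:03 FAIL erin 192.0.2.9
2024-03-01T11:00:04 FAIL erin 192.0.2.9
2024-03-01T11:00:05 FAIL erin 192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+(\S+)\s+(\S+)$")


def parse_events(text):
    """Parse log lines into dicts, skipping malformed ones, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a real pipeline would count unparsed lines, not drop them silently
        ts, outcome, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "outcome": outcome,
                       "user": user, "src": src})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, fail_threshold=5, fail_window=timedelta(seconds=60),
              success_window=timedelta(minutes=5)):
    """Rule: at least fail_threshold FAILs from one source inside fail_window.
    Severity is raised if that source then logs in successfully within
    success_window of the end of the burst. One offense per source, so a
    repeated burst from the same attacker does not flood the analyst."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    offenses = []
    for src, evs in sorted(by_src.items()):
        fails = [e for e in evs if e["outcome"] == "FAIL"]
        oks = [e for e in evs if e["outcome"] == "OK"]
        start = 0
        for end in range(len(fails)):
            # shrink the window from the left until it spans at most fail_window
            while fails[end]["ts"] - fails[start]["ts"] > fail_window:
                start += 1
            if end - start + 1 < fail_threshold:
                continue
            burst_end = fails[end]["ts"]
            followed = [o for o in oks
                        if burst_end <= o["ts"] <= burst_end + success_window]
            offenses.append({
                "src": src,
                "rule": "brute_force_then_success" if followed else "brute_force",
                "severity": "high" if followed else "medium",
                "failed_logins": len(fails),
                "targeted_users": sorted({e["user"] for e in fails}),
                "first_seen": fails[start]["ts"].isoformat(),
                "compromised_user": followed[0]["user"] if followed else None,
            })
            break  # one offense per source: this is the reduction the analyst sees
    return offenses


def reduction(events, offenses):
    """How many raw events became how many offenses."""
    return {"raw_events": len(events), "offenses": len(offenses)}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    offs = correlate(evs)
    for o in offs:
        print(o)
    print(reduction(evs, offs))
```

The rule deliberately reports one offense per source rather than one per matching window; the tuning knobs a real SIEM exposes (thresholds, windows, which fields group events) are what decide whether the resulting list is "manageable" or just a second noisy feed.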
IBM director of security intelligence offering management and strategy Chris Meenan said by email that the company sees QRadar's time to value and ease of operation as key differentiators. "The solution is quick and easy to deploy, making the value more immediately impactful for teams," he said. "The ease of use also means it is a resource-conscious solution that requires less people to run the solution, so they can focus on other critical tasks."
Recent SIEM product improvements
ArcSight Investigate was launched in 2017, leveraging built-in analytics to empower level 1 analysts to participate in the investigation process while supporting advanced hunt capabilities for level 4 hunters. ArcSight ESM also now supports distributed correlation, enabling the deployment of multiple instances of correlators and aggregators to increase processing speed and provide failover processing.
Recent additions to QRadar include IBM QRadar with Watson, which merges the functionality of Watson with the QRadar Security Analytics Platform; IBM QRadar User Behavior Analytics, which analyzes user behavior to detect malicious activity; and IBM QRadar Network Insights, which offers real-time network data analysis. IBM QRadar Cloud Security has also been enhanced with the ability to secure AWS, Azure and Office 365 cloud services.
Strengths and weaknesses: ArcSight
Prior to Micro Focus' acquisition, ArcSight already had a large installed base of customers and a wide range of third-party professional services and support available for the product. The solution is highly customizable and can be integrated into a wide variety of SOC environments.
Still, Gartner notes that the product is undergoing several changes with the introduction of ADP, Investigate, and other components, in some cases resulting in duplication of data. Additionally, licensing can be complicated, with volume-based pricing for ADP, velocity-based pricing for ESM and user-based pricing for UBA.
Customers converting from older licensing models to new licenses and the ADP architecture told the research firm they've experienced challenges with the complexity and cost of license conversion. In response, Micro Focus has made changes to its licensing model, including the addition of a pricing option with no data restrictions.
Strengths and weaknesses: IBM QRadar
QRadar can be a good match for midsize and large enterprises seeking core SIEM functionality, Gartner says, as well as those looking for a unified platform capable of managing a wide range of security monitoring and operational technologies.
The research firm says its clients haven't shown much interest in IBM's BigFix solution for endpoint monitoring, and have instead turned to third-party solutions. Similarly, Gartner says QRadar's UBA functionality lags behind other vendors, and the IBM Resilient incident response tool doesn't integrate natively with QRadar.
While QRadar's workflow and incident response and management capabilities are above average, Gartner says, full orchestration and automation are only available through the premium IBM Resilient incident response tool – and threat-hunting functionality also comes at a premium through IBM's i2 Analyst's Notebook.
SIEM users weigh in
While their users acknowledge that every SIEM solution has its strengths, both ArcSight and QRadar have passionate supporters among their user base.
Regarding ArcSight, Dutch security consultant Karlo Luiten wrote that while his company also considered both Splunk and LogRhythm – and all three solutions have their benefits – "for large scale installations with multiple users and (sub) companies, ArcSight is the best option."
Still, Luiten said, ArcSight has a very steep learning curve. "If you get to know the product well, it is the most powerful product that I have worked with. It would be nice if new users could start using the product more easily," he wrote.
Senior security consultant Damian Scott wrote that while some UI enhancements to QRadar would be welcome, his customers who transition from another SIEM solution to QRadar are often pleasantly surprised by the number of issues being caught soon after implementation, just using the out-of-the-box rules enabled by default.
Deployment options
ArcSight supports both centralized and distributed deployments, and can be deployed on-premises as an appliance or as software, or in the cloud.
QRadar is available as on-premises hardware or software, or in the cloud.
Pricing and licensing
A variety of pricing and licensing models are available for ArcSight, from ingestion-based pricing to an all-you-can-eat model.
IBM QRadar is available as an on-premises solution starting at $10,400 (including 12 months of support), or as a cloud-based solution starting at $800 per month on an annual term. Pricing is based on events per second (EPS) and flows per second (FPS). The IBM QRadar Community Edition, a low-memory, low-EPS version of QRadar, is available for free.
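Because the license is sized on EPS and FPS, a practitioner wants a measured rate from their own logs rather than a guess. The following is an added example, not an IBM or Micro Focus tool and not code from this article, that profiles a stream of event timestamps and reports the average rate, the worst single second, and the highest sustained rate over a 60-second window. The 60-second window, the 25% headroom figure and the constructed sample stream are assumptions for the example, not IBM licensing terms; in practice you would feed it the timestamps of every event you intend to forward to the SIEM.

```python
"""Measure events per second from a timestamp stream for SIEM license sizing.

Added example for this article, not an IBM or Micro Focus tool. The window
length and headroom factor are assumptions for the example, not vendor
licensing rules.
"""
import math
from collections import Counter
from datetime import datetime, timedelta, timezone


def constructed_sample():
    """Constructed data, not real logs: a steady 2 events/second for two
    minutes, plus a 50-event burst in the 61st second."""
    base = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    stamps = []
    for sec in range(120):
        stamps.extend([base + timedelta(seconds=sec)] * 2)
    stamps.extend([base + timedelta(seconds=60)] * 50)
    return stamps


def eps_profile(timestamps, sustain_window=60):
    """Return average EPS over the whole span, the worst single second, and
    the highest average over any sustain_window consecutive seconds. Empty
    seconds count as zero so a quiet log does not inflate the average."""
    if not timestamps:
        raise ValueError("no events")
    per_second = Counter(int(ts.timestamp()) for ts in timestamps)
    first, last = min(per_second), max(per_second)
    counts = [per_second.get(sec, 0) for sec in range(first, last + 1)]
    span = len(counts)
    w = min(sustain_window, span)
    window_sum = sum(counts[:w])
    best = window_sum
    for i in range(w, span):  # slide the window one second at a time
        window_sum += counts[i] - counts[i - w]
        best = max(best, window_sum)
    return {
        "events": len(timestamps),
        "span_seconds": span,
        "avg_eps": len(timestamps) / span,
        "peak_1s_eps": max(counts),
        "sustained_eps": best / w,
        "sustain_window": w,
    }


def recommended_eps(profile, headroom=1.25):
    """Size on the sustained rate rather than the single-second spike, and
    leave room for growth. The 25% headroom is an assumption for this example."""
    return math.ceil(profile["sustained_eps"] * headroom)


if __name__ == "__main__":
    profile = eps_profile(constructed_sample())
    for key, value in profile.items():
        print(f"{key}: {value}")
    print("recommended EPS:", recommended_eps(profile))
```

The gap between the single-second peak (52 here) and the sustained rate (under 3) is the point: sizing a license on the spike overpays, sizing on the average alone ignores the bursts a SIEM has to absorb without dropping events, so the sustained figure with headroom is the number to take into a pricing conversation. The same approach applies to flows for the FPS figure.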