Organizations looking to purchase a security information and event management (SIEM) solution really can’t go wrong with either Micro Focus ArcSight or Splunk. Customers rate both solutions highly, and analysts have also given them favorable reviews.
But while Splunk gets high marks for ease of use, deploying it at scale can be a challenge. And while ArcSight offers an open architecture and provides its users with an unusual degree of detail, some users have expressed frustration with its learning curve.
Both were featured in eSecurity Planet‘s list of top 10 SIEM products. This article takes a look at some key features of each solution and delves into their respective strengths and weaknesses.
ArcSight and Splunk features and options
Micro Focus purchased ArcSight Enterprise Security Manager (ESM) from HPE in 2017. The solution, which can collect and correlate up to 75,000 events per second (EPS), combines an open architecture for security data, real-time correlation, and an analytics-driven approach. ArcSight comprises three key layers: ArcSight ESM for threat detection, ArcSight Data Platform (ADP) for data collection and distribution, and ArcSight Investigate for investigation and analytics.
“ArcSight differentiates from the competition by combining the power of open architecture for security data, real time correlation, and an analytics-driven approach to hunt and investigation, which helps leading companies stay ahead of cyber threats,” Micro Focus product marketing lead for security operations Sonny Dasgupta told eSecurity Planet.
Splunk Enterprise Security (ES) gives users a security-specific view of data, enhancing detection capabilities and optimizing incident response. The Security Posture Dashboard provides clear situational awareness by tracking key security indicators and security metrics. All aspects of data source, key indicators and visual displays are customizable to meet the user’s needs.
The Splunkbase app store library includes more than 1,000 apps and add-ons from Splunk, the company’s partners, and the user community, including Splunk Security Essentials for Ransomware, G Suite for Splunk, Splunk Security Essentials for Fraud Detection, and Splunk App for PCI Compliance. The Adaptive Response Initiative, a Splunk-led security collective with more than 30 partners, also helps integrate technologies such as cloud security, endpoint security and threat intelligence.
Recent SIEM product improvements
In October 2016, ArcSight launched a new open architecture security data model with its intelligent Event Broker solution, which provides users with clean, enriched security data for third party analytics and machine learning tools. The intuitive security hunt and investigation solution ArcSight Investigate was launched in 2017. ArcSight ESM also now supports a distributed correlation mode, allowing the deployment of multiple instances of correlators and aggregators to increase processing speed.
In the past year, Splunk has introduced Booz Allen Hamilton Cyber4Sight for Splunk, which combines data from Booz Allen’s threat intelligence service with analytics-driven security insights from Splunk ES. The subscription service Splunk ES Content Update was also launched in 2017, providing dynamic new security content on an ongoing basis. And Splunk User Behavior Analytics (UBA) 4.0, launched in 2017, allows users to create and load their own machine learning models to identify custom threats.
Strengths and weaknesses: ArcSight
ArcSight is able to ingest data from a wide variety of sources – and its open platform enables structured data to be used outside the ArcSight solution. Its API allows for extensive integration in SOC environments, Gartner reports, and the solution can be fully customized to support threat management and compliance-focused use cases.
Still, the research firm notes that several elements of ArcSight’s architecture were being updated prior to the Micro Focus acquisition, so prospective users should make sure Micro Focus will continue to meet those commitments regarding functionality improvements and support.
Some of those changes have involved the introduction of ADP, Investigate and other components to support richer analytics, while still supporting legacy functionality. “As a result, customer choices regarding the deployment of some elements of the solution can result in duplication of data,” Gartner advises.
Strengths and weaknesses: Splunk
Splunk users have access to advanced analytics functionality in several ways – built into the core search capabilities, with the Machine Learning Toolkit, prepackaged in UBA, and from third-party app providers – and Gartner notes that Splunk’s large partner ecosystem offers a wide range of integration services and additional content.
Still, Gartner says its clients who have implemented Splunk consistently express concern about the licensing model and the cost of implementation. Additionally, while Splunk UBA is attractive to Splunk users who want to add UBA functionality, it competes with other UEBA solutions, some of which also offer SIEM features.
“Buyers considering using Splunk for SIEM and a third-party solution for UEBA must validate the degree of integration of the solutions and assess the commitment of the respective vendors to continued integration,” the research firm suggests.
SIEM users weigh in
Reviewers at one site give Splunk an average rating of 8 out of 10, with ArcSight a close second at 7.9 out of 10, while Gartner Peer Insights users give Splunk 4.3 out of 5 and ArcSight 3.9 out of 5.
Splunk reviewers said the solution “makes possible new sorts of correlations that were previously impossible using traditional SIEMs such as ArcSight or QRadar,” and said that while the licensing model might seem expensive, “with all the gain in functionalities you will have compared to traditional SIEM solutions I think it’s worth the price.”
ArcSight users said the product has “really sped up disclosure of inappropriate activity in information systems and on the network,” and that while there is a significant upfront cost to buy the product, “it enables us to speed our time to resolution.”
Joshua Biggley, engineer for infrastructure applications at Cardinal Health, wrote that the breadth of data sources Splunk can work with is impressive, and it does a great job at handling both structured and unstructured data.
“The initial setup was done without any prior experience and was up and running, including ingesting data, within a few hours,” Biggley wrote.
Still, Biggley said, deploying Splunk at scale isn’t easy. “It requires a significant amount of relatively complex architecture once you push past the single server instance,” he wrote, noting that with Splunk expertise in high demand, finding talented engineers to pull off a large-scale implementation can be hard.
Karthik Velli, delivery consultant for security solutions at Paladion Networks, wrote that while ArcSight is more expensive than many other SIEM solutions, he believes the price is fully justified.
“ArcSight gives you a platform to onboard out-of-the-box devices with a more accurate way of collecting desired logs/events,” Velli wrote, noting that while competitors offer something similar, ArcSight provides significantly more detail.
Still, Velli said, administration of ArcSight isn’t an easy job. “The admin needs to be well experienced in it to identify the root cause and fix it,” he wrote.
ArcSight and Splunk deployment and pricing
ArcSight supports both centralized and distributed deployments, and can be deployed on premises as an appliance or as software, or in the cloud.
Splunk ES can be deployed as software on premises, via the SaaS solution Splunk Cloud, in a public or private cloud, or in a hybrid deployment.
A variety of pricing and licensing models are available for ArcSight, from ingestion-based pricing to an all-you-can-eat model.
Splunk’s pricing is based on the number of users and the amount of data ingested per day. A free version is available for a single user and up to 500 MB of data per day. Splunk Light, for up to five users and up to 20 GB of data per day, starts at $75 a month, billed annually. Splunk Enterprise, for unlimited users and unlimited data volume, starts at $150 a month for 1 GB of data a day, with the per-GB price falling as volume increases: 10 GB of data a day costs $83 per GB per month, for example, while 100 GB of data a day costs $50 per GB per month. Because the license is sized on daily ingest, buyers should measure their actual peak daily volume before choosing a tier.
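Since the Splunk tier is chosen on daily ingest volume, the figure a buyer needs is the peak GB/day across the sources that will be onboarded. The script below is an added example, not code from the article or from Splunk: it parses lines in the shape Splunk writes to its own license_usage.log (the per-source, per-index records Splunk exposes under index=_internal), ignores non-Usage records, and rolls the byte counts up per day and per index. The hostnames, indexes and byte counts in SAMPLE_LOG are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of Splunk's license_usage.log
# (searchable as index=_internal source=*license_usage.log). The hosts,
# indexes and byte counts (b=) are made up for this example; the third
# line stands in for a non-Usage record and must be skipped.
SAMPLE_LOG = """\
03-12-2018 00:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st=linux_secure h="web01" o="" idx="os" i="A1B2C3D4" pool="auto_generated_pool_enterprise" b=536870912 poolsz=107374182400
03-12-2018 00:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="udp:514" st=cisco:asa h="fw01" o="" idx="network" i="A1B2C3D4" pool="auto_generated_pool_enterprise" b=3221225472 poolsz=107374182400
03-12-2018 00:00:01.000 +0000 INFO  LicenseUsage - type=RolloverSummary
03-13-2018 00:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/auth.log" st=linux_secure h="web01" o="" idx="os" i="A1B2C3D4" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=107374182400
03-13-2018 00:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="udp:514" st=cisco:asa h="fw01" o="" idx="network" i="A1B2C3D4" pool="auto_generated_pool_enterprise" b=4294967296 poolsz=107374182400
03-13-2018 00:00:01.000 +0000 INFO  LicenseUsage - type=Usage s="WinEventLog:Security" st=WinEventLog:Security h="dc01" o="" idx="windows" i="A1B2C3D4" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=107374182400
"""

GIB = 1024 ** 3

# Leading timestamp is MM-DD-YYYY; key=value pairs may be quoted or bare.
_TS = re.compile(r"^(\d{2})-(\d{2})-(\d{4}) ")
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_usage_line(line):
    """Return (ISO day, fields) for a type=Usage record, else None."""
    m = _TS.match(line)
    if not m:
        return None
    month, day, year = m.groups()
    # findall yields "" for the group that did not participate, so prefer
    # the bare value and fall back to the quoted one (which may be empty).
    fields = {k: bare or quoted for k, quoted, bare in _KV.findall(line)}
    if fields.get("type") != "Usage" or "b" not in fields:
        return None
    return f"{year}-{month}-{day}", fields


def daily_ingest(log_text):
    """Map each day to its total ingested GiB and a per-index breakdown."""
    per_day = defaultdict(lambda: {"total_gib": 0.0, "by_index": defaultdict(float)})
    for line in log_text.splitlines():
        parsed = parse_usage_line(line)
        if parsed is None:
            continue
        day, f = parsed
        gib = int(f["b"]) / GIB
        per_day[day]["total_gib"] += gib
        per_day[day]["by_index"][f.get("idx", "")] += gib
    return {
        d: {"total_gib": round(v["total_gib"], 3), "by_index": dict(v["by_index"])}
        for d, v in per_day.items()
    }


def peak_daily_gib(log_text):
    """Highest single-day ingest: the number a GB/day license must cover."""
    return max(v["total_gib"] for v in daily_ingest(log_text).values())


if __name__ == "__main__":
    for day, stats in sorted(daily_ingest(SAMPLE_LOG).items()):
        print(day, f'{stats["total_gib"]:.2f} GiB', stats["by_index"])
    print("peak:", peak_daily_gib(SAMPLE_LOG), "GiB/day")
```

On a live Splunk instance the same roll-up is one search against the internal index, for example `index=_internal source=*license_usage.log type=Usage | timechart span=1d sum(b)`; the script is for sizing from exported logs, or for checking a quote against the per-index breakdown before committing to a tier.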
For other SIEM product comparisons, see IBM QRadar vs Splunk, ArcSight vs IBM QRadar, AlienVault vs Splunk, SolarWinds vs Splunk and LogRhythm vs Splunk.