If you're in the market for a security information and event management (SIEM) solution, both LogRhythm and Splunk have a lot to offer, with strong support from customers and industry analysts.
Still, while LogRhythm provides an integrated user experience with a support team that consistently gets rave reviews, the solution comes with a steep learning curve. And while Splunk is highly customizable, some users have expressed frustration with the cost of implementation.
Both solutions appear in eSecurity Planet's list of top 10 SIEM products. What follows is a closer look at key features of each product, with an examination of their strengths and weaknesses.
LogRhythm and Splunk features and options
LogRhythm's SIEM solution combines enterprise log management, security analytics, user entity and behavioral analytics (UEBA), network traffic and behavioral analytics (NTBA) and security automation and orchestration. The product is built on a machine analytics/data lake technology foundation that's designed to scale easily, with an open platform that allows for integration with enterprise security and IT infrastructure.
That integrated approach can make for efficient security operations, from threat detection to incident response.
Splunk's core product offering, Splunk Enterprise, works alongside the SIEM solution Splunk Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). It provides a clear visual picture of an organization's security posture, with the ability to customize views and drill down to raw events as needed. It's useful for ongoing monitoring as well as for troubleshooting security incidents, helping streamline the detection and investigation processes.
Splunk offers a dashboard, pre-built reports, custom visualizations and an adaptive response capability that leverages machine learning to determine whether the solution can handle a particular incident on its own or if it needs human assistance. More than 1,000 apps and add-ons are available through the Splunkbase app store.
Recent SIEM product improvements
The introduction last year of LogRhythm 7.3 added collection support for additional cloud infrastructure and SaaS providers, more than doubled the solution's per-node data processing and indexing throughput, and added TrueIdentity data enrichment features to improve user-based threat detection. The company also introduced the analytics-as-a-service offering CloudAI, which uses machine learning to model a wide variety of user behaviors for detection of user-based threats, as well as a standalone LogRhythm UEBA offering, which allows users of third-party SIEM solutions to leverage LogRhythm for UEBA.
Recent enhancements from Splunk include the launch of the subscription service Splunk ES Content Update, which offers pre-packaged security content to Splunk ES customers to help them detect, investigate and manage specific threats. Booz Allen Hamilton Cyber4Sight for Splunk was also recently introduced, combining cyber insights and security intelligence from Booz Allen's threat intelligence service with security insights from Splunk ES; and version 4.0 of Splunk UBA was launched, enabling customers to create and load their own machine learning models to identify custom anomalies and threats.
Strengths and weaknesses: LogRhythm
LogRhythm is a good fit for companies seeking a contained platform that includes core SIEM functionality as well as complementary host and network monitoring capabilities, Gartner reports, noting that the product is also a good match for organizations that need to monitor the security of their ICS/SCADA or OT environments, or that seek to merge security event monitoring of IT and OT environments.
Still, the research firm notes that while LogRhythm has a partner program to help facilitate custom integrations, the company doesn't offer an app store like many competitors do, and its APIs are less open to third parties. Similarly, Gartner says companies with third-party threat intelligence feeds should be sure to confirm support with LogRhythm, as it supports a limited number of feeds out of the box.
The research firm also reports that some customers have expressed concerns about LogRhythm's ability to scale to support very high event volume environments, and advises that potential buyers should validate LogRhythm's ability to support their event and data volumes.
Strengths and weaknesses: Splunk
Splunk offers a full suite of security event management solutions that allow users to grow into the platform over time, starting with Core, then adding ES and UBA. Splunk's app store leverages the company's large partner ecosystem to provide a wide range of integrations and Splunk-specific content.
Still, Gartner notes that Splunk doesn't offer an appliance version of the solution, so companies that want an on-premises appliance will have to work with a partner that can provide integration on supported hardware. Gartner clients have also expressed concerns about Splunk's licensing model and the overall cost of implementation; Splunk has introduced new licensing options to address those concerns.
Splunk UBA is on shortlists of Splunk users seeking to add UEBA features, but competes with other UEBA solutions, some of which also offer SIEM functionality, the research firm said.
SIEM users weigh in
IT Central Station users give LogRhythm an average rating of 8.7 out of 10, with Splunk following close behind at 8.0 out of 10. Similarly, Gartner Peer Insights users give LogRhythm an average of 4.4 out of 5, and Splunk an average of 4.3 out of 5.
Splunk reviewers said the ability to view a wide range of logs and drill down into specific times or data sources "has proved to be the greatest aspect in decreasing our troubleshooting overhead time." One reviewer said scalability was particularly issue-free, noting, "It is almost seamless to add new index (storage) or search (used to analyze the data) nodes to the cluster."
LogRhythm users said the most valuable feature of the solution is "the ability to correlate logs throughout many different log sources." The company's support team also gets rave reviews, with one user saying it's the "best support services I have ever seen from a company," with "prompt response to issues."
Paul Gilowey, foundation technology specialist at Santam, wrote that thanks to Splunk, "MTTR is drastically reduced, because the developers and other IT support staff have instant access to log events," and personnel costs are reduced "by not having to involve the domain developers from multiple teams when tracing a problem that spans multiple platforms."
Still, Gilowey said official training can be so expensive that most people aren't able to get certified, forcing users to stick to basic functionality. Similarly, he said, "Splunk Enterprise becomes extremely expensive after the 20GB/month license, but if you take care of what you log, i.e. by not logging excessive application events, then that license will get you a long way."
Reno Thomas, senior security engineer at Augeo Marketing, wrote that LogRhythm is an excellent fit for small to medium-sized companies, and provides him with the visibility he needs into the network. "We got it for PCI compliance for the most part, and we also do SOC 1 and SOC 2 compliance, so we can show that we're secure to our clients," he wrote.
Thomas said getting started was a challenge, however. "When you get LogRhythm out-of-the-box, there are so many knobs to turn and so many things to configure and set up that it's almost impossible to do it on your own as an enterprise security engineer," he wrote. "I have a lot of experience with a lot of advanced tools and I find LogRhythm very challenging."
LogRhythm's SIEM can be purchased as an appliance or as software, and deployments can be on premises, cloud or hybrid. Third-party providers offer fully hosted and managed solutions as well.
Splunk is available as software that can be run on-premises, in IaaS, and as a hybrid model, as well as via the Splunk-hosted SaaS solution Splunk Cloud.
LogRhythm's SIEM begins at $28,000, with subscription options also available.
Splunk's pricing is based on the number of users and the amount of data ingested per day. A free version is available for a single user and up to 500 MB of data per day. Splunk Light, for up to five users and up to 20 GB of data per day, starts at $75 a month, billed annually. Splunk Enterprise, for unlimited users and unlimited data per day, starts at $150 a month for 1 GB of data a day, with per-GB discounts as volume increases: 10 GB of data a day costs $83 per GB per month, for example, while 100 GB of data a day costs $50 per GB per month.