based on nearly 300 real user experiences.
SolarWinds Log & Event Manager and Splunk Enterprise Security are popular security information and event management (SIEM) solutions, with each product’s customers voicing enthusiastic support for their offerings.
Still, there are several key differentiators between the two, particularly in deployment options and target markets: SolarWinds is only available as a virtual appliance, while Splunk doesn’t offer an appliance version of its solution; and SolarWinds is particularly well suited for SMBs, with robust features out of the box and straightforward licensing, while Splunk targets companies of all sizes.
Both SIEM solutions made eSecurity Planet‘s list of top 10 SIEM products. Here we look at both products’ key features and examine their respective strengths and weaknesses.
SolarWinds and Splunk features and options
SolarWinds Log & Event Manager (LEM) is designed to detect suspicious activity and send automated responses, enabling efficient investigation of security events for mitigation and compliance. SolarWinds LEM offers out-of-the-box compliance rules and reports with templates for regulated industries, a comprehensive audit trail of log and event data, and quick identification of policy violations.
“SolarWinds LEM is targeted at tightly resourced, budget-conscious security teams, which can typically be found in organizations with 0 to 10,000+ employees,” SolarWinds Head Geek Destiny Bertucci told eSecurity Planet by email. “Tightly resourced security departments are looking for technology that is affordable, quick to deploy, easy to use/maintain, and provides immediate value.”
Splunk Enterprise Security (ES) gives users a security-specific view of data to increase detection capabilities and optimize incident response. The solution provides a clear visual picture of an organization’s security posture, allowing users to customize views and drill down to raw events. The Splunkbase app store provides access to more than 1,000 apps that can be used with Splunk security solutions.
“While Splunk ES offers traditional SIEM use cases such as logging, alerting, reporting, compliance and monitoring, many of our customers have moved beyond those traditional use cases to use Splunk as their security nerve center,” Splunk director of product marketing Girish Bhat said by email. “We are seeing significant interest in expanded SIEM use cases such as advanced threat detection and incident response.”
Recent SIEM product improvements
The most recent version of SolarWinds LEM, v6.3.1, was released on February 20, 2017. New features included single sign-on, management console updates, the ability to access the LEM manager using SSH port 22 or port 32022, Oracle Java 8 for enhanced security and improved agent integration for systems running Windows 10, and a “What’s New” widget in the Ops Center to describe new features and improvements.
Recent additions to Splunk include version 4.0 of Splunk User Behavior Analytics (UBA), which enables customers to create and load their own machine learning models to identify custom threats and anomalies. Splunk ES Content Update was also launched in 2017, offering pre-packaged security content to Splunk ES customers to help them detect, investigate and manage specific threats.
Strengths and weaknesses: SolarWinds
SolarWinds LEM offers a well-integrated solution that’s a particularly good fit for SMBs, Gartner reports, thanks to its simple architecture, easy licensing, and robust out-of-the-box content and features. It supports a variety of event sources, and offers some threat containment and quarantine control functionality that isn’t available from competing SIEMs.
Still, the research firm notes that SolarWinds LEM is a closed ecosystem, making it challenging to integrate with third-party security solutions such as advanced threat detection, threat intelligence feeds and UEBA tools. “Integrations with service desk tools are also limited to one-way connectivity via email and SNMP,” the analyst firm said.
Monitoring of SaaS isn’t supported, and monitoring of IaaS is limited, the research firm adds. Customers who want to extend monitoring to networks and applications must purchase other SolarWinds solutions.
Strengths and weaknesses: Splunk
Splunk’s large partner ecosystem provides integration and Splunk-specific content through the Splunkbase app store. Splunk’s full suite of solutions also makes it easy for users to grow into the platform over time, and advanced analytics capabilities are available in a variety of ways throughout the Splunk ecosystem.
Still, Splunk doesn’t offer an appliance version of the solution, and Gartner clients have raised concerns about the licensing model and cost of implementation – in response, Splunk has introduced new licensing approaches, including the Enterprise Adoption Agreement (EAA).
“Splunk UBA is visible on shortlists of Splunk users seeking to add UEBA features, but competes with other UEBA solutions, some of which also offer SIEM functionality,” the research firm notes. “Buyers considering using Splunk for SIEM and a third-party solution for UEBA must validate the degree of integration of the solutions and assess the commitment of the respective vendors to continued integration.”
SIEM users weigh in
users give SolarWinds a 9 out of 10 and Splunk an 8 out of 10 – but Gartner Peer Insights users reverse the order, giving Splunk a 4.3 out of 5 and SolarWinds a 4 out of 5.
Jeffrey Robinette, system engineer at Foxhole Technology, wrote that SolarWinds’ out-of-the-box reports and dashboard are a key strength, noting, “It allows us to monitor access and pull cyber reports quickly. No more searching through logs on each server.”
In comparison to Splunk, Robinette said, SolarWinds doesn’t require much customization and its pricing is lower, while with Splunk, he wrote, “you need a PhD on customizing the reports.”
Raul Lapaz, senior IT security operations at Roche, wrote that while Splunk isn’t cheap, the ease of use, scalability, stability, speed of the search engine, and compatibility with a wide variety of data sources make it worth it.
Lapaz noted a few shortcomings, including the fact that cluster management can only be done via command line, and that permissions aren’t very flexible – “it would be nice to have more granular options, such as double factor authentication,” he wrote.
SolarWinds LEM is deployed as a hardened virtual appliance that can run on VMware ESC or Microsoft Windows Hyper-V.
Splunk can be deployed as software on premises, via the SaaS solution Splunk Cloud, in a public or private cloud, or in a hybrid deployment.
SolarWinds LEM is priced by the node, starting at 30 nodes for $4,995.
Splunk’s pricing is based on the number of users and the amount of data ingested per day. A free version is available for a single user and up to 500 MB of data per day. Splunk Light, for up to five users and up to 20 GB of data per day, starts at $75 a month, billed annually. Splunk Enterprise, for unlimited users and up to unlimited amounts of data per day, starts at $150 a month for 1 GB of data a day, with discounts per GB as you increase in volume — 10 GB of data a day costs $83 per GB per month, for example, while 100 GB of data a day costs $50 per GB per month.
For other SIEM product comparisons, see IBM QRadar vs Splunk, ArcSight vs IBM QRadar, ArcSight vs Splunk, AlienVault vs Splunk and LogRhythm vs Splunk.