4 December 2020

QRADAR / SPLUNK Be or not to be a SIEM ? that is the question

Introduction

Whether it’s in your team, over a coffee, during a soc-exchange event or as part of a SIEM solution deployment project, you’ve probably heard somewhere the name of QRadar or Splunk, two of the best products in the Gartner Magic Quadrant for Security Information and Event Management (SIEM).

However, even today, the SIEM designation divides the cybersecurity professionals when it refers to one of the most popular and used tools in the world, SPLUNK.

We will see in my very first article specially written for educational purpose, that what is true for one is not quite true for the other, what makes them different and so why, compared to QRADAR, its biggest competitor in this category, Splunk is regularly seen as a SEM rather than a SIEM.

It’s therefore not intended to say that one product is better than another but rather to try to find answers to a question that is often debating and insist on the importance to transmit the good information to its various interlocutors whatever their job or knowledge.

What is a SIEM

A SIEM (Security Information and Event Management) type tool is an approach of the security management. It combines the SIM (Security Information Management) and SEM (Security Event Management) functions into a single security management system.

In few words, it is a key enterprise security solution that provides you real-time visibility and enables threat intelligence capabilities for your enterprise. This includes:

  • Ingestion of data from multiple sources
  • Analyse and interpret data in real-time
  • Prepare reports on data in the form of threat intelligence feeds
  • Profiling
  • Automation and activity management

QRadar? Splunk? What is it?

What is the IBM QRadar?

IBM QRadar is an Enterprise Security, Information, and Event Management system (SIEM). It collects information from the devices of an organization such as host assets, network devices, operating systems, and from various aspects such as vulnerabilities, user activities, and behaviours. IBM QRadar acts as a guard to the information and monitors every activity that occurs in the organization, and if it detects any malicious activity, it prevents it very quickly and minimises the risk factor to the organization.

What is SPLUNK > ?

Splunk INC is a multinational software platform based company whose software (Splunk) is used for indexing the machine data. Machine data can be converted into actionable information which helps in making data-driven decisions. The Splunk platform aggregates and analyzes the data from different sources such as programming interface and log information from websites, mobile devices, application servers, etc. Conversion of machine data into operational intelligence can help the Splunk customers in gaining awareness about what is happening over its IT environment in real-time.

Comparison of the two solutions

Listing and comparison of the basic components

The SPLUNK solution includes the following components: 

Basic ComponentsBasic Description
Forwarder (centralized or as agent on endpoints)Collect data and forward to indexer
IndexerIndex logs of IT environment from forwarder
Search Heads User interface to search & report on IT logs
Splunk Base / AppA library with 1000+ apps and add-ons from Splunk, partners, and the community used to collect external threat intelligence feeds, parse log sources, provide basic analytics for session monitoring (VPN, Netflow etc.) ….

The IBM QRadar solution includes the following components: 

Basic ComponentsBasic Description
Event collectorsFlow collectorCollect, normalize, parse data and forward to ProcessorCollect flows from TAP or Span port and forward to Processor
Event processorsFlow processorsIndex and store events from collectorIndex and store flows from collector or direclty from router (NetFlow, J-Flow et sFlow)
QRadar ConsoleGUI to search & reports, administrate and manage the components
X-Force Exchange / AppA cloud collaborative plateforme used to share threat informations, collect external threat intelligence feeds, with apps and add-on from IBM, partners, and the community to improve the IBM security solution throughout tuning app, new dashboard, log source parsers, Third partie solution management from console, virus total api …

Equivalence role and purpose between the Splunk and QRadar bases components :

SPLUNKIBM QRadar
ForwarderEvent collectorsFlow collector
IndexerEvent processorsFlow processors
Search Heads QRadar Console
Splunk BaseIBM  X-Force Exchange

Products proposed by both solutions

SPLUNKIBM
CoreSecuritySecurity
Splunk® EnterpriseSplunk® Enterprise securityIBM Qradar

About Splunk:

The solution offers 2 different products and they are classified into two distinct categories named “CORE” and “SECURITY”. The brief description given on the splunk website is as follows/The short description given on the splunk website is the folowing

While once offer powerful data aggregation and analyse functions, the other one provide the security information monitoring, analyse, security dashboards and incident response capabilties.

In other terms, we could qualify ‘Entreprise’ like a SEM and ‘ES’ like a SIM.

But, the most important thing we should be vigilant about and we should take in consideration, is that Splunk Entreprise Security cannot be used without Splunk Entrerprise, then the final price will obviously not be the same.That one reason why we have to be espcially prudent about the terms we could use in our daily life and the information we give to our different interlocutors.

Some Way, SPLUNK SIEM = SPLUNK Entreprise + Splunk Enterprise Security

it’s the combinaison of this both products which only permit SPLUNK to act like a SIEM and be put in this category of tools. But, can it be qualified as SIEM For all that?

We will try to answer this question in the next chapters, and we will also take a closer look on what makes Splunk Enterprise different from Splunk Enterprise Security and how they together deliver a SIEM-like solution.

About IBM QRadar Unlike Splunk, QRadar solution consists of only one product and natively integrates the functions of SEM and SIM into a single system. It is articulated around several basic components as its competitor. The description given on the IBM website are the folowing.

IBM QRadar Security Information and Event Management (SIEM)  is designed to automatically analyze and correlate activity across multiple data sources including logs, events, network flows, user activity, vulnerability information and threat intelligence to identify known and unknown threats. It’s helps security teams accurately detect and prioritize threats across the enterprise, and it provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents. By consolidating log events and network flow data from thousands of devices, endpoints and applications distributed throughout your network, QRadar correlates all this different information and aggregates related events into single alerts to accelerates incident analysis and remediation.

Key features and pricing model

SPLUNK Enterprise (basic offer)SPLUNK Enterprise Security
Volume or compute based pricing options Unlimited usersAbility to scale up to unlimited amounts of data per dayCollect and index any machine dataReal-time search, analysis and visualizationMonitor and alertMission-critical performance, scale and reliabilityCan’t be integrated with Splunk UBA.Standard support included, Premium support availableUnlimited usersUse all security relevant dataProvides incident tracking, response, and threat analytics.Monitor, detect, investigate and respond to threatsMission-critical performance, scale and reliabilityCan be integrated with Splunk UBA.Standard support included. Premium support availableSplunk Enterprise is Required

Pricing model : Mainly based on the number of users and on how much data you send into your Splunk installation each day (bytes) with built-in volume discounts. 

QRadar SIEM
Number of event based pricingData Store feature*Ingest vast amounts of data from on-prem and cloud sourcesApplies built-in analytics to accurately detect threatsCorrelate related activities to prioritize incidentsAutomatically parses and normalizes logsThreat intelligence and support for STIX/TAXIIIntegrates out-of-the-box with 450 solutionsFlexible architecture can be deployed on-prem or on cloudHighly scalable, self-tuning and self-managing database        

Pricing model : Mainly based on number of events per seconds and flow per minutes you send into your Qradar installation. DataStore, a paying feature, is also avaliable to reduct events deducted on the “events per seconde” licence..

Splunk: The tricky SIEM question

We have seen previously that for data management, SPLUNK proposes two distinct products which have their own features and have been designed to match two different needs and categories of use cases.

The description below from Splunk website indicates which product meets which use case.

However, we know that it is essential to have these two products if we want to benefit from the functionalities of a SIEM. Otherwise incident tracking, response, and threat analytics for example will not be possible nor avaliable (cf. Key features and pricing model).

This point is particularly important and it’s typically the kind of thing which should be taken in consideration before to choose a Security Information and Event Management solution (SIEM), especially if you have to present the solution to different people or to choose between several tools in this category. Once again, spreading the right information is essential.

Then how does Splunk manage to offer a SIEM with two separate products? How do they interact with each other, what is their difference on the fonctional aspect and how these two products are able to be combined into a single security management system which is the very principle of Security Information and Event Management

To get the answers at these questions, let’s take a look on the interesting messages bellow from two users to another one who asked what is the difference between “Enterprise” and “ES” on the community website

Obviously, none of the two products offered by splunk is a SIEM and is able on its own to provide the functions in a single management system.

The fact that they are proposed separately is great difference in comparison of QRADAR which include natively the Security Information and Event Management features in one dedicated product.

Futhermore, QRadar is purpose-built to address security use cases, not only about the data in general, and it’s intentionally designed to offer easily scale with a limited customization effort  from the security teams, to match with this use cases. 

Other particularity, while Splunk Enterprise is a software, Splunk Enterprise Security is an application, an extension, which is installed on it in order to be able to provide all the missing security features and so allow to propose a tool able to deliver SIEM functionalities.  

In some ways, we could even say that only Splunk Enterprise is really a product in itself and that’s its data visualization and analytics capabilities that constitute the basis of its offering.

Although SPLUNK can be put in this category of tool after and only after added the applicative layer containing the security features, it is not native and remains above all an option and not an essential and indissociable element being an integral part of one and same solution. This is why despite that, the subject divides and SPLUNK is above all seen as a powerful SEM, or a big data analytics platform rather than a full SIEM.

QRadar and Data Store: How to separate information data from security data

Another point that distinguish QRadar from Splunk in the SIEM domain and which makes it above all a tool especially intended for security teams, it’s the Data Store functionality.

In addition to allowing unlimited data storage by overcome the default Pricing model based on number of events per seconds you send into your QRadar installation, Data Store allows you to tag the incoming logs in order to separate them into two categories. By doing this, DATA STORE enables organizations to cost-effectively collect, standardize and store large volumes of data to facilitate compliance reporting, optimize AI-based incident investigations, and provide threat research teams the needed data to launch in-depth research and investigations (threat hunting).

Concretely, “Data Store” tags the incoming logs using a simple collection filter (Routing Rule) set-up from the QRadar console. By selecting the data source or event criteria from the data source, it is possible to easily define what data are sent to “Data Store” to be directly stored and ignored by the correlation engine. These informational, non-critical or compliance data have for only purpose to be collected and stored and they will not be deducted from the “Events Per Second QRadar SIEM” license. At the opposite, the security data will not be sent to “Data Store” and will be transmitted to the correlation engine because, by their nature, they are intended to real time analysis and security incident detection. So,  they will be deducted from the “Events Per Second QRadar SIEM” license. 

Difference between filtered and unfiltered data :

Incoming DATA

Filtered with “DATA Store” feature(Storage data)Non filtered with “DATA Store” feature(Analysys data)
Not sent to the correlation engineSent to the correlation engine
Not counted and removed on the Events Per Second QRadar SIEM licenseCounted and removed on Events Per Second QRadar SIEM license
Are mainly non-critical security and compliance dataAre mainly critical data for real time correlating

In summary, the purposes is to : 

  • Focus correlation on security data, while having the ability to meet compliance requirements on centralized collection of data from an increasing number of sources.
  • Overcome the “Events Per Second QRadar SIEM” default pricing model limitations by only subtracting the correlated logs (not filtered by data store).
  • Be able to constitute a data lake with predictable price based on the number of hosts (processor and data node components) which store the tagued data.
  • Have sufficient amount of data to make a posteriori analyzes and in-depth investigations (threat hunting operations).

Conclusion 

Splunk and QRadar are both powerful data management tools, however their approaches are very different.

Splunk is particularly known to be one of the best data analytics platform on the market and one of the most in-demand tools for Big Data professionals. Even if many people use Splunk for security, the real power of the platform comes in the different use cases it’s possible to fulfill with a single software. Thus, it will be especially used to monitor and analyse a huge amount of information coming from many various data sources (for it operations, to look for fraud, for business decission, for Heating Venting and Air-conditioning (HVAC) systems level…)

However, companies sometimes decide to replace Splunk for an equivalent open source solution due the increase data volume collection costs over time but, keep in mind that the open source philosophy is very often something like “do it yourself” meaning that could increase indirectly your man day cost

QRadar is famous to be one of the best product when it comes to security management for an organization. With a versatile and solid SIEM plateform it’s able to provide intelligent security analytics and a centralized threat detection and response system. Thus, it will be mainly used for monitoring, detection, investigation and response to most critical organization-wide cybersecurity threats as well as to reduce the expensive time spent on manual events tracking by the infosec teams in order to focus on the investigation and responses quality.

Anyway, choosing a data management tool will mostly depend on what you are looking to do, your budget, the workforce required for daily use, and regarding a SIEM solution, its ability to meet your own security needs.

Finally, to convince your management and unite the business teams around your solution, the correct information spreading will be an essential point. 

SOURCEs

QRADAR

https://mindmajix.com/ibm-qradar-tutorial

(QRADAR composants)
https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/c_qradar_comps2_deployment_guide.html

SPLUNK

https://intellipaat.com/blog/what-is-splunk/

https://www.gartner.com/reviews/market/security-information-event-management/vendor/splunk/product/splunk-enterprise-security-on-premises

(SPLUNK composants)

https://lantern.splunk.com/hc/en-us/articles/360043716573-Getting-to-know-your-Splunk-architecture-

QRADAR VS SPLUNK

https://mindmajix.com/ibm-qradar-vs-splunk

https://www.splunk.com/en_us/software.html

https://www.ibm.com/uk-en/products/qradar-siem?mhsrc=ibmsearch_p&mhq=IBM%20QRadar%20SIEM

DATA STORE

https://www.ibm.com/support/pages/new-ibm-qradar-data-store-offering

Leave a Reply

Your email address will not be published. Required fields are marked *