It’s a bona fide trend that companies that started out producing SIEM solutions are now branching out to provide full data management platforms. This is indeed the case with both Splunk and AT&T Cybersecurity, formerly known as Alienvault.
SIEM, the modern tools of which have been in existence for about 14 years, is an approach to security management that combines the SIM (security information management) and SEM (security event management) functions into one security management system. SIM collects, stores, analyzes and reports on log data for historical and compliance use; SEM analyzes log and event data in near real time to provide threat monitoring, event correlation and incident response. Because it runs 24/7 against live data, SIEM is now a core technology for large-enterprise security operations.
Together, the SIM and SEM functions give analysts both real-time and on-demand analysis of the security alerts generated by applications and network hardware. Security providers that can combine the two functions well are in the inside lane for new business.
Key features for enterprise SIEM include ingestion of data from multiple sources, interpretation of data, incorporation of threat intelligence feeds, alert correlation, analytics, profiling, automation and summation of potential threats.
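The features listed above are easier to reason about when reduced to the loop every SIEM runs: ingest raw events from more than one source, interpret them into a common schema, enrich them with threat intelligence, and correlate them into alerts. The following Python script is an added example for this article, not code from AT&T Cybersecurity or Splunk; the log lines, the indicator list and the two correlation rules are constructed for illustration and stand in for a real feed (such as OTX) and a real rule set.

```python
"""SIEM core loop in miniature: ingest heterogeneous logs, normalize them,
enrich with a threat-intel feed and correlate into alerts.
Added example for this article; not vendor code. All inputs are constructed."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intelligence feed (an OTX-style indicator list, assumed for the example).
THREAT_INTEL = {"198.51.100.23": "known brute-force source (example feed)"}

# Constructed raw events from two sources: Linux sshd syslog and a JSON cloud audit log.
RAW_EVENTS = [
    "2024-03-01T10:00:01Z bastion sshd[411]: Failed password for alice from 203.0.113.9 port 51000 ssh2",
    "2024-03-01T10:00:04Z bastion sshd[411]: Failed password for alice from 203.0.113.9 port 51001 ssh2",
    "2024-03-01T10:00:07Z bastion sshd[411]: Failed password for alice from 203.0.113.9 port 51002 ssh2",
    "2024-03-01T10:00:12Z bastion sshd[411]: Accepted password for alice from 203.0.113.9 port 51003 ssh2",
    '{"time":"2024-03-01T10:05:00Z","user":"bob","action":"ConsoleLogin","result":"Success","sourceIp":"198.51.100.23"}',
    "2024-03-01T11:00:00Z bastion sshd[412]: Failed password for carol from 192.0.2.77 port 40000 ssh2",
    "2024-03-01T11:30:00Z bastion sshd[412]: Accepted password for carol from 192.0.2.77 port 40001 ssh2",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)


def _parse_ts(text):
    """ISO-8601 with a trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def normalize(raw):
    """Interpret one raw line into a common schema; None if the line is not understood."""
    if raw.startswith("{"):  # JSON cloud audit record
        ev = json.loads(raw)
        return {
            "ts": _parse_ts(ev["time"]),
            "user": ev["user"],
            "src_ip": ev["sourceIp"],
            "outcome": "success" if ev["result"] == "Success" else "failure",
            "source": "cloud_audit",
        }
    m = SSHD_RE.match(raw)  # syslog line from sshd
    if not m:
        return None  # a real SIEM would keep the raw line; here we just skip it
    return {
        "ts": _parse_ts(m["ts"]),
        "user": m["user"],
        "src_ip": m["src"],
        "outcome": "success" if m["outcome"] == "Accepted" else "failure",
        "source": "sshd",
    }


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Rule 1: source IP appears in the threat-intel feed.
    Rule 2: at least `threshold` failed logins for one (user, src_ip) inside
    `window`, followed by a successful login from the same pair."""
    alerts = []
    failures = defaultdict(list)  # (user, src_ip) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src_ip"])
        if ev["src_ip"] in THREAT_INTEL:
            alerts.append({"rule": "threat_intel_match", "user": ev["user"],
                           "src_ip": ev["src_ip"], "context": THREAT_INTEL[ev["src_ip"]]})
        if ev["outcome"] == "failure":
            failures[key].append(ev["ts"])
            continue
        # A success: count only failures still inside the sliding window.
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "user": ev["user"],
                           "src_ip": ev["src_ip"], "failures": len(recent)})
        failures[key].clear()
    return alerts


def run(raw_lines=RAW_EVENTS):
    """Full pipeline: ingest -> normalize -> enrich/correlate -> alerts."""
    events = [e for e in map(normalize, raw_lines) if e]
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed input, alice triggers the brute-force rule (three failures within 11 seconds, then a success), bob triggers the threat-intel rule, and carol's single failure thirty minutes before her success trips nothing; the window and threshold are what a SIEM exposes as tunable rule parameters.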
AT&T Cybersecurity vs. Splunk: Two of the Best in the World
AT&T Cybersecurity and Splunk, both of which have been in the market Top 10 for the better part of a decade, are two of the most popular security information and event management (SIEM) solutions now available. They also have blossomed to become top-notch data management platforms. However, each vendor offers distinct benefits to potential buyers. Both offer strong core SIEM products, but they differ in use of intelligence and integration with third-party and other security tools.
Both companies make a point of playing nicely with most other supporting products, knowing that most IT shops already have a number of other security and data management products at work on a daily basis.
What follows are some key features and analysis of each solution: a side-by-side compilation of pros and cons for two of the best in the SIEM and data management tools business.
AT&T Cybersecurity
HQ: San Mateo, Calif.
CEO: Barmak Meftah (2011-)
Founded: 2007, Madrid, Spain
Number of employees: 400
Parent organization: AT&T Communications
Founders: Alberto Roman, Ignacio Cabrera, Julio Casal, Dominique Karg
What AT&T Cybersecurity brings to the IT table:
The AT&T Unified Security Management (USM) Appliance is a virtual or hardware appliance-based threat detection and incident response platform that combines SIEM and log management functionality with other security tools, such as asset discovery, vulnerability assessment and intrusion detection. USM Anywhere provides similar functionality in a cloud-based SaaS offering. A range of apps are available to add functionality, including integration with Cisco Umbrella, Palo Alto Networks, Carbon Black and others.
The former Alienvault was acquired by AT&T in August 2018, had its name changed to AT&T Cybersecurity in February 2019, and is an integral part of AT&T’s newly created Cybersecurity Solutions division. The AT&T Cybersecurity SIEM product, Unified Security Management (USM) Anywhere, is delivered as SaaS, and includes several components for asset discovery; vulnerability assessment; and intrusion detection system (IDS) for network, host and cloud; as well as for core SIEM capabilities. USM Appliance (an on-premises software deployment) is still supported, but the vendor’s emphasis is on the Anywhere SaaS offering. Additional offerings include the Open Threat Exchange (OTX) threat intelligence sharing capability and OTX Endpoint Threat Hunter service, both no-cost services. AT&T Cybersecurity also offers Open Source Security Information Management (OSSIM).
Key values/differentiators:
- AT&T Cybersecurity is aimed at end-user SIEM buyers, with an emphasis on financial services and health care as well as service providers. End-user customers are typically midmarket, not large, enterprises.
- Notable capabilities that have been added since the last Magic Quadrant research include monitoring of Google G Suite and Office 365 SaaS, an API to support app integrations, and a central management console (USM Central) for managed security service (MSS) partners.
- Midsize organizations seeking a SIEM-as-a-service delivery model with bundled security controls, but with little need for extensive database or application monitoring, or advanced analytics, should consider AT&T Cybersecurity.
- USM Anywhere bundles several security controls, sensors and other capabilities like file integrity monitoring (FIM)/endpoint detection and response (EDR) and vulnerability scanning as components of the solution.
- The Anywhere SaaS solution has a straightforward architecture: cloud-based storage and analytics/reporting, with on-premises endpoint agents and a network sensor for log aggregation and forwarding, network intrusion detection (NIDS) and vulnerability scanning. Scaling out means adding more agents and network sensors as needed.
- Implementation is straightforward: Users request new sensors via the management interface for the specific hosting platform (on-premises virtual machine or a virtual instance in Amazon Web Services [AWS] or Microsoft Azure), and the sensor is made available to be deployed. Configuring the sensor to accept events is supported by a wizard.
- Product currency and scalability are handled on the cloud-based platform. New features and updates are automatically deployed. If a client exceeds its licensed capacity, it is notified so it can arrange to move to a higher-capacity service tier.
- Support for native user analytics is limited to the capabilities provided by the underlying graph database, along with monitoring for attacks against identity and directory services. Integrations with third-party user and entity behavior analytics (UEBA) solutions are not supported.
How AT&T Cybersecurity is deployed:
AT&T offers multiple deployment options. USM Anywhere is delivered as SaaS, with its sensors deployed on-premises (as virtual machines) or in IaaS (AWS or Azure); USM Appliance is available for fully on-premises deployment as a virtual or hardware appliance, and the two can be combined in a hybrid model.
How AT&T Cybersecurity’s pricing works:
USM Anywhere is sold as a monthly subscription, with three Editions available: Essentials, Standard and Enterprise. Pricing starts at $650 per month for up to five user accounts and one sensor with a maximum monthly data volume of 4TB and 15 days of searchable event storage.
To take under advisement:
USM Anywhere lags behind some competitors in several areas, such as application and database monitoring, and integrations with third-party solutions such as cloud access security brokers (CASB), database activity monitoring (DAM), database audit and protection (DAP) and data loss prevention (DLP).
Who uses it: any size enterprise, typically midmarket organizations and managed security service providers
How it is deployed: subscription cloud service (USM Anywhere) with on-premises or IaaS sensors; on-premises USM Appliance still supported
eWEEK score: 4.8/5.0
Splunk
HQ: San Francisco, CA
CEO: Douglas Merritt (Nov. 19, 2015–)
Founded: October 2003
Subsidiaries: SignalFx, VictorOps Inc., Omnition, Streamlio, Inc.
Founders: Michael Baum, Rob Das, Erik Swan
What Splunk brings to the IT table:
Not only does Splunk have one of the more colorful names in all of the IT business, its SIEM system is highly rated and popular. Organizations seeking SIEM solutions that can share architecture and vendor management across SIEM and other IT use cases and those seeking a scalable solution with a full range of options from basic log management through advanced analytics and response should consider Splunk.
Its Security Operations Suite comprises Splunk Enterprise and three solutions: Splunk Enterprise Security (ES), Splunk User Behavior Analytics (UBA) and Splunk Phantom. Splunk Enterprise provides event and data collection, search, and visualizations for various uses in IT operations and some security use cases. The premium ES solution delivers most of the security-monitoring-specific capabilities, including security-specific queries, visualizations and dashboards, and some case management, workflow and incident response capabilities.
Splunk’s security portfolio has been ranked as a leading technology for six consecutive years by Gartner Research—not a trivial accomplishment. The platform helps customers optimize their security nerve centers and address a wide range of security monitoring and threat-detection use cases. Customers use Splunk Enterprise Security and Splunk User Behavior Analytics together as an Analytics-Driven SIEM to build their Security Operations Centers to detect, investigate and respond to threats. Splunk Phantom, a leading security orchestration, automation and response (SOAR) solution, helps customers investigate and accelerate their response to incidents.
Key values/differentiators:
- Splunk’s Security Operations Suite is centrally run and has an intuitive user interface. Its components divide the work cleanly: Splunk Enterprise handles collection, search and visualization; ES adds the security-specific content and case management; UBA adds machine learning (ML)-driven advanced analytics; and Phantom provides SOAR capabilities. Additional apps for security use cases are available through Splunkbase.
- Splunk’s most important enhancements over the past 12 months are support for guided investigation via the Investigation Workbench UI in Splunk ES, rapid content updates for ES and UBA, and speed improvements.
- Splunk’s offerings provide organizations with multiple entry points into security monitoring with a path that can start with basic event collection and simple use cases with Splunk Enterprise through to richer SIEM functionality with ES, more advanced analytics with UBA and SOAR capabilities with Phantom.
- The vendor has a strong ecosystem of technology integrations available in the Splunk application marketplace, although users of other technologies that compete with Splunk (for example, in the user analytics space) should validate the depth of integration.
- PII protection features are strong; obfuscation and PII masking are supported down to the field level and can be applied based on user identities, locations and other characteristics.
How Splunk is deployed:
- Splunk offers multiple deployment options: software on-premises, in IaaS and as a hybrid model. Splunk Cloud is a Splunk-hosted and -operated SaaS solution using AWS infrastructure. Splunk Enterprise and Splunk Cloud components consist of Universal Forwarders, Indexers and Search Heads supporting n-tier architectures.
How Splunk’s pricing works:
- Splunk is licensed based on the amount of data ingested into the platform, with pricing discounts for DNS and NetFlow data. ES is also licensed by gigabytes per day, whereas UBA is licensed by the number of user accounts in an organization, and all these are available either as perpetual or term licenses, with various options for enterprisewide pricing and true-ups. Phantom is priced by the number of events on which users take action.
To take under advisement:
- In another example of “You generally get what you pay for,” Splunk is generally more expensive than its competitors. Customers and prospective buyers tend to express concerns about pricing models and total cost. The addition of Phantom and the introduction of the “nerve center” concept (separate SIEM, UBA and SOAR products) result in three pricing models with different measurement approaches.
- Splunk UBA is an on-premises or customer cloud-only solution at this point, which can create friction with Splunk Cloud customers wishing to remain in a SaaS model.
- Splunk has no native agent support for FIM or EDR, although there are integrations with numerous third-party solutions.
- Splunk support for OT/IoT is largely dependent on the capabilities of third-party apps, rather than on Splunk support for OT protocols.
Who uses it: midrange to large enterprises
How it is deployed: options for subscription cloud service, virtual appliance, physical servers
eWEEK aggregate score: 4.9/5.0
————————————-
eWEEK has created this series of articles to examine all sectors of IT and present up-to-date research and analysis on the leading companies in each space. It’s all designed for enterprise buyers of hardware, software, services and cloud products to have more and better information in hand when the time comes to make an investment.