Category Archives: Head 2 Head

Clash of the Titans – ArcSight vs QRadar


ArcSight vs QRadar
Continuing with the SIEM posts we have done at Infosecnirvana, this post is a Head to head comparison of the two Industry leading SIEM products in the market – HP ArcSight and IBM QRadar.
Both the products have consistently been in the Gartner Leaders Quadrant. Both HP and IBM took over niche SIEM players and have made themselves relevant in the SIEM market.
We have worked on both the products and feel that this comparison is a good way to start the discussion rolling on features of both the products and how they approach the problem of Security Information & Event Management.
Okay, Let’s get started!!!
ArcSight vs QRadar
Subject ArcSight QRadar
Product Birth Year 2000, ArcSight SIEM came into the market and incidentally this was the only product they have worked on. In 2011 HP bought them Year 2004-2005, Q1 Labs entered into the SIEM market modifying their NBAD platform (QFLOW) and in 2012, IBM bought them.
Logging Format CEF – Common Event Format LEEF – Log Event Extended Format
Underlying DB Oracle till 2012, then combination of MySQL, PSQL etc. Proprietary based on Ariel Data store and probably Ariel Query Language (AQL)
Vendor Support ArcSight supports more than 400 vendors with their CEF certification program QRadar supports more than 250 vendors with their LEEF certification program
Portfolio Log Correlation – HP ArcSight ESM

Log Management – HP ArcSight Logger

Identity Correlation – HP Identity View

Intelligence Feeds – HPRepSM

Threat Detection – HP ArcSight Threat Detector

Response and Action – HP ArcSight TRM

Log Correlation – IBM QRadar Console

Log Management – IBM QRadar Log Manager

Network Forensics – IBM QRadar NBAD (using QFlow)

Intelligence Feeds – IBM X-Force

Vulnerability Management – IBM QRadar VM (with dedicated Scanner)

Response and Action –  IBM QRadar Incident Forensics for Response only

Identity monitoring ArcSight has a separate feature called IdentityView (separate license) to provide the identity perspective of events occurring in ArcSight. It integrates with Identity solutions (AD, Oracle) to keep track of user activity regardless of the account being used. It assigns risk scores to users based on their activity, and can graphically represent this activity and compare it to others with similar roles. QRadar does not have the capability similar to Identity View, however, it does integrate with Identity solution to provide user information in the offenses created.
Network Behavioral Analysis ArcSight does not natively collect flow data however, it can obtain Netflow data from other devices such as routers, etc. The Netflow data provides visibility only up to layer 4 (no application visibility) QRadar due to its origin as a NBAD product has powerful Network Behavioral Analysis (NBAD) capability through its  QFlow appliance (Network Flows data including Layer 7 flows, Jflow, Netflow, IPFIX, SFlow, and Packeteer’s Flow Data Records can be collected and processed). This would allow us to review application and network flows and assess it for anomalous traffic, persistent threats etc.
Vulnerability Management ArcSight can integrate with Vulnerability scanners and gather Scan reports for correlating vulnerability information with the security events collected.  However, it is more of a data aggregator in the case of VM tools. QRadar has a Vulnerability Management product (QVM). This has all the features comparable to ArcSight, however, IBM has upped the ante in this space by including a Scanner in the product that can actively scan hosts if enabled with QVM license. This provides security analysts to gather real time information if they choose to from the same SIEM console.
Dynamic Risk Management ArcSight does not have any risk management capabilities. However, it can integrate with commercial risk management products to provide basic correlation QRadar has a Risk Manager (QRM) product that collects Network configuration information and provides a risk modeling capability to assist in understanding the extent of impact of a configuration change in the network. This is akin to Skybox, Algosec or RedSeal and perform in similar capacity
Log Collection Agent Less – Using Connector Appliance. Logger Appliance can also serve as Log receiversAgent Based – Software Install on Servers for all types of log collection Agent Less – Any QRadar Appliance, Console, All-in-One Combo boxes, Event Collector etc. can collect Logs remotelyAgent Based – Connector software available for Windows. For others, Agentless is the only option.Flow Collection – By default any appliance can collect flow data, however, dedicated Flow Collectors are an option in QRadar.
Log Management Separate Log Management Software, Appliance which is different from the ESM appliance. They have a Express version which combines both but in general HP Logger fills the space of a dedicated Log Management appliance Same software, same appliance can behave as all in one SIEM + Log Manager or dedicated Log Manager or SIEM depending on License added. There is no distinct product differentiation as in ArcSight family.
Event Transmission Events from the source are sent in clear text to the SmartConnectors, however, all further upstream communication happens encrypted. Compression and Aggregation can also be employed in the ArcSight ecosystem from the connectors onwards. Events from the source are sent in clear text, however, communication between QRadar Appliances happen using encrypted SSH tunnels. However, compression happens on Appliance at event storage level and does not happen in event transit.
Handling EPS bursts ArcSight uses large buffers to cache events in case of an EPS burst. Once the buffer is filled, the Queue starts to fill. Once the queue overflows, events get dropped. But the burst EPS can be sustained for longer periods of time compared to QRadar. In QRadar, Each event type has a memory buffer, once the EPS exceed the licensed level and the buffer is filled, all new events are queued and processed on a best effort basis. However, this burst EPS is not sustainable for longer periods of time as with ArcSight. So even though it can take burst EPS during times of attack, it is not sustainable.
Filtering ArcSight provides the ability to filter or modify events at the collection and logging level to eliminate the events that are not of security value. This can be as close to event source as possible using SmartConnectors QRadar provides capability to filter using Routing rules. However, for field based filtering (where only one field from the log needs to be omitted during parsing) can’t be done in QRadar.
Aggregation Log Aggregation can be done based on any field combination. This is really useful when it comes to toning down on the high volume logs of network firewalls and proxies etc. Log Aggregation or Coalescing in QRadar terminology happens at the event collection layer based on the source IP and user only and not on customizable field combinations
Data obfuscation ArcSight allows for obfuscating any field at the log collection level using SmartConnectors. This is very powerful when monitoring confidential data in logs. QRadar does provide Obfuscation abilities using a custom Regex Based, Key Based Obfuscation config. This will allow for encrypting a field, based on the Regex Match when event is processed.
Custom Log Collection Require development of customized configuration files. However, ArcSight Flex Connector SDK is  a very powerful tool to build custom connectors and parsers. Also, the ArcSight community shares knowledge about custom connectors and hence more help available in case you want to develop on your own. QRadar has two parts of custom log collection capability. For supported logs or generic logs, it can update/develop parsers using the “Extract Custom Property” feature. However, if a new log source is to be integrated, then it is through customized configuration files which is much harder to create, test and maintain. Also, help to develop on your own is scarce so Professional services is mandatory.
Scalability ArcSight is really scalable such that it can support multi-tier Correlation Engines, multi-tier Loggers, Connectors etc. and also have effective peering. QRadar scales very well horizontally at the Log Collection layer, however at the Correlation layer it does not scale as well as ArcSight. This is a challenge in large and distributed environments.
High Availability One of the long standing issues of ArcSight is HA. It does not have a true HA capability. It supports failover routing at the Collection layer but does not have any thing at the correlation layer. QRadar has the most simple to setup HA configuration ever. This allows sync of two Appliances in true HA style.
Multi-Tenancy ArcSight has always been the SIEM product of choice for MSSP vendors. The main reason being the ability of the product to delineate events based on customers so that monitoring can be efficiently  performed in a MSSP environment. It maps IP addresses to customer names and network zones to avoid overlap. QRadar did not have the feature until recently (I think v7.2 and above) and was one of the reasons it had very poor Multi-Tenancy support. However, the new feature with “Domain” based categorization provides ability to support MSSP environments. Maturity is yet to be achieved but it’s a step in the right direction.
Out-of-the-box use cases ArcSight’s out-of-the-box use cases are very light compared to and only include limited Multi-Device/Event correlation use cases. QRadar comes with a comprehensive set of basic out-of-the-box use cases for various threat types  such as malware, recon, dos, authentication and access control, etc. Also, several of these use cases are Multi-Device/Event types.
Customizable dashboards and reports ArcSight reporting system includes over 350 standard report templates that address common compliance and risk requirements. The report design system is similar to what you would find in a BI solution, though not as complex. Support for charts and graphs is available, and templates can be customized through Velocity. Reports can be scheduled and distributed automatically by e-mail. QRadar provides over 2000 report templates relevant to specific roles, devices, compliance regulations and vertical industries. Only basic report customization is available. However, if advanced report customization is required, QRadar reporting seems limited. However, majority of the customers using QRadar are happy with the out-of-the box reports.
Case management ArcSight has a built-in case management system that allows the association of events to cases, limited workflow, and the ability to launch investigation tools (anything that can run from a command-line) directly from the console. Cases can contain analyst notes and customizable fields. QRadar  provides a rudimentary case management capability through its Offense Management. Offense Management provides basic features such as open, close, assign, and add notes. Additional events cannot be added to Offenses. This is in stark contrast to ArcSight which has full blown case management system built in.
User portal ArcSight requires a java client to provide most of its functionality, but also provides a web interface primarily for business users. Provides all functionalities for security event monitoring and threat content development through web based GUI
User licenses Individual console licenses should be purchased for each user to perform investigation/monitoring Additional user licenses are not required to be purchased
Pricing Pricing is based on number of log sources and total log size per day Pricing is based on EPS. Linear incremental cost for scaling the solution is based on tier based EPS licensing.
Updates:
This section is for posting differences based on reader feedback. So readers, feel free to add on.

Pattern Discovery

ArcSight has something called a Threat Detector tool. It basically runs a set of search queries on real time data and provides patterns detected. If interesting monitoring patterns are detected, they can quickly be converted to Use Cases. This is basically useful if you want to create new use cases and you don’t know where to start

QRadar does not have anything similar to Pattern discovery.

Compliance

ArcSight has compliance packages that can be purchased to aid in providing compliance specific alerting, reporting etc. However, these are priced separately.

QRadar has more than 2000 reports grouped based on Compliance requirement which should mostly satisfy compliance needs

I think the list can still be improved based on your feedback.  Please feel free to add them in the  comments section below and the feedback will be incorporated.
Until next time – Ciao!!!

Punching Hard – McAfee Nitro SIEM


intel-security-logo

At Infosecnirvana, we have quite a number of posts dedicated to SIEM. We have done a detailed comparison of SIEM products in a post titled – SIEM Comparison along with providing a detailed check list for SIEM evaluation.  We have also posted about SIEM products from time to time as reflected by our post on IBM QRadar and ArcSight. Following up with those posts, this blog is our take on McAfee Nitro SIEM.  So let’s get started

Introduction:

McAfee in 2011 purchased Nitro Security to enter into the SIEM space and subsequently were taken up by Intel. This period of 2011 actually saw a few things happen in the SIEM market space. This included HP buying ArcSight, IBM buying QRadar and McAfee buying Nitro etc. etc. Each of those SIEM products have taken a different route over the last 3 years. Nitro security was one of those niche players in the market which had an IPS portfolio as well a SIEM portfolio, remnants of which still linger in the overall McAfee ESM  product suite. The McAfee ESM product suite is basically a combination of a few components like:

  • ESM – Enterprise Security Management, which serves as the Management Interface for all SIEM components, Reporting engine capable of generating compliance and policy reports.
  • ACE – Advanced Correlation Engine which is interesting a dedicated engine to perform Risk Based (rules based) Correlation, Historical Correlation, Asset Based Risk Scoring and Custom risk scoring based on combinations of fields.
  • DBM – Database Monitor. One of the products McAfee has as standalone for Database Log Generation, Session Auditing etc, is called the DBM. This is a Database IPS kinda product that monitors network traffic via SPAN, port mirror or taps and does not create any impact on database. So for all the legacy databases that don’t have Audit trail enabled or the auditing is not detailed enough, DBM is the perfect fit. Apart from the monitoring audit trail of all transactions from login to log-off including all session queries and commands, it also provides Auto discovery of database instances including unauthorized or rouge databases. The DBM comes in both a network sensor as well as a host agent footprint.
  • ADM – Application Data Monitor. This is again a Application IPS kinda product capable of performing Layer 7 Protocol detection, Full meta-data collection, traffic monitoring via SPAN, port mirror or taps. Full session data capture and visibility into all application traffic is also provided by this sensor along with Advanced Threat detection capabilities. Again, it can be deployed as a sensor or a host agent.
  • ELM – Enterprise Log Manager. This is akin to any log management solution in SIEM and provides Log storage both Local and Network based.
  • Receivers – These are nothing but Parsers, Netflow Collectors, VMWare Collectors and anything that is able to parse and normalize logs.

Strong points for Nitro SIEM: 

After careful evaluation of Nitro SIEM, we would like to highlight these few points as the core Strength of Nitro SIEM:

  1. Architecture: One of the reasons for Nitro SIEM’s popularity is the Architectural flexibility. As a Security administrator, you can pick and chose how you want to architect your solution. If you want to be as modular as possible, then all the above mentioned components can be deployed standalone and integrated using the ESM (Remember EPO architecture for McAfee Endpoint solutions!!!). Say you prefer a smaller footprint, then you can build something called “Combo Boxes” which as the name mentions combines several components in a single box. This helps administrators starved of resources or budget to effectively deploy Nitro SIEM.
  2. Powerful Data Management: One of the biggest strengths of Nitro is the underlying Database – The SAGE DB aka NitroEDB (Nitro Embedded Database) developed by Idaho National labs (the founder of Nitro was a researcher there). NitroEDB is a relational database that supports huge volume, VLDB applications as well as extremely fast in-memory processing. This is the core reason why Nitro SIEM is able to have a High Ingest Rates and extremely fast query speed. This is a killer benefit compared to the other products like ArcSight with its below par implementation of MySQL and PostgreSQL and IBM QRadar with its proprietary EDB (updated based on comments from JC). Splunk is the closest in competition to Nitro with its GFS like implementation.
  3. High Ingest Rates: As mentioned above, NitroEDB enables SIEM to have a high event ingestion rates @ 300K EPS. We don’t think any SIEM in the market today scales up to this number. ArcSight SIEM is the closest with a 100K maximum with its Logger platform and a pure play Syslog-NG server can do 300K EPS.
  4. Network Based Threat Detection: As with QRadar Intelligence Platform, the Nitro platform also uses Network Packet Analysis for DBM and ADM (as mentioned in the components) to perform Database monitoring and Application monitoring. Both QRadar and Nitro are comparable in the Application monitoring space  but when it comes to Database Monitoring, Nitro wins it hands down. ArcSight and the others are poor in this space, something they will have to start looking at.
  5. Database Monitoring: As mentioned above, the DBM is the stand out as it provides excellent auditing capabilities for DB auditing and log collection. This is irrespective of DB version, OS, Auditing capability etc. The monitoring can be done off-box using a sensor in the network or using an agent. Again, this is one of the differentiators compared to ArcSight or QRadar as both of them rely only on JDBC connectivity to pull audit logs (provided Auditing is enabled on DB)
  6. Historical Correlation: Nitro has the ability to perform historical correlation better than the others in the market. One of the reasons for that is the capability to run complex queries and computations (for risk score correlation) against a large data set. This is primarily attributed to the NitroEDB as mentioned above which is really powerful in terms of query performance. QRadar and ArcSight are not as good at historical correlation and pale in comparison with NitroEDB performance for historical queries. Splunk is better at historical queries, but correlation is not as mature in Splunk as the others.
  7. SCADA Device Support: Apart from ArcSight, arguably the only other product in today’s market that has extensive support for SCADA is Nitro SIEM. This is definitely useful in penetrating the Utilities industry, Manufacturing industry etc. and is one of the key differentiators compared to the others.

Weak points for Nitro SIEM:

  1. Stability: In our testing and real-life deployments, one of the recurring problems we have faced with Nitro SIEM is stability. It is rare to have all the components working without issues at any given point in time. One of the reasons for this we think is the integration tier that has to interact with the various components to perform Security monitoring. There are just too many points of failure and troubleshooting is a nightmare. This is essential in organizations where in-house monitoring is performed. In case of outsourcing, even though this is still an issue, the risk is transferred to the outsourced vendor. Hopefully, McAfee realizes this and fixes these teething issues of stability in future releases.
  2. Correlation: Even though Risk based correlation is a great value add in Nitro, the overall capabilities fall short when compared with the others in the market. We might be a bit biased with this piece as we always compare Correlation capabilities of any SIEM we evaluate against HP ArcSight. In our opinion, ArcSight Correlation is by far the best in the industry and no product can match it in terms of flexibility, power of customization and advanced computing. That said, Nitro does compete hard and we would definitely be keen to see them take the Risk/Rules based correlation to the next level.
  3. Event Parsing & Custom Event Support: Even though the support for Events generated by Third Party vendors is excellent, we feel that more devices and vendors can be supported as does ArcSight. However, custom parsers or receivers are not intuitive to create in Nitro SIEM as with QRadar.  Nitro is not as good as the Super-Easy QRadar Custom Mapping feature or Splunk with its Field Extraction where it’s a breeze to develop any custom connector. Nitro, thus has some room for improvement in this area.
  4. User Interface: Although the UI reminds you of all things McAfee (EPO, NSM etc), we feel that a flash driven UI is not the best for SIEM. This is not to take away anything from the capabilities of the product in terms of data presentation, but Flash driven UI proves to be a dampener on the overall experience.  As a general opinion, we are keen to see anything other than a Java or Flash UI because we feel that both of them are the most vulnerable software out there and both are clunky when it comes to event analysis, visualization etc. This is where we feel QRadar has a refreshing interface. It does use Java for some parts of the console, but otherwise, the Browser console is so light and so simple that working with QRadar is a delight. Even Splunk has a wonderful UI and is really easy to use compared to ArcSight and Nitro which feel clunky and heavy.

Conclusion:

Overall, McAfee Nitro SIEM is a very good product that scales up against the Industry leaders – ArcSight and QRadar toe to toe. However, as with all acquisitions, they have a few chinks to work out before they truly are ready to lead the pack. Gartner ratings, if anything to go by, consistently rate McAfee in the leaders quadrant but they have been in the 3rd position for quite some time now. With HP ArcSight not doing anything new in the last two releases, QRadar is the only competitor to look forth and emulate. Hope McAfee rises above the competition with a more stable and mature SIEM product thereby shaking the Industry up.

So that’s it folks. Feel free to comment on what you feel about McAfee Nitro SIEM and what its benefits and weakness are.

Evaluating SIEM – Version 2.0


We are Infosecnirvana have posted Evaluating SIEM – What you need to know?. Readers had a lot of good comments on this post and one of the readers – Frank Bijkersma who blogs here came up with an idea to expand the content in the post to make it a Whitepaper which will serve as a good post. So here you go – Evaluating SIEM – Version 2.0.

Evaluating SIEM - Version 2.0

So here it is. Please feel free to read the guide and let us know your thoughts on it.