Clash of the Titans – ArcSight vs QRadar


ArcSight vs QRadar
Continuing with the SIEM posts we have done at Infosecnirvana, this post is a Head to head comparison of the two Industry leading SIEM products in the market – HP ArcSight and IBM QRadar.
Both the products have consistently been in the Gartner Leaders Quadrant. Both HP and IBM took over niche SIEM players and have made themselves relevant in the SIEM market.
We have worked on both the products and feel that this comparison is a good way to start the discussion rolling on features of both the products and how they approach the problem of Security Information & Event Management.
Okay, Let’s get started!!!
ArcSight vs QRadar
Subject ArcSight QRadar
Product Birth Year 2000, ArcSight SIEM came into the market and incidentally this was the only product they have worked on. In 2011 HP bought them Year 2004-2005, Q1 Labs entered into the SIEM market modifying their NBAD platform (QFLOW) and in 2012, IBM bought them.
Logging Format CEF – Common Event Format LEEF – Log Event Extended Format
Underlying DB Oracle till 2012, then combination of MySQL, PSQL etc. Proprietary based on Ariel Data store and probably Ariel Query Language (AQL)
Vendor Support ArcSight supports more than 400 vendors with their CEF certification program QRadar supports more than 250 vendors with their LEEF certification program
Portfolio Log Correlation – HP ArcSight ESM

Log Management – HP ArcSight Logger

Identity Correlation – HP Identity View

Intelligence Feeds – HPRepSM

Threat Detection – HP ArcSight Threat Detector

Response and Action – HP ArcSight TRM

Log Correlation – IBM QRadar Console

Log Management – IBM QRadar Log Manager

Network Forensics – IBM QRadar NBAD (using QFlow)

Intelligence Feeds – IBM X-Force

Vulnerability Management – IBM QRadar VM (with dedicated Scanner)

Response and Action –  IBM QRadar Incident Forensics for Response only

Identity monitoring ArcSight has a separate feature called IdentityView (separate license) to provide the identity perspective of events occurring in ArcSight. It integrates with Identity solutions (AD, Oracle) to keep track of user activity regardless of the account being used. It assigns risk scores to users based on their activity, and can graphically represent this activity and compare it to others with similar roles. QRadar does not have the capability similar to Identity View, however, it does integrate with Identity solution to provide user information in the offenses created.
Network Behavioral Analysis ArcSight does not natively collect flow data however, it can obtain Netflow data from other devices such as routers, etc. The Netflow data provides visibility only up to layer 4 (no application visibility) QRadar due to its origin as a NBAD product has powerful Network Behavioral Analysis (NBAD) capability through its  QFlow appliance (Network Flows data including Layer 7 flows, Jflow, Netflow, IPFIX, SFlow, and Packeteer’s Flow Data Records can be collected and processed). This would allow us to review application and network flows and assess it for anomalous traffic, persistent threats etc.
Vulnerability Management ArcSight can integrate with Vulnerability scanners and gather Scan reports for correlating vulnerability information with the security events collected.  However, it is more of a data aggregator in the case of VM tools. QRadar has a Vulnerability Management product (QVM). This has all the features comparable to ArcSight, however, IBM has upped the ante in this space by including a Scanner in the product that can actively scan hosts if enabled with QVM license. This provides security analysts to gather real time information if they choose to from the same SIEM console.
Dynamic Risk Management ArcSight does not have any risk management capabilities. However, it can integrate with commercial risk management products to provide basic correlation QRadar has a Risk Manager (QRM) product that collects Network configuration information and provides a risk modeling capability to assist in understanding the extent of impact of a configuration change in the network. This is akin to Skybox, Algosec or RedSeal and perform in similar capacity
Log Collection Agent Less – Using Connector Appliance. Logger Appliance can also serve as Log receiversAgent Based – Software Install on Servers for all types of log collection Agent Less – Any QRadar Appliance, Console, All-in-One Combo boxes, Event Collector etc. can collect Logs remotelyAgent Based – Connector software available for Windows. For others, Agentless is the only option.Flow Collection – By default any appliance can collect flow data, however, dedicated Flow Collectors are an option in QRadar.
Log Management Separate Log Management Software, Appliance which is different from the ESM appliance. They have a Express version which combines both but in general HP Logger fills the space of a dedicated Log Management appliance Same software, same appliance can behave as all in one SIEM + Log Manager or dedicated Log Manager or SIEM depending on License added. There is no distinct product differentiation as in ArcSight family.
Event Transmission Events from the source are sent in clear text to the SmartConnectors, however, all further upstream communication happens encrypted. Compression and Aggregation can also be employed in the ArcSight ecosystem from the connectors onwards. Events from the source are sent in clear text, however, communication between QRadar Appliances happen using encrypted SSH tunnels. However, compression happens on Appliance at event storage level and does not happen in event transit.
Handling EPS bursts ArcSight uses large buffers to cache events in case of an EPS burst. Once the buffer is filled, the Queue starts to fill. Once the queue overflows, events get dropped. But the burst EPS can be sustained for longer periods of time compared to QRadar. In QRadar, Each event type has a memory buffer, once the EPS exceed the licensed level and the buffer is filled, all new events are queued and processed on a best effort basis. However, this burst EPS is not sustainable for longer periods of time as with ArcSight. So even though it can take burst EPS during times of attack, it is not sustainable.
Filtering ArcSight provides the ability to filter or modify events at the collection and logging level to eliminate the events that are not of security value. This can be as close to event source as possible using SmartConnectors QRadar provides capability to filter using Routing rules. However, for field based filtering (where only one field from the log needs to be omitted during parsing) can’t be done in QRadar.
Aggregation Log Aggregation can be done based on any field combination. This is really useful when it comes to toning down on the high volume logs of network firewalls and proxies etc. Log Aggregation or Coalescing in QRadar terminology happens at the event collection layer based on the source IP and user only and not on customizable field combinations
Data obfuscation ArcSight allows for obfuscating any field at the log collection level using SmartConnectors. This is very powerful when monitoring confidential data in logs. QRadar does provide Obfuscation abilities using a custom Regex Based, Key Based Obfuscation config. This will allow for encrypting a field, based on the Regex Match when event is processed.
Custom Log Collection Require development of customized configuration files. However, ArcSight Flex Connector SDK is  a very powerful tool to build custom connectors and parsers. Also, the ArcSight community shares knowledge about custom connectors and hence more help available in case you want to develop on your own. QRadar has two parts of custom log collection capability. For supported logs or generic logs, it can update/develop parsers using the “Extract Custom Property” feature. However, if a new log source is to be integrated, then it is through customized configuration files which is much harder to create, test and maintain. Also, help to develop on your own is scarce so Professional services is mandatory.
Scalability ArcSight is really scalable such that it can support multi-tier Correlation Engines, multi-tier Loggers, Connectors etc. and also have effective peering. QRadar scales very well horizontally at the Log Collection layer, however at the Correlation layer it does not scale as well as ArcSight. This is a challenge in large and distributed environments.
High Availability One of the long standing issues of ArcSight is HA. It does not have a true HA capability. It supports failover routing at the Collection layer but does not have any thing at the correlation layer. QRadar has the most simple to setup HA configuration ever. This allows sync of two Appliances in true HA style.
Multi-Tenancy ArcSight has always been the SIEM product of choice for MSSP vendors. The main reason being the ability of the product to delineate events based on customers so that monitoring can be efficiently  performed in a MSSP environment. It maps IP addresses to customer names and network zones to avoid overlap. QRadar did not have the feature until recently (I think v7.2 and above) and was one of the reasons it had very poor Multi-Tenancy support. However, the new feature with “Domain” based categorization provides ability to support MSSP environments. Maturity is yet to be achieved but it’s a step in the right direction.
Out-of-the-box use cases ArcSight’s out-of-the-box use cases are very light compared to and only include limited Multi-Device/Event correlation use cases. QRadar comes with a comprehensive set of basic out-of-the-box use cases for various threat types  such as malware, recon, dos, authentication and access control, etc. Also, several of these use cases are Multi-Device/Event types.
Customizable dashboards and reports ArcSight reporting system includes over 350 standard report templates that address common compliance and risk requirements. The report design system is similar to what you would find in a BI solution, though not as complex. Support for charts and graphs is available, and templates can be customized through Velocity. Reports can be scheduled and distributed automatically by e-mail. QRadar provides over 2000 report templates relevant to specific roles, devices, compliance regulations and vertical industries. Only basic report customization is available. However, if advanced report customization is required, QRadar reporting seems limited. However, majority of the customers using QRadar are happy with the out-of-the box reports.
Case management ArcSight has a built-in case management system that allows the association of events to cases, limited workflow, and the ability to launch investigation tools (anything that can run from a command-line) directly from the console. Cases can contain analyst notes and customizable fields. QRadar  provides a rudimentary case management capability through its Offense Management. Offense Management provides basic features such as open, close, assign, and add notes. Additional events cannot be added to Offenses. This is in stark contrast to ArcSight which has full blown case management system built in.
User portal ArcSight requires a java client to provide most of its functionality, but also provides a web interface primarily for business users. Provides all functionalities for security event monitoring and threat content development through web based GUI
User licenses Individual console licenses should be purchased for each user to perform investigation/monitoring Additional user licenses are not required to be purchased
Pricing Pricing is based on number of log sources and total log size per day Pricing is based on EPS. Linear incremental cost for scaling the solution is based on tier based EPS licensing.
Updates:
This section is for posting differences based on reader feedback. So readers, feel free to add on.

Pattern Discovery

ArcSight has something called a Threat Detector tool. It basically runs a set of search queries on real time data and provides patterns detected. If interesting monitoring patterns are detected, they can quickly be converted to Use Cases. This is basically useful if you want to create new use cases and you don’t know where to start

QRadar does not have anything similar to Pattern discovery.

Compliance

ArcSight has compliance packages that can be purchased to aid in providing compliance specific alerting, reporting etc. However, these are priced separately.

QRadar has more than 2000 reports grouped based on Compliance requirement which should mostly satisfy compliance needs

I think the list can still be improved based on your feedback.  Please feel free to add them in the  comments section below and the feedback will be incorporated.
Until next time – Ciao!!!

46 thoughts on “Clash of the Titans – ArcSight vs QRadar”

  1. Hello,

    We reviewed the products in a POC, and this is the conclusion:
    – QRadar would be best suited for small company that want to have a SIEM just to have a SIEM and without a dedicated team to work on the product. The product is not mature yet and is complex to use for advanced usages (custom parsers, specific workflow, MSSP …)

    – ArcSight is fully mature but you really need to have the right human ressources to operate it. This is best suited for a SOC.

    – From my knowledge, every point of this side by side comparison are correct.

    I would be curious to see is there will be a clear leader in the coming years. QRadar is promising but don’t deliver yet and their philosophy is questionable for big deployments.

    1. You are absolutely right. I don’t think there is a clear winner in this one as every year QRadar is inching closer to maturity while ArcSight has slowed down in the recent years

      1. Great write up and comparison. I still feel ArcSight is much better MSSP solution than QRadar even though its ranked below QRadar in Gartner reports. QRadar is easy to deploy and can be managed relatively easily when compared to ArcSight where you need skilled engineers. Having said that ArcSight is relatively costlier than QRadar. It all comes down to customer requirements at the end of the day 🙂

  2. The fact is that during one of our POC, we studied, ArcSight, QRadar, LEK and Splunk, and we were not convinced about QRadar.
    First thing, IBM sales are just focussed on the number of appliance they can sell with the product. Pre-sales and engineer don’t help us to define the best architecture, keeping in mind, cost, performance and maintenance.
    Second point we saw, QRadar is not yet mature! Indeed, collection flow are not all encrypted, parsing are not correct, … when parsing exist… each time we discovered an issue with the product, ibm tells “guys it’s normal we are aware, but it’s difficult to solve but it’s on our roadmap”.
    Damned, why not just tell the truth? And say that we have problems we know! But please don’t try to hide them! Last thing, pre-sales and IBM consultant don’t know the product!!! Indeed each time they call the support to answer the questions… when answer is answered…
    During our Splunk test, we saw that the product is very good… but only as an advanced log manager. If you want to use it as SIEM, it’s a pain as the correlation engine is poor event if you use Enterprise Security.
    LEK – LogStash ElasticSearch Kibana, is a good challenger for Splunk but require lot of scripting for the moment. But we have to follow this product!
    Regarding ArcSight, the product is just fantastic! Everything can be customized. The new version, CORRE, without the ORacle layer, permits to gain performance! However regarding MSSP, this functionality need time and knowledge to be sure that it’s well configured. However, since some years, ArcSight doesn’t offer new functionality! Excepted the real and native HA at the end of the year!

    1. You are absolutely right on all counts. ArcSight even though offers the most mature product, they have not done anything new over the years. They are going through a period of lull. However, QRadar is definitely a better product than your IBM Sales guys made you feel. It is definitely not in the league of ArcSight but they provide more overall value for the money.

  3. Very well written.. If you can include the other add ons as well to complete the arcsight suite like:
    1. Application View: Calculate IT GRC at every level of your organization.
    2. Compliance insight packages: SOX, NERC, HIPPA, ISO and PCI Packs
    3. ArcSight Threat Detector: Formerly known as pattern discovery.

    1. Application View provides application monitoring capabilities, even into applications without security logging capabilities. AppView leverages HP Fortify technology to observe and report on applications at run time and presents that information to an analyst through built in dashboards, reports and active lists.

      Risk Insight is more inline with secular’s comment about calculating IT GRC by combining asset modeling, business priorities and threat data to generate risk scores and reporting.

  4. I just wanted to respond to some of the points raised in the article and some of the above comments. I’m a Product Architect for QRadar and worked with the company for 12 years, long before IBM.

    Event Transmission: It should be noted that QRadar allows you to receive encrypted event streams using many protocols, including TLS Syslog, encrypted JDBC, and other encrypted streams. The barrier to receiving encrypted log streams is normally a problem to be overcome with the device SENDING the logs, not the SIEM itself. This is true of all of our major competitors from my knowledge – we all support this, but your log source needs to support it too.

    Data Obfuscation: QRadar does support data obfuscation at the field level and has for some time. More information can be found here: https://ibm.biz/BdESLh

    Filtering: One can use routing rules to tell QRadar to drop logs, based on any combination of tilters. You can also configure custom retention buckets based on any combination of filters to allow you to keep logs that match filters for only smaller time periods, for logs you don’t care much about.

    Custom Log Collection: While it is an option to employ services to expedite, QRadar does not require professional services to develop custom parsers. You can author your own parsers simply by creating an XML file. This is known as a Log Source Extension. Some QRadar TSS reps have experience crafting simple custom parsers so if this is something you require just bring it up during the sales process, they will let you know if it is simple or if it would require services.

    Scalability – QRadar is infinitely horizontally scalable at both the log collection level and at the log correlation and searching level – so I am not totally sure what is being referred to here. As an example, we have many enterprise customers doing log correlation spread out across hundreds of collectors and many dozens of processors, with many million logs per second to correlate.

    If you have any other questions on QRadar feel free to contact me or even post them in our Forum – https://ibm.biz/BdES9x – you do not need to be an IBM customer to post here, anyone can create an IBM ID.

    Disclaimer: My statements above are my own and do not reflect any official statement or position from IBM.

    1. Thanks Jason for the inputs. I will update the posts where appropriate. However, there are few points I wanted to make. Data Obfuscation is not straight forward implementation as in ArcSight. The moment you are talking about have a Key Pair and XML configuration to create an encrypted field using Regular Expressions,the complexities start to mount when we are doing a large implementation. Its not about “I can do it too using a harder way”, Its about being easily doable like in ArcSight.

      Filtering – I was not aware you could drop logs entirely using Routing rules. I will update the post. Thanks for the info.

      Custom Log Collection – When compared to ArcSight, the power of custom log collection is not fully available in QRadar. I have
      worked in several POC’s in large organisations, where QRadar engineers have not been able to do what ArcSight was previously doing as far as custom log collection is concerned.

      Scalability – I will have to differ on this as I don’t think the kind of Scalability at the Correlation layer using QRadar Console is as powerful as ArcSight is. Sure, you can correlate forwarded offences in a tier based architecture, but without lack of workflow, this scalable architecture becomes more of a pain in terms of operations and management.

      Other than that, I definitely think QRadar is doing a great work in competing with ArcSight and even beating it in a lot of side to side comparisons. But for large organisations with complex requirements, QRadar falls short.

      1. HI misnomer – Apologies for the late response.

        While every product has pros and cons, when it comes it scalability, I have to say that the “proof is in the pudding” as it were… QRadar SIEM backs some of the largest SIEM deployments in the world. I think that saying that it falls short for “large organizations” is quite inaccurate, as the evidence would say otherwise.

        1. Jason, having worked with McAfee, ArcSight and QRadar, I can say that I have had Scalability claims made from every vendor. However, from personal deployment experience of all the leading SIEM products, I would still stick to my claims regarding QRadar unless I personally see a use case where they scale effortlessly. I know IBM is setting up QRadar as its MSS core engine to replace their custom SIEM engine of yester years. This is definitely good news as I already see a lot of product features being added in the product to address scale, performance and integration related issues. I hope the product continues to grow under IBM care, whilst HP and McAfee have faltered with their buys

    2. Hello Jason,
      Thank you for a detailed follow-up! Can you clarify a bit on 2 points, about log extensions.
      Custom Log Collection – there are some limitations we hit with JDBC custom extensions, while trying to make them from gui – only simple select statements can be used. Is there a way around this in XML custom parser? By this I mean a possibility to include a complex SQL statement (with joins & conditions for selection, sorting, data conversion etc.).
      Second question on this is about categorization, last time I was making a log extension, in order to assign categories it required editing them via CLI interface (them QID’s) – did something improve in this state?

      thx,
      Andrey

      1. Hello Andrey – apologies for the delay in response.

        Custom Log Collection – The reason these limits are in place is to try to keep the customer from “shooting themselves in the foot” as it were, since if your query is too complex and/or long running it can seriously hamper your log collection. As well, we do not want to allow people to issue DROP commands or UPDATE statements. There is a simple work-around for this – create a database view containing the query you want, and issue the SELECT statement against this view. Please keep in mind the above caveat – this view has to be efficient.

        Categorization – The CLI is still required to assign custom QIDs to a log source extension. However, we have some plans in our roadmap to address this. If you are an existing QRadar customer and would like more information, feel free to reach out to your sales rep (or myself) for more details.

  5. Nice comparison! As certified technician in both technologies, I can’t hold back on some comments though 🙂
    “Both HP and IBM took over niche SIEM players and have made themselves relevant in the SIEM market.” is a bit not accurate. ArcSight was a market leader for almost 10 years before HP bought it, not a niche player (for example 10 years in Gartner upper right in a row). QRadar was not as good, but it was also not a niche product that had most of features we see today already present or in “soon to be here” before IBM acquisition (for example QVM was already in short roadmap and so on).

    IBM & HP developing the products much slower than initial companies. This is problem of every big vendor. All the things you see in QRadar as innovative, have been almost ready or in short-term roadmap before it was IBM. I guess same goes for HP, for most part.

    Vulnerability Management – valid for QRadar, a bit biased on ArcSight part. First of all, ArcSight has integrated case/workflow system (that QRadar does not) which can be tuned (with significant effort ofc) to make complete vulnerability workflow, for any of the viable VM products out there. Second – there’s HP Risk Insight.

    Dynamic Risk Management – QRM is indeed nice, but it is rather not on level in comparison to Skybox or AlgoSec. HP partially answers this with EnterpriseView, though it is a EGRC product overall. ArcSight had the NCM back in the day that could be scaled to QRM, but we don’t see much of it these days, I guess it was buried. Sadly. Maybe HP will answer this with their HP NA(Network Automation) integration.

    Handling EPS bursts – very blurry description that obfuscates the reality: QRadar will drop events when you exceed the small buffer that sits on top of license (say, during a DDoS attack?), while ArcSight will almost never drop events if deployed correctly. The “buffer thing” for ArcSight is individual per connector, you can size system to cache 50 GB worth of data per every connector. So ArcSight beats QRadar here all the way.

    Out-of-the-box use cases – first I wanted to agree, but when I read about “Qradar has recon, auth and this is good” I must disagree. ArcSight had recon & auth cases since.. I don’t know, version 4.x had it (5 years ago?). So uhm, this part could use some rephrasing. Overall though, Q1 indeed does much more out-of-the-box.

    p.s. Personally, I think the 3rd titan, Splunk, is missing. Would be a hell of a good review! 🙂

    1. Thanks for a great feedback Andrey. By niche product, I meant they were doing only SIEM and not anything else. However, QRadar has become very competitive in the last three years while ArcSight has been at the same place. That is a bit disappointing as far as road map is considered. To be fair, QVM is much better out of the box than the round about way in ArcSight. Even though ArcSight provides you a customization as no other, it is not something every one will be willing to do, when a competing product does it out of the box.
      QRM is definitely a killer with regards to enhancing SIEM capabilities. NCM has been put on the side and I don’t see any future for it now. GRC space is really not something in the SIEM realm of things so that is why I have not included that.
      To clarify on the EPS Burst – QRadar has a burst EPS capability, but the problem is that it can do for a few minutes max, after which it starts to drop. So in case of a attack lasting a few minutes, QRadar can take it. But again, depending on the hardware this burst EPS can vary.
      Out-of-the-box Use cases – Actually, ArcSight is no where close to this when it comes to QRadar. The number and variety of “Offenses – Multi device correlation use cases” in QRadar far outnumbers ArcSight. More than 2000 reports based on Compliance reporting is also available out of the box. So thats that.
      Splunk is something I would really like to add but I don’t think they stack up in the Correlation Use Cases space however, in Log Management, they hit it out of the park.

    1. We will try to do that, but Splunk is not comparable in SIEM capabilities to ArcSight and QRadar. However, Splunk is something which is in our to-do posts.

  6. That I would like to see, is a small tutorial for splunk, explaining how to size it, and how to create a goo splunk infrastructure. I followed the officiel Splunk Archtiect training. But the training is very poor and speaker are not able to answer the questions… this is very bad, as this training is very very expensive!

  7. ArcSight has threat insight which provides effect or risk similar to skybox etc.

    ArcSight has more iut of the box use cases then you list which cover malware, AV, DDOS, user access and policy / security changes.

    ArcSight support s netflow, sflow and jflow connectors which provide direction, bytes ports and ip addressing and protocol header awareness

    also 6.8 fearure notes which is ArcSights next release has full HA synchronised

    1. Thanks Steve for your comments. ArcSight honestly does not have as many use cases as QRadar does. Also, compliance packages need to be purchased in ArcSight, while in QRadar they are out of the box. ArcSight supports flow, but QRadar generates its own application flow. So when you see an alert in QRadar, you also see the packet payload. This is the differentiator.
      HA, Let’s see how that turns out to be in real life

  8. That’s a very good review. it would also be nice if we can see the same for RSA Security Analytics as they have been there in the market before with RSA enVision and they added new features after the acquisition of Netwitness. Thanks

  9. As a Security Consultant and SIEM specialist, the business I work in supports ArcSight, QRadar, LogRhythm, Splunk, Nitro (McAfee) and also RSA.

    I get to see the write ups from analysts’ and feedback from the vendors and put this in reality from a functionality vs a cost based perspective.

    Both are good solutions, both require ongoing tuning to manage.

    I want to address a few points straight off the bat:

    1) Out of the Box Use cases – These are only a template for use in all and any environment.

    2) EPS buffering – Only as big has the hardware you put it on. If you don’t allocate enough cache, its always going to drop.

    3) Case Management – such a broad topic and to hard to define in many instances. Typically, this should be passed over to forensics or service desk (this is what RCA tools are used for) for pcap info.

    4) Data Obfuscation – Both do this well. I cant favor either vendor in this regard.

    As to the technologies, Arcsight is established and is a mature product in many respects, QRadar is a new player in place where IBM has at least done the work to provide a 5 year plan on development in the product.

    As to the EPS count.. QRadar does kill Arcsight in this regard. With the horizontal architecture and in box Normalization and Correlation to be presented to the console, I have environments getting from 180000 EPS to 900,000 EPS without any drops.

    Must of the customers are coming to me asking me to replace ArcSight. I have had 7 this month asking for draft Migration plans to other vendors. They are all looking at the Multi-tiered threat identification options (with the flow collection) rather than taking feeds from externals.

    1. Bob, thanks for taking time to post your feedback. By Case Management, what is being mentioned is the Ticketing system, escalation and notification workflow, Integrating with Help-desk tools etc. ArcSight has this out of the box, QRadar does not. Migrating to QRadar is definitely becoming the norm nowadays given the fact that QFlow provides a lot of value in investigations through Layer 7 data as compared to Layer 3 and 4 in ArcSight.

      1. QRadar does have out of the box integration with Spectrum (RCA), Service Desk and BMC and a few others. API and non API based.

        1. So does HP ArcSight, which can integrate with HP Service Centre, BMC etc. and also has an API for any sort of integration. But ArcSight specifically has an internal case management, workflow and escalation system that can come in handy for several clients.

  10. Hi Misnomer,

    Some clarifications as an ArcSight SME:

    ArcSight has Risk Insight (not “Threat Insight”) which provides Risk dashboards for executive views. These allow the analyst to group assets in hierarchies and application stacks (very nice GUI for the model builder), and assign asset values. Any correlation, or vulnerability detected, in ESM against a modeled asset, then bubbles up to the top-level heatmap or model map, and the exec or manager can drill down to view the underlying asset.

    “EnterpriseView” is the ‘fully fledged’ RIsk Insight; it includes all the above and also a compliance framework that models the vulns/correlations against various compliance frameworks, including all the usual suspects. This runs standalone from ESM, directly to supported VA scanners, although it can integrate with ESM and other SIEMs.

    “NCM” is still sold as “TRM”, “Threat Response Manager”, as a virtual appliance. It gives automated response to reconfigure L2/3 devices in response to alerts from ESM. It had very little uptake when it was introduced, because no-one would ever consider letting security change any network configuration. These days, now that security departments have a stronger mandate, it’s possibly this is more acceptable as a solution.

    “ArcSight Interactive Discovery” is the BI visual analytics tool that has again rarely been seen, but is still available and more interesting now Security Analytics is more widespread.

    ArcSight don’t do L7 netflow like QRadar does, but they do use ApplicationView to take CEF feeds directly from web applications, so that they can monitor security activity in apps running .NET or Java.

    Cheers!

  11. Hello Guys,
    Sorry for that but I have to tell you one thing: an ArcSlut is one of the most shitty SIEM I have ever seen.
    I don’t give a fuck, I will migrate from this ‘tool’ to something which will do a good business for me.

    1. I totally agree with mr. TPCH, this software is incredibly unstable. More reliable tool for monitoring would be a notepad. SIEM tool which is scalable… (yeah right) yet doesn’t provide HA is a laugh.

      1. You may dislike ArcSight, but I would not agree on the criticism you provide. A “Well Implemented” ArcSight product can do wonders. We have immense experience in building successful ArcSight implementations.
        As far as HA is concerned, it is an issue but there are architecture workarounds to provide HA for ArcSight implementations.

        1. I implemented many SIEMs – i.e. SSIM, NetIQ, Sentinel, XSA…
          I travel across the India with my security support team
          and I totally agree with you mister. I am double sure it is extremely unstable. I can’t recommend this tool for you my friend.

          1. Rishi,
            You are completely mistaken. SSIM is End of Life and the reason Symantec discontinued this product is because it failed to capture the SIEM market as it was terrible. All the other products are not as mature as ArcSight is.
            As been repeated again and again, a “well implemented” ArcSight is a wonderful SIEM.
            I keep hearing from all you NIIT guys that it is unstable. I can only say one thing – Either you have seen bad implementations of ArcSight or have not understood the capabilities of the product

        2. Lalit,
          I have been working in global deployments of ArcSight, with very complicated installs and set up. I can tell you that ArcSight is a very powerful SIEM product. Bad installs are done regularly by several organizations, but a “Well installed” ArcSight can do wonders. I am not sure what issues you have faced, but ArcSight is the SIEM leader for a long time now.
          SSIM is not in the market anymore for a reason – It is a horrible SIEM product.

  12. Kind sir misnomer,
    I know not you mean “well installed”,Arcsight internal technical forum is full of “have to restart it every 1 hour”. This is application issue not bad instal. You maybe deploying but have you tried use it to working ? Could you also give source of this “leader” information is it HP sells ?

    1. Rushi, please look at the Gartner Magic Quadrant for SIEM – Please go and see the leaders Quadrant for the last 5 years and you will know what I mean.
      Also, I have not only implemented ArcSight, but also operated it. If you are restarting every one hour, you have a serious problem with the Application install, configuration and maintenance. Please work with HP support to fix it. Which technical forum you are talking about – Protect 724? Also, which version are you using? CORRE 6.5?

  13. QRadar is the best SIEM on each point. I use both tools (AS and QR) since many years in MSSP model, and there is no possible comparison.
    ArcSight is not able to work fine in huge and complex environment where QRadar is like a fish in a bowl.
    I deployed some QRadar SIEM in WW architecture, to collect and process more than 2 millions events per second… It’s not possible with ArcSight.
    QRadar is natively able to collect and process Layer 7 IP flows, and to correlate them with events. Not possible with AS.
    QRadar is natively able to do Vuln Scan from Correlation Rules. Not possible with AS.
    QRadar is natively able to do Advanced Forensics. Not AS.
    AS is a good solution to do small SIEM, with limited features.
    QR is truely the best SIEM since 4 years.

  14. Hi There,

    i’ve read your article, and its quite helpful for first-timers, but as a QRadar SME, i must add the following comments:

    Loggin Format -> Propietary standarized logging format
    This is to clarify that it can support log sources that talk a format created either by HP or IBM.

    Underlying DB:
    QRadar uses the Ariel DB, but AQL is for “Ariel Query Language”, also it uses a Postgre for the console data and configuration data.

    Vendor Support:
    This has been quite updated from both sides

    Portfolio:
    Log correlation is part of bot the Log Manager and SIEM, the first a notched down version because of license limits.

    Network Behavioral Analysis:
    it also includes IPFIX (unoficially called netflow v11).

    Dynamic Risk Management:
    A sidenote to add, the QRadar AIO (all in one), can handle SIEM & VM, but not RM and IF, both of these require a separate appliance.

    Log Collection:
    Agent based should reflect “available for windows, for Microsoft-Based OSes and Aplications, with a universal file log reader”

    Custom Log Collection:
    This is partially wrong. “Extract custom property” is when a property is not read by any log source, supported or not. When a factory parser does not read properly an event, it requires an LSX (Log source extension) to enhance the factory parser, while you can ask IBM to fix it. the LSX is also the file you require to develop to support an unsupported product. its is quite easy to develop, the IBM community helps people with questions about it (myself included), and to test and maintain is also quite easy, as it has an LSX manager. The only “annoying” part, is to create the QID’s from scratch using comand-line, but i found that normally an existing QID already has the same properties for a non-supported application event.

    Multi-Tenancy:
    It could previously handle it, through a combination of Users, Roles, and network hierarchy, but as you mentioned, now it has a “domain” based category system, and now with 7.2.5, it enhances the concept.

    Pricing:
    its also based by number of log sources, and different appliances (for example, the QFlow Collector).

    Hope it helps.:)

  15. Good comparison. Your criteria needs to consider the SIEM as a horizontal service across cloud, on-premise, hybrid platforms as that reflects the customer landscape now. So support for major cloud suppliers like AWS, Azure as well as hyper v and VMware. Box.com, Dropbox etc. These services are now mission critical to customers. So in short, a SIEM products support for heterogenous landscapes including Saas and IaaS cloud types is crucial.

  16. Guys, you should really update this entry or consider removing it… there were a lot of changes in the past two years, and all the weakness mentioned here of QRadar have been addressed.
    QRadar has the largest implementations in the world, can scale without limits, fully multitenant, with anomaly detection, and even a real Artificial intelligence behind it (Watson for CyberSecurity), with built in User Behaviour Analytics (FREE!), XForce IP Reputation feed (FREE!) and the XForce App Exchange “appstore” for qradar plugins for compliance packages, 3rd party advanced integrations and many other cool apps.
    Today there is a huge difference between QRadar and other competitors like HP, Splunk and McAffe (and I have seen them work in several Proof of concepts from my customers).

    BTW, I work for IBM, but my opinions are my own.

    1. hi dario,

      Thanks for the feedback. However, please note that the SIEM comparison posts are constantly updated. The head 2 head post has been posted in the past and so we wont be updating it.

    2. Hi Dario,

      You mentioned “fully multitenant”. QRM is a very good thing, but it’s support tenancy? As far as I know, no. Can you please confirm?

      Thank you,
      Adrian

Leave a Reply to TheUnF Cancel reply