Arcsight ESM (SIEM) vs. Splunk/ELK (Big Data Log Management)

With the following three models I would like to show:

  • Alerting happens at maturity level 2/3 and in-depth analysis at maturity level 4/5 (first alerting, then analytics!)
  • It's not Arcsight ESM or Splunk/ELK, but both working together.
  • A balanced approach that combines maturity 4/5 with 2/3 is the most effective use of both systems.

Exploration-driven vs. Alert-driven Security

Alert-driven (Security Monitoring)     | Exploration-driven (Security Analytics)
---------------------------------------|----------------------------------------
SIEM                                   | Big Data Log Management
Arcsight ESM                           | Splunk / ELK / Arcsight Logger
Incident Detection                     | Incident Discovery
Reactive                               | Proactive
Like Tech Support                      | Like Q&A
Reaction                               | "Hunting"
Alert-centric                          | Question-centric
Explore alert context                  | Explore full context
Drill-down                             | Drill multiple ways
Triage/Analyse THIS entity             | Explore THIS direction
Want to be done with the alert         | Want to know what's really going on
Operations - Alert Volume              | Research - insight usefulness

Real/Near-Time vs. Historical analysis

Aspect                         | Real-time and near-term analysis                  | Historical analysis
-------------------------------|---------------------------------------------------|-------------------------------------------
Object of analysis             | Stream of data or a small puddle of data          | A huge pile of data
Storage                        | Short term (a few days)                           | Long term (months to years)
Data                           | Usually structured – logs after normalization     | May be unstructured – raw logs, indexed
Analysis types                 | Mostly known patterns, statistics on data fields  | Mostly interactive exploration and models
Common performance bottlenecks | Process streams: memory, CPU                      | Store and query: storage, I/O
Focus                          | Detect threats                                    | Discover threats
Usage                          | Utilize found patterns for alerting               | Learn about patterns of data
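The two tables above describe the same split from two angles: a known pattern evaluated over a short-lived stream of normalized events (alert-driven, SIEM) and open-ended questions asked of a long-term indexed store of raw events (exploration-driven, log management). The following Python is an added illustration and is not code from the original post or from any of the products named; the log lines, field names, threshold and window are constructed for the example. It runs a sliding-window "failed login burst" rule over normalized events, keeps every raw line in a small term index, and then uses the alert as the entry point for exploring full context, which is the "both working together" point of the post.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample events in a simple key=value format (not real product logs).
RAW_LOGS = [
    "2024-05-01T10:00:01Z host=web01 user=alice src=10.0.0.5 action=login result=failure",
    "2024-05-01T10:00:02Z host=web01 user=alice src=10.0.0.5 action=login result=failure",
    "2024-05-01T10:00:03Z host=web01 user=bob src=10.0.0.5 action=login result=failure",
    "2024-05-01T10:00:04Z host=web01 user=carol src=10.0.0.5 action=login result=failure",
    "2024-05-01T10:00:05Z host=web01 user=carol src=10.0.0.5 action=login result=success",
    "2024-05-01T10:00:40Z host=db01 user=carol src=10.0.0.5 action=query result=success",
    "2024-05-01T10:05:00Z host=web01 user=dave src=10.0.0.9 action=login result=failure",
    "2024-05-01T11:00:00Z host=web01 user=dave src=10.0.0.9 action=login result=failure",
]


def normalize(line):
    """Parse a raw line into a structured event: the SIEM-side normalization step."""
    ts_text, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    event["raw"] = line
    return event


class FailedLoginBurstRule:
    """Alert-driven side: a known pattern over a short sliding window.

    State is one deque of timestamps per source address; anything older than
    the window is discarded, so memory and CPU per event are the cost.
    Threshold and window are constructed values, not a recommendation.
    """

    def __init__(self, threshold=4, window_seconds=60):
        self.threshold = threshold
        self.window_seconds = window_seconds
        self.failures = defaultdict(deque)

    def process(self, event):
        """Return an alert dict when the pattern matches, else None."""
        if event.get("action") != "login" or event.get("result") != "failure":
            return None
        window = self.failures[event["src"]]
        window.append(event["ts"])
        # Evict failures that have fallen out of the window.
        while (event["ts"] - window[0]).total_seconds() > self.window_seconds:
            window.popleft()
        if len(window) == self.threshold:  # fire once per burst, when the threshold is reached
            return {"rule": "failed_login_burst", "src": event["src"],
                    "count": len(window), "last_seen": event["ts"]}
        return None


class HistoricalIndex:
    """Exploration-driven side: raw lines kept in full and indexed by term.

    Queries intersect posting lists, so storage and I/O are the cost, and the
    analyst can drill in any direction rather than only from an alert.
    """

    def __init__(self):
        self.events = []
        self.postings = defaultdict(set)  # term -> ids of events containing it

    def ingest(self, line):
        event_id = len(self.events)
        self.events.append(line)
        for term in line.split():
            self.postings[term].add(event_id)

    def search(self, *terms):
        """Return raw events containing every given term, in arrival order."""
        ids = None
        for term in terms:
            hits = self.postings.get(term, set())
            ids = hits if ids is None else ids & hits
        return [self.events[i] for i in sorted(ids or [])]


def run_stream_detection(lines, rule=None):
    """Alerting (maturity 2/3): stream normalized events through the rule."""
    rule = rule or FailedLoginBurstRule()
    alerts = []
    for line in lines:
        alert = rule.process(normalize(line))
        if alert:
            alerts.append(alert)
    return alerts


def build_index(lines):
    """Long-term store (maturity 4/5): keep everything, raw, indexed."""
    index = HistoricalIndex()
    for line in lines:
        index.ingest(line)
    return index


def investigate(alert, index):
    """Both together: the alert is the entry point, the index gives full context."""
    return index.search("src=" + alert["src"])
```

With the constructed data, the rule fires once for 10.0.0.5 (four failures inside the window) and not for 10.0.0.9, whose two failures are an hour apart; `investigate` then pulls every event from that source, including the later database query that no login rule would have shown, and the same index answers arbitrary follow-up questions such as which of those events succeeded.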

Maturity Model

[Figure: Maturity model]
Bottom up (Level 1/2/3) combined with Top Down (Level 4/5)