Arcsight ESM (SIEM) vs. Splunk/ELK (Big Data Log Management)
With the following three models I would like to show:
- Alerting happens at maturity level 2/3 and in-depth analysis at maturity level 4/5 (first alerting, then analytics!)
- It's not ArcSight ESM or Splunk/ELK, but both working together.
- A balanced approach that combines maturity levels 2/3 and 4/5 is the most effective, and it needs both systems.
Exploration vs. Alert driven Security
| Alert-driven (Security Monitoring) | Exploration-driven (Security Analytics) |
|---|---|
| SIEM | Big Data Log Management |
| ArcSight ESM | Splunk / ELK / ArcSight Logger |
| Incident detection | Incident discovery |
| Reactive | Proactive |
| Like tech support | Like Q&A |
| Reaction | "Hunting" |
| Alert-centric | Question-centric |
| Explore alert context | Explore full context |
| Drill-down | Drill multiple ways |
| Triage/analyse THIS entity | Explore THIS direction |
| Want to be done with the alert | Want to know what's really going on |
| Operations: measured by alert volume | Research: measured by usefulness of insight |
Real/Near-Time vs. Historical analysis
| | Real-time and near-term analysis | Historical analysis |
|---|---|---|
| Object of analysis | A stream of data or a small puddle of data | A huge pile of data |
| Storage | Short term (a few days) | Long term (months to years) |
| Data | Usually structured: logs after normalization | May be unstructured: raw logs, indexed |
| Analysis types | Mostly known patterns, statistics on data fields | Mostly interactive exploration and models |
| Common performance bottlenecks | Processing streams: memory, CPU | Store and query: storage, I/O |
| Focus | Detect threats | Discover threats |
| Usage | Utilize found patterns for alerting | Learn about the patterns in the data |
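To make the two columns of the table concrete, here is an added example (not code from the original page, and not ArcSight or Splunk code) that runs the same constructed authentication log through both styles of analysis in Python. `alert_driven()` is a streaming correlation rule of the kind a SIEM runs at maturity level 2/3: a known pattern (five failed logins from one source within 60 seconds) evaluated over a sliding window kept in memory, so it fires in near-real time and keeps no more history than the window. `exploration_driven()` is a historical question of the kind asked in Splunk/ELK at maturity level 4/5: "which users log in at an hour of day they have never used before?", which only makes sense against the whole stored history. The log lines, user names, addresses, thresholds and function names are all constructed for this example.

```python
"""
Added example: one constructed auth log, analysed two ways.

  alert_driven()       - SIEM-style streaming rule over a sliding window
                         (known pattern, memory/CPU bound, near-real time)
  exploration_driven() - analytics-style question over the full history
                         (learn the pattern first, then flag deviations)

Every line of SAMPLE_LOG is constructed; nothing here is real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style lines: "<ISO time> <result> user=<u> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:03 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:04 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:06 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:07 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:09 OK user=alice src=10.0.0.5
2024-03-01T10:15:00 OK user=bob src=10.0.0.9
2024-03-02T10:20:00 OK user=bob src=10.0.0.9
2024-03-03T10:05:00 OK user=bob src=10.0.0.9
2024-03-04T03:12:00 OK user=bob src=10.0.0.9
2024-03-04T03:12:30 OK user=bob src=10.0.0.9
"""


def parse(line):
    """Normalize one raw line into fields (the SIEM 'structured' view)."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def events(text):
    """Parse the whole log, assumed to be in time order."""
    return [parse(l) for l in text.splitlines() if l.strip()]


def alert_driven(evts, threshold=5, window=timedelta(seconds=60)):
    """Streaming rule: `threshold` FAILs from one src within `window` -> alert.

    State is one deque of timestamps per source; entries older than the
    window are dropped as each event arrives, so memory stays bounded and
    the rule never needs to re-read stored history. The alert fires once,
    when the count crosses the threshold.
    """
    recent = defaultdict(deque)
    alerts = []
    for e in evts:  # one event at a time, as a stream would deliver them
        if e["result"] != "FAIL":
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) == threshold:
            alerts.append({"src": e["src"], "at": e["ts"], "fails": len(q)})
    return alerts


def exploration_driven(evts, min_history=3):
    """Historical question: does this user log in at an hour never seen before?

    The baseline (hours of day each user has succeeded at) is learned from
    the data itself, so the function needs every prior event for the user.
    That is a query over stored history, not a rule over a stream. A user
    with fewer than `min_history` earlier successes has no usable baseline
    and is not flagged.
    """
    seen_hours = defaultdict(set)
    successes = defaultdict(int)
    findings = []
    for e in evts:
        if e["result"] != "OK":
            continue
        user, hour = e["user"], e["ts"].hour
        if successes[user] >= min_history and hour not in seen_hours[user]:
            findings.append({"user": user, "src": e["src"], "at": e["ts"],
                             "usual_hours": sorted(seen_hours[user])})
        seen_hours[user].add(hour)
        successes[user] += 1
    return findings


if __name__ == "__main__":
    evts = events(SAMPLE_LOG)
    for a in alert_driven(evts):
        print("ALERT   brute-force candidate:", a)
    for f in exploration_driven(evts):
        print("FINDING off-hours login:", f)
```

On this input the streaming rule fires once, on the fifth failure from 10.0.0.5 at 09:00:07, and the historical question surfaces bob's 03:12 login on 2024-03-04 against a baseline of hour 10 only. The second result is exactly the kind of pattern the last table row describes: once exploration has established that "bob logs in around 10:00", that finding can be promoted to a standing SIEM rule ("alert on bob outside 10:00"), which is the loop between the two columns that the page argues for.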