What is a SIEM?
Security Information and Event Management (SIEM) is a security management approach that combines the roles of SIM (security information management) and SEM (security event management) in one security management framework. SIM gathers, analyzes and reports on log data; SEM analyzes log and event data in real time, covering threat monitoring, event correlation and incident response. Together, the two functions provide real-time monitoring of the security alerts generated by applications and the network. Security vendors that can incorporate these two features in one product are in the driver's seat for new business. Key components of an enterprise SIEM are data collection from various sources, data interpretation, integration of threat intelligence feeds, risk correlation, analytics, profiling, automation, and summarizing potential threats.
This article compares two state-of-the-art, widely used SIEM tools: IBM QRadar and Elasticsearch.
IBM QRadar
IBM's QRadar SIEM toolset, designed mainly for large organizations, is a robust platform for building a function that detects threats and responds to them. Smaller organizations can use it as well, since it contains extensive out-of-the-box content for simpler use cases. It has a broad deployment base and a wide availability of service providers that can help organizations procure, run, tune and monitor their IBM QRadar deployment. In addition to basic SIEM functionality, IBM QRadar SIEM supports threat intelligence feeds, which can be expanded with IBM Security X-Force Threat Intelligence, a framework for detecting malicious IP addresses, URLs, etc. IBM QRadar SIEM is part of the IBM QRadar Security Intelligence Platform, which has additional modules for risk reduction, vulnerability management and forensics. The IBM QRadar Security Intelligence System consists of many modules that work around IBM QRadar SIEM. IBM QRadar Vulnerability Manager puts vulnerability management data in context with event data. It offers deployment options as a subscription cloud service, a virtual appliance or physical servers.
IBM QRadar Network Insights gives visibility into network flows and QFlow-based application data. IBM QRadar User Behavior Analytics is a free module that addresses some use cases relating to insider threats. IBM QRadar Incident Forensics supports forensic investigation. IBM QRadar Advisor with Watson automatically analyzes the root cause of identified threats. IBM QRadar SIEM is available as hardware appliances, virtual appliances and software packages, sized according to the customer's event velocity. It is also available from the cloud as a SaaS SIEM hosted by IBM.
Elasticsearch stack (ELK)
Perhaps the most common open-source framework used today as a building block of a SIEM system is the ELK stack, or Elastic stack. It is not considered a complete SIEM system, and there is plenty of room for debate about whether the ELK Stack qualifies as an all-in-one SIEM. The ELK stack consists of the open-source products Elasticsearch, Logstash and Kibana, plus the Beats family of log shippers. Logstash is a log aggregator capable of collecting and processing data from almost any source; it can filter, process, correlate and generally enrich any log data it gathers. Elasticsearch is an engine for storing and indexing time series data, and one of the best solutions in its field. Kibana is the stack's very strong visualization layer. Beats are a variety of lightweight log shippers responsible for collecting data and shipping it through Logstash into the stack.
Logstash uses a wide range of input plug-ins to gather logs. Combined, the log processing, storage and visualization features of the ELK Stack are virtually unmatched. The ELK Stack, however, lacks some key components for SIEM purposes, at least in its raw open-source form. There is no integrated monitoring or alerting function. This is known not only to users who try to use the stack for security, but also in more common uses such as IT operations. Alerting can be added with X-Pack, a commercial product from Elastic, or with open-source security add-ons. There are also no integrated security rules that could be used out of the box. This increases the cost of managing the stack, both in resources and in operating expenses.
| Features | Elasticsearch | QRadar |
|---|---|---|
| Data sources supported | Focus on flexibility and support for a wide range of log data and source formats. Elasticsearch stores documents in JSON, so the output of each data source also ends up in JSON. Elasticsearch is the search engine component of the ELK Stack and is not intended to accept many input formats itself; that is the job of the data forwarders, parsers and connectors. | Three categories. Events: most sources use the Syslog protocol to send information to QRadar SIEM; others include JDBC, SiteProtector-JDBC, Sophos Enterprise Console-JDBC, Juniper Networks NSM, OPSEC/LEA, SDEE, SNMPv1, v2 and v3, etc. Flows: flow data can be sent to QRadar SIEM in different formats, including Flowlog files, NetFlow, J-Flow, sFlow and Packet. Vulnerability assessment information: QRadar Risk Manager can import scan results from the scanner server, depending on the type of VA scanner, or a scan may be initiated remotely. |
| Data storage and processing capabilities | An important configuration parameter when distributing Elasticsearch is the data directory on each node of the cluster. Elasticsearch uses Lucene for indexing and querying at shard level. All files in the data directories are written by Elasticsearch and Lucene: Lucene writes and maintains the Lucene index files, and Elasticsearch writes feature-related metadata on top of Lucene. | IBM QRadar is a modular SIEM. Depending on scalability needs, different appliances can be added to match the required processing and performance. IBM offers several appliances in different categories with different storage and processing capacities; storage and processing capabilities vary according to the appliances acquired. |
| Flexibility in security directives | Since the Elastic Stack itself is not a SIEM, it does not natively support security rules. It therefore ships with no pre-configured set of rules or actions, and the user is responsible for defining security rules. Elasticsearch does, however, provide a full Query DSL (based on JSON) to define queries, and therefore rules. | Rules in QRadar SIEM search for or detect anomalies in events, flows or offenses. If all of a rule's test conditions are satisfied, the rule generates a response. A set of default rules ships with the QRadar console; these rules can be combined using a simple syntax to create new rules. Additional rules can be downloaded from the IBM Security App Exchange. |
| Behavioral analysis at application level | ELK does not come with UEBA plugins, but it has a flexible REST API, so integrating a UEBA solution into the Elastic Stack is feasible. One solution intended to provide ML anomaly detection and other behavioral analytics capabilities is Prelert. | User behavior analytics in IBM QRadar is somewhat limited. Two QRadar features are based on user behavior: anomaly detection rules, and the IBM QRadar User Behavior Analytics application. |
| Risk analysis capacity | Elastic Stack does not natively provide any risk analysis capability. | IBM QRadar SIEM has a risk analysis extension, QRadar Risk Manager, used to prioritize vulnerabilities for risk reduction. The extension also has a policy engine for compliance test automation and comes with a risk dashboard. |
| Security event management and visualization capabilities | Kibana is the Elastic Stack's data visualization component. With Kibana, users can add line, bar and scatter plots, charts and maps to view large amounts of data. Besides building dashboards and visualizations, Kibana can be used for data analysis and interactive exploration. X-Pack integrates easily with Kibana and offers reporting and health monitoring for the Elastic cluster. | Creating and managing dashboards in QRadar is simple. The Dashboard tab is the default view in the QRadar Console after login. It offers a workspace in which several dashboards show views of network security, operations or gathered data. Dashboards group display items into interactive views that focus on different areas of the network. QRadar dashboards are customizable: users can choose the default dashboards or create custom ones to investigate log or network activity. |
| Deployment and support | Elasticsearch is easy to install and can start indexing data immediately. The difficulty of deploying a cluster depends on how large the cluster is; Elasticsearch can run on anything from a single laptop to a small cluster of machines. | The IBM Security QRadar architecture supports deployments of varying sizes and topologies, from a single-host deployment where all software components run on one system, to multi-host deployments where devices such as Event Collectors, Flow Collectors, Data Nodes, Event Processors and Flow Processors have specific roles. |
| Licensing | All Elastic open source projects, including Elasticsearch, Logstash, Kibana and Beats, are licensed under Apache 2.0. X-Pack, however, is a commercial product. X-Pack offers a 30-day trial license that gives access to all features of the Elastic Stack; at the end of the trial period the user can purchase a subscription. | Since IBM QRadar SIEM is modular with multiple choices per component, licensing and pricing are not public and usually depend on a deal between IBM and the customer. The charging metric is generally usage-based, such as log-source events per second and network flow events per minute. |
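The ELK paragraph above notes that the stack has no integrated alerting or security rules, and the "Flexibility in security directives" row notes that Elasticsearch's JSON Query DSL can nevertheless express rules. As an added example that is not part of the original article, the Python below builds one such rule (repeated failed SSH logins from a single source within a time window) as a Query DSL body a scheduler would submit, and applies the same logic to constructed sample events offline so it runs without a cluster; the ECS field names, thresholds and sample data are assumptions.

```python
# Detection rule as Elasticsearch Query DSL, plus an offline evaluator that
# applies the same logic to constructed sample events (no cluster needed).
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
THRESHOLD = 5   # failed logins from one source ... (assumed rule parameters)
WINDOW_MIN = 5  # ... within this many minutes

def failed_login_rule_query(threshold=THRESHOLD, window_min=WINDOW_MIN):
    """Query DSL body a scheduler would POST to an index's _search endpoint.
    Field names follow the Elastic Common Schema (an assumption here)."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"event.action": "ssh_login"}},
            {"term": {"event.outcome": "failure"}},
            {"range": {"@timestamp": {"gte": f"now-{window_min}m"}}},
        ]}},
        # Bucket by source; min_doc_count drops sources under the threshold.
        "aggs": {"by_source": {"terms": {
            "field": "source.ip", "min_doc_count": threshold, "size": 100}}},
    }

def evaluate_offline(events, now, threshold=THRESHOLD, window_min=WINDOW_MIN):
    """Apply the same rule to in-memory events (stands in for the aggregation).
    Returns {source.ip: count} for sources at or above the threshold."""
    cutoff = now - timedelta(minutes=window_min)
    counts = defaultdict(int)
    for ev in events:
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        if (ev.get("event.action") == "ssh_login"
                and ev.get("event.outcome") == "failure" and ts >= cutoff):
            counts[ev["source.ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample events (not real log data); documentation-range IPs.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"@timestamp": f"2024-01-01T11:5{5 + i}:00Z", "event.action": "ssh_login",
     "event.outcome": "failure", "source.ip": "198.51.100.7"} for i in range(5)
] + [
    {"@timestamp": "2024-01-01T11:58:00Z", "event.action": "ssh_login",
     "event.outcome": "failure", "source.ip": "203.0.113.9"},
    {"@timestamp": "2024-01-01T11:20:00Z", "event.action": "ssh_login",
     "event.outcome": "failure", "source.ip": "203.0.113.9"},  # outside window
]

if __name__ == "__main__":
    print(json.dumps(failed_login_rule_query(), indent=2))
    print(evaluate_offline(SAMPLE_EVENTS, NOW))  # {'198.51.100.7': 5}
```

In a real deployment the query body would be run on a schedule (for example by X-Pack alerting or a cron-driven script) and every non-empty `by_source` bucket turned into an alert.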