What Are the Differences Between Splunk vs HP ArcSight as a SIEM Tool?

Excerpt: SIEM, or Security Information and Event Management, is one of the key aspects of the field of cybersecurity. In essence, it seeks to identify and deal with potential security threats and vulnerabilities before they get out of hand or are exploited to disrupt the organisation’s workings.

Table of contents:

  • Introduction
  • Features of Splunk
  • Features of Arcsight
  • Difference between Splunk and ArcSight
  • Pros and cons of Splunk and ArcSight
  • Conclusion

Introduction

Today, SIEM solutions revolve around advanced software platforms that use machine learning and AI to carry out User and Entity Behaviour Analytics (UEBA). SIEM software collects, stores in a centralised database, and analyses all the information generated by an organisation’s applications, systems and security devices. When it identifies a prospective threat, it generates an alert with an associated threat level based on pre-determined criteria.

Some of the key characteristics of a good SIEM software are:

  • Consolidates multiple data points into a single framework.
  • Customised dashboards and smooth management of alert workflows.
  • Seamless integration with the other products and services utilised by the organisation. 

Two of the industry leaders in the field of SIEM software are Splunk and HP ArcSight. The former was founded in 2003 by Michael Baum, Rob Das, and Erik Swan; the latter originated with Alex Daly and Hugh Njemanze in 2000, before it was acquired by Hewlett-Packard a decade later.

The eponymous products of both companies are highly rated by both customers and experts specialising in the field of SIEM – Gartner Peer Insights, for example, rates Splunk at 4.3/5 and Arcsight at 3.9/5. However, there are some key differences in the features, use cases, and overall experience offered by these two products.

We’ve done some research of our own on the various differences between Splunk and HP ArcSight as SIEM tools. If you want to know more, just sit back, relax, and keep reading!


Features of Splunk:

Some of the key features of Splunk are:

  • Data ingestion: Splunk can ingest structured data in formats like JSON and XML, as well as unstructured machine data like web and application logs. Fields can be extracted from this unstructured data into whatever structure the user prefers.
  • Data indexing: The ingested data is indexed to make it easier to execute queries and searches later.
  • Data searching: This is the process whereby the ingested data is analysed to create metrics and identify patterns and trends which can point towards potential security threats.
  • Alerts: Splunk can send out alerts via email or RSS feeds when certain pre-determined criteria regarding the identification of a threat are met.
  • Dashboards: Splunk’s dashboards display search results and data-driven insights in easily understood visual forms, such as graphs, charts, reports and pivots.
  • Data model: The indexed data can be modelled into one or more data sets on the basis of specialised domain knowledge. As a result, the end-users who analyse the business cases can easily navigate through and comprehend the significance of the data without needing to understand the technical intricacies of Splunk’s Search Processing Language (SPL).
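To make the ingest, index, search and alert chain described above concrete, here is an added example in Python. It is not Splunk code and not the article’s own; Splunk’s real pipeline and SPL are far richer. It normalises a constructed JSON record and a constructed access-log line into flat events, builds a small inverted index keyed by field and value, runs field=value searches, and fires a threshold alert of the kind a scheduled search would raise. The log format, field names and sample values are assumptions, and one of them is chosen to show a real normalisation pitfall: the same field name (`status`) means different things in the two sources, which is exactly the kind of schema question a SIEM deployment has to settle up front.

```python
import json
import re
from collections import defaultdict

# Constructed sample input (not real data): two JSON events and two unstructured
# web-server lines in Common Log Format, as a forwarder might deliver them.
RAW_EVENTS = [
    '{"time": "2024-05-01T10:00:01Z", "src_ip": "10.0.0.5", "action": "login", "status": "failure", "user": "alice"}',
    '10.0.0.5 - - [01/May/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 403 512',
    '{"time": "2024-05-01T10:00:03Z", "src_ip": "10.0.0.7", "action": "login", "status": "success", "user": "bob"}',
    '10.0.0.9 - - [01/May/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

# Field-extraction regex for the unstructured lines (assumed Common Log Format).
ACCESS_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)$'
)


def ingest(raw: str) -> dict:
    """Normalise one raw record into a flat event dict.

    JSON records are parsed directly; text lines are field-extracted with a regex.
    Anything unparseable is kept with only a _raw field so nothing is silently dropped
    (dropping unknown input is how blind spots get into a SIEM).
    """
    raw = raw.strip()
    if raw.startswith("{"):
        try:
            event = json.loads(raw)
            if isinstance(event, dict):
                event["sourcetype"] = "json"
                event["_raw"] = raw
                return event
        except json.JSONDecodeError:
            pass
    m = ACCESS_RE.match(raw)
    if m:
        event = m.groupdict()
        event["sourcetype"] = "access_log"
        event["_raw"] = raw
        return event
    return {"sourcetype": "unknown", "_raw": raw}


class Index:
    """Minimal inverted index: field name -> value -> set of event ids."""

    def __init__(self):
        self.events = []
        self.postings = defaultdict(lambda: defaultdict(set))

    def add(self, event: dict) -> int:
        eid = len(self.events)
        self.events.append(event)
        for field, value in event.items():
            if field == "_raw":
                continue  # the raw text is stored, not indexed by value
            self.postings[field][str(value)].add(eid)
        return eid

    def search(self, **terms) -> list:
        """AND-search over field=value terms, returned in ingest order.

        Note the caveat: status="403" hits the access log, status="failure" hits the
        JSON login event; the two sources reuse the field name with different meanings.
        """
        if not terms:
            return list(self.events)
        result = None
        for field, value in terms.items():
            ids = self.postings[field].get(str(value), set())
            result = ids if result is None else result & ids
        return [self.events[i] for i in sorted(result)]


def build_index(raw_lines) -> Index:
    idx = Index()
    for line in raw_lines:
        idx.add(ingest(line))
    return idx


def threshold_alert(idx: Index, threshold: int, **terms) -> dict:
    """Scheduled-search style alert: fires when matching events reach the threshold."""
    hits = idx.search(**terms)
    return {"fired": len(hits) >= threshold, "count": len(hits), "terms": terms}


if __name__ == "__main__":
    idx = build_index(RAW_EVENTS)
    for ev in idx.search(src_ip="10.0.0.5"):
        print(ev["sourcetype"], ev["_raw"])
    print(threshold_alert(idx, 2, src_ip="10.0.0.5"))
```

The alert here is a plain count over one search; the point of the example is the shape of the pipeline, not the rule. In practice the field collision shown in `search` is resolved by renaming at ingest time (for example `http_status` for the access log) so that a single search cannot silently match both sources.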

Splunk is available in three different models, depending on your requirements. They are:

  • Splunk Enterprise: For IT-driven businesses and companies with a large IT infrastructure.
  • Splunk Cloud: It is the cloud-hosted version of Splunk Enterprise, offering the same features and satisfying the same use cases as the Enterprise model. It can be accessed through either Splunk itself or the AWS Cloud Platform.
  • Splunk Light: As the name suggests, it offers fewer features and functionalities than the above two models, but at a lesser cost also. It allows searches, reports and alerts from all the logged data in real-time from a single location.

Features of Arcsight:

Some of the key features of Arcsight are:

  • Real-time analysis: Arcsight monitors and analyses data points in real-time to identify potential threats before they become actual breaches.
  • Easy compliance: Optional compliance packs generate packaged reports for PCI, SOX and IT governance.
  • Security analytics: Arcsight enables you to build and maintain a Security Operations Center (SOC) by utilising big data security analytics.
  • Integration: Arcsight’s SOC can be smoothly integrated with network operations, business intelligence, email security, threat feeds, application security etc.
  • Automation: Arcsight’s native SOAR (Security Orchestration, Automation and Response) stack enables the user to automate a variety of responses to identified threats. This saves time and effort and greatly boosts operational efficiency.

The various models of Arcsight include the cloud-based ArcMC for AWS, Arcsight Enterprise Security Management (ESM), Arcsight Express etc. For more information on the different products offered by Arcsight, go to. 

What are the differences between Splunk and Arcsight?

Some of the notable differences between Splunk and Arcsight are:

  1. Pricing points: As mentioned above, Splunk offers three different models to the client organisation, depending on the number of people who will use the software and the amount of data to be ingested. It offers a free trial to potential clients and also has a free version for a single user, with a daily ingest limit of 500 MB. The starting price for the paid version is $1800 per GB per day.

     ArcSight offers much greater flexibility in its pricing structure; its pricing models range from scalable pricing, where the cost depends on the amount of data ingested, to an all-you-can-eat model, where you are charged a fixed price for unlimited data consumption. ArcSight does not have a free trial or a free version.

  2. Use cases: Splunk is best used in enterprises, while ArcSight is more suited to highly regulated industries.
  3. Architecture: Splunk’s architecture begins with the Universal Forwarder, a lightweight agent that transmits data onwards to the Heavy Forwarder or directly to the Indexers. The Heavy Forwarder enables parsing and filtering of data before it is forwarded; the Indexer stores and indexes the data so as to speed up searches; the Search Head runs searches and reports on the results; the Deployment Server distributes configuration across the various components and assists in their deployment; and the Licensing Manager regularly checks your licensing details against the volume ingested, so as to determine the price you need to pay.

     ArcSight’s architecture includes communications, caching, commit, recovery and hardware as integrated, default components. The ArcSight console or a web browser is used to access the Logger, the ESM software and the Connector Appliance (CA). The Logger retains the events that pass through ESM. The SmartConnectors are managed remotely through the ArcSight Connector Appliances or the ESM Manager. Real-time events are transmitted from the Logger to ESM for real-time correlation. After correlation, events are returned to the Logger for long-term storage. SmartConnector events are distributed across a number of Loggers to balance the load.

  4. Deployment: Splunk can be deployed through the cloud, as a web-based platform or SaaS, on Mac and Windows desktops, on Android and iPhone mobiles, and on-premise on Windows and Linux.

     ArcSight can also be deployed through the cloud, as web-based software and as SaaS. However, apart from that, it can only be deployed on Windows desktops.

  5. Training for clients: Splunk offers training for clients through videos, live online meetings and in-person coaching.

     ArcSight only offers training in the form of documentation.
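The real-time correlation step in the ArcSight architecture description above is, in code, a stateful rule fed a time-ordered event stream: it holds partial state per entity and fires only when a pattern across several events completes. The following is an added Python example, not ArcSight’s own rule language and not the article’s code. It implements one classic correlation rule, a run of failed logins for the same source and user followed within a time window by a success, over constructed, already-normalised events of the kind a connector would forward. Field names, thresholds and sample values are assumptions.

```python
from collections import deque

# Constructed, already-normalised authentication events (not real data).
# "time" is epoch seconds; a connector would have parsed these fields out of the raw log.
AUTH_EVENTS = [
    {"time": 1000, "src_ip": "10.0.0.5", "user": "alice", "outcome": "failure"},
    {"time": 1010, "src_ip": "10.0.0.5", "user": "alice", "outcome": "failure"},
    {"time": 1020, "src_ip": "10.0.0.5", "user": "alice", "outcome": "failure"},
    {"time": 1025, "src_ip": "10.0.0.7", "user": "bob",   "outcome": "failure"},
    {"time": 1030, "src_ip": "10.0.0.5", "user": "alice", "outcome": "success"},
    {"time": 1500, "src_ip": "10.0.0.7", "user": "bob",   "outcome": "failure"},
    {"time": 1505, "src_ip": "10.0.0.7", "user": "bob",   "outcome": "success"},
]


class BruteForceThenSuccessRule:
    """Stateful correlation rule (hypothetical name).

    Fires when at least `min_failures` failed logins for the same (src_ip, user)
    are followed by a success within `window` seconds. State is kept per key so
    one noisy source cannot trip the rule for an unrelated user.
    """

    def __init__(self, min_failures: int = 3, window: int = 300):
        self.min_failures = min_failures
        self.window = window
        self.failures = {}  # (src_ip, user) -> deque of failure timestamps

    def process(self, event: dict):
        """Feed one event in time order; returns an alert dict or None."""
        key = (event["src_ip"], event["user"])
        q = self.failures.setdefault(key, deque())
        # Age out failures that fell outside the window relative to this event.
        while q and event["time"] - q[0] > self.window:
            q.popleft()
        if event["outcome"] == "failure":
            q.append(event["time"])
            return None
        if event["outcome"] == "success" and len(q) >= self.min_failures:
            alert = {
                "rule": "brute_force_then_success",
                "src_ip": key[0],
                "user": key[1],
                "failures": len(q),
                "first_failure": q[0],
                "success_at": event["time"],
            }
            q.clear()
            return alert
        # A success with too few preceding failures resets the state for this key.
        q.clear()
        return None


def correlate(events, rule=None) -> list:
    """Run the rule over an event stream (sorted by time) and collect alerts."""
    rule = rule or BruteForceThenSuccessRule()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        alert = rule.process(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in correlate(AUTH_EVENTS):
        print(alert)
```

With the defaults, only alice trips the rule: three failures within 30 seconds and then a success. Bob’s first failure at 1025 has aged out of the 300-second window by the time his second one arrives at 1500, so his success at 1505 sees a single failure and produces nothing. Lowering `min_failures` to 1 makes both fire, which is the trade-off every correlation threshold embodies: sensitivity against false positives.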

Pros and Cons of Splunk and Arcsight:

Some of the upsides of the Splunk platform are as follows:

  • Ease of use: Splunk is a simple and straightforward platform which can be operated by anyone in the company – the CEO, managers, IT Team etc. 
  • Customisation: The user can tailor the platform to their exact needs through numerous plugins and customisations – including in areas like IT Operations, Business Analytics, Industrial Data, Internet of Things and DevOps.
  • Attractive visual interface: Splunk has a stylish and attractive dashboard that parses the data and insights derived into easily understood charts, graphics and interactive reports. You can easily share these reports with anyone you want to.
  • Data handling: The system can easily collect, store, index and analyse very large amounts of data. 
  • Integrated databases: No external databases of any kind are required.
  • Real-time operations: All ingested data is indexed in real-time. 
  • Smart search function: Relevant information in the ingested data is found and flagged automatically, reducing the time and effort required from the user. The software automatically saves past searches and tags useful information, increasing the overall intelligence of the system.
  • Automated alerts: Automated alerts are immediately sent out via email and RSS feed to all stakeholders whenever certain pre-determined criteria relating to the identification of a threat are satisfied. 

Some of the downsides of the Splunk platform are:

  • Expense: If you need to handle very large amounts of data, you will need to pay at slightly steeper rates.
  • Visually inferior to Tableau: In comparison to Tableau, Splunk’s dashboards are not as beautiful or visually attractive. As a result, many clients seek to integrate the two platforms – combining the data collection, storage and analysis abilities of Splunk with the beautiful visualisations of Tableau.
  • Optimisation of searches: There are no specific or easily understood parameters to correctly optimise searches on Splunk; it is a skill that comes only with the experience obtained from extensive usage of and familiarity with the platform. 
  • Static dashboards: Splunk users can create dashboards from the data analytics, but these dashboards are very static in nature and show KPIs only. Its competitors offer clickable dashboards which users can easily dig through to rapidly get the answers to their questions.

Some of the upsides of Arcsight as a SIEM tool are: 

  • Robust and reliable: It is a strong, robust tool that can easily process very large event rates – ranging into the millions of events per second (EPS).
  • Integration of security outputs: All endpoint security management applications (IPS, IDS, firewalls and anti-virus software) and their aggregated outputs are integrated into a single database. This makes it easier to tell true positives from false positives and to eliminate the latter.
  • Integration with IT infrastructures: The software is easily integrated with the other IT infrastructures of the client organisation, such as threat feeds, web systems, and ticketing applications.
  • Clusters: Arcsight allows the user to create clusters, such as Kubernetes clusters.
  • Attractive presentation of data: The tool makes very good use of dashboards, visualisations and graphics to convey the insights obtained from data analytics in a manner most conducive to comprehension.

Some of the drawbacks of the Arcsight SIEM software are:

  • Search function: There is room for improvement with regard to the search function; it can be made more efficient and optimal.
  • High-maintenance tool: ArcSight is a very sophisticated and technically intricate tool. As a result, it takes a lot of time and effort to set it up in the first place, and an equal amount of work must be put in to maintain it. The training offered by the developers is also quite limited, consisting only of documentation.
  • Troubleshooting: It can be difficult to troubleshoot the issues encountered while using the software if you are operating in a large environment. 
  • Long loading time: It takes a rather long time for the user terminal to fully load since it is very large. 
  • Inferior user interface: The user interface is not as easy to navigate as other software tools. 
  • Slow with updates: New plugins relating to the incorporation of new or niche features, for example, feature-rich dashboards, are not always rolled out in the timeliest manner. 

Conclusion

In summation, both ArcSight and Splunk are highly capable, efficient, and well-designed tools for SIEM. An organisation cannot do much wrong by choosing either one of these two platforms. At the end of the day, your final choice will depend on the particular needs of your organisation, such as the number of users, the amount of data that needs to be handled, regulations, the services you want to integrate with, extensibility, and a number of other factors. You also need to take into consideration your budget, the amount of time and effort you are willing to devote to the set-up and maintenance of the platform, and the technical knowledge and capacities of the individuals who will be using the tool.

We hope you enjoyed this deep dive into the features, differences, and pros and cons of Splunk and Arcsight as Security Information and Event Management, i.e. SIEM tools.

Author Bio

Meravath Raju is a Digital Marketer, and a passionate writer, who is working with MindMajix, a top global online training provider. He also holds in-depth knowledge of IT and demanding technologies such as Business Intelligence, Salesforce, Cybersecurity, Software Testing, QA, Data analytics, Project Management and ERP tools, etc.