Splunk vs. IBM QRadar: SIEM Head-to-Head

SIEM, the modern tools of which have been in existence for about a dozen years, is an approach to security management that combines the SIM (security information management) and SEM (security event management) functions into one security management system. SIM collects, analyzes and reports on log data; SEM analyzes log and event data in real time to provide threat monitoring, event correlation and incident response. Due to its 24/7, real-time nature, SIEM is now a required technology for large enterprises.

Both SIM and SEM functions provide on-demand analysis of security alerts generated by applications and network hardware. Security providers that can combine these two functions are in the inside lane for new business.

Key features for enterprise SIEM include ingestion of data from multiple sources, interpretation of data, incorporation of threat intelligence feeds, alert correlation, analytics, profiling, automation and summation of potential threats.

IBM QRadar vs. Splunk: Two of the Best in the Business

IBM QRadar and Splunk, the latter of which has been a market leader for the better part of a decade, are two of the finest security information and event management (SIEM) solutions now available. However, each product offers distinct benefits to potential buyers. Both offer strong core SIEM products, but they differ in use of intelligence and integration with third-party and other security tools.

Generally, IBM QRadar is engineered to work optimally with other IBM products, such as Watson AI, while Splunk, being an independent software maker, enables easier interactions with other components inside a system.

What follows are some key features and analysis of each solution. Here is a face-to-face compilation of pros and cons for two of the best in the SIEM tools business: IBM QRadar and Splunk.

IBM QRadar

What QRadar Brings to the Table: IBM’s SIEM toolset, QRadar, is designed for large organizations and consists of a solid platform used to build a corporate-wide threat detection and response system. It also contains extensive blueprints and templates for simpler use cases. QRadar has a large deployment base and an extensive set of service providers that can help organizations procure, run, tune and monitor their deployments.

The IBM QRadar Security Intelligence Platform builds around IBM QRadar SIEM and includes several components. IBM QRadar Vulnerability Manager contextualizes event data with VM data. IBM QRadar Network Insights provides QFlow-based application visibility from network flows.

IBM QRadar User Behavior Analytics is a free UBA module that addresses some insider threat use cases. IBM QRadar Incident Forensics provides forensic investigation support. IBM QRadar Advisor with Watson provides automated root cause research for identified threats.

Key Reasons to Consider QRadar:

  • Easier to make the investment case to a CFO with the power and gravitas of IBM standing behind the product.
  • QRadar offers a versatile and extensive SIEM platform with many choices of out-of-the-box (templated) content for a broad selection of use cases. Admins don’t have to start from scratch when handling installation.
  • QRadar has a solid ecosystem of value-added integrations with other IBM security portfolio solutions (such as IBM QRadar Advisor with Watson, IBM Resilient or the free UBA module) and content developed by third parties (community, and security and IT vendors), easily accessible via IBM QRadar’s marketplace.
  • Watson AI by itself is a big selling point.
  • IBM QRadar User Behavior Analytics is a free UBA module that addresses some insider threat use cases. IBM QRadar Incident Forensics provides forensic investigation support. IBM QRadar Advisor with Watson provides automated root cause research for identified threats. The vendor also offers the IBM Security App Exchange, where IBM QRadar customers can download content developed by IBM or third parties to extend IBM QRadar’s coverage or value proposition.
  • Includes strong support for network data monitoring, with a large number of application-flow signatures to parse flow data.

How QRadar Is Deployed:

  • IBM QRadar SIEM is available as hardware virtual appliances and software packages based on the customer’s event velocity (number of EPS across the data sources in scope). It is also consumable from the cloud as SaaS SIEM hosted by IBM.

How QRadar’s Pricing Works:

  • Pricing for additional components in the IBM QRadar Security Intelligence Platform depends on their respective metrics (e.g., number of flows for IBM QRadar Network Insights or number of assets in scope for IBM QRadar Vulnerability Manager). QRadar Network Insights is available only in hardware appliance format for data centers.

To Take Under Advisement:

  • IBM QRadar works most optimally with other IBM components. 
  • User experience can fall behind some of the newer competitors, with a non-unified look and feel among the tabs and modules in IBM QRadar. IBM is said to be working on improving this.
  • Risk scoring in the platform is shown as magnitude within offenses, and it can require a level of maturity in security processes to operationalize this. Risk scoring is provided with no customization required.
  • Analysts indicate that IBM receives lower scores than other SIEM leaders, including Splunk, for integration and deployment, and service/support. Reference customers for SIEM give IBM below-average scores for service and support. IBM has indicated that it has recently increased staffing levels for service and support.

Who uses it: midsize to large enterprises
How it is deployed: options for subscription cloud service, virtual appliance, physical servers
eWEEK aggregate score: 4.8/5.0

Splunk Security Portfolio

What Splunk Brings to the Table: Not only does Splunk have one of the more colorful names in all of the IT business, its SIEM system is highly rated and popular. Organizations seeking SIEM solutions that can share architecture and vendor management across SIEM and other IT use cases and those seeking a scalable solution with a full range of options from basic log management through advanced analytics and response should consider Splunk.

Its Security Operations Suite comprises Splunk Enterprise and three solutions: Splunk Enterprise Security (ES), Splunk User Behavior Analytics (UBA) and Splunk Phantom. Splunk Enterprise provides event and data collection, search, and visualizations for various uses in IT operations and some security use cases. The premium ES solution delivers most of the security-monitoring-specific capabilities, including security-specific queries, visualizations and dashboards, and some case management, workflow and incident response capabilities.

Splunk’s security portfolio has been ranked as a leading technology for six consecutive years by Gartner Research—not a trivial accomplishment. The platform helps customers optimize their security nerve centers and address a wide range of security monitoring and threat-detection use cases. Customers use Splunk Enterprise Security and Splunk User Behavior Analytics together as an Analytics-Driven SIEM to build their Security Operations Centers to detect, investigate and respond to threats. Splunk Phantom, a leading security orchestration, automation and response (SOAR) solution, helps customers investigate and accelerate their response to incidents.

Organizations seeking SIEM solutions that can share architecture and vendor management across SIEM and other IT use cases, as well as seeking a scalable solution with a full range of options from basic log management through advanced analytics and response, should consider Splunk.

Key Reasons to Consider Splunk:

  • Splunk’s Security Operations Suite is centrally run and has an intuitive user interface. The platform is composed of Splunk Enterprise and three solutions: Splunk Enterprise Security (ES), Splunk User Behavior Analytics (UBA) and Splunk Phantom. Splunk Enterprise provides event and data collection, search, and visualizations for various uses in IT operations and some security use cases.
  • The premium ES solution delivers most of the security-monitoring-specific capabilities, including security-specific queries, visualizations and dashboards, and some case management, workflow and incident response capabilities. UBA adds machine learning (ML)-driven, advanced analytics. Phantom provides SOAR capabilities. Additional apps for security use cases are available through Splunkbase.
  • Splunk’s most important enhancements over the past 12 months are support for guided investigation via the Investigation Workbench UI in Splunk ES, rapid content updates for ES and UBA, and speed improvements.
  • Splunk’s offerings provide organizations with multiple entry points into security monitoring with a path that can start with basic event collection and simple use cases with Splunk Enterprise through to richer SIEM functionality with ES, more advanced analytics with UBA and SOAR capabilities with Phantom.
  • The vendor has a strong ecosystem of technology integrations available in the Splunk application marketplace, although users of other technologies that compete with Splunk (for example, in the user analytics space) should validate the depth of integration.
  • PII protection features are strong; obfuscation and PII masking are supported down to the field level and can be applied based on user identities, locations and other characteristics.

How Splunk Is Deployed:

  • Splunk offers multiple deployment options: software on-premises, in IaaS and as a hybrid model. Splunk Cloud is a Splunk-hosted and -operated SaaS solution using AWS infrastructure. Splunk Enterprise and Splunk Cloud components consist of Universal Forwarders, Indexers and Search Heads supporting n-tier architectures.

How Splunk’s Pricing Works:

  • Splunk is licensed based on the amount of data ingested into the platform, with pricing discounts for DNS and NetFlow data. ES is also licensed by gigabytes per day, whereas UBA is licensed by the number of user accounts in an organization, and all these are available either as perpetual or term licenses, with various options for enterprisewide pricing and true-ups. Phantom is priced by the number of events on which users take action.

To Take Under Advisement:

  • In another example of “You generally get what you pay for,” Splunk is generally more expensive than its competitors. Customers and prospective buyers tend to express concerns about pricing models and total cost. The addition of Phantom and the introduction of the “nerve center” concept (separate SIEM, UBA and SOAR products) result in three pricing models with different measurement approaches.
  • Splunk UBA is an on-premises or customer cloud-only solution at this point, which can create friction with Splunk Cloud customers wishing to remain in a SaaS model.
  • Splunk has no native agent support for FIM or EDR, although there are integrations with numerous third-party solutions.
  • Splunk support for OT/IoT is largely dependent on the capabilities of third-party apps, rather than on Splunk support for OT protocols.