I work at mid-sized enterprise bank. I am researching SIEM solutions. Which is the best tool for security information and event management: Arcsight or Securonix?
In my market, a lot of financial companies had or have an ArcSight installation. Just because in former times it was pretty good. Now a lot of them are looking for a more effective solution due to admin costs for handling more complex scenarios the same applies to QRadar. Looks like the old champions like ArcSight are getting a little "out of Date". That's why my company (SW development and consulting) decided to recommend Splunk to our customers since 2012.
Actually the best solution for me is to install is a Splunk core with the cost-free Sec App in Phase 1, later on, you can upgrade with the big enterprise sec and get into full automation with phantom, but be patient.
So upfront the license fee is quite higher then comparatives but you save a lot Invest on PeopleSite. Another advantage is you can get rid of the classy ETL-Layer structure, so explorative searches and quick adaptation is really possible.
If you have concerns about the budget, let me give you one thing on the way. The data you collect for security reasons can be very useful for other departments. Think of ITOps, Compliance, Transactionscontroll, even marketing.
So share them some Dashboard with a scope on their issues and they will share your costs.Splunk is a leader in Gartner so your or your boss's political risk choosing Splunk is quite low.
Jospeh´s recommendation is worth a look if you must use ArcSight or other classy ETL-structured SIEMs.
Neither, or both.
Having done literally thousands of SIEM deployments, I can tell you from experience that the technology choice isn't the most important choice. The critical choice is in the resources and commitment to manage and use the system. I've seen countless SIEM implementations fail over the longer term, including all of the big names, because too many people treat it like a "set it and forget it" system. It is most definitely not. A SIEM or UEBA platform is a tool that must be monitored, tuned, and used every day. So I would recommend to you that you spend less time figuring out which technology is the "best" and more time building a plan to integrate it, manage it, and fully utilize it. Or selecting a good team to do that for you.
I would agree that besides the technology you also need the manpower behind it. And with regards to technology, you asked Securonix vs Arcsight. I would go with Arcsight, to gain the visibility into the logs first. I have worked with Arcsight for 8 years now as a partner and as a customer. We were able to ingest logs from anywhere, we were able to ingest logs from anything - custom applications, custom logs - not to mention the logs from the usual security devices - and you also get the OOB support for a lot of devices - Sales claims they have the broadest support with regards to other SIEM vendors.
Yes it was said that it was dated, but they are really making strides to modernize the solution and they will also integrate a Machine Learning UEBA from Interset. My suggestion would be to deploy a SIEM first, which can then be upgraded with an UEBA solution.
Arcsight is a legacy SIEM a Ro-bust log management tool however works on EPS ( Events per second) costing, which mounts recurring cost on year on year basis. However Securonix SIEM based on Data Lake and Advanced Analytics or UEBA suite which provides rich context of any insider threat. You can also have Incident Responder and Threat hunting along with automated response with Play books with add on SOAR tool. I think for a mid-ranged bank Securonix may suite better , also one can have this as service by Cloud service for above tools if options available for the same.
QRadar, Splunk, or LogRythm could be better options. The success of SIEM solutions depends a lot on the expertise of the SoC team that will be managing the alerts generated by SIEM solutions. It is also worthwhile to evaluate the forensics capability of these solutions before buying.
I recommend ArcSight as it has many proven advantages. in terms pricing and technology.
We didn’t use any of the products but I include you a link to Gartner comparison. https://www.gartner.com/review.
To be upfront i am a security vendor and we are the authors and developers of Snare our Siem agnostic Enterprise solution for log collection and log management. We work with lots of Siem vendors and Snare deploys and integrates with all major Siem platforms e.g. Arcsight, Qradar, Splunk, RSA. We have over 500 Banks and financial services companies using Snare Agents and Snare central where we have been able to contain and reduce their Siem ingestion charges by up to 60% where the Siem vendor charges for log data ingestion by EPS, GB or any metered basis - https://www.youtube.com/channel/UCr8sLTVcI7oivIjEQBfu7UA.
Snare Collaborates and compliments Siem solutions. Snare Agents provide Granular Filtering @ Source, Truncation of Noise out of logs @ Source in a lightweight Agent. Snare Central provides dashboard analytics to monitor log traffic from windows, Linux, Unix, OSX, Syslog feeds etc.while also providing "Out of the Box Compliance Reporting, Alerts" and ability to reflect logs to multiple destinations simultaneously. From our experience, Arcsight is a good Siem, very feature-rich but does require a lot of resources and is generally very expensive one-time and ongoing ingestion of logs into Arcsight (unless you have Snare). Arcsight connectors provide an agentless collection process but this has many issues as it is not as secure as Agents and can invite log tampering, no encryption, unable to set group policy etc...I have lots of my Customers using Snare Agents with logs going to Arcsight and can provide a reference point if required. My largest financial services customer has over 100,000 Snare agents filtering, reflecting logs to Arcsight. Please take a look at https://www.snaresolutions.com/siem-integration/