Hi there. This is Jude Lancaster, and today we're going to talk about different SIEM solutions in the marketplace, all the different vendors that are out there, and focus on a few of them. Learning topics of this video, as I mentioned, are to explore the different SIEM vendors and what their different components are. So let's get started.

The security information and event management market is defined by customers' need to analyze security event data in real time. And that really supports the early detection of attacks and breaches. SIEM solutions collect, store, investigate and support mitigation of, and report on, security data for incident response, forensics and regulatory compliance. We'll talk about the vendors mostly included in the Magic Quadrant; they have products designed for this purpose, and they market and sell them to security-buying customers in all ranges of industries.

This is Gartner's Magic Quadrant, which many of you might be familiar with. Obviously, up and to the right is the preferred placement for a technology. You'll see IBM and Splunk very high there, as well as Exabeam, LogRhythm and Rapid7, and a few other technologies. And then you have some more point solutions that we really don't see in the marketplace as much as those in the Magic Quadrant. We're going to focus on IBM QRadar, Splunk, Exabeam and LogRhythm today.

So let's talk about deployments for a moment. Gartner defines a small deployment as one with around 300 log sources. So 300 different devices or pieces of software that are providing data into the SIEM, and about 1,500 EPS. EPS is events per second, which is how SIEM solutions are typically measured and licensed. A medium deployment is about a thousand log sources and 7,000 EPS. And a large deployment would be about 1,000 log sources and then about 15,000 EPS. This slide doesn't talk about flows, which are the communication between devices on a network, but flows are also very important.
And not every SIEM solution collects flows, but they really are an important facet of the overall security policy. They tell us what communication is happening between an endpoint on your network and an endpoint somewhere else, such as a web page or server or something like that.

So let's talk about some concepts. SIEM is the security information and management tool. And it provides that real-time analysis of alerts, which are generated by network hardware as well as applications. A rule is a procedure that attempts to correlate these events into a report or an incident so that you can see what's going on in the environment. Rule threshold is the point at which the rule is triggered, and then that correlation event is generated. Event threshold is the number of times the event must occur before triggering the rule threshold. A rule action is a procedure that occurs when all rule conditions and threshold settings have been met. So what's going to happen when those things occur? And then a trend is a resource that defines how and over what time data will be aggregated and evaluated for trends. So a trend executes a specified query on a defined schedule and time duration.

An event is the actual log of a specific user action, such as a login or a firewall permit. It occurs at a specific time, and the event is logged at that time. As I mentioned before, flows, which are equally as important as events, are a record of network activity. And it can last for seconds, minutes, hours or even days, depending on the activity within the session. So as an example, sending an email might be a flow that lasts for a few seconds, whereas downloading a large file might last for hours or even days. Data collection is the process of collecting flows and logs from different sources. And that typically goes into some kind of common repository, like a database built into the SIEM.
Normalization is what happens when raw events are turned into a format that has user-readable fields such as IP address, machine name, things like that. And that helps the user look at those raw events. License and license throttling monitors the number of events and flows into the system to manage your licensing. And most SIEMs are licensed this way, either events per second and flows per second or a combination of the two. Coalescing combines those events based on common attributes. So if we see several actions from one endpoint in a short period of time, those will typically be combined into a single event.

So the technology we're going to talk about is IBM QRadar. IBM QRadar came out in 2005; it originally came out as Q1 Labs. And it really started a little bit differently than most SIEMs, because it started with flows. So QRadar looked at network behavior anomalies with its NBAD platform, the network behavior anomaly detection platform. And then it was purchased by IBM in 2012 and really has been the pillar of the IBM Security business since that time. It's proprietary, based on the Ariel data store and a proprietary Ariel Query Language. So it uses an Ariel database to store data, and events and flows that come into the system. It does log correlation and network forensics, leverages intelligence feeds and vulnerability management, and then it has a risk management component as well.

There are several components to QRadar. These are not all of them, but are probably the most popular ones. Vulnerability Manager discovers and senses network devices and applications, and then pulls in security vulnerabilities and provides context around that so you can prioritize remediation of those particular devices. It's part of the IBM Security QRadar platform, an add-on for that. And it allows you to do vulnerability scans of machines and devices on your network.
User behavior analytics, which is becoming more and more popular, because users, whether through malicious activity or just through mistakes or incidental activity, are really the main place where breaches and risks occur. And QRadar User Behavior Analytics is an add-on, but it's a free add-on for QRadar, that analyzes user activity and can detect insider malicious behavior. It can detect things like whether users' credentials have been compromised. And you can prioritize users as far as their risk activity, so it's something that's very useful for QRadar customers.

And then the QRadar Network Insights tool leverages its flow data, which is really a differentiator between QRadar and other SIEMs on the market. Most other SIEMs do not bring flow data into their SIEM natively. Some will take flow data and then pull that in as an event. But that really doesn't give you the full picture of what's actually going on. Network Insights can pull in network data in real time and really give insight into what's happening in the environment. Because the first thing that a hacker or bad actor will do is turn off logging. So that really hides the information that is coming into the SIEM if logs are turned off. However, the network doesn't lie; you can't turn off information that's going on in the network. And that's why flows are so important. Because you can detect things like phishing emails, malware, data exfiltration, which is really important, lateral movement within the environment, and other application abuses and compliance gaps. So flow data is really important, and Network Insights around that is important.

Let's talk next about ArcSight. And it's a SIEM solution that does event correlation and security analytics. It is comprised of several different components: ArcSight Manager; its CORR-Engine, which is the Correlation Optimized Retention and Retrieval Engine; it has a console to view all this data together; and then the Command Center.
And then it also leverages APIs from which you can integrate other solutions into ArcSight. Yes, as with other SIEMs, it allows you to monitor events in real time and correlate those events to be more easily viewed in the solution.

Splunk has been around for about 10 years now and didn't really start out as a SIEM, but has gained a lot of popularity in this space. Really, Splunk's goal is to make machine data accessible, usable and valuable to everyone. So the whole goal is to take that information from multiple different sources and combine it into a single data store, if you will, so that that data can be viewed in a single pane of glass. And that's Splunk's operational intelligence. And that's the unique value proposition that they bring. They also have several free technology add-ons that can provide some additional value. The Distributed Management Console pulls all the Splunk architecture management together in a single set of dashboards. As I mentioned before, Splunk didn't start out as a SIEM, but has really broadened its offerings into a very robust SIEM solution. Here's kind of a representation of Splunk's services, or Splunk's architecture I should say. So it has a data collection layer that is forwarding things like syslog, potentially API, scripts, things across the wire, et cetera. And then it provides that into a data indexing layer, which then goes into the data presentation layer, which is what the web browser will present to the end user through its visibility.

And then finally, let's talk about LogRhythm. And they also have a robust security intelligence platform, also in the Gartner Magic Quadrant. The Platform Manager supports centralized management of a LogRhythm implementation; it has a Data Processor, which performs log collection and management. So that would be the piece of hardware that actually pulls in the collection of the different logs. Your Data Indexer indexes your data and metadata.
And it has an AI Engine, or artificial intelligence engine, that provides the correlation and analysis capabilities. So that's what does all the correlation of log events, pulls it all together and gives you some information around rules and analysis. They also offer an all-in-one for smaller implementations that combines all of those solutions into a single appliance. They can also do some network monitoring, which does deep analysis of network traffic contents, so it allows for information around the network itself. And then the Data Collector collects log data from remote systems and then prepares it for transport to the centralized LogRhythm Platform implementation. So if you have different locations, you can put a Data Collector there, and that will forward that data on to the main LogRhythm implementation.
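The concepts defined earlier in the video (normalization of raw events into fields, coalescing of repeated events on common attributes, the event threshold and rule threshold of a correlation rule, the rule action that runs when the threshold is met, and EPS as the licensing measure) are easier to see in code. What follows is an added example written for this page; it is not the speaker's code and not the implementation of QRadar, Splunk, ArcSight or LogRhythm. The syslog-style lines, the `sshd` field layout, the 10-second coalescing window, and the brute-force rule (five failed logins from one source within 60 seconds) are all constructed assumptions for illustration.

```python
"""Toy SIEM pipeline: normalize -> coalesce -> threshold rule -> rule action.

Added example, not code from the video or from any SIEM vendor. All log
lines, field names and thresholds below are constructed for illustration.
"""
import re
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Callable, List, Optional

# Constructed raw log lines (not captured from a real system).
RAW_LOGS = [
    "2024-03-01T10:00:01 fw01 sshd[812]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "2024-03-01T10:00:03 fw01 sshd[812]: Failed password for root from 203.0.113.7 port 51123 ssh2",
    "2024-03-01T10:00:04 fw01 sshd[812]: Failed password for admin from 203.0.113.7 port 51124 ssh2",
    "2024-03-01T10:00:06 fw01 sshd[812]: Failed password for root from 203.0.113.7 port 51125 ssh2",
    "2024-03-01T10:00:09 fw01 sshd[812]: Failed password for root from 203.0.113.7 port 51126 ssh2",
    "2024-03-01T10:00:12 fw01 sshd[812]: Accepted password for root from 203.0.113.7 port 51127 ssh2",
    "2024-03-01T10:00:15 fw01 sshd[900]: Failed password for bob from 198.51.100.5 port 40001 ssh2",
    "2024-03-01T10:00:20 fw01 kernel: unparseable line that normalization must not choke on",
]

# Assumed sshd line layout; a real SIEM ships one such parser per log source type.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src_ip>[\d.]+) port (?P<src_port>\d+)"
)


@dataclass
class Event:
    """A normalized event: raw text turned into user-readable fields."""
    time: datetime
    host: str
    src_ip: str
    user: str
    action: str        # "login_failed" or "login_success"
    count: int = 1     # becomes >1 once coalesced


def normalize(raw: str) -> Optional[Event]:
    """Normalization: parse a raw line into fields, or None if the format is unknown."""
    m = LINE_RE.match(raw)
    if not m:
        return None    # a real SIEM would keep this as an unparsed/raw event
    return Event(
        time=datetime.fromisoformat(m["ts"]), host=m["host"], src_ip=m["src_ip"],
        user=m["user"], action="login_failed" if m["outcome"] == "Failed" else "login_success",
    )


def coalesce(events: List[Event], window_s: int = 10) -> List[Event]:
    """Coalescing: merge events with the same (host, src_ip, user, action) that
    arrive within window_s of the group's first event into one event with a count."""
    merged: List[Event] = []
    open_groups = {}
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.host, ev.src_ip, ev.user, ev.action)
        grp = open_groups.get(key)
        if grp is not None and (ev.time - grp.time).total_seconds() <= window_s:
            grp.count += ev.count
        else:
            grp = replace(ev)          # copy, so the input list is left untouched
            merged.append(grp)
            open_groups[key] = grp
    return merged


@dataclass
class Rule:
    name: str
    action: str                      # normalized action this rule counts
    event_threshold: int             # occurrences needed before the rule threshold is met
    window_s: int                    # sliding window the occurrences must fall in
    rule_action: Callable[[dict], None]   # runs when conditions and thresholds are met


def evaluate(rule: Rule, events: List[Event]) -> List[dict]:
    """Rule threshold: per source IP, fire once the summed counts of matching
    events inside a sliding window reach event_threshold; then run the rule action."""
    by_src = {}
    for ev in sorted(events, key=lambda e: e.time):
        if ev.action == rule.action:
            by_src.setdefault(ev.src_ip, []).append(ev)
    offenses = []
    for src_ip, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while (evs[end].time - evs[start].time).total_seconds() > rule.window_s:
                start += 1
            total = sum(e.count for e in evs[start:end + 1])
            if total >= rule.event_threshold:
                offense = {"rule": rule.name, "src_ip": src_ip, "count": total,
                           "first": evs[start].time.isoformat(), "last": evs[end].time.isoformat()}
                offenses.append(offense)
                rule.rule_action(offense)
                break                  # one offense per source per evaluation pass
    return offenses


def events_per_second(events: List[Event]) -> float:
    """EPS as a licensing measure: normalized events over the observed time span."""
    times = [e.time for e in events]
    span = (max(times) - min(times)).total_seconds()
    return len(events) / span if span else float(len(events))


ALERTS: List[dict] = []   # stand-in for an offense queue / ticketing integration

# Assumed rule: 5 failed logins from one source within 60 s (event threshold = 5).
BRUTE_FORCE = Rule("ssh_brute_force", "login_failed", 5, 60, ALERTS.append)


def run_pipeline(raw_lines: List[str], rule: Rule):
    """Collect -> normalize -> coalesce -> correlate; returns all three stages."""
    events = [e for e in map(normalize, raw_lines) if e is not None]
    merged = coalesce(events)
    return events, merged, evaluate(rule, merged)


if __name__ == "__main__":
    evs, merged, offenses = run_pipeline(RAW_LOGS, BRUTE_FORCE)
    print(f"{len(evs)} normalized, {len(merged)} after coalescing, {events_per_second(evs):.2f} EPS")
    for o in offenses:
        print("OFFENSE:", o)
```

Note that the event threshold is evaluated against the coalesced counts, not the number of coalesced records: the four root failures in ten seconds collapse into one record with count 4, which together with the admin failure reaches the threshold of five. The seventh line, one failure from 198.51.100.5, never reaches the threshold and produces no offense, and the unparseable kernel line is dropped by normalization rather than crashing the pipeline.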