It's not uncommon for organizations to encounter hundreds of security incidents on a daily basis—from the trivial poking and prodding of script kiddies to nefarious activities that constitute the inner workings of advanced persistent threats (APTs). Transforming this volume of data into actionable information is impossible without the assistance of security intelligence, specifically, the analytic capabilities of security information and event management (SIEM) tools. AlienVault USM and IBM QRadar are two leading platforms that focus heavily on these areas—let's see how they stack up in this comparison.
These platforms of course do a lot more than SIEM, as no single technology or approach to cybersecurity can fully protect against the myriad of threats that confront today's enterprises. Layered security is the best bet for protecting against cyber attacks, and both AlienVault and IBM QRadar consist of a combination of vulnerability management, anomaly detection, security monitoring, incident response capabilities, and more.
AlienVault's Open Source Security Information Management (OSSIM) project—a leading SIEM platform in widespread use—is arguably the company's claim to fame. Its suite of security solutions essentially revolves around OSSIM to provide organizations with enterprise-grade threat protection on various levels. The AlienVault Unified Security Management (USM) platform is the company's flagship offering, combining a virtual appliance with both network and host-based intrusion detection, SIEM, and continuous threat intelligence.
The AlienVault UI. Source: alienvault.com.
Another notable feature of AlienVault USM is the Open Threat Exchange: a security database consisting of 26,000+ participants in 140 countries crowdsharing over a million potential threats on a daily basis.
IBM has been steadily adding security vendors to its list of acquisitions over the years: Internet Security Systems, BigFix, Trusteer, and more recently Resilient Systems, to name a few. In 2011 it picked up security intelligence software developer Q1 Labs, and with it QRadar—marking its first foray into the SIEM space.
The QRadar interface. Source: ibm.com.
As it stands today, the IBM QRadar Security Intelligence Platform consists of various components managed under a unified console: QRadar SIEM, QFlow Collector for analyzing application level traffic, log manager, and QRadar vulnerability scanner.
Side-by-Side Scoring: AlienVault vs. QRadar
1. Capability Set
Both platforms possess powerful capabilities that you'd expect from enterprise-grade layered security platforms. AlienVault USM was designed to be an all-in-one platform combining SIEM, network/host-based IDS, file integrity monitoring, vulnerability assessment, asset discovery, and netflow analysis. While QRadar provides features such as vulnerability scanning and traffic analysis, its primary strength lies in its SIEM and security data aggregation/analysis capabilities.
2. Ease of Use
QRadar is a robust platform heavily focused on the SIEM side of the security equation, but with this power comes complexity, especially when it comes to setup and tuning of the product. In contrast, AlienVault USM is targeted at mid-market firms—this is reflected in its relatively intuitive, easy-to-use interface. Each management console page consists of interactive and customizable elements.
3. Community Support
With the popular open source OSSIM project under its belt, AlienVault has maintained a strong and loyal following amongst the open source community, with ample community support resources for OSSIM to boot. IBM QRadar is primarily an enterprise offering with minimal support resources outside of IBM and its partner network, though substantial online help materials can be accessed via the IBM developerWorks community wikis. Additionally, non-IBM affiliated websites like QRadar Insights offer tutorials and limited support materials.
4. Release Rate
AlienVault USM is currently on version 5.3; IBM QRadar is on version 7.0. Both AlienVault and QRadar have seen regular releases over the years, and both vendors maintain publicly available version histories for their respective platforms.
5. Pricing and Support
As mentioned previously, AlienVault USM targets mid-market organizations, and this fact is reflected in its pricing: at the lowest tier, the all-in-one virtual appliance can be had for $5050—an affordable price point for organizations with modest security budgets. The IBM QRadar platform is a modular product with multiple options per component; suffice to say, it's an enterprise product and is priced as such. Typical deployments run in the tens of thousands and can surpass the six-figure mark with all the bells and whistles. Compared with QRadar, support options for AlienVault USM are less expensive and more readily available.
6. API and Extensibility
AlienVault offers no REST API for integrating/customizing its USM Platform; that said, it does offer a Golang-based API for its OTX crowdsourced intelligence platform. The platform can be extended with a variety of 3rd-party datasource plugins in its USM plugin library. In contrast, QRadar offers a well-documented RESTful API for accessing various platform feature endpoints, from the SIEM and analytics engine to the vulnerability scanner.
7. 3rd Party Integrations
AlienVault OSSIM is itself an assemblage of open source integrations: Snort for IDS, Nagios for monitoring, and OpenVAS for vulnerability assessment, to name a few. Additionally, the USM platform integrates with various security devices and offers several 3rd-party datasource plugins from its plugin library. Similarly, QRadar offers a vast library of 3rd-party plugins—known as device support modules (DSMs)—for collecting security events generated by a myriad of vendors' products: McAfee, Microsoft, Cisco, Salesforce, VMware, Kaspersky, and Juniper Networks, to name a few. The offering's Security App Exchange also enables customers to write and share custom apps; the exchange includes contributions from Bit9 + Carbon Black, BrightPoint Security, Exabeam, and Resilient Systems, to name a few.
8. Companies that Use It
Both AlienVault USM and IBM QRadar are used by prominent enterprises worldwide. AlienVault counts Subaru, Focus Brands, Hulu, and the U.S. Air Force as some of its customers; IBM QRadar is used by Fidelity National Financial, The University of Chicago, Gamestop, and more.
9. Learning Curve
Despite a relatively easy-to-navigate and user-friendly dashboard, QRadar's learning curve is fairly steep, especially when compared to AlienVault USM. The latter's wizard-driven setup and intuitive management console make getting up to speed with the platform a trivial affair.
AlienVault has a better-than-average 884 CSR score, though lack of HTTP Strict Transport Security (HSTS) and DNSSEC keeps it from achieving top marks. IBM QRadar's disappointing 608 CSR score is certainly not the worst of the lot; that said, lack of SSL together with missing HSTS and DNSSEC could render its website exploitable by cyber attackers.
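The HSTS finding above is the kind of check a site scanner performs on a response header. As an added example that is not part of the original article or either vendor's code, the script below parses a `Strict-Transport-Security` header value and reports the weaknesses a scanner would flag (header absent, short or malformed `max-age`, no `includeSubDomains`). The response headers are constructed inline so nothing is fetched, and the six-month minimum `max-age` threshold is an assumption chosen for this example.

```python
"""Evaluate an HTTP response's Strict-Transport-Security (HSTS) header.

Added example, not from the original article. Headers below are constructed
sample data; the MIN_MAX_AGE threshold is an assumption for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: six months (in seconds) as the minimum acceptable max-age.
MIN_MAX_AGE = 15_768_000


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    issues: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> Tuple[Optional[int], bool, bool]:
    """Split an HSTS header value into (max_age, includeSubDomains, preload).

    Directive names are case-insensitive; max-age must be a non-negative
    integer, otherwise it is reported as None (malformed).
    """
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            max_age = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return max_age, include_subdomains, preload


def evaluate_hsts(headers: Dict[str, str]) -> HstsResult:
    """Look up the HSTS header (case-insensitively) and list weaknesses found."""
    value = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"),
        None,
    )
    if value is None:
        return HstsResult(False, None, False, False,
                          ["Strict-Transport-Security header missing"])
    max_age, include_subdomains, preload = parse_hsts(value)
    issues: List[str] = []
    if max_age is None:
        issues.append("max-age directive missing or malformed")
    elif max_age < MIN_MAX_AGE:
        issues.append(f"max-age {max_age} is below {MIN_MAX_AGE} seconds")
    if not include_subdomains:
        issues.append("includeSubDomains not set")
    return HstsResult(True, max_age, include_subdomains, preload, issues)


# Constructed sample responses (not captured from any real site).
SAMPLE_HEADERS: Dict[str, Dict[str, str]] = {
    "strong": {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    },
    "weak": {"Content-Type": "text/html", "strict-transport-security": "max-age=300"},
    "missing": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_HEADERS.items():
        result = evaluate_hsts(hdrs)
        status = "OK" if not result.issues else "; ".join(result.issues)
        print(f"{label:8s} present={result.present} max_age={result.max_age} -> {status}")
```

Running the script prints one line per sample: the "strong" headers pass, the "weak" ones are flagged for the short `max-age` and missing `includeSubDomains`, and the "missing" set is flagged for having no header at all. DNSSEC, the other gap the scores mention, is a DNS-side property and is not covered by this header check.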
Scoreboard and Summary
|Criterion|AlienVault USM|IBM QRadar|
|---|---|---|
|Ease of Use|||
|Pricing and Support|||
|API and Extensibility|||
|3rd Party Integrations|||
|Companies that Use It|||
|Total|4.6 out of 5|3.7 out of 5|
In short, AlienVault USM is a safe bet for organizations looking for a relatively affordable and competent all-in-one security platform. IBM QRadar is a powerful SIEM and security data aggregation platform, but its cost-prohibitive price tag and steep learning curve make it an option restricted to enterprises with ample budgetary and professional resources.