Subject ArcSight QRadar

Product Birth Year 2000, ArcSight SIEM came into the market and incidentally this was the only product they have worked on. In 2011 HP bought them Year 2004-2005, Q1 Labs entered into the SIEM market modifying their NBAD platform (QFLOW) and in 2012, IBM bought them.

Logging Format CEF – Common Event Format LEEF – Log Event Extended Format

Underlying DB Oracle till 2012, then combination of MySQL, PSQL etc. Proprietary based on Ariel Data store and probably Ariel Query Language (AQL)

Vendor Support ArcSight supports more than 400 vendors with their CEF certification program QRadar supports more than 250 vendors with their LEEF certification program

Portfolio Log Correlation – HP ArcSight ESM Log Management – HP ArcSight Logger Identity Correlation – HP Identity View Intelligence Feeds – HPRepSM Threat Detection – HP ArcSight Threat Detector Response and Action – HP ArcSight TRM Log Correlation – IBM QRadar Console Log Management – IBM QRadar Log Manager Network Forensics – IBM QRadar NBAD (using QFlow) Intelligence Feeds – IBM X-Force Vulnerability Management – IBM QRadar VM (with dedicated Scanner) Response and Action – IBM QRadar Incident Forensics for Response only

Identity monitoring ArcSight has a separate feature called IdentityView (separate license) to provide the identity perspective of events occurring in ArcSight. It integrates with Identity solutions (AD, Oracle) to keep track of user activity regardless of the account being used. It assigns risk scores to users based on their activity, and can graphically represent this activity and compare it to others with similar roles. QRadar does not have the capability similar to Identity View, however, it does integrate with Identity solution to provide user information in the offenses created.

Network Behavioral Analysis ArcSight does not natively collect flow data however, it can obtain Netflow data from other devices such as routers, etc. The Netflow data provides visibility only up to layer 4 (no application visibility) QRadar due to its origin as a NBAD product has powerful Network Behavioral Analysis (NBAD) capability through its QFlow appliance (Network Flows data including Layer 7 flows, Jflow, Netflow, IPFIX, SFlow, and Packeteer’s Flow Data Records can be collected and processed). This would allow us to review application and network flows and assess it for anomalous traffic, persistent threats etc.

Vulnerability Management ArcSight can integrate with Vulnerability scanners and gather Scan reports for correlating vulnerability information with the security events collected. However, it is more of a data aggregator in the case of VM tools. QRadar has a Vulnerability Management product (QVM). This has all the features comparable to ArcSight, however, IBM has upped the ante in this space by including a Scanner in the product that can actively scan hosts if enabled with QVM license. This provides security analysts to gather real time information if they choose to from the same SIEM console.

Dynamic Risk Management ArcSight does not have any risk management capabilities. However, it can integrate with commercial risk management products to provide basic correlation QRadar has a Risk Manager (QRM) product that collects Network configuration information and provides a risk modeling capability to assist in understanding the extent of impact of a configuration change in the network. This is akin to Skybox, Algosec or RedSeal and perform in similar capacity

Log Collection Agent Less – Using Connector Appliance. Logger Appliance can also serve as Log receiversAgent Based – Software Install on Servers for all types of log collection Agent Less – Any QRadar Appliance, Console, All-in-One Combo boxes, Event Collector etc. can collect Logs remotelyAgent Based – Connector software available for Windows. For others, Agentless is the only option.Flow Collection – By default any appliance can collect flow data, however, dedicated Flow Collectors are an option in QRadar.

Log Management Separate Log Management Software, Appliance which is different from the ESM appliance. They have a Express version which combines both but in general HP Logger fills the space of a dedicated Log Management appliance Same software, same appliance can behave as all in one SIEM + Log Manager or dedicated Log Manager or SIEM depending on License added. There is no distinct product differentiation as in ArcSight family.

Event Transmission Events from the source are sent in clear text to the SmartConnectors, however, all further upstream communication happens encrypted. Compression and Aggregation can also be employed in the ArcSight ecosystem from the connectors onwards. Events from the source are sent in clear text, however, communication between QRadar Appliances happen using encrypted SSH tunnels. However, compression happens on Appliance at event storage level and does not happen in event transit.

Handling EPS bursts ArcSight uses large buffers to cache events in case of an EPS burst. Once the buffer is filled, the Queue starts to fill. Once the queue overflows, events get dropped. But the burst EPS can be sustained for longer periods of time compared to QRadar. In QRadar, Each event type has a memory buffer, once the EPS exceed the licensed level and the buffer is filled, all new events are queued and processed on a best effort basis. However, this burst EPS is not sustainable for longer periods of time as with ArcSight. So even though it can take burst EPS during times of attack, it is not sustainable.

Filtering ArcSight provides the ability to filter or modify events at the collection and logging level to eliminate the events that are not of security value. This can be as close to event source as possible using SmartConnectors QRadar provides capability to filter using Routing rules. However, for field based filtering (where only one field from the log needs to be omitted during parsing) can’t be done in QRadar.

Aggregation Log Aggregation can be done based on any field combination. This is really useful when it comes to toning down on the high volume logs of network firewalls and proxies etc. Log Aggregation or Coalescing in QRadar terminology happens at the event collection layer based on the source IP and user only and not on customizable field combinations

Data obfuscation ArcSight allows for obfuscating any field at the log collection level using SmartConnectors. This is very powerful when monitoring confidential data in logs. QRadar does provide Obfuscation abilities using a custom Regex Based, Key Based Obfuscation config. This will allow for encrypting a field, based on the Regex Match when event is processed.

Custom Log Collection Require development of customized configuration files. However, ArcSight Flex Connector SDK is a very powerful tool to build custom connectors and parsers. Also, the ArcSight community shares knowledge about custom connectors and hence more help available in case you want to develop on your own. QRadar has two parts of custom log collection capability. For supported logs or generic logs, it can update/develop parsers using the “Extract Custom Property” feature. However, if a new log source is to be integrated, then it is through customized configuration files which is much harder to create, test and maintain. Also, help to develop on your own is scarce so Professional services is mandatory.

Scalability ArcSight is really scalable such that it can support multi-tier Correlation Engines, multi-tier Loggers, Connectors etc. and also have effective peering. QRadar scales very well horizontally at the Log Collection layer, however at the Correlation layer it does not scale as well as ArcSight. This is a challenge in large and distributed environments.

High Availability One of the long standing issues of ArcSight is HA. It does not have a true HA capability. It supports failover routing at the Collection layer but does not have any thing at the correlation layer. QRadar has the most simple to setup HA configuration ever. This allows sync of two Appliances in true HA style.

Multi-Tenancy ArcSight has always been the SIEM product of choice for MSSP vendors. The main reason being the ability of the product to delineate events based on customers so that monitoring can be efficiently performed in a MSSP environment. It maps IP addresses to customer names and network zones to avoid overlap. QRadar did not have the feature until recently (I think v7.2 and above) and was one of the reasons it had very poor Multi-Tenancy support. However, the new feature with “Domain” based categorization provides ability to support MSSP environments. Maturity is yet to be achieved but it’s a step in the right direction.

Out-of-the-box use cases ArcSight’s out-of-the-box use cases are very light compared to and only include limited Multi-Device/Event correlation use cases. QRadar comes with a comprehensive set of basic out-of-the-box use cases for various threat types such as malware, recon, dos, authentication and access control, etc. Also, several of these use cases are Multi-Device/Event types.

Customizable dashboards and reports ArcSight reporting system includes over 350 standard report templates that address common compliance and risk requirements. The report design system is similar to what you would find in a BI solution, though not as complex. Support for charts and graphs is available, and templates can be customized through Velocity. Reports can be scheduled and distributed automatically by e-mail. QRadar provides over 2000 report templates relevant to specific roles, devices, compliance regulations and vertical industries. Only basic report customization is available. However, if advanced report customization is required, QRadar reporting seems limited. However, majority of the customers using QRadar are happy with the out-of-the box reports.

Case management ArcSight has a built-in case management system that allows the association of events to cases, limited workflow, and the ability to launch investigation tools (anything that can run from a command-line) directly from the console. Cases can contain analyst notes and customizable fields. QRadar provides a rudimentary case management capability through its Offense Management. Offense Management provides basic features such as open, close, assign, and add notes. Additional events cannot be added to Offenses. This is in stark contrast to ArcSight which has full blown case management system built in.

User portal ArcSight requires a java client to provide most of its functionality, but also provides a web interface primarily for business users. Provides all functionalities for security event monitoring and threat content development through web based GUI

User licenses Individual console licenses should be purchased for each user to perform investigation/monitoring Additional user licenses are not required to be purchased