Splunk vs. LogRhythm: SIEM Head-to-Head

PRODUCT COMPARISON: Both LogRhythm and Splunk have a great deal to offer. Both have loyal support from customers and good-to-excellent reviews from industry analysts. But admins should look closely at the finer points each solution offers to see which is better-suited for your company.

1088_ProductComparison

Download our free SIEM Vendor Report based on nearly 300 real user experiences with the top SIEM products in the marketplace.

SIEM Defined: SIEM, the modern tools of which have been in existence for about a dozen years, is an approach to security management that combines the SIM (security information management) and SEM (security event management) functions into one security management system. SIM collects, analyzes and reports on log data; SEM analyzes log and event data in real time to provide threat monitoring, event correlation and incident response. Due to its 24/7, real-time nature, SIEM is now a required technology for large enterprises.

Both SIM and SEM functions provide on-demand analysis of security alerts generated by applications and network hardware. Security providers that can combine these two functions are in the inside lane for new business. Key features for enterprise SIEM include ingestion of data from multiple sources; interpretation of data; incorporation of threat intelligence feeds; alert correlation; analytics; profiling; automation; and summation of potential threats.

Get full clarify into your data center assets with Qualys, which offers maximum protection with vulnerability management, web application scanning, continuous monitoring, and more. Try their top-rated software for free.

LogRhythm vs. Splunk: Two Worthy Competitors

If you're an IT manager seeking a reliable SIEM package, both LogRhythm and Splunk have a great deal to offer. Both have loyal support from customers and good-to-excellent reviews from industry analysts.

Nonetheless, while LogRhythm provides an integrated user experience with a support team that consistently gets A-level reviews, the platform comes with a relatively steep learning curve and really is designed for experienced security administrators. On the other side, Splunk is highly customizable, and, as always, you get what you pay for: Some users have expressed frustration with the cost of implementation.

Here is a face-to-face compilation of pros and cons for two excellent SIEM tools: LogRhythm and Splunk.

LogRhythm SIEM

What LogRhythm Brings to the Table: LogRhythm’s SIEM toolset is designed for midrange or large organizations and consists of a fully featured platform used to build a corporate-wide threat detection and response system. LogRhythm's SIEM package combines everything into a so-called single pane of glass controller: enterprise log management, security analytics, user entity and behavioral analytics (UEBA), network traffic and behavioral analytics (NTBA) and security automation and orchestration. The product is built on a machine analytics/data lake technology foundation designed to scale with each workload, and it has an open platform that enables integration with enterprise security and IT infrastructure.

LogRhythm users in various reviews have said the most valuable feature of the solution is its ability to correlate logs throughout many different log sources. The company's support team also gets rave reviews.

Key Reasons to Consider LogRhythm:

  • LogRhythm offers a versatile and extensive SIEM platform with optional pre-set configurations for a wide selection of use cases. Thus admins can pick the one closest to their own use case and fine-tune it when handling installation.
  • LogRhythm is a great fit for companies seeking a contained platform that includes core SIEM functionality as well as complementary host and network monitoring capabilities. The product is also a match for organizations that need to monitor the security of their ICS/SCADA or OT environments, or that want to merge security event monitoring of IT and OT environments.
  • LogRhythm includes effective support for network data monitoring, with a large number of application-flow signatures to parse flow data.

How LogRhythm is Deployed:

  • LogRhythm SIEM is available as hardware virtual appliances and software packages based on the customer’s event velocity (number of EPS across the data sources in scope). Deployments can be on premises, cloud or hybrid. Third-party providers offer fully hosted and managed solutions.

How LogRhythm’s Pricing Works:

  • Pricing for additional components in the LogRhythm Security Intelligence Platform depends on their respective metrics (e.g., number of data flows).

To Take Under Advisement:

  • Be aware that LogRhythm doesn’t have an app store like Splunk, IBM and others do.
  • Gartner researchers report that while LogRhythm does have a partner program to help facilitate custom integrations, LogRhythm’s APIs are less amenable to third partners. In the same vein, Gartner believes companies with third-party threat intelligence feeds should be sure to first confirm support with LogRhythm, because it supports a limited number of feeds off the top. Services can add other implementations, but it comes at an additional cost.
  • The research firm also reported that some customers have expressed concerns about LogRhythm's ability to scale to support very high event volume environments. Experts advise that potential buyers should first validate LogRhythm's ability to support their workload use-case volumes.

Who uses it: midrange to large enterprises
How it is deployed: options for subscription cloud service, virtual appliance, physical servers
eWEEK aggregate score: 4.7/5.0

Splunk Security Portfolio

What Splunk Brings to the Table: Splunk’s SIEM system is highly rated and popular among IT managers and developers. Enterprises looking at SIEM solutions that can share architecture and vendor management across SIEM and use cases are good customers for Splunk. Those seeking a scalable solution with a full range of options from basic log management through advanced analytics and response, also should evaluate Splunk. The company’s Security Operations Suite is composed of Splunk Enterprise and added three packages: Splunk Enterprise Security (ES), Splunk User Behavior Analytics (UBA) and Splunk Phantom.

Splunk Enterprise provides event and data collection, search and visualizations for various uses in IT operations and some security use cases. The premium ES solution delivers most of the security-monitoring-specific capabilities, including security-specific queries, visualizations and dashboards, and some case management, workflow and incident response capabilities.

Organizations seeking SIEM solutions that can share architecture and vendor management across SIEM and other IT use cases, and seeking a scalable solution with a full range of options from basic log management through advanced analytics and response, should consider Splunk.

Splunk’s security portfolio has been ranked as a leading technology for six consecutive years by Gartner Research; this is not a trivial accomplishment. The platform helps customers to optimize their security nerve centers and address a wide range of security monitoring and threat-detection use cases.

Key Reasons to Consider Splunk:

  • Splunk provides a full suite of singularly controlled security event management solutions that enable users to grow into the platform over time. This starts with Core, then adds ES and UBA; Splunk's app store uses the company's large partner ecosystem to provide a wide range of integration and Splunk-specific content.
  • Splunk’s Security Operations Suite is centrally run and has an intuitive user interface. The platform is composed of Splunk Enterprise and three solutions: Splunk Enterprise Security (ES), Splunk User Behavior Analytics (UBA) and Splunk Phantom. Splunk Enterprise provides event and data collection, search, and visualizations for various uses in IT operations and some security use cases.
  • The vendor has a strong ecosystem of technology integrations available in the Splunk application marketplace, although users of other technologies that compete with Splunk (for example, in the user analytics space) should validate the depth of integration.
  • Splunk’s premium ES solution delivers most of the security-monitoring-specific capabilities, including security-specific queries, visualizations and dashboards, and some case management, workflow and incident response capabilities. UBA adds ML-driven, advanced analytics. Phantom provides SOAR capabilities. Additional apps for security use cases are available through Splunkbase.
  • Splunk’s offerings provide organizations with multiple entry points into security monitoring with a path that can start with basic event collection and simple use cases with Splunk Enterprise through to richer SIEM functionality with ES, more advanced analytics with UBA and SOAR capabilities with Phantom.
  • PII protection features are strong; obfuscation and PII masking are supported down to the field level, and can be applied based on user identities, locations and other characteristics.

How Splunk is Deployed:

  • Splunk Cloud is a company-hosted and -operated SaaS solution using AWS infrastructure. Splunk Enterprise and Splunk Cloud components consist of Universal Forwarders, Indexers and Search Heads supporting n-tier architectures. Also available as serverware.

How Splunk’s Pricing Works:

  • Splunk’s licenses are based on the amount of data ingested into the platform, with pricing discounts for DNS and NetFlow data. ES is also licensed by gigabytes per day, whereas UBA is licensed by the number of user accounts in an organization, and all these are available either as perpetual or term licenses, with various options for enterprisewide pricing and true-ups. Phantom is priced by the number of events on which users take action.

To Take Under Advisement:

  • Splunk doesn't offer an appliance version of the solution, so companies that want an on-premises appliance will have to work with a partner that can provide integration on supported hardware. Gartner clients have also expressed concerns about Splunk's licensing model and the overall cost of implementation; Splunk has introduced new licensing options to address those concerns.
  • In another example of “you generally get what you pay for,” Splunk is generally more expensive than its competitors. Customers and prospective buyers tend to express concerns about pricing models and total cost. The addition of Phantom, and the introduction of the “nerve center” concept (separate SIEM, UBA and SOAR products), results in three pricing models with different measurement approaches.
  • Splunk UBA is an on-premises or customer cloud-only solution at this point, which can create friction with Splunk Cloud customers wishing to remain in a SaaS model.
  • Splunk has no native agent support for FIM or EDR, although there are integrations with numerous third-party solutions.

Who uses it: midrange to large enterprises
How it is deployed: options for subscription cloud service, physical servers
eWEEK aggregate score: 4.8/5.0

Chris Preimesberger

Chris J. Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 15 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...