SolarWinds Log & Event Manager vs Splunk – A Comparative Review

One of the most important—if not THE most important—assets of many of today’s organizations is their data. It is so important and valuable that many ill-intentioned individuals or organizations will go to great lengths to steal that precious data. They do so that using a vast array of techniques and technologies to gain unauthorized access to networks and systems. The number of such attempts appears to be exponentially growing all the time. To prevent that, systems called Intrusion Prevention Systems, or IPS are being deployed by enterprises wishing to protect their data assets. The SolarWinds Log & Event Manager as well as Splunk are two unconventional products in that arena. Today, we’re comparing the two.

We’ll begin our exploration by having a look at intrusion prevention in general. It will help set the table for what is coming. We’ll try to keep it as non-technical as possible. Our idea is not to make you intrusion prevention experts but rather to ensure we are all on the same page as we further explore both products. Talking about exploring the products, this is what we have next. We’ll first describe the main features of the SolarWinds Log & Event Manager, We’ll follow by having a look at the product’s strength and weaknesses and its pros and cons, as reported by users of the platform and we’ll conclude our overview of the product by having a look at its pricing and licensing structure. We will then review Splunk using an identical format with the products features, its strengths and weaknesses, its pros and cons and pricing structure. Finally, we’ll conclude with what users have to say about the two products.

Intrusion Prevention – What Is This All About?

Years ago, viruses were pretty much the only concerns of system administrators. Viruses got to a point where they were so common that the industry reacted by developing virus protection tools. Today, no serious user in his right mind would think of running a computer without virus protection. While we don’t hear much of viruses anymore, intrusion—or the unauthorized access to your data by malicious users—is a new threat. With data often being an organization’s most important asset, corporate networks have become the target of ill-intentioned hackers which will go to great lengths to gain access to data. Just like virus protection software was the answer to the proliferation of viruses, Intrusion Prevention Systems is the answer to intruder attacks.

Intrusion Prevention Systems essentially do two things. First, they detect intrusion attempts and when they detect any suspicious activities, they use different methods to stop or block it. There are two different ways that intrusion attempts can be detected. Signature-based detection works by analyzing network traffic and data and looking for specific patterns associated with intrusion attempts. This is similar to traditional virus protection systems which rely on virus definitions. Signature-based intrusion detection relies on intrusion signatures or patterns. The main drawback of this detection method is that it needs the proper signatures to be loaded into the software. And when a new attack method, there is usually a delay before attack signatures are updated. Some vendors are very fast at providing updated attack signatures while others are much slower. How often and how fast signatures are updated is an important factor to consider when choosing a vendor.

Anomaly-based detection offers better protection against zero-day attacks, those that happen before detection signatures have had a chance to be updated. The process looks for anomalies instead of trying to recognize known intrusion patterns. For example, it would be triggered if someone tried to access a system with a wrong password several times in a row, a common sign of a brute force attack. This is just an example and there are typically hundreds of different suspicious activities that can trigger these systems. Both detection methods have advantages and disadvantages. The best tools are those that use a combination of signature and behaviour analysis for the best protection.

Detecting intrusion attempt is one the first part of preventing them. Once detected, Intrusion Prevention Systems work actively at stopping the detected activities. Several different remedial actions can be undertaken by these systems. They could, for instance, suspend or otherwise deactivate user accounts. Another typical action is blocking the source IP address of the attack or modifying firewall rules. If malicious activity comes from a specific process, the prevention system could kill the process. Starting some protection process is another common reactions and, in the worst cases, whole systems can be shut down to limit potential damage. Another important task of Intrusion Prevention Systems is alerting administrators, recording the event, and reporting suspicious activities.

Passive Intrusion Prevention Measures

While Intrusion Prevention Systems can protect you against numerous types of attacks, nothing beats good, old-fashioned passive intrusion prevention measures. For instance, mandating strong passwords is an excellent way of protecting against many intrusions. Another easy protection measure is changing equipment default passwords. While it is less frequent in corporate networks—although it is not unheard of—I’ve seen only too often Internet gateways that still had their default admin password. While on the subject of passwords, password ageing is another concrete step that can be put in place to reduce intrusion attempts. Any password, even the best one, can eventually be cracked, given enough time. Password ageing ensures that passwords will be changed before they have been cracked.

The SolarWinds Log & Event Manager (FREE Trial Available)

SolarWinds is a well-known name in network administration. It enjoys a solid reputation for making some of the best network and system administration tools. Its flagship product, the Network Performance Monitor consistently scores among the top network bandwidth monitoring tools available. SolarWinds is also famous for its many free tools, each addressing a specific need of network administrators. The Kiwi Syslog Server or the SolarWinds TFTP Server are two excellent examples of these free tools.

Don’t let the SolarWinds Log & Event Manager’s name fool you. There is much more to it than meets the eye. Some of the advanced features of this product qualify it as an intrusion detection and prevention system while others put it in the Security Information and Event Management (SIEM) range. The tool, for example, features real-time event correlation and real-time remediation.

The SolarWinds Log & Event Manager boasts instantaneous detection of suspicious activity (an intrusion detection functionality) and automated responses (an intrusion prevention functionality). This tool can also be used to perform security event investigation and forensics. It can be used for mitigation and compliance purposes. The tool features audit-proven reporting which can also be used to demonstrate compliance with various regulatory frameworks such as HIPAA, PCI-DSS, and SOX. The tool also has file integrity monitoring and USB device monitoring. All the advanced features of the software make it more of an integrated security platform than just the log and event management system that its name would lead you to believe.

The Intrusion Prevention features of the SolarWinds Log & Event Manager works by implementing actions called Active Responses whenever threats are detected. Different responses can be linked to specific alerts. For example, the system can write to firewall tables to block the network access of a source IP address that has been identified as performing suspicious activities. The tool can also suspend user accounts, stop or start processes, and shut down systems. You’ll recall how these are precisely the remediation actions we identified before.

Strengths And Weaknesses

According to Gartner, the SolarWinds Log & Event Manager “offers a well-integrated solution that’s a particularly good fit for small and medium businesses, thanks to its simple architecture, easy licensing, and robust out-of-the-box content and features”. The tool multiple event sources, and offers some threat containment and quarantine control functionality that isn’t commonly available from competing products.

However, the research firm also notes that this product is a closed ecosystem, which makes it challenging to integrate with third-party security solutions such as advanced threat detection, threat intelligence feeds and UEBA tools. As the firm wrote: “Integrations with service desk tools are also limited to one-way connectivity via email and SNMP”.

Furthermore, the monitoring of SaaS environments isn’t supported by the product and the monitoring of IaaS is limited. Customers who want to extend their monitoring to networks and applications must purchase other SolarWinds products.

Pros And Cons

We’ve assembled the most significant pros and cons that users of the SolarWinds Log & Event Managers have reported. Here’s what they have to say.

Pros

• The product is incredibly easy to set up. It was deployed and had log sources pointed to it and was performing basic correlations within a day.
• The automated responses that are available after deploying the agent give you incredible control to respond to events on your network.
• The tool’s interface is user-friendly. Some competing products can be daunting to learn how to use and get acclimated to, but the SolarWinds Log & Event Manager has an intuitive layout and is very easy to pick up and use.

Cons

• The product has no custom parser. There will inevitably be a product on your network that The SolarWinds Log & Event Manager won’t know how to parse. Some competing solutions leverage custom parsers for this reason. This product does not have support for creating custom parsers, so unknown log formats remain unparsed.
• The tool can sometimes be too basic. It is an excellent tool for performing basic correlations in a small to mid-size environment. However, if you try to get too advanced with the correlations you are trying to perform, you may get frustrated with the tool’s lack of functionality which is mainly due to the way it parses data.

Pricing And Licensing

Pricing for the SolarWinds Log & Event Manager varies based on the number of monitored nodes. Prices start at $4,585 for up to 30 monitored nodes and licenses for up to 2500 nodes can be purchased with several licensing tiers in between, making the product highly scalable. If you want to take the product for a test run and see for yourself if it’s right for you, a free full-featured 30-day trial is available.

Splunk

Splunk is possibly one of the most popular Intrusion Prevention Systems. It is available in several different editions sporting different feature sets. Splunk Enterprise Security–or Splunk ES, as it is often called–is what you need for true intrusion prevention. And this is what we’re looking at today. The software monitors your system’s data in real time, looking for vulnerabilities and signs of abnormal activity. Although its goal of preventing intrusions are similar to SolarWinds’, the way it achieves it is different.

Security response is one of the Splunk’s strong suits and it is what makes it an Intrusion Prevention System and an alternative to the SolarWinds product just reviewed. It uses what the vendor calls the Adaptive Response Framework (ARF). The tool integrates with equipment from more than 55 security vendors and can perform automated response, speeding up manual tasks and providing a quicker reaction. The combination of automated remediation and manual intervention gives you the best chances of quickly gaining the upper hand. The tool has a simple and uncluttered user interface, making for a winning solution. Other interesting protection features include the “Notables” function which shows user-customizable alerts and the “Asset Investigator” for flagging malicious activities and preventing further problems.

Strengths and weaknesses

Splunk‘s large partner ecosystem provides integration and Splunk-specific content through the Splunkbase app store. The vendor’s full suite of solutions also makes it easy for users to grow into the platform over time, and advanced analytics capabilities are available in a variety of ways throughout the Splunk ecosystem.

On the downside, Splunk doesn’t offer an appliance version of the solution, and Gartner clients have raised concerns about the licensing model and cost of implementation – in response, Splunk has introduced new licensing approaches, including the Enterprise Adoption Agreement (EAA).

Pros And Cons

Like we did with the previous product, here’s a list of the most important pros and cons as reported by users of Splunk.

Pros

• The tool gathers logs very well from almost all machine types – most alternative products don’t do this quite as well.
• Splunk provides visuals to the user, giving them the ability to transform logs into visual elements such as pie charts, graphs, tables, etc..
• It is very quick in reporting and alerting on anomalies. There is little delay.

Cons

• Splunk‘s search language goes very deep. However, doing some of the more advanced formatting or statistical analysis involves a bit of a learning curve. Splunk training is available for learning the search language and manipulating your data but can cost anywhere from $500.00 to $1 500.00.
• The tool’s dashboard capabilities are pretty decent but to do more exciting visualizations requires a bit of development using simple XML, Javascript, and CSS.
• The vendor releases minor revisions very quickly but because of the sheer number of bugs we’ve run into, we’ve had to upgrade our environment four times in nine months.

Pricing And Licensing

Splunk Enterprise’s pricing is based on how much total data you send to it each day. It starts at $150/month of up to 1 GB of daily ingested data. Volume discounts are available. This price includes unlimited users, unlimited searches, real-time search, analysis and visualization, monitoring and alerting, standard support and more. You’ll need to contact Splunk’s sales to get a detailed quote. Like most products in that kind of price range, a free trial version is available for those who would like to give the product a try.

What’s Been Said About The Two Products?

IT Central Station users give SolarWinds a 9 out of 10 and Splunk an 8 out of 10. However, Gartner Peer Insights users reverse the order, giving Splunk a 4.3 out of 5 and SolarWinds a 4 out of 5.

Jeffrey Robinette, a system engineer at Foxhole Technology, wrote that SolarWinds‘ out-of-the-box reports and dashboard are a key strength, noting that “It allows us to monitor access and pull cyber reports quickly. No more searching through logs on each server.”

In comparison to Splunk, Robinette said that SolarWinds doesn’t require much customization and its pricing is lower, while he wrote about Splunk that “you need a Ph.D. on customizing the reports.”

For Raul Lapaz, senior IT security operations at Roche, while Splunk isn’t cheap, its ease of use, scalability, stability, the speed of the search engine, and compatibility with a wide variety of data sources make it worth it.

Lapaz, however, pointed a few shortcomings, including, for instance, the fact that cluster management can only be done via command line, and that permissions aren’t very flexible. He wrote: “It would be nice to have more granular options, such as double factor authentication”.