Scalable and Intelligent Security Analytics: Splunk, Devo, IBM and McAfee

Organizations of any size can be victims of a cyber attack. Small and medium-sized organizations can be tempting targets because they often put fewer obstacles in an attacker's way. Large organizations, on the other hand, face the challenge of thinking strategically about security governance structures and about what to monitor. Security analytics tools can help with these common problems, but I have found that the right solution depends on what you are trying to do. Many companies are also subject to industry regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and the Sarbanes-Oxley Act (SOX), which create compliance requirements. Security analytics tools can help meet those compliance requirements, but they also reduce the risk of data breaches and other attacks.

Below are some of the pros and cons of tools from Splunk, Devo, IBM, and McAfee, along with their primary functions: anomaly detection, event correlation, and real-time analytics. Given the explosion of cloud computing, I also considered each tool relative to a cloud computing environment. The security problems or target applications each tool seeks to address are explored as well, as are the critical design considerations for the scalability of each tool.


Splunk offers a security intelligence platform that ingests many kinds of security data: network security devices, endpoint solutions, malware and payload analysis, network data, asset management systems, and threat intelligence. Its security operations suite covers real-time security monitoring, advanced threat detection, fraud analysis, and incident management. The analytics-driven SIEM focuses on visibility, context, and efficiency, sits on a modern and flexible big data platform, and uses machine learning for behavioral analytics. Splunk Enterprise Security is customizable, with drill-down capability, and the Splunkbase app store has over 600 apps that can be used with Splunk's security products.

In terms of advantages, Splunk provides holistic solutions that can grow with users over time, and it offers a broad array of partner integrations in addition to many applications. In terms of disadvantages, Gartner has expressed some concerns about Splunk's licensing model and the cost of implementation. Businesses that want an on-premises appliance have to engage a third-party provider. Another drawback is that Splunk's advanced threat detection capabilities were not ranked as highly as those of other top products in the marketplace.


Devo offers a next-gen SIEM that acts as a central hub for data and processes within the security operations center. It is cloud-native, with flexible deployment models that help companies streamline security operations as they shift to the cloud. Devo's capability is delivered on a scalable, extensible data analytics platform that can handle petabyte-scale data growth and real-time analytics. The solution offers holistic insight into a growing attack surface, which helps organizations cope with an overwhelming volume of security alerts while providing the context needed to prioritize investigations. The main features of the next-gen SIEM platform include:

  • Behavioral analytics – using behavioral analytics as the foundation for detection moves away from rules-based detection, to better prioritize high-impact threats with the context needed to support a response
  • Community collaboration – the solution emphasizes relationships with peers and providers, including the sharing of proprietary intelligence
  • Analytics insight – the SIEM learns from analyst behavior to help automate investigations and improve decision making through continual learning
  • Orchestration & automation – the SIEM enables rapid threat response by integrating automated, manual and repetitive processes into the incident response workflow

Devo's solution is applied to detecting and hunting high-impact threats in real time, triaging and investigating high-confidence alerts, increasing signal with rich behavioral analytics, and speeding up response through actionable insight. The Devo architecture parallelizes the data pipeline, allowing it to grow without degrading performance.
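To make the rules-versus-behavior distinction concrete, here is an added example in Python (not Devo's code and not part of the original post) that runs a static failed-login rule and a per-user behavioral baseline over a small constructed set of daily user records. The record layout, the 5% spread floor, the failed-login threshold and the alert weights are assumptions chosen for illustration. The static rule fires on a user who simply mistyped a password, while the behavioral score surfaces the user who appears from an unseen host and moves several times her usual outbound volume, and it attaches the context an analyst needs to prioritize.

```python
"""Static rule vs per-user behavioral baseline over constructed daily records.

Added illustration, not vendor code. Field layout and thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not real data): one record per user per day.
# Fields: day, user, source host, failed logins that day, bytes sent outbound.
EVENTS = [
    (1, "alice", "wks-alice", 0, 48_000),
    (2, "alice", "wks-alice", 1, 52_000),
    (3, "alice", "wks-alice", 0, 50_000),
    (4, "alice", "wks-alice", 0, 47_000),
    (5, "alice", "wks-alice", 1, 53_000),
    (6, "alice", "wks-alice", 0, 49_000),
    (7, "alice", "wks-alice", 0, 51_000),
    (1, "bob", "wks-bob", 2, 195_000),
    (2, "bob", "wks-bob", 0, 205_000),
    (3, "bob", "wks-bob", 1, 200_000),
    (4, "bob", "wks-bob", 0, 198_000),
    (5, "bob", "wks-bob", 2, 202_000),
    (6, "bob", "wks-bob", 1, 190_000),
    (7, "bob", "wks-bob", 0, 210_000),
    # Day under analysis: alice appears from a host she never used and sends
    # ~4x her usual volume with one failed login; bob mistypes his password
    # six times from his usual workstation and sends a normal volume.
    (8, "alice", "vpn-gw-7", 1, 190_000),
    (8, "bob", "wks-bob", 6, 210_000),
]

FAILED_LOGIN_THRESHOLD = 5   # assumed static rule threshold
NEW_HOST_WEIGHT = 3.0        # assumed score added when the source host is unseen
ALERT_SCORE = 3.0            # assumed score at or above which a user is surfaced


def rule_alerts(events, day, threshold=FAILED_LOGIN_THRESHOLD):
    """Static rule: alert on any user whose failed-login count exceeds the threshold."""
    return sorted({u for d, u, _h, failed, _b in events
                   if d == day and failed > threshold})


def build_baseline(events, baseline_days):
    """Per-user profile from the baseline window: known hosts and outbound volume stats."""
    hosts = defaultdict(set)
    volumes = defaultdict(list)
    for d, u, h, _f, b in events:
        if d in baseline_days:
            hosts[u].add(h)
            volumes[u].append(b)
    baseline = {}
    for u, vols in volumes.items():
        m = mean(vols)
        # Floor the spread at 5% of the mean so a very regular user does not
        # produce astronomical z-scores from tiny deviations.
        s = max(pstdev(vols), 0.05 * m)
        baseline[u] = {"hosts": hosts[u], "mean": m, "std": s}
    return baseline


def behavioral_alerts(events, baseline_days, day):
    """Score each user's activity on `day` against that user's own baseline; ranked output."""
    baseline = build_baseline(events, baseline_days)
    results = []
    for d, u, h, failed, b in events:
        if d != day or u not in baseline:
            continue
        prof = baseline[u]
        z = (b - prof["mean"]) / prof["std"]
        score = max(z, 0.0)
        reasons = []
        if z > 3:
            reasons.append(f"outbound volume {b} is {z:.1f} sd above baseline {prof['mean']:.0f}")
        if h not in prof["hosts"]:
            score += NEW_HOST_WEIGHT
            reasons.append(f"new source host {h}; usual hosts {sorted(prof['hosts'])}")
        if failed > FAILED_LOGIN_THRESHOLD:
            reasons.append(f"{failed} failed logins")
        results.append({"user": u, "score": round(score, 2), "reasons": reasons})
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    print("rule alerts, day 8:", rule_alerts(EVENTS, 8))
    for r in behavioral_alerts(EVENTS, range(1, 8), 8):
        flag = "ALERT" if r["score"] >= ALERT_SCORE else "ok"
        print(f"{flag:5} {r['user']:6} score={r['score']:<6} {'; '.join(r['reasons'])}")
```

Run as a script it prints the rule's single hit (bob) and the ranked behavioral list, where alice scores far above the alert line with both reasons attached and bob scores about 1.0. The point is not that rules are useless (the failed-login count is still reported as context) but that a baseline per entity turns the same telemetry into a prioritized list rather than a flat stream of equally weighted alerts.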

The advantages of the Devo Data Operations Platform include performance, scalability, accessibility, security, and cost-efficiency in a full-stack, multi-tenant platform, plus the ability to find unusual behavior in real time. Drawbacks are the lack of a comprehensive free trial and the limited number of reviews of its newer products.


IBM's Silent Security strategy is built around the QRadar platform, which can be deployed as a virtual appliance, as software as a service, as infrastructure as a service, or as a traditional appliance. IBM also provides a hybrid option in which the SaaS solution is hosted in the IBM Cloud and includes remote monitoring from IBM's managed security service operations centers. The platform offers user and entity behavior analytics functionality based on machine learning.

The Silent Security model lets organizations understand which people have access to data, detect insider threats with behavioral analytics, enforce the principle of least privilege, and protect data with multi-factor authentication. The solution focuses on a seamless user experience, with single sign-on and seamless authentication, and uses design thinking techniques to create solutions targeted at the user. It also helps companies get ahead of compliance and regulatory issues, delegate and simplify access recertification for lines of business (LOBs), map roles to business activities, manage user data for GDPR, and secure transactions for PSD2. The Silent Security product line helps companies secure their business, enable digital transformation, prove compliance, and protect business assets. An extension of the IBM QRadar Security Intelligence Platform, QRadar User Behavior Analytics (UBA) runs machine learning algorithms to help detect threats. Its dashboard names risky users and their unusual activities by looking at associated QRadar incidents in which a user's behavior differs from that of their peers or shows an invalid sequence of operations.
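The two signals just described, deviation from peers and an invalid sequence of operations, can be illustrated with the following added Python example, which is not IBM's code and not part of the original post. It builds a constructed audit trail, compares each user's count of a sensitive operation against a robust median/MAD baseline for that user's department, and walks each user's events through a small transition table to catch operations that arrive in an impossible order (for example an export from a session that never logged in, which is what a replayed session token looks like in an audit log). The operation names, the department roster, the 3.5 cutoff and the transition table are all assumptions.

```python
"""Peer-group deviation and invalid operation sequences over a constructed audit trail.

Added illustration, not vendor code. Operations, roster and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from statistics import median

SENSITIVE_OP = "export"      # assumed operation whose volume is compared against peers
PEER_CUTOFF = 3.5            # assumed robust z-score above which a user is an outlier

# Assumed valid transitions: an operation may only follow the states listed for it.
# Anything before "login", or an export without a preceding read, is invalid.
VALID_NEXT = {
    "start": {"login"},
    "login": {"read", "logout"},
    "read": {"read", "export", "logout"},
    "export": {"read", "export", "logout"},
    "logout": {"login"},
}


def _session(user, dept, ops, start):
    """Expand a list of operations into (timestamp, user, dept, op) records."""
    return [(start + i, user, dept, op) for i, op in enumerate(ops)]


# Constructed audit trail (not real data). carol exports far more than her
# finance peers; gina's session starts with an export and no login.
AUDIT = (
    _session("carol", "finance", ["login", "read"] + ["export"] * 12 + ["logout"], 100)
    + _session("dave", "finance", ["login", "read", "export", "export", "logout"], 200)
    + _session("erin", "finance", ["login", "read", "export", "read", "export",
                                   "read", "export", "logout"], 300)
    + _session("frank", "finance", ["login", "read", "export", "export", "logout"], 400)
    + _session("gina", "finance", ["export", "logout"], 500)
    + _session("hank", "sales", ["login", "read", "logout"], 600)
    + _session("ian", "sales", ["login", "read", "export", "logout"], 700)
)


def peer_group_outliers(audit, op=SENSITIVE_OP, cutoff=PEER_CUTOFF):
    """Flag users whose count of `op` is far above the median of their department."""
    counts = defaultdict(Counter)   # dept -> user -> count of op
    roster = defaultdict(set)       # dept -> users seen, so zero counts are included
    for _t, u, dept, o in audit:
        roster[dept].add(u)
        if o == op:
            counts[dept][u] += 1
    outliers = []
    for dept, users in roster.items():
        vals = {u: counts[dept][u] for u in users}
        med = median(vals.values())
        # Median absolute deviation, floored at 1 so a uniform peer group does
        # not turn a difference of one operation into an extreme score.
        mad = max(median(abs(v - med) for v in vals.values()), 1.0)
        for u, v in vals.items():
            score = (v - med) / mad
            if score > cutoff:
                outliers.append({"user": u, "dept": dept, "count": v,
                                 "peer_median": med, "score": round(score, 2)})
    return sorted(outliers, key=lambda r: r["score"], reverse=True)


def sequence_violations(audit):
    """Replay each user's events in time order and report transitions the table forbids."""
    state = defaultdict(lambda: "start")
    violations = []
    for t, u, dept, op in sorted(audit):
        if op not in VALID_NEXT[state[u]]:
            violations.append({"user": u, "dept": dept, "at": t,
                               "detail": f"{op} after {state[u]}"})
        state[u] = op   # advance regardless so only the first break is reported
    return violations


def risky_users(audit):
    """Merge both signals into per-user reasons, the way a risky-users dashboard would."""
    reasons = defaultdict(list)
    for o in peer_group_outliers(audit):
        reasons[o["user"]].append(
            f"{o['count']} {SENSITIVE_OP}s vs peer median {o['peer_median']} "
            f"in {o['dept']} (score {o['score']})")
    for v in sequence_violations(audit):
        reasons[v["user"]].append(f"invalid sequence at t={v['at']}: {v['detail']}")
    return dict(reasons)


if __name__ == "__main__":
    for user, why in risky_users(AUDIT).items():
        print(user, "->", "; ".join(why))
```

Two design choices matter here. Peer groups are formed per department and the comparison uses median and MAD rather than mean and standard deviation, so one heavy exporter does not drag the baseline up and hide itself. The sequence check is a plain transition table, which is easy to audit and explain to an analyst; it catches gina even though her single export is numerically unremarkable.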

IBM Security Guardium, a complementary product, provides end-to-end data security and compliance: around-the-clock data activity monitoring, data protection design, and configuration and customization of data policy settings. IBM Security Secret Server protects and audits privileged account access and authentication secrets across the business. IBM's Cloud Identity and Security Access Manager offerings can assess high-risk activity while providing robust authentication features, and IBM Managed Identity Services help with handling user access and diagnosing root causes in IAM programs. IBM's security solutions work across the security lifecycle for both on-site and cloud applications.

In terms of advantages, QRadar is a fit for medium and large businesses looking for core SIEM functionality or for a unified platform to manage several security solutions. In terms of disadvantages, according to Gartner, some IBM clients have turned to third-party solutions instead of IBM's own, and QRadar's UBA functionality can lag behind that of other vendors. The IBM Resilient incident response tool does not have native integration with the QRadar platform, automation is only available on IBM's Incident Response Platform, and some threat-hunting capabilities are only available at premium pricing.


McAfee offers integrated tools for a variety of security needs. McAfee Enterprise Security Manager provides a security framework that includes monitoring and threat defense features. The solutions are built to streamline operations and to synchronize device and cloud data loss prevention, and they can be used with any cloud service. McAfee MVISION Cloud protects data and stops threats in the cloud across SaaS, PaaS, and IaaS from a single, cloud-native enforcement point.

Its main features help organizations meet security and compliance requirements as they move IT environments to the cloud, extending data loss prevention, threat protection, and application security across public, hybrid, and private clouds and software-defined data centers. Another key feature is a review of the security responsibilities involved in protecting user access, data, and network traffic. MVISION Cloud helps enforce data loss prevention policies in the cloud, prevent unauthorized sharing of sensitive data, block sync downloads, detect compromise, encrypt cloud data, and audit for misconfiguration. The Cloud Security Maturity Dashboard includes a Cloud Security Report, Cloud Security Maturity Scores and Quadrant, and Cloud Security Recommendations.
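As an illustration of the content inspection behind a data loss prevention policy like the one described above, here is an added Python example (not McAfee's code and not from the original post) that finds candidate card numbers in a document, validates them with the Luhn check so that ordinary 16-digit identifiers such as order numbers are not mistaken for PANs, masks the matches, and returns a block/allow verdict. The sample e-mail text, the 13 to 19 digit candidate pattern and the one-match blocking threshold are assumptions; the card numbers in the sample are well-known test numbers of the kind used in payment sandboxes, not real accounts.

```python
"""DLP content rule: find Luhn-valid card numbers (PANs) in text and decide block/allow.

Added illustration, not vendor code. Pattern, sample text and threshold are assumptions.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Assumed pattern for illustration.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample message (not real data). The order number is 16 digits but
# fails Luhn; the two card numbers are published test numbers that pass it.
SAMPLE_EMAIL = """Hi team, order 1234567890123456 shipped yesterday.
Customer asked us to keep card 4111 1111 1111 1111 on file, backup 5555-5555-5555-4444.
Call me on 555-0100 if anything is unclear."""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return masked, Luhn-valid card numbers found in `text` with their positions."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            # Never log or return the full PAN; keep only the last four digits.
            hits.append({"masked": "*" * (len(digits) - 4) + digits[-4:],
                         "span": m.span()})
    return hits


def dlp_verdict(text: str, block_at: int = 1):
    """Policy decision: block when at least `block_at` valid PANs are present."""
    hits = find_pans(text)
    return {"action": "block" if len(hits) >= block_at else "allow",
            "pan_count": len(hits), "pans": hits}


if __name__ == "__main__":
    verdict = dlp_verdict(SAMPLE_EMAIL)
    print(verdict["action"], verdict["pan_count"], [h["masked"] for h in verdict["pans"]])
```

The Luhn step is what keeps the rule usable: without it every 16-digit order or tracking number would trigger the policy and users would quickly learn to ignore it. A production rule would add keyword context ("card", "CVV"), per-brand prefix and length checks and a separate path for files that are not plain text, but the shape is the same.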

In terms of advantages, McAfee provides proper central management, the GUI is user-friendly, it supports both macOS and Linux, it has a large user community and install base, and deployment and administration are fairly straightforward. McAfee has also been recognized for the success of its machine learning algorithms in preventing attacks. In terms of disadvantages, McAfee can require additional software, updates sometimes come through third-party applications, and the solution consumes noticeable CPU and memory. Some customers have commented that scanning can hang the screen and affect other operations, and some have raised concerns about cost relative to requirements.


Overall, security analytics tools are essential for gathering, filtering, and integrating diverse security event data into a holistic view of the security of a company's infrastructure. The security analytics market is changing fast with vendor mergers, new capabilities, and cloud deployment of solutions. While these tools have a wide variety of capabilities, hopefully this post provided some initial insight into some of the popular products. There is no single taxonomy for security analytics, but most requirements include basic security analytics, significant enterprise use cases, a focus on advanced persistent threats and forensics, and a variety of security tools and services.