
AlienVault OSSIM v/s Splunk

Updated: Sep 6

Hey everyone, this will be a multi-part blog covering the subtle differences between, and the integration possibilities of, two well-known SIEM (Security Information and Event Management) products: AlienVault OSSIM and Splunk!


Gartner’s Magic Quadrant for 2020:

Gartner is a research and advisory company that analyzes various disciplines of information technology and publishes its findings in the form of “Magic Quadrant” and “Critical Capabilities” reports.

Fig (1): Gartner’s Magic Quadrant



Gartner scores products on a set of criteria grouped under two axes, completeness of vision and ability to execute, and publishes an annual detailed report that can be bought online. The Magic Quadrant under discussion is the one for SIEM tools and products, which Gartner released for the year 2020.

As you can see, the graph is divided into 4 sections, namely:

  • Leaders

  • Visionaries

  • Niche Players

  • Challengers

Splunk and IBM QRadar have consistently been placed among the Leaders of the SIEM market, reflecting the depth of features and customization they offer.

AlienVault OSSIM is a SIEM solution provided by AT&T Cybersecurity, and AT&T Cybersecurity is placed in the “Niche Players” quadrant of this Magic Quadrant.


AT&T offers three variants of their SIEM solution:

  1. AlienVault OSSIM – the free, open-source product

  2. AlienVault USM Appliance – the commercial, on-premises appliance that builds on OSSIM

  3. AlienVault USM Anywhere – the cloud-delivered product, priced according to customer requirements

We’ll be considering Alienvault OSSIM which is a free SIEM solution, for this article.

Splunk is extensively used by organizations that need sophisticated analysis of their network data and have the budget for it. AlienVault OSSIM is used mostly by small to mid-sized companies; it has survived a crowded SIEM market and has steadily proved to be a Niche Player that can’t be disregarded in any discussion of security management!



Key Factors of Comparison


We will be comparing OSSIM and Splunk based on these few parameters:

  1. Open or Closed Source Technology?

  2. Scalability and Architecture

  3. Fundamental Concept of Working

  4. Pricing

  5. Integration with other SIEM products and tools

  6. Interoperability between OSSIM and Splunk

  7. Target audience and who should use the products.


1) Open Source or Closed Source Technology:


AlienVault OSSIM has an edge over many of its competitors in that it is open source: the code can be inspected and extended, and AlienVault maintains a community around it where users share plugins, correlation directives and fixes.

Splunk is and always has been a proprietary SIEM solution.

Splunk is closed-source software. Splunk Enterprise is the core platform, and the security-specific products built on top of it include:

  • Splunk Enterprise Security (the SIEM application)

  • Splunk Phantom (security orchestration and automated response)

  • Splunk User Behaviour Analytics (UBA)



2) Scalability and Architecture:

OSSIM has no license metering, so a single OSSIM server can ingest as much as its hardware can handle: there is no daily quota expressed in EPS (events per second), FPS (flows per second) or GB of data ingested per day. Commercial SIEMs are licensed on exactly those measures, and exceeding the licensed amount generates license violations which, if repeated, can lead to restrictions (for example on searching) until the license is corrected. That issue is completely out of the picture in OSSIM, although the hardware ceiling of a single server remains.


OSSIM has three main components in its architecture:

  1. Sensor

  2. Server

  3. Logger


Fig (2): OSSIM Architecture


Splunk’s architecture consists of forwarders, indexers and search heads. Forwarders are lightweight agents installed on the hosts that generate data; they ship that data to indexers, which parse and store it, and search heads run searches across one or more indexers. Because each tier can be spread over multiple servers, Splunk scales horizontally, which suits large organizations with many data sources.


OSSIM is normally deployed as an all-in-one server (sensor, server and logger on one box), with additional remote sensors possible; fully distributed, multi-server deployments are a feature of the commercial USM products.

Splunk Enterprise is licensed by the volume of data indexed per day (for example a 50 GB/day license), and that volume cannot be exceeded without license violations; EPS and FPS are the metering units used by some other SIEMs, not by Splunk.


AlienVault OSSIM, on the other side, can be scaled as far as the user’s hardware allows, since no license ceiling applies. The only limitation is that the event rate must stay within the processing and storage capacity of the OSSIM server.


Fig (3): Splunk Architecture



3) Fundamental Concept of Working:


A) Alienvault OSSIM:

  1. OSSIM stands for Open Source Security Information Management and is an open-source SIEM product. It works on three key components: sensors, the server and the logger. The server is the component on which the correlation engine and the web console are deployed.

  2. Security sensors are placed strategically on the network. A sensor runs a Network Intrusion Detection System (NIDS), and monitored hosts can run a Host Intrusion Detection System (HIDS) agent (OSSEC) that reports back to the OSSIM server.

  3. OSSIM also collects NetFlow data. NetFlow is a flow-export protocol: routers and switches export a summary of each connection (source, destination, ports, byte counts), which OSSIM stores for traffic visibility. Signature matching against packet contents is the job of the NIDS on the sensor, not of NetFlow.

  4. OSSIM also integrates with OTX, i.e. Open Threat Exchange, an AlienVault platform where security researchers and analysts publish indicators of compromise (“pulses”) about new threats and attacks.

  5. The events collected by the sensors are sent to the server for normalization, correlation and risk scoring, and are then stored in the logger.

B) Splunk

  1. Splunk Enterprise has two central components: forwarders and indexers. An enterprise using Splunk as its SIEM will have many hosts that generate data in the form of logs.

  2. Splunk can be deployed on-premises or in the cloud (Splunk Cloud) and acts as a single platform for log collection, searching, alerting and dashboards.

  3. Splunk alerts are scheduled searches that fire when their results meet a condition; Splunk Enterprise Security ships with pre-built correlation searches and dashboards.

  4. Splunk can also ingest packet and flow data (through the Splunk Stream app) alongside log data, whereas OSSIM ships with NetFlow collection and a NIDS out of the box.

(Splunk is a SIEM product that works with agents called forwarders and with indexers and search heads. Splunk can be deployed on-premises on your own hardware or consumed as a SaaS solution in the cloud. Either way, forwarders installed on the servers across the enterprise network collect the log data and send it to an indexer, from where it is searchable in the Splunk web interface.)


4) Pricing

Alienvault OSSIM and USM anywhere:

  • AlienVault USM Anywhere starts at $1075 per month and goes up to $2595 per month (at the time of writing). It is delivered as a cloud-hosted service, with sensors deployed on premises or in cloud environments. USM Anywhere was developed after OSSIM to overcome its shortcomings at an affordable price.

  • The Alienvault OSSIM is an open-source tech and is available for free from the official website https://cybersecurity.att.com/

The user can download an ISO file from this website and install it on a server or virtual machine. The detailed installation process is given on the website as well.

Splunk:

  • The pricing of Splunk Enterprise is based primarily on the amount of data indexed per day, which in real deployments ranges from a few GB to many TB per day.

  • The price starts at around $1800 for a 1 GB-per-day license (at the time of writing). The pricing varies with the daily data volume.

  • The pricing for the cloud-based solution also depends on data volume and can be viewed on the official website here: https://www.Splunk.com/en_us/software/pricing.html


5) Integration with other SIEM products:


Splunk offers an all-in-one platform and integrates with a wide range of cloud platforms, tools and other security products.

Splunk with AWS and Azure:

Splunk integrates with AWS through the Splunk Add-on for AWS, which collects CloudTrail audit logs, CloudWatch logs and metrics, VPC Flow Logs and objects from S3, so that AWS activity can be searched, analyzed and stored in Splunk alongside any other time-series data.

Splunk ingests Azure activity (audit) logs and diagnostic logs, typically via Azure Event Hubs or the Azure Monitor APIs, so that Azure events can be analyzed in the Splunk framework next to the rest of the enterprise’s data.

Splunk also integrates with other tools and products like:

1. Jenkins- To analyze test results

2. Active Directory- Used for user management

3. Slack- Used for sending Alert Notifications

4. Jira- Bug and issue tracking and project management; tickets can be created from Splunk alerts to automate follow-up

AlienVault OSSIM: It bundles and integrates with various open-source tools to provide an efficient security solution and gives the user a sophisticated approach to managing their security requirements. Some of these tools are given below:

  • Snort- A signature-based network IDS/IPS that inspects packets and raises an alert when traffic matches a rule.

  • Suricata- Similar to Snort but multi-threaded: Snort (version 2) runs its detection engine on a single core, while Suricata can use multiple CPU cores and so processes traffic faster. Being developed more recently, it also has additional features, such as structured alert and protocol logging in EVE JSON format. Recent OSSIM releases ship Suricata as their NIDS.

Fig (4): Suricata Dashboard

  • NXLog- This is similar to syslog-ng and rsyslog but isn’t limited to UNIX. NXLog is a multi-platform log collector used to gather, filter and forward server logs, system logs (including the Windows Event Log) and application logs.

Fig (5): NXLog working

  • ELK Stack- Elasticsearch, Logstash and Kibana can be used (not out of the box; manual configuration is required) to give the SIEM a fast way of indexing, searching and exploring very large datasets in near real time.

Since the ELK Stack is free and open source, it has proved to be a consistent option for OSSIM users who want to extend their SIEM functionality. (Elastic.co)


  • Graylog- An open-source log management tool that indexes and searches terabytes of logs quickly. Graylog defined the Graylog Extended Log Format (GELF), a structured JSON log format created to overcome the shortcomings of traditional syslog (message length limits and the lack of structured fields).

  • OSSEC- This is an open-source Host-based Intrusion Detection System (HIDS). It does log analysis, file integrity monitoring, rootkit detection and real-time alerting, and OSSIM uses it as its HIDS agent.


6) Interoperability between Splunk and Alienvault OSSIM

  • So we have seen how Splunk and OSSIM can integrate with different products and open-source tools to increase their overall functionality and performance.

  • Let’s see how Splunk and OSSIM can work together to improve an enterprise’s security solution and management.

  • AlienVault OSSIM in itself doesn’t have excellent long-term log management capabilities, but it does have event normalization, correlation and risk scoring built in. This can be used smartly in an organization’s security framework. How?

OSSIM can act as the FIRST STEP of security and Splunk can be added right on top of it!

  • The alarms and correlated events produced by OSSIM are forwarded (for example over syslog) to the next tier of the architecture, Splunk, for long-term retention, cross-source searching and reporting.

  • Splunk normally receives its data through forwarders installed on each host; adding OSSIM at the base of the framework means Splunk receives already normalized and correlated security events, which is a highly efficient way of log, event and threat management.

  • OSSIM runs as a single server per site or network segment while Splunk is distributed across the entire network, so several OSSIM instances can each correlate locally and forward only their alarms to Splunk. This reduces the load on Splunk and keeps the daily indexed volume (and therefore license usage) down.
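The OSSIM-to-Splunk handoff described above, as an added example that is not part of the original post or of either product’s code: it parses syslog-style alarm lines into Splunk HTTP Event Collector (HEC) events, drops alarms below a risk threshold so that noise does not consume Splunk’s daily license volume, and batches what remains into a single POST. The sample lines and their field layout are constructed for this example (real OSSIM output must be mapped from its actual format), and the HEC URL and token are placeholders.

```python
"""Forward OSSIM-style alarms to Splunk HTTP Event Collector (HEC).

Added example, not code from OSSIM, USM or Splunk. The alarm line layout
below is constructed for this example; map real OSSIM output accordingly.
"""
import json
import re
import urllib.request
from datetime import datetime, timezone

# Constructed sample lines in RFC 3164 syslog style (assumed layout).
SAMPLE_LINES = [
    '<134>Sep  6 10:15:01 ossim-server alienvault-alarm: risk=7 '
    'src=10.0.0.5 dst=192.0.2.10 sig="ET SCAN Nmap Scripting Engine"',
    '<134>Sep  6 10:15:02 ossim-server alienvault-alarm: risk=3 '
    'src=10.0.0.7 dst=192.0.2.11 sig="SSH login failed"',
    '<134>Sep  6 10:15:03 ossim-server alienvault-alarm: garbage that '
    'does not match the expected layout',
]

LINE_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<tag>[\w.-]+): risk=(?P<risk>\d+) src=(?P<src>\S+) '
    r'dst=(?P<dst>\S+) sig="(?P<sig>[^"]*)"$'
)


def parse_alarm(line, year=2020):
    """Parse one alarm line into a flat dict, or return None if it does not
    match. RFC 3164 timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pri = int(m["pri"])
    # Collapse the day padding ("Sep  6" -> "Sep 6") before parsing.
    stamp = " ".join(m["ts"].split())
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    return {
        "time": ts.timestamp(),
        "host": m["host"],
        "facility": pri // 8,      # syslog PRI = facility * 8 + severity
        "severity": pri % 8,
        "risk": int(m["risk"]),
        "src_ip": m["src"],
        "dest_ip": m["dst"],
        "signature": m["sig"],
    }


def to_hec_event(parsed, index="ossim", sourcetype="alienvault:alarm"):
    """Wrap a parsed alarm in the HEC envelope: Splunk metadata at the top
    level, the alarm fields under "event"."""
    meta = {"time", "host"}
    return {
        "time": parsed["time"],
        "host": parsed["host"],
        "source": "ossim-syslog",
        "sourcetype": sourcetype,
        "index": index,
        "event": {k: v for k, v in parsed.items() if k not in meta},
    }


def build_batch(lines, min_risk=0):
    """Return (events, rejected): HEC events for alarms at or above min_risk,
    plus the raw lines that failed to parse so they can be inspected."""
    events, rejected = [], []
    for line in lines:
        parsed = parse_alarm(line)
        if parsed is None:
            rejected.append(line)
        elif parsed["risk"] >= min_risk:
            events.append(to_hec_event(parsed))
    return events, rejected


def hec_payload(events):
    """HEC accepts several JSON objects in one request body."""
    return "\n".join(json.dumps(e) for e in events).encode()


def send_to_hec(events, url, token, timeout=5):
    """POST a batch to HEC, e.g. https://splunk.example:8088/services/collector/event
    (placeholder host). Returns the HTTP status code."""
    req = urllib.request.Request(
        url, data=hec_payload(events), method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    evs, bad = build_batch(SAMPLE_LINES, min_risk=5)
    print(f"{len(evs)} event(s) to forward, {len(bad)} line(s) rejected")
    print(hec_payload(evs).decode())
```

Rejected lines are returned rather than silently dropped: a parser that swallows unmatched alarms is a blind spot in the SIEM tier above it, so those lines should be counted and reviewed when the line format changes after an OSSIM upgrade.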

This was my pick about the marriage of Splunk with Alienvault OSSIM.

This might have multiple shortcomings in a practical environment where production and development occur, but this is theoretically possible.


In fact, this has already been implemented by multiple organizations across the globe to increase the overall functionality, speed, and accuracy of their SIEM solutions!


7) Target Audience

Splunk:

  • Splunk is intended for mid-sized to large organizations where an all-in-one security solution is required

  • Splunk is used by regulated industries where the enterprise needs to adhere to set standards of governance, risk and compliance.

Alienvault OSSIM:

  • OSSIM is targeted at organizations that have little or no budget for security tooling.

  • It is widely used by the unsung heroes of the IT security world who have not yet convinced their managers that security deserves a budget, and who keep the company safe regardless.



Conclusion


We have compared both products on many factors and it is safe to say that either can be used, depending on the security budget and requirements.

Smart integration of Splunk and OSSIM can also be done to achieve spectacular results.

Splunk uses the Splunk Processing Language (SPL), a piped query language with statistical and correlation commands, to search its indexed data, whereas OSSIM offers field filters and plain-text search over the events in its console.

Splunk has an excellent in-built log management system and thus doesn’t require a third-party tool. OSSIM by default doesn’t have an efficient log manager for long-term retention and relies on secondary tools, although this shortcoming has been overcome in the paid version, i.e. USM.



Thank you for reading! For more such interesting articles, subscribe to my blogs.

You can connect with me here:

LinkedIn handle: Musaddik Vasaikar

Instagram handle: Cyber.musa

