
Alienvault Vs Splunk

The AlienVault USM Appliance is a virtual or hardware platform that provides an incident response and threat detection platform, integrating SIEM with log management functionality.

On the cloud side, they offer a SaaS solution called AlienVault USM Anywhere. A range of apps are available separately to integrate with different security tools and other products.

Splunk Enterprise Security provides a clear visual picture of an organization’s security posture with machine learning that can determine the severity needed for human assistance.

The two products have much in common, but also a few key differences.

In terms of their overall approach to security, they are both very similar. They are both open source, which immediately suggests that they will be good at integrating with other security products and tools.

In this article, we will be examining the two platforms in various areas such as pricing, cloud offerings, scale-up and scale-out capability, dashboards/reports provided out of the box and extensibility.

AlienVault USM Appliance vs Splunk Enterprise Security

AlienVault is a security SIEM that provides a unified platform for log management, threat detection and incident response. It has some built-in dashboards which allow an administrator to monitor the infrastructure status in real time.

Splunk Enterprise Security is designed to provide visibility into all of your organization’s security data in one place. It allows you to search, correlate and visualize this data from any device at any time.

We’ll cover four main areas while comparing AlienVault against Splunk:

Pricing

Splunk Enterprise Security comes with three different pricing models. You can choose to purchase the software on a subscription basis, or you can buy perpetual licenses at a discounted price. Splunk also offers an unlimited license for those who want to load in as much data as possible without having to worry about hitting any hardware capacity limits.

On the other hand, AlienVault USM provides a perpetual license model where an individual appliance costs $24,900 or $19,400 for a three-year subscription. The company also offers a free Virtual Appliance Community Edition that includes 24 x 7 support, but is limited to 10 nodes and data retention of 7 days.

At this point it seems like Splunk has the upper hand in pricing but you have to keep in mind that both companies offer different products under their respective enterprise security suites and these prices may differ as we dive deeper into them. However, if we compare the above pricing models on an ‘as-a-service’ basis then things don’t look so good for AlienVault.

Splunk charges $3200 per year while AlienVault charges $4900 a year for the AlienApp or $24,900 per year for the entire solution!

It is important to note that both Splunk and AlienVault price their products based on “capabilities” rather than by number of sensors (as mentioned in their respective marketing materials).

However, looking at the details provided on their pricing pages it does not seem like you can get anything other than one particular product with either of these solutions. Before AlienVault changed its model they were charging via sensor while Splunk was charging by capability.

It’s quite a difference when comparing apples-to-apples, which we will cover in detail in the next section. If you are using both products then be aware that vendors do change their models frequently, so it’s best to go directly to the source when trying to understand their pricing.

Cloud Offering/Deployment Models

Both vendors offer cloud-based solutions. Splunk offers both on-premises and SaaS (Splunk Enterprise Security) while AlienVault only offers a single appliance for $24,900 with 24 x 7 support or 8200 sensor licenses per year.

Splunk also has a ‘HockeyApp’ as part of its SaaS offering which allows you to collect the events from your endpoints and store them in Splunk without having to worry about any additional hardware. You can both monitor and troubleshoot using Splunk’s user interfaces or by integrating it with email, SMS/PagerDuty, Slack or ServiceNow.

Splunk has the upper hand when it comes to deployment models since you can choose between either on-premises or SaaS offerings. Splunk also offers some pretty cool add-ons for their products including an integrated SOC/CERT offering, Modular Forwarder (can be used for Threat Hunting), Splunk for Virtualization as well as Splunk Cloud. You can read more about these offerings here.

On the other hand, AlienVault offers a single appliance and has no intention of entering the cloud arena any time soon. It is quite surprising to see that even with all the talk about ‘The Internet of Things’ like thermostats, smart bulbs and other such devices being connected to the internet, security vendors are still offering on-premises solutions.

Scale-up and Scale-out

Both Splunk and AlienVault offer scale-out options for their products. You can easily add additional sensors or indexers to your solution.

Splunk provides the ability to add multiple indexers without any downtime using ‘Distributed Search’. Additionally, you can connect a number of search heads to a single indexer via HTTP (for non-production environments) and thus reduce the load on a single indexer. The search heads are then responsible for receiving, searching and forwarding data to their local indexers, which can also be geographically distributed.
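To make the scale-out path described above concrete, here is the distributed-search configuration a search head uses to fan queries out across several indexers. This is an added illustration written for this article, not configuration taken from Splunk or AlienVault; the `[distributedSearch]` stanza and the `servers` key are Splunk's own `distsearch.conf` settings, 8089 is Splunk's default management port, and the hostnames are constructed placeholders.

```ini
# distsearch.conf on the search head (added example, not from the article).
# Each entry is a search peer (indexer) reached on its management port; the
# search head runs the query on all peers in parallel and merges the results.
# Hostnames below are constructed placeholders.
[distributedSearch]
servers = idx-a.example.internal:8089, idx-b.example.internal:8089, idx-c.example.internal:8089
```

Adding a new indexer to the `servers` list (or through the search head's UI) is what lets capacity grow without taking the existing peers offline. From a defender's point of view, the one thing to check on such a deployment is that the management port listed here is reachable only from the search heads and not exposed to user networks, since it is the interface that carries administrative traffic between the tiers.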

Splunk claims that this model “will support multiple petabytes of data with parallel processing” which provides unmatched scalability. An important thing to note here is that the search heads are responsible for aggregation of data, not anonymization. Splunk also provides two additional scaling options in its enterprise solutions which are:

On the other hand, AlienVault only offers their solution on a single appliance. There are no distributed search modules available for the AlienApp which means that in order to scale out you will have to purchase additional sensors.

Splunk is clearly the winner when it comes to scaling but since there is limited information regarding how its aggregation works we can’t really compare both vendors here.

To conclude, it is safe to say that both vendors are offering a scalable solution for their customers. The choice ultimately boils down to the scale and availability requirements of your organization. Whatever choice you make, be sure to evaluate the product for yourself before making any decisions.