
Competitive Analysis

FortiSIEM vs. Splunk

© Copyright Fortinet Inc. All rights reserved.


Table of Contents
- Company Overview
- Products
- How to Win
- FUD, Strengths and Weaknesses
- Feature Comparison
- Architecture / Scalability
- Multi-Tenant Capabilities
- Business Service Monitoring
- Discovery and Inventory
- Pricing Analysis

Fortinet Confidential 2
Company Overview (Splunk)
- Founded in 2003
- Gartner Magic Quadrant Leader
- HQ in San Francisco, CA
- Publicly traded on NASDAQ: SPLK
- Target: mid-size and large enterprises
- Revenue: $949.95 Million
- Employees: 2,700+
- Customers: 14,000+

Splunk Products and Solutions

- Splunk Enterprise – Log/Data collection platform
- Splunk Cloud – SaaS-based log/data collection platform
- Splunk Light – Log/Data collection platform for small IT environments
- Premium Solutions:
  » Splunk Enterprise Security: Security monitoring for threats
  » Splunk IT Service Intelligence: Network monitoring and analytics
  » Splunk User Behavior Analytics: Machine learning to find unknown threats

How does this compare to FortiSIEM?
FortiSIEM = Splunk Enterprise + Splunk Enterprise Security + Splunk IT Service Intelligence + Splunk User Behavior Analytics*

FortiSIEM does this:
- All in one platform
- In a Single Pane of Glass
- Without additional applications
- Without additional subscriptions or fees

How to Win
- Emphasize showing off CMDB front and center. They've got NOTHING that compares to it.
- FSM Licensing is more predictable, based on devices and EPS, not GB indexed per day
- Extensive Performance and Availability Monitoring
  » Separate product from Splunk, IT Service Intelligence
  » Splunk Enterprise Security limited to Windows monitoring and SNMP traps
- Multi-Tenancy
- Real-Time Configuration Change Monitoring
  » Splunk doesn't do this

FUD

Splunk Strengths
- Brand Recognition
- Gartner Magic Quadrant Leader
- Widely used for non-Security Log Management, Analytics, Monitoring and Advanced Search capabilities
- Adaptive Response: Actionable Integration with other vendors
- Extensive documentation / shared knowledge among users
- Security Monitoring Use Cases
- Advanced Security Analytics

Splunk Weaknesses
- Splunk doesn't do Device Discovery
- Everything is an App – No Single Pane of Glass
- Products that integrate with Splunk have their own app
- Splunk's Premium Solutions don't integrate seamlessly
- Originated from a log search engine and lacks sophisticated SIEM functionalities like real-time cross-domain event correlation
- Potential high cost due to volume-based pricing*
- Only basic predefined correlations for user monitoring & reporting
- Real-Time searches impact data indexing performance
  » Splunk recommends searches that read from disk instead

Splunk Weaknesses (continued)
- UEBA is a separate product with a different licensing model
  » Though it does plug in to Splunk Enterprise Security
- Search syntax requires "programming-like" expertise

Feature Comparison
Feature (FortiSIEM vs. Splunk): Context / Comments
- Data Sources: SPLK may require an additional App for some data sources, like IPFIX
- Threat Intelligence: Splunk Enterprise Security (another App) is required for data enrichment
- Forensics: Additional Apps needed and manual processes
- UEBA: FSM is adding this in 5.0. SPLK requires additional Premium Solution
- Automation: Splunk has strong integrations via Adaptive Response
- Security Compliance: Splunk Enterprise Security includes Compliance reports
- Architecture: Splunk can scale collection and search but not rule correlation performance
- Ticketing Systems: Splunk: download Apps for ServiceNow and SalesForce
- NOC / SOC: Both products have good NOC / SOC capabilities
- Multi-Tenancy: Unlike Splunk, FortiSIEM was designed to support Multi-Tenancy
- Administration: SPLK requires programming-like expertise to execute searches
- Real-Time Monitoring: FSM performs much better since events are parsed in memory
- Indicators of Compromise: SPLK depends on 3rd party threat feeds for this

Architecture / Scalability

FortiSIEM:
- Query all data from a single database
- Clustering supports up to 500K EPS for Real-Time correlation
  » Add more Workers to increase performance
- Non-SQL database scales up to 500K EPS and beyond
- Hardened Linux OS
- Built on virtualized platform
- Hardware appliances also available

Splunk:
- Different products for SIEM and Performance / Network Monitoring
- Difficult to increase Real-Time performance
- Splunk is very fast when searching en masse due to the way the data is structured on the disk
- Deployment planning is critical to long-term success
- Higher cost for lower performance
- Software runs on Windows and Linux

Splunk Scalability

How about a quote?

"Deploying Splunk at scale is not easy. It requires a significant amount of relatively complex architecture once you push past the single server instance. Breaking out your search and indexing layer requires someone with Splunk experience. Want to add search layer replication for HA? Want to host in AWS and do cross-region index replication? Splunk expertise is in high demand today and finding talented engineers to pull off your large-scale implementation is hard. Do your homework."

- From Security Information and Event Management (SIEM): A Peek Into What Real Users Think, October 2017
  » https://www.itcentralstation.com/product_reviews/splunk-review-44101-by-joshua-biggley?tid=pdf_cat_1911

Multi-Tenant Capabilities

FortiSIEM:
- Role Based Access Control
- Robust visibility enforcement
- Flexible deployment options
- Single view of incidents across all customers
- Whitelabeling of GUI and Reports for MSP Customization
- Run queries over a selected set of customers
- Support customers with overlapping IP addresses

Splunk:
- Not designed for MSSPs
- Has basic Multi-Tenancy functionality
- Multi-Tenancy achieved with:
  » Separate data indexes
  » Role-based permissions
  » User access control

Business Service Monitoring

FortiSIEM:
- Group CMDB discovered devices and applications into a "Business Service"
- Dashboard displays overall status of the Business Service
  » Drill down to see which devices/software services are impacting the Business Service
- Quickly see which Business Services would be impacted if a device or application fails or is taken out of service
- Flexible Health Monitoring:
  » Devices: SNMP & APIs
  » Applications: Synthetic Transactions
- Multiple alert options

Splunk:
- Separate product
  » Splunk IT Service Intelligence has Business Service-like monitoring
- Different web interface
- Additional cost
- Not flexible or highly useful like FortiSIEM Business Services
- Splunk Enterprise Security:
  » Health Monitoring limited to Windows and SNMP traps
- Splunk is capable of monitoring local Windows resources & software

Discovery and Inventory

FortiSIEM:
- Simplifies configuration of Rules, Business Services & Reports
  » Automatic grouping based on device profile
- Real-time asset discovery & classification
  » Network devices, applications, servers & users
  » Discover rogue devices
- User discovery & monitoring
- Network topology discovery
- Configuration change detection
- File integrity monitoring

Splunk:
- They don't have discovery capabilities
- In almost all cases devices are manually configured to send logs to Splunk

Pricing Analysis
- Splunk requires more hardware resources than FortiSIEM
  » Splunk Indexers can handle up to 2K EPS
  » FortiSIEM Workers can do 5K EPS
- Splunk is often the most expensive SIEM product on the market

Splunk – Pricing Comparison

GB per Day Ingest* | GB -> EPS | Splunk Enterprise List | Splunk Enterprise Security List** | Total Splunk List | FSM SKUs*** | FSM EPS** | FSM List | FSM Price Delta
5 | 116 | $15,000 | $12,500 | $27,500 | FSM-AIO-BASE | 500 | $21,179 | -23%, +384 EPS
10 | 231 | $25,000 | $20,833 | $45,833 | FSM-AIO-BASE + FSM-AIO-25-UG | 500 | $31,769 | -31%, +519 EPS
15 | 347 | $37,500 | $31,250 | $68,750 | FSM-AIO-BASE + FSM-AIO-100-UG | 1,500 | $58,232 | -15%, +1,153 EPS
20 | 463 | $45,000 | $37,500 | $82,500 | FSM-AIO-BASE + FSM-AIO-100-UG | 1,500 | $58,232 | -29%, +1,037 EPS
50 | 1,157 | $95,000 | $79,167 | $174,167 | FSM-AIO-BASE + FSM-AIO-50-UG + FSM-AIO-250-UG | 3,500 | $111,099 | -36%, +2,343 EPS
100 | 2,315 | $180,000 | $150,000 | $330,000 | FSM-AIO-BASE + FSM-AIO-450-UG | 10,000 | $237,584 | -28%, +7,685 EPS

* Uncompressed data is measured for the license.
** Splunk Enterprise Security List pricing is estimated based on actual Splunk Enterprise List pricing and actual Splunk Enterprise Security 100GB pricing.
*** FSM EPS required was estimated after adjusting for Peak EPS required. Without this adjustment, FSM would have cost even less.
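As an added example (not part of the Fortinet deck), the Python below re-derives the table's GB/day -> EPS, FSM Price Delta and EPS headroom columns and applies the per-node capacities from the Pricing Analysis slide. It assumes, inferred from the table rows rather than stated on the page, that the deck converts ingest volume with decimal gigabytes and a 500-byte average event.

```python
import math

SECONDS_PER_DAY = 86_400
# Inferred from the rows (5 GB/day -> 116 EPS ... 100 GB/day -> 2315 EPS), not stated on
# the page: decimal gigabytes and an average event size of 500 bytes.
ASSUMED_AVG_EVENT_BYTES = 500
# Per-node capacity figures quoted on the Pricing Analysis slide.
SPLUNK_INDEXER_EPS = 2_000
FSM_WORKER_EPS = 5_000


def gb_per_day_to_eps(gb_per_day, avg_event_bytes=ASSUMED_AVG_EVENT_BYTES):
    """Average events per second implied by a daily uncompressed ingest volume."""
    return round(gb_per_day * 1e9 / SECONDS_PER_DAY / avg_event_bytes)


def price_delta_pct(fsm_list, splunk_total_list):
    """FSM list price relative to the combined Splunk list price, in whole percent."""
    return round((fsm_list - splunk_total_list) / splunk_total_list * 100)


def nodes_needed(eps, eps_per_node):
    """Minimum node count to absorb a sustained event rate (no HA spare included)."""
    return math.ceil(eps / eps_per_node)


def compare_row(gb_per_day, splunk_total_list, fsm_eps, fsm_list):
    """Rebuild one pricing-comparison row: Splunk EPS, price delta, headroom, node counts."""
    eps = gb_per_day_to_eps(gb_per_day)
    return {
        "splunk_eps": eps,
        "delta_pct": price_delta_pct(fsm_list, splunk_total_list),
        "eps_headroom": fsm_eps - eps,
        "splunk_indexers": nodes_needed(eps, SPLUNK_INDEXER_EPS),
        "fsm_workers": nodes_needed(eps, FSM_WORKER_EPS),
    }


if __name__ == "__main__":
    # Constructed checks against the deck's 5 GB/day and 100 GB/day rows.
    print(compare_row(5, 27_500, 500, 21_179))          # splunk_eps 116, delta -23, headroom 384
    print(compare_row(100, 330_000, 10_000, 237_584))   # splunk_eps 2315, delta -28, headroom 7685
    # Caveat: the EPS column hinges on the assumed event size; doubling it halves the
    # estimate, so size from measured peak EPS rather than the GB/day figure alone.
    print(gb_per_day_to_eps(5, avg_event_bytes=1_000))  # 58
```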
