Comparing the top security analytics tools in the industry

Expert Dan Sullivan examines the top security analytics products to help readers determine which may be best for their organization.

Security analytics tools gather, filter, integrate and link diverse kinds of security event data in order to gain a more all-inclusive view of the security of an organization's infrastructure. Just about any organization with an extensive number of devices -- from desktops to mobile devices to servers and routers, etc. -- can benefit from security analytics.

The security analytics market is changing rapidly, however. Vendors are merging, developers are adding new capabilities, and tools once deployed exclusively on-premises are now offered as cloud services as well.  And, in spite of all these rapid changes, businesses are still facing fairly constant requirements, such as the ability to analyze logs, correlate events and generate alerts. This article considers the major offerings on the market and offers advice on choosing an appropriate product for your needs. 

There is no single taxonomy of security analytics use cases that best organizes all requirements, but common requirements patterns include:

  • Basic security analytics with minimal overhead
  • Large enterprise use cases
  • Focus on advanced persistent threats
  • Focus on forensics
  • An ensemble of security tools and services

These categories emphasize varying needs for key security analytics features, such as deployment models, modularity, scope and depth of analysis, forensics, and monitoring, reporting and visualization. Several products are discussed, including Blue Coat Security Analytics Platform, Lancope Stealth Watch System, Juniper Networks JSA Series Secure Analytics, EMC RSA Security Analytics NetWitness, FireEye Threat Analytics Platform, Arbor Networks Security Analytics, Click Security Click Commander, Hexis Cyber Solutions' NeatBeat MON and Sumo Logics' cloud service.

Basic security analytics with minimal overhead

Small and midsize organizations mare often tempting targets for attackers. They may not have as much valuable data as larger enterprises, but they often present fewer obstacles to successfully attack. Companies that are subject to industry regulation, such as Payment Card Industry Data Security Standard (PCI DSS) and Health Insurance Portability and Accountability Act (HIPAA) compliance, must have security controls in place to protect personally identifiable information and, in the case of HIPAA, protected health information.  Security analytics tools can help mitigate the risk of data breaches and other attacks, but they should meet several criteria to fit the constraints of small and midsize businesses.

Deployment models should minimize administrative overhead, for example.  Appliances and cloud services typically meet these criteria, but virtual machine deployments may also offer low overhead implementations. 

Sumo Logic's cloud service is a good example of a service targeted to small and midsize organizations. The log analytics service offers a single point of management dashboard for monitoring applications, servers and network resources. Since it is a cloud service, there is no hardware or software to install and maintain. The service includes pre-defined reports, so it is well-suited to businesses that need to generate compliance reports, especially for PCI DSS, HIPAA, Federal Information Security Management Act (FISMA)Sarbanes-Oxley Act (SOX), ISO and COBIT.  Meanwhile, machine learning algorithms are used for event detection, eliminating the need for hand crafting rules. And multidimensional key performance indicators (KPIs) are tracked in the management dashboard. 

Like other cloud services, Sumo Logic pricing is based on the number of users and volume of data analyzed.  Details are available here.

Small and midsize companies that prefer to run their security analytics software on-premises should consider Blue Coat Security Analytics Platform. It is available as a virtual machine or pre-configured appliance. Blue Coat's platform has a modular structure that allows customers to select components they need, which are delivered as modules known as blades.

Large enterprise use cases

At the other end of the organization-size spectrum are large enterprises that have to consider scalability, depth and scope of analysis, forensics and monitoring of a security analytics platform. Low management overhead would no doubt be appreciated, but that is a secondary consideration. Comprehensive, high-performance analytics is the priority.

Juniper Networks JSA Series Secure Analytics is available in several models that scale to global enterprise levels of demand. The JSA 5800 appliance, for example, is designed for midsize and larger enterprises, while the JSA 7500 is suited for global enterprises. Smaller enterprises that expect substantial growth can start with the JSA 3800 or the JSA Virtual Appliance, and grow into the larger appliances in the future. If an organization opts for the virtual appliance, it will need a server running VMWare ESX 5.0 or 5.1, 4 CPUs and 12 GB of RAM.

For those organizations that need to mix and match existing security controls with a new security analytics platform, the best product may be one that allows them to deploy a system that plugs functional gaps in their security system.

The EMC RSA Security Analytics NetWitness platform comprises two sets of modules: one providing infrastructure support and the other providing analytics services. Modules are deployed in varying configurations to meet different traffic-level and analysis requirements.

The RSA Security Analytics Decoder is one of the infrastructure components. The decoder is a network appliance designed to collect packet and log data in real time. It includes support for a wide range of log types. Multiple decoders can be deployed across a network to ensure scalability and availability. The RSA Security Analytics Concentrator is another infrastructure component that aggregates data from decoders. Security analysts and administrators use the RSA Security Analytics Broker/Analytic Server to query data collected by decoders and aggregated by concentrators.

The RSA Security Analytics distributed platform is well-suited for large networks. Infrastructure components may be added as network traffic or log volumes grow. Like other distributed systems, it can be more complicated to manage and configure, however. Organizations should therefore plan to invest in sufficient system administration support to monitor and maintain the security analytics platform.

The analytics components of the RSA platform provide for real-time analysis of network, log and endpoint data to detect events. An archiver is also available to store and report on security data collected over time.

Focus on advanced persistent threats

Organization size is just one dimension for categorizing security analytics use cases. Sometimes it is more appropriate to consider the most important features an organization expects to use. For example, if a business already has good endpoint protections and data collection capabilities, it might want to focus on detecting advanced persistent threats. Security analytics with an emphasis on scope and depth of analysis and support for forensics are well-suited for this use case.

Arbor Pravail Security Analytics employs multiple techniques to detect advanced threats in real time. This security analytics platform uses full-packet capture to collect large volumes of raw data that help identify the presence of multiple attack vectors in use against your organization. Network traffic data is stored and re-analyzed as new data comes in. For example, if a new type of threat is detected by the vendor's intelligence surveillance, new detection techniques can be developed and deployed. These techniques can then analyze old data to determine if an attack is underway.

Some attackers will compromise a network and then cease activity for weeks. This period of "going dark" may work in the attacker's favor in some cases where minimal malicious activity is harder to detect than ongoing attacks that generate recognizable attack patterns. By keeping historical traffic data and scanning it for signs of previous attack, organizations can mitigate some advantages attackers gain by going dark for periods of time.

In addition to analyzing historical data, analyzing the flow of traffic is also a key method for discovering advanced persistent threats. Lancope Stealth Watch System uses flow records about network events to detect the stages of advanced attacks. The Lancope system includes a data aggregator that consolidates disparate data into a single, analyzable source of network and device event data.  A console provides up-to-date data and alerts on significant events in the course of an advanced attack.

Click Security's Click Commander is well-suited for analyzing the behaviors of malicious attackers, profiling activities at different stages of the kill chain, and issuing alerts and other custom notifications. This tool includes visualization tools to create graphs of activities while providing actor profiles and contextual data for analyzing events depicted in the graphs.

Focus on forensics

There is some overlap in use cases that focus on advanced persistent threats and those that focus on Forensics.  Both the Arbor Pravail Security Analytics and the Lancope Stealth Watch System are well-suited to forensic-oriented use cases. In addition, other systems that collect and integrate data and provide comprehensive query and analysis capabilities can meet the need for forensic support.

The Blue Coat Security Analytics platform, for example, is well-integrated with security tools such as firewalls, data loss prevention, intrusion detection systems/intrusion prevention systems and malware scanners. It is also integrated with data generating or data delivering devices and tools, such as those from Dell, HP, McAfee, Palo Alto Networks and Splunk.

Ensemble of security tools and services

For those organizations that need to mix and match existing security controls with a new security analytics platform, the best product may be one that allows them to deploy a system that plugs functional gaps in their security system. In this case, vendors that offer modularized features may be a good fit.

The Blue Coat Security Analytics Platform, for example, allows customers to integrate different modules, or blades, as needed. The platform's variety of deployment models -- including both appliances and virtual machines -- enables customers to deploy a security analytics tool with the right functionality and level of scalability that is called for.

If security analytics reporting is a top priority, consider Sumo Logic if their predefined compliance reports fit your needs. EMC RSA Security Analytics NetWitness should be considered by organizations that need long-term archiving of their security data.


Security analytics tools address common problems: how to use available data about events on a company's infrastructure to identify threats and attacks, analyze the methods of attack, and alert systems administrators and application owners when malicious activity is in progress. Organizations of any size are potential targets.

Small businesses might think they are immune to sophisticated hackers, but they aren't. They may have highly valued customers, such as Global 2000 companies, large government agencies or others that are the ultimate target of an attacker.  Security analytics is not the first line of defense for large or small organizations, but it is an increasingly important one.

IT professionals responsible for recommending, evaluating and purchasing a security analytics platform should carefully assess their needs with respect to existing security controls and applications. If an organization has tools deployed to meet some security analytics requirements, it might not want to spend more for duplicate functionality. On the other hand, if there is any area of IT where redundant functionality is welcome, it is security.

Security analytics tools offer a variety of capabilities. Some, like Sumo Logic's cloud-based service, are designed for small and midsize companies that want broad security coverage with minimal overhead.

Larger enterprises will need to limit their consideration to systems that scale to high volumes of traffic and can collect data from national or global networks. Offerings from Juniper Networks and EMC RSA fall into this category. 

In cases where advanced persistent threat detection and forensics are top priorities, consider tools that offer real-time analysis of flow network. Some vendors offer modular components in the security analytic platforms and these may be especially useful for filling gaps in otherwise broad security coverage.

Next Steps

What is the key to obtaining reliable security data and taking effective action 

This was last published in July 2015

Dig Deeper on Data security and privacy