I’ve been at SolarWinds almost 4 weeks now and I’ve been sitting in on a lot of prospect sales calls, to get a feel for SolarWinds Log & Event Manager (LEM) customers and their use cases for SIEM and Log Management.  A surprising number already have Splunk, but it does not appear to be satisfying them.

LEM, like most SIEMs, does not prevent someone from breaking in to your IT house.  LEM will bite intruders pretty hard if you tell it to....


Upon installation, Splunk is like starting with a blank spreadsheet

Splunk provides a 367 page search manual of syntax descriptions and usage examples.  Contrast this with LEM, which uses a drag-and-drop interface and is highly visual for administrators and security professionals.  It employs visual search tools such as word clouds, tree maps, bubble charts and histograms, all available without additional work.


In addition, LEM comes with over 700 rules, filters and reports to provide security and compliance best practices.  While “security-in-a-box” might be the panacea that isn’t here yet, LEM is moving fast in that direction.


Splunk doesn’t do In-Memory Correlation 

With Splunk, you need to wait until data has been indexed and written to the database prior to any analysis.  LEM performs in-memory event correlation allowing you to analyze millions of events across your infrastructure in real-time.  This is important when you not only want to use log files for forensics and compliance, but you also want to provide automated responses to anomalous behavior the SIEM detects.


Splunk doesn’t provide automated responses

Splunk requires that the user manually respond to actions and incidents.  LEM includes a library of built-in active responses that allow it to automatically respond to anomalous behavior and security incidents.  For example, upon seeing multiple attempted failed logins from multiple IP addresses, LEM can disable the account.


The capability to take proactive measures to improve security without human involvement is critical, as many customers do not have legions of security professionals on staff. If an incident occurs in the middle of the night, most customers would prefer the software to take immediate action. In addition, the definition of an incident is easily customized, as is the automated response to take with LEM.


Splunk doesn’t defend against USB abuse

LEM protects against end-point data loss and the introduction of malware with a built-in USB defender technology that tracks unauthorized USB activity and can take immediate action.  A typical use case is that if a USB is inserted into a sensitive group of endpoints, LEM will disable the USB, preventing both data loss and the introduction of malicious code.  Based upon my initial research, it appears that Splunk does not offer this feature.


Splunk may require additional installation assistance

Splunk offers “Splunk Professional Services” to deliver deployment and advisory services, which may be required based upon your configuration needs.  SolarWinds takes a different approach, allowing customers to be up and running quickly using a virtual appliance deployment model, easy-to-use web based console and intuitive interface.  Almost all LEM customers do a free 30 day trial prior to purchase and find out quickly that it truly is easy to deploy themselves, rather than going back to management and asking for professional services dollars to get going.



Now, just to focus on cool LEM features

LEM provides log collection, storage, analysis, real-time correlation and automated responses.  LEM is not a spreadsheet approach to SIEM.

Key differentiators:

  • LEM automatically indexes data from security appliances, firewalls, intrusion detection systems, servers and apps and normalizes log data into common formats to help identify problems.
  • LEM also provides 300+ audit-proven report templates and a console that enables you to customize reports for your organization’s specific needs.  Great management reporting can make the difference between a successful implementation and one that is perceived as a failure.  If you happen to have a manager who loves status updates, you will appreciate the automated reporting capabilities in LEM.
  • LEM enables organizations to proactively defend and mitigate security threats with continuous real-time intrusion detection from multiple domains and systems.  LEM enables you to analyze millions of events across you infrastructure with real-time, in memory, non-linear, cross-domain and multi-dimensional correlation.
  • In terms of log file storage, LEM stores log data in a high-compression data store. The user is not troubled with maintenance and administration, and retention requirements are easy to specify.



More on LEM v. Splunk