
Unit 2

Competitive Considerations

2012, 2014 IBM Corp.

Objectives

When you complete this unit, you will understand the following:
- Competitive Landscape & QRadar Position
- Key Points against our main competitors

IBM Software Group | Security Division


2014 IBM Corp.

Competitive Landscape & QRadar Position

Overall SIEM Landscape

Many vendors provide serviceable solutions, but none with the broadest integrated capabilities and ease of deployment that QRadar provides.

In analysts' evaluations, QRadar continues to climb past other vendors year on year, while others falter and stagnate.

Source: Gartner Magic Quadrant for SIEM 2013; Gartner Critical Capabilities for SIEM 2011, 2012, 2013

Selling the Security Intelligence Platform

Know your Security Intelligence competition and focus on IBM's key differentiators. IBM's top competitors in this space are ArcSight (HP), NitroSecurity (McAfee), Splunk and RSA (EMC).

These are QRadar's top key differentiators regardless of competitor.

Broadest set of integrated capabilities:
- Log management (LM)
- Next-gen SIEM
- Vulnerability management
- Advanced network activity monitoring
- Application visibility
- Risk management

Why QRadar wins . . .
- Simple, fast deployment
- Incremental, as-you-need-it scalability
- Out-of-the-box and auto-updated intelligence
- Single architecture, system and admin interface
- Avoids heavyweight and/or multivendor solutions
- Real-time behavioral baselining

Helping Reduce Complexity & Cost

Today's customers use 6 products from as many as 6 vendors; tomorrow's customers use the IBM QRadar Security Intelligence Platform.

Data types and the point-product category that handles each today:
- Flows: Network Anomaly Detection
- Packets: Network Forensics
- Vulnerabilities: Vulnerability Management
- Configurations: Risk Management
- Logs: Log Manager
- Events: SIEM

Point-product vendors pictured: Arbor Networks, Lancope, RSA, Solera Networks, Riverbed Technology, Qualys, Tenable Network Security, Rapid 7, AlgoSec, FireMon, Skybox Security, RedSeal Networks, Tufin, LogLogic, HP ArcSight, Splunk, McAfee.

QRM Competitive Landscape

SIEM competitors have strong Enterprise IT GRC; point products don't have Enterprise SIEM. IBM has both.

| Benefit | IBM Security Systems + QRM | McAfee | HP | RSA | Tufin | Red Seal | Tripwire | FireMon |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Enterprise IT GRC | OpenPages + QRM | McAfee Risk and Compliance Manager | HP ESP Compliance & Risk Management | RSA Archer | - | - | - | - |
| Risk policy assessment / analytics | QRM | - | - | - | Tufin SecureTrack | Red Seal Vulnerability Advisor | Tripwire Enterprise | FireMon Risk Analyzer |
| Device audit, configuration and optimization | QRM | - | - | - | Tufin SecureTrack | Red Seal Network Advisor | Tripwire Enterprise | FireMon Security Manager |
| Network topology modeling and simulation | QRM | - | - | - | Tufin SecureTrack | Red Seal Network Advisor | - | FireMon Security Manager |
| Correlation of network flows with vulnerability data | QRM | - | - | - | - | - | - | FireMon Security Manager |
| Overall TCO | QRM | - | - | - | - | - | - | - |

QVM Competitive Insights

Competitor 1

| Strengths | How to sell against |
| --- | --- |
| Market leader, well proven | QVM uses a proven, mature, certified scanner |
| Techies' favourite | Log-centric SIEM technology with compliance focus |
| - | Endpoint Manager and Network Protection integration |

Competitor 2

| Strengths | How to sell against |
| --- | --- |
| Market leader | QVM uses a proven, mature, certified scanner |
| Integrated web application scanning | Position AppScan Enterprise (far superior) |
| Strong compliance module | QVM flexible, powerful pivoting and reporting |
| Hosted offering | QVM is already present in QRadar; no additional system |

Competitor 3

| Strengths | How to sell against |
| --- | --- |
| Integrated pentest tool (Metasploit) | Pen test is a separate function |
| Hosted offering | QVM is already in QRadar; no additional system |
| Aggressive price | QVM has a lower cost of ownership |

All of the above are standalone, so:
- Limited or no network context
- No single vulnerability or asset view
- Additional point solution to deploy and manage

Key Points against our main competitors

Key points against ArcSight for clients & prospects

Lack of integration creates problems for their customers
- ArcSight has separate LM, SIEM & forensics offerings, and frequently partners with Splunk. This all means separate consoles/reporting/rules engines, which drives complexity: which product analyzes which data?
- QRadar's common architecture yields a unified console/reporting/analytics/workflow. Simple, with easy upgrade.

Performance/Scalability/Upgradeability
- Migrating from 5 to 6.0 requires a forklift server replacement. ESM 6.0c (CORR) scales better than 5, but still has limitations (e.g. biggest storage partition: them 8 TB . . . us: unlimited with appliance scale).
- QRadar offers simple upgrade/migration, scales horizontally, and easily adds EPS/retention capacity.

Ease of use
- Still complex/costly. Gartner's 2013 MQ: "While the CORR-Engine eliminated deployment & support complexity, customers will still find ESM to be more complex than other leading solutions." Encourage a PoC!

Visibility
- ArcSight focuses primarily on security event data, with minimal support for layer 7 flow visibility/network data.
- QRadar delivers flows . . . and network, asset, vulnerability, and threat intelligence data.

Key points against NitroSecurity (McAfee) for clients & prospects

Correlation (them) versus Offenses (us)
- Highlight QRadar's ability to give customers clear, prioritized offenses . . . Cite 2 billion log records per day reduced to ~25 offenses to be investigated.
- Nitro offers no alert chaining; it forces customers to manually tie relevant items together.

Performance and Scalability
- Their ESM appliance is a bottleneck; when it tops out on performance, it must be completely replaced.
- QRadar scales horizontally, allowing customers to easily add EPS/retention capacity.

Risk Management
- No fully integrated Risk Management solution; requires a RedSeal (separate company/platform) purchase.
- QRadar Risk Manager uses the same console/architecture/underpinnings as QRadar SIEM and Log Manager.

Proof of Concept
- For all of the above reasons, we will win a properly set up PoC every time.

Network Communication
- QRadar collects an event, and the event is correlated and stored on the collecting event processor, including the raw payload. Compare this with the competition's path for the same event:
  1. Event Collector receives the event
  2. Event Collector sends the event to the console
  3. Event Collector also sends the event to the raw storage appliance
  4. Event Collector also sends the event to the correlation engine
- As the steps above show, this type of distributed architecture can require the same event to be sent across the network to three additional appliances.

Key points against Splunk for clients & prospects

Price
- Prospects should ask about TCO, including purchase, install, maintenance and support for dedicated hardware resources.
- We know of examples where implementation and professional services cost 4 to 5 times QRadar's estimate.

Limited functionality
- Splunk offers only a subset of what QRadar offers. Splunk has:
  - No asset discovery
  - No asset management
  - No asset profiling
  - No risk manager
  - No vulnerability manager
  - No effective incident management
  - No event suppression (can't handle event storms)
  - Not Common Criteria certified

Key points against RSA for clients & prospects

RSA's Security Analytics (RSA's main strategic thrust vs. our Security Intelligence)
- This is a mash-up of 4 products (NetWitness, enVision, Archer and Hadoop), panned thus far for usability.
- The Hadoop back end will store a lot of Security Analytics data, which is EMC's focus (sell more storage!).
- QRadar's Security Intelligence platform is truly integrated and easily scales/upgrades.

Ease of use
- Users must be security data scientists, manually hunting for meaningful info. Costly even for large orgs.
- This is where QRadar shines . . . Cite 2 billion log records per day reduced to ~25 offenses to be investigated.

SIEM: Alive or Dead?
- RSA is pushing the notion that SIEM is dead. Translation: they have failed in the SIEM market and are asserting that the new answer is to load data into Hadoop and do manual investigation/drilling/pivoting.
- QRadar is built on a well-architected SIEM base that delivers Security Intelligence, deriving insights from its rules and from context and data pulled in from numerous data sources (logs, vulnerability data, and much more).

What we just achieved

You are now able to understand the following:
- Competitive Landscape & QRadar Position
- Key Points against our main competitors