Competitive Analysis

FortiSIEM vs. Splunk

© Copyright Fortinet Inc. All rights reserved.

Table of Contents
 Company Overview
 Products
 How to Win
 FUD, Strengths and Weaknesses
 Feature Comparison
 Architecture / Scalability
 Multi-Tenant Capabilities
 Business Service Monitoring
 Discovery and Inventory
 Pricing Analysis

Fortinet Confidential 2
Company Overview
 Founded in 2003
 Gartner Magic Quadrant Leader
 HQ in San Francisco, CA
 Publicly Traded on NASDAQ: SPLK
 Target: Mid-size and large enterprises
 Revenue: $949.95 Million
 Employees: 2,700+
 Customers: 14,000+

Fortinet Confidential 3
Splunk Products and Solutions

Splunk Enterprise – Log/Data collection platform

Splunk Cloud – SaaS-based log/data collection platform
Splunk Light – Log/Data collection platform for small IT environments

 Premium Solutions:
» Splunk Enterprise Security: Security monitoring for threats
» Splunk IT Service Intelligence: Network monitoring and analytics
» Splunk User Behavior Analytics: Machine learning to find unknown threats

Fortinet Confidential 4
How does this compare to FortiSIEM?
FortiSIEM =
Splunk Enterprise + Splunk Enterprise Security + Splunk IT
Service Intelligence + Splunk User Behavior Analytics*

FortiSIEM does this:

 All in one platform
 In a Single Pane of Glass
 Without additional applications
 Without additional subscriptions or fees

Fortinet Confidential 5
How to Win
 Emphasize showing off CMDB front and center. They've got NOTHING that
compares to it.
 FSM Licensing is more predictable, based on devices and EPS, not GB
indexed per day
 Extensive Performance and Availability Monitoring
» Separate product from Splunk, IT Service Intelligence
» Splunk Enterprise Security limited to Windows monitoring and SNMP traps

 Multi-Tenancy
 Real-Time Configuration Change Monitoring.
» Splunk doesn’t do this

Fortinet Confidential 6
FUD

Fortinet Confidential 7
Splunk Strengths
 Brand Recognition
 Gartner Magic Quadrant Leader
 Widely used for non-Security Log Management, Analytics,
Monitoring and Advanced Search capabilities
 Adaptive Response: Actionable Integration with other vendors
 Extensive documentation / shared knowledge among users
 Security Monitoring Use Cases
 Advanced Security Analytics

Fortinet Confidential 8
Splunk Weaknesses
 Splunk doesn’t do Device Discovery
 Everything is an App – No Single Pane of Glass
 Products that integrate with Splunk have their own app
 Spunk's Premium Solutions don’t integrate seamlessly

 Originated from a log search engine and lacks sophisticated SIEM

functionalities like real time cross-domain event correlation
 Potential high cost due to volume based pricing*
 Only basic predefined correlations for user monitoring & reporting
 Real-Time searches impact data Indexing performance
 Splunk recommends searches that read from disk instead

Fortinet Confidential 9
Splunk Weaknesses

 UEBA is a separate product with a different licensing model

 Though it does plugin to Splunk Enterprise Security

 Search syntax requires “programming-like” expertise:

Fortinet Confidential 10
 Feature Comparison
Feature FortiSIEM Splunk Context / Comments

Data Sources SPLK may require an additional App for some data sources, like IPFIX

Threat Intelligence Splunk Enterprise Security (another App) is required for data enrichment

Forensics Additional Apps needed and manual processes

UEBA FSM is adding this in 5.0. SPLK requires additional Premium Solution

Automation Splunk has strong integrations via Adaptive Response

Security Compliance Splunk Enterprise Security includes Compliance reports

Architecture Splunk can scale collection and search but not rule correlation performance

Ticketing Systems Splunk: download Apps for ServiceNow and SalesForce

NOC / SOC Both products have good NOC / SOC capabilities

Multi-Tenancy Unlike Splunk, FortiSIEM was designed to support Multi-Tenancy

Administration SPLK requires programming-like expertise to execute searches

Real-Time Monitoring FSM performs much better since events are parsed in memory

Indicators of Compromise SPLK depends on 3rd party threat feeds for this

Fortinet Confidential 11
Architecture / Scalability

FortiSIEM Splunk
 Query all data from a single database  Different products for SIEM and
 Clustering supports up to 500K EPS Performance / Network Monitoring
for Real-Time correlation  Difficult to increase Real-Time
» Add more Workers to increase performance performance
 Non-SQL database scales up to 500K  Splunk is very fast when searching on
EPS and beyond mass due to the way the data is
 Hardened Linux OS structured on the disk
 Built on virtualized platform  Deployment planning is critical to long-
term success
 Hardware appliances also available
 Higher cost for lower performance
 Software runs on Windows and Linux

Fortinet Confidential 12
Splunk Scalability

How about a quote?

“Deploying Splunk as scale is not easy. It requires a significant amount of
relatively complex architecture once you push past the single server instance.
Breaking out your search and indexing layer requires someone with Splunk
experience. Want to add search layer replication for HA? Want to host in AWS
and do cross-region index replication? Splunk expertise is in high demand today
and finding talented engineers to pull off your large-scale implementation is
hard. Do your homework.”

 From Security Information and Event Management (SIEM) A Peek Into

What Real Users Think October 2017
» https://www.itcentralstation.com/product_reviews/splunk-review-44101-by-joshua-
biggley?tid=pdf_cat_1911

13
Multi-Tenant Capabilities

FortiSIEM Splunk
 Role Based Access Control  Not designed for MSSPs
 Robust visibility enforcement  Has basic Multi-Tenancy functionality
 Flexible deployment options  Multi-Tenancy achieved with:
 Single view of incidents across all » Separate data indexes
customers » Role-based permissions
 Whitelabeling of GUI and Reports for » User access control
MSP Customization
 Run queries over a selected set of
customers
 Support customers with overlapping IP
addresses

Fortinet Confidential 14
Business Service Monitoring

FortiSIEM Splunk
 Group CMDB discovered devices and  Separate product
applications into a “Business Service” » Splunk IT Service Intelligence has Business
Service-Like monitoring
 Dashboard displays overall status of the
Business Service  Different web interface
» Drill down to see which devices/software  Additional cost
services are impacting the Business Service
 Not flexible or highly useful like
 Quickly see which Business Services FortiSIEM Business Services
would be impacted if a device or
application fails or is taken out of service  Splunk Enterprise Security:
» Health Monitoring limited to Windows and
 Flexible Health Monitoring: SNMP traps
» Devices: SNMP & APIs
» Applications: Synthetic Transactions
 Splunk is capable of monitoring local
Windows resources & software
 Multiple alert options

Fortinet Confidential 15
Discovery and Inventory

FortiSIEM Splunk
 Simplifies configuration of Rules,  They don’t have discovery capabilities
Business Services & Reports
» Automatic grouping based on device profile
 In almost all cases devices are
manually configured to send logs to
 Real-time asset discovery & classification Splunk
» Network devices, applications, servers & users
» Discover rogue devices

 User discovery & monitoring

 Network topology discovery
 Configuration change detection
 File integrity monitoring

Fortinet Confidential 16
Pricing Analysis
 Splunk requires more hardware resources than FortiSIEM
» Splunk Indexers can handle up to 2K EPS
» FortiSIEM Workers can do 5K EPS
 Splunk is often the most expensive SIEM product on the market

Fortinet Confidential 17
 Splunk – Pricing Comparison
Splunk Splunk
GB per Splunk Enterprise Total
Day GB -> Enterprise Security Splunk FSM
Ingest* EPS List List** List FSM SKUs*** EPS** FSM List FSM Price Delta
5 116 $15,000 $12,500 $27,500 FSM-AIO-BASE 500 $ 21,179 -23%, +384 EPS

10 231 $25,000 $20,833 $45,833 FSM-AIO-BASE 500 $31,769 -31%, +519 EPS
FSM-AIO-25-UG

15 347 $37,500 $31,250 $68,750 FSM-AIO-BASE 1,500 $58,232 -15%, +1,153 EPS
FSM-AIO-100-UG

20 463 $45,000 $37,500 $82,500 FSM-AIO-BASE 1,500 $58,232 -29%, +1,037 EPS
FSM-AIO-100-UG

50 1157 $95,000 $79,167 $174,167 FSM-AIO-BASE 3,500 $111,099 -36%, +2,343 EPS
FSM-AIO-50-UG
FSM-AIO-250-UG

100 2315 $180,000 $150,000 $330,000 FSM-AIO-BASE 10,000 $237,584 -28%,+7,685 EPS
FSM-AIO-450-UG

* Uncompressed data is measured for the license.

** Splunk Enterprise Security List pricing is estimated based on actual Splunk Enterprise List pricing and actual Splunk Enterprise Security 100GB pricing.
*** FSM EPS required was estimated after adjusting for Peak EPS required. Without this adjustment, FSM would have cost even less.

18