Your questions about Prelude SIEM.

You will find below some questions that are regularly asked about Prelude SIEM.

Why not use the open-source version PRELUDE OSS?

Prelude OSS shares the basic principles of Prelude SIEM around the IDMEF format, and part of the code is common to both products. But Prelude OSS is limited in performance and features compared to Prelude SIEM.

If you are in a non-critical environment, or if you only want to test Prelude SIEM, you can deploy Prelude OSS, but keep in mind that it is limited compared to Prelude SIEM.

Prelude OSS can also be a first step that you can enrich later on via our new "OSS Plugins" offer or directly by migrating from Prelude OSS to Prelude SIEM using our migration tools.

But if you don't have any budget for your IT security... DEPLOY Prelude OSS... without being as powerful as Prelude SIEM, it's always better than nothing.

Why is Prelude SIEM "Full SIEM"?

A SIEM is composed of two distinct major features: a log management module and a real-time detection module. Beyond the definition, this distinction is essential for simple and effective security monitoring.

We may be tempted to settle for an "improved" log manager, especially since it always seems easier to use during installation, but this will require your teams to have more expertise, and often more time to complete the work, than with our real-time detection module.

Time and expertise are the two most expensive elements in operating a SIEM, much more expensive than software or the cost of installation and configuration.

The teams of the large SOCs have understood this well, and you will find almost none of them relying on log managers alone.

We insist on our completeness because it is essential to rationalize your operating costs.

Why does Prelude SIEM not appear in the Gartner Magic Quadrant?

We have carefully studied how the Gartner ranking works and we are not satisfied with it at the moment.

Among the points that disturb us:

  • Gartner does not test the products it lists. Its rating is based on theoretical analysis of the product and discussions with users chosen by the editor. This is a rather surprising form of rating, although testing SIEMs would be very complex as long as no one agrees on the selection criteria to be compared.
  • Among the different "comparison" criteria, we are surprised not to find criteria such as: performance, alert format, modularity, completeness, ability of the SIEM to integrate into an existing system, etc. These are all criteria that are Prelude SIEM's strong points and that few of our competitors meet.
  • Gartner's method of analysis is "secret" and sometimes controversial. When it comes to IT security, we are in favor of secrecy, but we cannot accept this for product comparison. On the contrary, it is a subject that deserves transparency.
  • The definition of SIEM (Gartner's definition in 2005 as a SIM plus an independent SEM) has been changed by Gartner to include newcomers that many security experts consider to be improved log managers rather than SIEMs.
  • The criteria and conditions of participation are much more favorable to large American players than to smaller players in the European market.
  • Finally, participation in Gartner is not free and we prefer to invest in our product and its features.

To conclude with regard to the "Magic Quadrant", Prelude SIEM is not "Magic", it is efficient!

Isn't Prelude SIEM the only SIEM to implement the IDMEF format?

Yes, just as QRadar is the only SIEM to implement the proprietary LEEF format and ArcSight is the only SIEM to implement its proprietary CEF format, etc., to name only those competitors that have at least one format of their own and are not satisfied with the very limited syslog format, as log management tools are.
However, unlike these proprietary formats, there are many open-source implementations of IDMEF, as well as many open-source probes compatible with IDMEF.

How will the use of the IDMEF standard improve my SIEM deployment?

We insist a lot on the fact that Prelude SIEM natively implements the IDMEF standard. While in IT it is always preferable in the medium and long term to choose open standards, this is not the only reason to be convinced of the value of the IDMEF format.

IDMEF is not only a standard; it is by far the most suitable format for managing intrusion detection. Proprietary alternatives (ArcSight CEF, QRadar LEEF, etc.) are simple extensions of the syslog format, which by definition is a log format. The IDMEF format was defined from the beginning to manage intrusion detection events. It was defined by an IETF working group that worked on the subject for several years. Within this working group were actors such as IBM, Boeing, Nokia, Cisco and ISS, but also MIT and Mitre, and, already at the time, the Prelude team.

During the first phase of the SECEF (SECurity Exchange Format) project, IDMEF was compared to its main competitors, including the CEF and LEEF formats. The result is unequivocal: the IDMEF format is much richer and better structured than its competitors.

For Prelude SIEM users, this means that they can take processing automation further (correlation, filtering, etc.). It also provides operators with more information and context to make quick decisions. All these advantages improve the operation of the product while reducing costs.
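To make the structural difference described above concrete, here is an added example (written for this page; it is not Prelude SIEM code and not the SECEF comparison itself). It parses a constructed IDMEF alert laid out per RFC 4765 and a constructed CEF line laid out per ArcSight's public header format, pulling out the fields a correlation rule would key on. The sample alert, the analyzer name `probe-lab-01`, the vendor `ExampleVendor`, the signature id `1001` and the addresses (RFC 5737 documentation ranges) are all made up for the illustration. Both parsers are deliberately minimal (the CEF one does not handle escaped pipes) and are not full implementations of either format.

```python
import re
import xml.etree.ElementTree as ET

IDMEF_NS = {"idmef": "http://iana.org/idmef"}

# Constructed IDMEF alert following the RFC 4765 element layout: one source,
# two targets, a classification and an impact assessment. Not produced by
# Prelude SIEM or any real sensor; addresses are RFC 5737 documentation ranges.
IDMEF_SAMPLE = """<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
  <idmef:Alert messageid="example-0001">
    <idmef:Analyzer analyzerid="probe-lab-01" name="example-ids"/>
    <idmef:CreateTime ntpstamp="0xbc723b45.0xef449129">2000-03-09T10:01:25.93464Z</idmef:CreateTime>
    <idmef:Source spoofed="unknown">
      <idmef:Node><idmef:Address category="ipv4-addr"><idmef:address>192.0.2.10</idmef:address></idmef:Address></idmef:Node>
    </idmef:Source>
    <idmef:Target>
      <idmef:Node><idmef:Address category="ipv4-addr"><idmef:address>198.51.100.5</idmef:address></idmef:Address></idmef:Node>
      <idmef:Service><idmef:port>22</idmef:port><idmef:protocol>tcp</idmef:protocol></idmef:Service>
    </idmef:Target>
    <idmef:Target>
      <idmef:Node><idmef:Address category="ipv4-addr"><idmef:address>198.51.100.6</idmef:address></idmef:Address></idmef:Node>
      <idmef:Service><idmef:port>22</idmef:port><idmef:protocol>tcp</idmef:protocol></idmef:Service>
    </idmef:Target>
    <idmef:Classification text="SSH brute force"/>
    <idmef:Assessment><idmef:Impact severity="medium" completion="failed" type="user"/></idmef:Assessment>
  </idmef:Alert>
</idmef:IDMEF-Message>
"""

# Constructed CEF line for the same event, following the public header layout
# CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension.
# A single line carries one src/dst pair; the second target has no place here.
CEF_SAMPLE = ("CEF:0|ExampleVendor|example-ids|1.0|1001|SSH brute force|5|"
              "src=192.0.2.10 dst=198.51.100.5 dpt=22 proto=TCP")


def _endpoints(alert, tag):
    """Collect address/port pairs from every Source or Target element of an Alert."""
    out = []
    for node in alert.findall(f"idmef:{tag}", IDMEF_NS):
        addr = node.findtext("idmef:Node/idmef:Address/idmef:address", namespaces=IDMEF_NS)
        port = node.findtext("idmef:Service/idmef:port", namespaces=IDMEF_NS)
        out.append({"address": addr, "port": int(port) if port else None})
    return out


def parse_idmef(xml_text):
    """Minimal IDMEF reader: the nested elements map directly to structured fields."""
    root = ET.fromstring(xml_text)
    alert = root.find("idmef:Alert", IDMEF_NS)
    if alert is None:
        raise ValueError("no Alert element in IDMEF message")
    impact = alert.find("idmef:Assessment/idmef:Impact", IDMEF_NS)
    return {
        "analyzer": alert.find("idmef:Analyzer", IDMEF_NS).get("analyzerid"),
        "classification": alert.find("idmef:Classification", IDMEF_NS).get("text"),
        "severity": impact.get("severity") if impact is not None else None,
        "completion": impact.get("completion") if impact is not None else None,
        "sources": _endpoints(alert, "Source"),
        "targets": _endpoints(alert, "Target"),
    }


# key=value pairs separated by whitespace; a value runs until the next "key=".
_CEF_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Minimal CEF reader: seven pipe-separated header fields plus a flat extension."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields = line[4:].split("|", 7)  # does not handle escaped "\|" in header fields
    if len(fields) != 8:
        raise ValueError("malformed CEF header")
    version, vendor, product, dev_version, sig_id, name, severity, ext = fields
    return {
        "vendor": vendor,
        "product": product,
        "signature_id": sig_id,
        "name": name,
        "severity": int(severity),
        "extension": dict(_CEF_EXT.findall(ext)),
    }


def target_count(event):
    """Targets an event expresses: IDMEF carries a list, CEF at most one dst key."""
    if "targets" in event:
        return len(event["targets"])
    return 1 if "dst" in event.get("extension", {}) else 0


if __name__ == "__main__":
    idmef, cef = parse_idmef(IDMEF_SAMPLE), parse_cef(CEF_SAMPLE)
    print("IDMEF targets:", target_count(idmef), "| CEF targets:", target_count(cef))
```

The point the page makes shows up in `target_count`: the IDMEF alert lists both attacked hosts with their service, each as a structured `Target`, while the CEF line has one `dst` key and would need a second event, or a vendor-specific extension key, to say the same thing. A correlation rule written against IDMEF can therefore iterate over targets directly instead of re-joining flattened key=value pairs.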

If you have not found the answer to your questions, do not hesitate to contact us!