Your questions about
Prelude SIEM?
FAQ
Why not use the open-source version of OSS PRELUDE?
Prelude OSS incorporates the basic principles of Prelude SIEM around the IDMEF format. Some of the code is common to both programs. But Prelude OSS is limited in performance and features compared to Prelude SIEM.
If you are in a non critical environment or if you only want to test Prelude SIEM you can deploy Prelude OSS, but keep in mind that it is much less powerful than Prelude SIEM.
Prelude OSS can also be a first step which you can there after enrich via our new offer “Plugins OSS” or by a migration from Prelude OSS to Prelude SIEM with our migration tools.
Why is Prelude SIEM "100% SIEM"?
A SIEM is composed of two distinct functions: a log management module and a real-time detection module. Beyond the definition, this distinction is essential for a simple and powerful overview of security.
One may be tempted to settle for an “improved” log manager, especially as the installation seems easier to use, but it will take your teams more expertise and often more time to perform the work in relation to our real-time detection module.
Time and expertise are the two elements that are the most expensive in the operation of a SIEM, much more expensive than the software or than the cost of installation and configuration.
We insist on our completeness because it is essential to streamline your operating costs.
Why Prelude SIEM does not appear in the "Magic Quadrant" of Gartner?
Every year Gartner publishes a ranking of the main SIEM of the US market in the “Magic Quadrant”. Based on customer testimonials, but without testing the products, Gartner teams define the comparison criteria and assigns scores to each company that is solicited to participate in this study.
Given our product positioning resolutely alternative to the “big four” of the US market, our differentiating (modularity, scalability, security, standard, etc.) that do not appear in the Gartner grid, and despite having been contacted by them, we did not want to participate in this ranking at this moment.
What to know about formats used by other SIEM?
”Traditional” SIEMs have all mostly defined their own proprietary alert format, often based on an extension of the syslog format with a set of key-value. This is the case with ArcSight’s CEF format, or QRadar with LEEF format.
Other tools, log management oriented, do not use a particular format even though they somehow also enrich the syslog format.
IDMEF being a very rich and structured format, it should be noted that it is generally compatible with all these competing formats. We offer several transformation rules of proprietary formats to IDMEF that allows Prelude SIEM to “hypervise” other Siems.
How will the use of the IDMEF standard improve my SIEM deployment?
Prelude SIEM has natively implemented since its origins the IDMEF standard. If in computer science it is always better for medium and long term to choose open standards, it’s not the only reason to convince you of the benefits of the IDMEF format.
IDMEF is not only a standard, but it is by far the best format to manage intrusion detection. The proprietary alternatives (ArcSight CEF, LEEF QRadar, etc.) are simple extensions of the syslog format which by definition is a log format. The IDMEF format has been defined from the beginning to handle detection of intrusion events. This format has been defined by a working group in the IETF that has invested several years on the subject. Within this working group include players such as IBM, Boeing, Nokia, Cisco, ISS, but also the MIT and the Miter and even then the Prelude team.
On the occasion of the first phase of the project SECEF (SECurity Exchange Format), IDMEF was compared to its main competitors like CEF (ArcSight) and LEEF (QRadar) formats. The result is clear. The IDMEF format is much richer and better structured than its competitors.
For users of Prelude SIEM, this means they can go further into automated processing (correlation, filtering etc.). It also allows operators to have more information and more contexts to make decisions quickly. As many advantages that improve the operation of the product while reducing costs.
Is Prelude SIEM compatible with the standard format STIX (Taxii and Cybox)?
The main function of this standard is the CTI description in order to share, store and analyze. STIX is not a competitor of IDMEF. STIX is a complementary format to handle the CTI. Prelude SIEM is compatible with this format within its CTI module.
If you did not find an answer to your questions, do not hesitate to contact us!