

CorreLog Competitive Analysis White Paper, Updated: January 2018

This white paper provides competitive information, and is not for general publication. Distribution of this whitepaper should be limited to specific clients and purposes. The information herein, while not confidential, should be used discretely.

Market Position / Market Strategy

1. Most SIEM vendors have various and similar weaknesses. Most SIEM products are difficult to install and use, and require a lot of management resources. It can also be very expensive to deploy a SIEM solution (depending upon the deployment size).

2. CorreLog has several advantages over other vendors and SIEM products.

CorreLog positions itself in the market as a lower-cost solution with similar functions and features to other SIEM solutions. CorreLog excels in correlation functions, and ease of deployment.

3. If the customer already has a SIEM installation, CorreLog can work with that installation by collecting data, performing correlation, and sending correlated results to that product. This reduces the load on the existing SIEM solution and makes it work better (by correlating data before it arrives at the end solution).

4. If the customer does not have an existing SIEM solution, you should encourage them to download CorreLog and see how easily it installs and operates. This is probably the fastest way to distinguish CorreLog from other vendors, since we deploy very easily and the program is very easy to get started with.


CorreLog, Inc. Page 2 1/1/2018

Basic Discussion Points

There are various functional and philosophical points that differentiate CorreLog from other vendors. In general, most SIEM solutions have several weak points that CorreLog can address, as outlined below. (Refer to citations and references at the end of this whitepaper.)

Most SIEM vendors have a significant advertising budget, as well as sales and engineering resources that CorreLog cannot match at this time. However, many of these vendors make inflated claims that are predicated on assumptions organizations may not be taking into account, such as the high degree of dedication an organization will require to support a large SIEM deployment.

General Functionality

Many SIEM loggers are not real-time, event-driven systems. They collect data without analysis, and then generate reports on that data. These systems do not make decisions on incoming data. (Ref: 4, Page 1) In contrast, CorreLog makes real-time, event-driven decisions on data as it is received. CorreLog is much easier to deploy than a typical SIEM solution, and is therefore much better suited to large-scale distributed environments where hundreds of thousands of different CorreLog servers are deployed.

CorreLog supports an internal "ticketing" system that converts real-time data streams into actionable tickets. A typical SIEM solution does not have an integrated ticketing system, which makes it less suited to workflow management and to analyzing and responding to security threats.

Interoperability

A typical SIEM solution needs to normalize data via collectors. This decreases its ready-to-run interoperability, increasing time-to-deploy and configure. (Ref: 4, Pages 6 and 7)

A typical SIEM solution does not permit multiple ODBC data sources (i.e. multiple connections to different databases), and will operate poorly for devices that do not have ready-to-run connectors, such as z/OS Mainframes.

Ease of Deployment

A typical SIEM solution requires installation of a hardware appliance (for reasonably cost-efficient deployment within the enterprise). Although some SIEM vendors offer non-appliance software (such as for a 64-bit Linux platform with Java enabled), installation of that software is resource intensive, requiring massive download packages and very specific hardware requirements that may be difficult for an organization to immediately allocate or provision.

Ease of Reporting

The reporting for most SIEM solutions requires (possibly advanced) knowledge of SQL and a query language. (Ref: 4, Page 9) Queries are slow to execute, and index searches take place only on specific fields, limiting the ability to scan all data for a particular keyword (Ref: 4, Page 10). Some SIEM solutions require potentially complicated programming.

Alerts do not occur in real-time and are not event-driven. Alerts are executed on queries at periodic intervals, and a query can take 30 seconds or more to complete. This may limit a typical SIEM solution in its ability to quickly notify the end-user of an attack.

In general, report creation is difficult, because it requires knowledge of SQL and specific data sets. (Ref: 4, Page 9)

Correlation Functions

A typical SIEM product does not have any significant correlation capabilities, requiring a separate product to do moderate to advanced correlation of data. These solutions define correlation differently from CorreLog, and do not perform the type of anomaly detection or even the basic correlation functions of CorreLog. A typical solution lacks any "User Monitor" capability (of the type supported by CorreLog) to assist in tracking user activities.

Internal Security

A typical SIEM product provides four main types of users: admin, operators, reporters, and searchers (Ref: 2, Page 2), and does not have any type of "multi-tenant" mode of operation. (Multi-tenant operation is where a system user has visibility only into an assigned space. For example, in a multi-tenant environment, an Oracle administrator cannot view firewall data or other security information.)

A typical SIEM solution does not have built-in FIPS tunneling processes, which are critical in a highly distributed deployment where data needs to be relayed through a single (or small number of) firewall ports. CorreLog provides multiple security features, including secure Apache TLS, authentication via several different mechanisms (including Active Directory authentication, HTTP authentication, and web screen authentication), and uses verifiable, industry-standard techniques that are at the highest level of security compliance.



Cost Effective Solution

CorreLog furnishes a highly competitive advantage in terms of overall cost-effectiveness. Not only is CorreLog Server a very reasonably priced solution, but in terms of life cycle costs (including training, time to respond, and maintenance) it also offers multiple benefits over competitive products that are universally known to be difficult to learn and get started with. For example, some customers will not be able to leverage a competitive SIEM solution without extensive training that may include on-site training or certification taking days or weeks. In contrast, CorreLog comes with reasonable defaults, extensive online help and documentation, and an intuitive user interface. Most CorreLog Server operators can get started right away by simple point-and-click exploration of the product.

Long Product Life Cycle

CorreLog Server has a long customer / product life cycle. Not only does the system run under any version of Windows dating back to Windows NT 2000 (and encompassing Win8 and Windows 2016) but the product includes numerous adapters, readily downloadable and installable service packs and upgrades, and continuous product improvement. Unlike some competitive products, which require major work to upgrade (including the need to upgrade hardware for appliances) the CorreLog solution provides an easy upgrade and maintenance path, including the ability to add new adapters and plug-ins to provide new functions specific for an enterprise.

Personal and Tailored Product Support

CorreLog regards all of its customers as "Gold Level". CorreLog engineers and application specialists learn the customer's environment, applications, requirements, and objectives. CorreLog furnishes a tailored service offering, which includes implementation services, recommendations, troubleshooting, and product enhancement services. Unlike many competitive organizations, CorreLog establishes a close and long-term relationship with customers, with dedicated technical leads, project management services, and a single-point contact for the product. This ensures a high value and rate-of-return on software investments through either formal or informal consultancy.



Differentiators

Distributed Operation

CorreLog favors a highly distributed environment, due to its ease of deployment, remote configuration capabilities, and other features.

Other SIEM product favors a single console environment. Although able to operate in a distributed environment, it is difficult to deploy and provision.

Scalability

CorreLog easily scales horizontally to support large numbers of devices and high EPS.

Other SIEM product requires either a hardware appliance, or a highly specific platform to install, limiting its ability to easily scale in an enterprise.

Correlation and Anomaly Detection

CorreLog excels at correlation and anomaly detection, incorporating numerous features and functions to support this role.

Other SIEM product Logger has limited (or arguably no significant) correlation functions, limiting the ability to quickly determine anomalies or support forensics.

Support for Special Devices

CorreLog does not require normalization of data, and uses standards-based protocols. CorreLog supports z/OS mainframes and other special devices (for example, through its SNMP adapters).

Other SIEM product typically requires "connectors" for each device type. The number of connectors is finite. It may be difficult for Other SIEM product to manage specialized devices such as mainframes or application programs.

Extensibility

CorreLog is highly extensible, and provides a developer interface that increases interoperability and re-use of collected data.

Other SIEM product is a fairly closed system, limiting the ability of the enterprise to use third-party analytical software. Customization, although extensive, is limited.



Competitors

Splunk

Description: Splunk is a software-only solution, and is the program that is most similar to CorreLog Server on this page. It is a web-based, non-appliance general search engine with some ability to work as a SIEM. It installs quickly (like CorreLog Server) and has a lot of (half-baked) adapters and add-ons.

Weaknesses: Not focused on security; not event driven; potentially very slow; expensive when licensing large amounts of data; somewhat confusing interface; poor support; adapters don't do much heavy lifting.

ArcSight

Description: HP ArcSight is an industry standard appliance that provides data normalization, and is heavily embedded in government and industry.

Weaknesses: Very expensive to purchase; requires data normalization to work; very difficult to configure; not suitable for small (or perhaps medium) size businesses.

Q-Radar

Description: IBM Q-Radar is an industry standard appliance that requires data normalization. It is heavily embedded in government and industry.

Weaknesses: Same as above; weak on any application monitoring; weak on "multi-tenancy" and creating shared views of data.

McAfee

Description: McAfee "Nitro Security" is an appliance. It is not very popular, and generally has a poor reputation. It gets traction mainly through other McAfee products.

Weaknesses: Same as above; buggy; weak on extensibility; weak on correlation and analytics; very slow to operate.



References

(Ref: 1) Forrester - Market Overview: Security Information Management (SIM)

(Ref: 2) http://www.sans.org/reading_room/analysts_program/loggerReview_Jan09.pdf

(Ref: 3) http://review.techworld.com/security/3234293/arcsight-logger-review/

(Ref: 4) http://review.techworld.com/monitoring-tool/3234293/arcsight-logger-review/?view=review&pn=2