The difference between a vulnerability scanner and a SIEM

Last Updated on November 21, 2018 by Dave Farquhar

I heard an interesting question the other day: What’s the difference between a vulnerability scanner and a SIEM? Qualys and Nessus are examples of vulnerability scanners. Arcsight and Splunk are examples of SIEMs.

To a security practitioner, the tools couldn’t be much more different, but not everyone is a security practitioner.

On a basic, fundamental level, a vulnerability scanner deals in what’s missing in the environment and what could happen as a result of those things that are missing. A SIEM deals in what actually has happened and is happening.

Vulnerability scanners

Vulnerability scanners–there are many, including Qualys, Nessus, Nexpose, and Retina–scan each system on the network looking for misconfigurations and missing patches, then generate reports. On a high level they all work about the same way. A basic scanner will output CSV files. Higher-end products can generate a basic report with graphs and summaries as well. Ideally, you scan your network once a week with one of them, with credentials, to see how the month’s patching is coming along, so you can correct for problems. On particularly broken, poorly maintained networks, the tools help a security analyst come up with a get-well plan.

Vulnerability scanning tends to be more thorough than a penetration test.

SIEMs

SIEM stands for Security Incident and Event Management. Log collectors and SIEMs collect the logs that all of the systems on the network generate. SIEM functionality costs extra. When that functionality sees something going on on a system, it tries to correlate it with related events on other systems, the network hardware, or anything else it can find in order to give you a bigger picture. There are many log collection and SIEM products on the market as well. Arcsight and Splunk are two popular ones. If you need that kind of functionality and have no budget, the ELK stack is a popular open-source solution.

Although the tools perform very different functions, in some cases you can use them together. It’s not uncommon to feed the vulnerability scanner data into Splunk and let Splunk chart it. You can even do some correlation to add some value to the vulnerabilities that the vuln scanner found. Manually generating charts in Excel can be very demanding on the computer and the analyst. I know because it was what I did for about a year and a half. So automating that part of the job with Splunk is very valuable as it frees your analyst from fighting with Excel as a half-time job.

If you found this post informative or helpful, please share it!