Security Information and Event Management (SIEM) Forum

William Milton
User at VAE-MARMARA8
Apr 16 2021

Hi, I'm looking for a technical comparison between Splunk Phantom SOAR and FireEye SOAR solutions.

Can anyone help with insights?

Rony_Sklar
IT Central Station
Mar 23 2021

What are the differences between how NDR and SIEM work to improve network security? What are the pros and cons of each? 
Is it necessary to have both types of tools?

DK ShrivastavaNDR is just analysis of network behaviour and forms a part of SIEM strategy. it can only detect anomaly in network traffic flow . SIEM takes logs of network flow also.
Jairo Willian PereiraSIEM aggregates data from multiple systems (like an EDR solution, IDS/IPs etc.) and analyze that data to catch abnormal behavior or potential cyberattacks. SIEM tools offer a central place to collect events and alerts, security data from network devices, servers, domain controllers and more. In a simple way, EDR may be a just another "sensor-type" and "SIEM" stores, normalizes, aggregates, and applies analytics to that data to discover trends, detect threats, and enable organizations to investigate any alerts.
Lindsay MiethYour SIEM should receive and process traffic generated by your NDR as well as events from your endpoint protection systems, server event logs, infrastructure device logs and cloud services logs then be able to correlate these data points to highlight suspicious patterns or anomalies.  The SIEMs can then send commands to perimeter and point systems in certain cases to interrupt such activity or just alert to them.
Dan Feraru
Owner at Infodava
Mar 23 2021

I'm the owner of a small tech services company. 

I'm looking for help with a template for a SIEM PoC (high-level, generic document). Can anyone help? 

Thank you, Dan

Abhishek RVRK SharmaHello Dan,  Most SIEM vendors have a PoC script that they will run you through, but it is typically customized for their architecture. Are you looking for a basic PoC script, or something tailored to a specific use case?  This might help - https://resources.infosecinstitute.com/best-guide-for-preparation-of-siem-poc-proof-of-concept/ (Disclaimer: I work for Securonix. If you're looking to begin a SIEM purchase exercise, I advise incorporating next-gen SIEM requirements in your PoC.)
Michael Perry
Electronics Engineering Lab Technician(R&D) at Dynamic Structures and Materials
Mar 16 2021

I have slowly switched our entire network over to Fortinet products over the past few years and been pleased with the products overall. I would like to utilize FortiSIEM for more robust monitoring and response, but the cost is extremely prohibitive for my company (<25 employees). Suggestions?

Sanguan Treejareonwiwat
President at Chunbok Company Limited
Mar 08 2021

Can anyone advise on which SIEM will work best with Palo Alto Cortex XDR?

Thanks!

Jairo Willian PereiraI think most of them understand "de-facto standards" very well (including Palo Alto - if that doesn't happen the problem is with PA and not with SIEM). Although the question is "excellent and specific", I would be concerned with a SIEM that works better with EVERYONE asset and less with a specific product/3rd party (because in long-term it will be just another datasource of your correlation ecosystem).
Michael DeanI would advise not using LogRhythm. They do not have a log parser for the Cortex.  Splunk works well with it. You do have to setup a log forwarder in Cortex though (that would apply for any SIEM). 
reviewer1406157 Palo Alto Networks and IBM have partnered to deliver logging extensions for Palo Alto Networks Cortex XDR for the widely used IBM QRadar SIEM. Referenece : IBM Security App Exchange - Cortex XDR for QRadar (ibmcloud.com)
Rony_Sklar
IT Central Station
Jan 13 2021

There are many cybersecurity tools available, but some aren't doing the job that they should be doing. 

What are some of the threats that may be associated with using 'fake' cybersecurity tools?

What can people do to ensure that they're using a tool that actually does what it says it does?

SimonClark Dan Doggendorf gave sound advice. Whilst some of the free or cheap platforms will provide valuable information and protection, your security strategy has to be layered. Understand what you want to protect and from whom. At some point you will need to spend money but how do you know where to spend it? There are over 5,000 security vendors to choose from. There is no silver bullet and throwing money at it won’t necessarily fix what you are at risk from but at the same time free products are free for a reason. If your organisation doesn’t have a large team of security experts to research the market and build labs then you need to get outside advice. Good Cyber-advisors will understand your business and network architecture therefore will ask the right questions to help you to navigate the plethora of vendors and find the ones that are right for where your business is now and where you intend it to be in the future. Large IT resellers will sell you what they have in their catalogues based on what you ask for and give a healthy discount too but that may not fix the specific risks your business is vulnerable to. A consultative approach is required for such critical decisions. By the way, there are free security products and services that I recommend.
Dan DoggendorfThe biggest threat is risks you think you have managed are not managed at all so you and your executive team have a completely false sense of security.  This is even worse than not having any tool in place.  With no tool in place, you at least know you have a vulnerability. There several ways to ensure a tool is doing what it is supposed to do. 1. Product Selection - when selecting a tool, do not focus on what a tool can do.  Focus on what you want the tool to do.  You drive the direction of the sales demo, not the sales team. 2. Product Implementation - use professional services to implement and configure the solution.  Your team should be right there with them as a knowledge transfer session but the professional who installs and configures the product every day should drive the install, not someone who wants to learn. 3. Trusted Partners - find yourself a trusted partner(s) who can help guide you.  This should consist of product testing labs partners, advisors who live and breathe the space daily, and resellers with a strong engineering team.
Javier MedinaYou should build a lab, try the tools and analyze the traffic and behavior with a traffic analizer like wireshark and any sandbox or edr that shows you what the tools do, but all this should be outside your production environment, use tools that has been released by the company provider and not third party downloads or unknown or untrusted sources.
Rony_Sklar
IT Central Station
Jan 04 2021

Do you have recommendations for the best SIEM tool to invest in for a large financial services provider? What particular features of your recommended tool make it the best choice?

Abhishek RVRK SharmaHello, First off, look for a SIEM that offers customized content for financial services. Use cases such as SWIFT fraud, insider threat and data exfiltration, trade surveillance are the sort of support you should be looking for.  I work for Securonix, and our solution has content tailor-made for the financial services industry. Specific financial services firms may have different requirements, but our prebuilt content provides broad coverage. Needless to say, I would recommend Securonix, but one aspect to consider with any solution - for financial services, the creation of new threats is much faster than for other industries. Consider a SIEM tool with strong analytics (UEBA) pedigree and good data ingestion and scaling capabilities.
Daniel SichelI would take a long hard look at IBM QRadar. The user behavior analytics will give you insight into insider activity. You will want to run CIS internals on your endpoints and get detailed logs using their Wincollect server functionality. Using that alongside of something like Varonis and a decent DLP solution will give you complete insight into what your users are doing, when they did it, and what information was involved. Installing it is easy configuring it is formidable but the results will give you attribution and specificity. In addition the capabilities of QRadar allow the development of specific use cases that will detect anomalous behavior and provide excellent IOAS and IOCs.
Malola Varadhan
User at First Abu Dhabi Bank P.j.s.c

I work at mid-sized enterprise bank. I am researching SIEM solutions. Which is the best tool for security information and event management: Arcsight or Securonix?

Abhishek RVRK SharmaThat is kind of like asking - I want a car, what would you recommend? your choice of SIEM should be determined by - your use cases, your budget and your available resources.  Securonix (I work here) is a cloud-native full functionality SIEM recognized by Gartner as a top 3 leader in their MQ for 2020. As a pioneer for UEBA tech, the Securonix SIEM platform deeply integrates advanced UEBA into SIEM functionality. The platform also offers custom content for financial institutions, with pre-built content for use cases such as SWIFT system protection and trade surveillance. I don't know much about ArcSight, so I won't comment, but it always helps to have a SIEM that has custom content for your industry, which is regularly updated and maintained. Being cloud-native also enables better public cloud integration.
Consulta85d2Neither, or both.  Having done literally thousands of SIEM deployments, I can tell you from experience that the technology choice isn't the most important choice. The critical choice is in the resources and commitment to manage and use the system. I've seen countless SIEM implementations fail over the longer term, including all of the big names, because too many people treat it like a "set it and forget it" system. It is most definitely not. A SIEM or UEBA platform is a tool that must be monitored, tuned, and used every day. So I would recommend to you that you spend less time figuring out which technology is the "best" and more time building a plan to integrate it, manage it, and fully utilize it. Or selecting a good team to do that for you.
Himanshu ShahArcsight is a legacy SIEM a Ro-bust log management tool however works on EPS ( Events per second) costing, which mounts recurring cost on year on year basis. However Securonix SIEM based on Data Lake and Advanced Analytics or  UEBA suite which provides rich context of any insider threat. You can also have Incident Responder and Threat hunting along with automated response with Play books with add on SOAR tool. I think for a mid-ranged bank Securonix may suite better , also one can have this as service by Cloud service for above tools if options available for the same.
Rony_Sklar
IT Central Station

How do log management and SIEM differ? Is it necessary to have separate tools for each function or can these functions be rolled into one solution?

Which products are best for SIEM, and which are better for log management? Do you have recommendations of products that effectively combine both log management and SIEM?

Lindsay MiethRony, Daniel's answer is right on the money.  There are many solutions for each in the market, a lot depends upon your ability to manage such tools and your budget.  A small operation may be best served by a managed service if it proves to be economical.  I do not have any recent data on these.  When I was investigating SIEMs there were big systems such as IBM, HP and McAfee then I found LogRhythm which has proved to be a great tool and more of what I needed right away.  We manage it ourselves, though they now have a cloud offering.  Also, if you have mostly Office365 and Azure IaaS logs to work with, you may find MS Azure Sentinel to be a good fit.  I hope this is of some use to you.
Daniel SichelLog Management is just that, it looks at logs from devices and attempts to make inferences about security issues from those logs. SIEM technology typically casts a wider net, looking at all types of security events. The best of breed will look at Network flows and events and logs, and other types of events that don't necessarily come from logging sources and provide an inference engine and rules management platform to allow you to detect anomalies from a wide variety of sources rather than just logs.
David Rivas HueteIn short, Log Management refers to the collection, storage, and organizing of the event logs according to your specifics needs and operational processes. Opposite, the SIEM after data collection, is making the real exploitation of this data acquired from different sources, servers, applications, and OS. In the context of the traditional Intelligence cycle, is performing 3 of the 4 typical stages: Collection, Analysis/Processing, and Distribution to Decision-makers. Said that from the perspective of a former Intel guy is Intelligence vs raw data before even converted into the information.
Menachem D Pritzker
Director of Growth
IT Central Station

Buying a SIEM solution, especially for a large enterprise, is a massive decision.

How long does your organization spend on making this decision? How long does it then take to implement?

What are your considerations before pulling the trigger on a particular solution?

What's your shortlist process like?

How do you do your research?

What are your primary considerations?

How do independent user review sites like IT Central Station, or independent analyst reviews, influence your decision?

Would love to hear your thoughts. Thanks in advance :)

KevinGrahamHow long does your organization spend on making this decision? How long does it then take to implement? Should be 12 months inclusive of testing and PoC What are your considerations before pulling the trigger on a particular solution? Right sizing in current climate, ease of management and translation. What's your shortlist process like? PoC and reference on sizing. What are your primary considerations? How do independent user review sites like IT Central Station, or independent analyst reviews, influence your decision?
Rony_Sklar
IT Central Station

SIEM and SOAR have a lot of components in common. How do they differ in the role they play in Cyber Security?

If you've been working in cybersecurity, you've likely come across SOAR and SIEM technologies. There are differences between their capabilities, although they have a fair amount of commonalities. They both collect data, but the quantity of data, type of data, and type of response is where they differ. As threats have advanced, security professionals may be in need of both.

That's where SOAR and SIEM come to the rescue, although there has been some confusion as to the difference between the two. The two technologies have different competencies, but can be combined to increase a security team's or SOC's effectiveness.

We've evaluated the differences of the best SIEM tools and top SOAR tools to clear up the differences between each.

SIEM vs SOAR

In short, SIEM aggregates and correlates data from multiple security systems to generate alerts while SOAR acts as the remediation and response engine to those alerts.

SIEM is the collection and aggregation of security data sourced from integrated platforms logging event-related data - firewalls, network appliances, intrusion detection and prevention systems, etc. - then correlates data across devices, categorizes, and analyzes incidents before issuing alerts. The alerts are identified by using sophisticated analytical techniques and machine learning, which require fine tuning. This leaves a lot of alerts for a security team or SOC to prioritize and remediate; a difficult, time-consuming process.

SOAR, on the other hand, is designed to help security teams automate the response process by gathering alerts, managing cases, and responding to the endless alerts generated by SIEM. With SOAR, security teams can integrate with security alerts and create adaptive, automated incident response workflows. This gives SecOps the ability to prioritize threats and deliver faster results.

Shastri SooknananSIEM is the log file collection of I.T assets and various intel feeds that aggregates and correlates big data, the SOAR component mostly enhances how the detected anomalies are handled with minimal to no human interaction by coordinating corrective action from one or more systems.
Marcus GaitherWhat is SIEM? Firewalls, network appliances, and intrusion detection systems generate an immense amount of event-related data—more data than security teams can reasonably expect to interpret. A SIEM makes sense of all of this data by collecting and aggregating and then identifying, categorizing, and analyzing incidents and events. This is often done using machine learning, specialized analytics software, and dedicated sensors. A SIEM solution examines log data for patterns that could indicate a cyberattack, then correlates event information between devices to identify potentially anomalous activity, and finally, issues alerts accordingly. So why isn’t a SIEM solution effective on its own? SIEM tools usually need regular tuning to continually understand and differentiate between anomalous and normal activity. The need for regular tuning leads to security https://swimlane.com/resources/the-life-of-a-security-analyst-before-and-after-soar" style="">analysts and engineers wasting precious time on making the tool work for them instead of triaging the constant influx of data. What is SOAR? Like SIEM, SOAR is designed to help security teams manage and respond to endless alarms at machine speeds. SOAR platforms take things a step further by combining comprehensive data gathering, case management, standardization, workflow and analytics to provide organizations the ability to implement sophisticated defense-in-depth capabilities. Here’s how: SOAR solutions gather alarm data from each integrated platform and place them in a single location for additional investigation. SOAR’s approach to case management allows users to research, assess, and perform additional relevant investigations from within a single case. SOAR establishes integration as a means to accommodate highly automated, complex https://swimlane.com/solutions/security-automation-and-orchestration/automated-incident-response" style="">incident response workflows, delivering faster results and facilitating an adaptive defense. SOAR solutions include multiple playbooks in response to specific threats: Each step in a playbook can be fully automated or set up for one-click execution directly from within the platform—like https://swimlane.com/platform/swimlane" style="">Swimlane—including interaction with third-party products for comprehensive integration. Put simply, SOAR—sometimes also known as security automation and orchestration (SAO)—integrates all of the tools, systems and applications within an organization’s security toolset and then enables the SecOps team to https://swimlane.com/solutions/security-automation-and-orchestration/automated-incident-response" style="">automate incident response workflows. SOAR’s main benefit to a SOC is that it https://swimlane.com/solutions/security-automation-and-orchestration/security-automation" style="">automates and https://swimlane.com/solutions/security-automation-and-orchestration/security-orchestration" style="">orchestrates time-consuming, manual tasks, including opening a ticket in a tracking system, such as Jira, without requiring any human intervention—which allows engineers and analysts to better use their specialized skills. Using SIEM and SOAR for improved SecOps Both SIEM and SOAR intend to improve the lives of the entire security team, from the analyst to the CISO, by increasing the efficacy of the SOC and mitigating vulnerability to the organization. While the collection of data is incredibly meaningful, SIEM solutions tend to produce more alerts than SecOps teams can expect to respond to while still remaining effective. SOAR enables the security team to handle the alert load quickly and efficiently, leaving time for important, skills-based tasks which results in a higher-performing SOC.
Gregg WoodcockThe SIEM is the detection/surveillance engine whereas the SOAR is the remediation/response engine
Rony_Sklar
IT Central Station

Are event correlation and aggregation both needed for effective event monitoring and SIEM? 

David CollierBoth are techniques aimed at reducing the number of active alerts an operator receives from the monitoring tool. I don't fully agree with the previous descriptions of correlation and aggregation, welcome though they are. Let's take a typical scenario. Assume a network interface on a large switch fails to result in many systems experiencing a failure. In the 'raw' state, i.e. with no correlation or aggregation, the monitoring system would receive potentially thousands of events - possibly multiple SNMP traps from other network devices or servers, event logs records from Windows servers, Syslog entries from Linux, errors from the database management system, errors from web servers relying on that database and probably lots of incidents raised by users on the help desk. Good correlation algorithms will be able to distinguish between "cause" alarms and "symptom" alarms. In this scenario, the "cause" is the failing network switch port and the symptoms are the database failures and log file entries. Simplistically, fixing the cause will also address the symptoms. Typically, aggregation is used to "combine" events into a single alarm. Again there are multiple methods to do this. A simple one would be - as previously described - duplicate reduction. In a poorly configured monitoring environment every check that breaches threshold results in an alarm. If monitoring is granular, say every 30 seconds the CPU utilization is measured and an alarm raised if it exceeds 80% then very quickly the operator would be overwhelmed by many meaningless alarms - especially if the CPU is doing some work where high CPU usage is expected. In this case, handling 'duplicates' is helpful when helping operators identify real issues. In this case, it may be enough to update the original alarm with the duration of the threshold breach. There are many techniques for aggregation and correlation beyond identifying cause and symptoms events or ignoring duplicates. For instance, Time based event handling. Consider a scenario where an event is only considered relevant if another event hasn't happened in a given timeframe before or after the focus event. Or a scenario where avent aggregation occurs based on reset thresholds rather than alarm thresholds. There are also some solutions that purport to intelligently correlate events using AI. Although, speaking personally, this seems more marketing speak than a one-click feature. In reality, these advanced (i.e. $$$$$$) solutions need to maintain a dynamic infrastructure topology in near-real-time and map events to service components in order to assess root cause correlation. In the days of rapidly flexing and shrinking infrastructures, cloud services, and containerization, it is extremely difficult to maintain an accurate, near-real-time view of an entire IT infrastructure from users through to lines of application code. A degree of machine learning has helped, but the cost-benefit simply isn't there yet for these topology-based event correlation features.
James MeeksAs previously mentioned, Correlation is the comparing of the same type of events. In my experience, alerts are created to notify when a series of these occurs and reaches as the prescribed threshold. Aggregation, based on my experience, is the means of clumping/combining objects of similar nature together and providing a record of the "collection"; of deriving group and subgroup data by analysis of a set of individual data entries. Alerts for this are usually created for prognostication and forecasting. Often the "grouping" is not detailed information so there is a requirement for digging into the substantiating data to determine how this data was summarized. Alerts/Alarms can be set for both, but usually only for the former and not the latter.
Daniel SichelOther answers are pretty much sum this up but there is one important point to make. In some technology it's important to take into account the number of events that got are aggregated and for your sim device to be able to treat them as individual events for the purpose of correlation.
Rony_Sklar
IT Central Station

Is AWS Cloudwatch enough on its own, or is it a good idea to use a SIEM platform in conjunction with it?

Consulta85d2CloudWatch is great, but it's not enough on its own. CloudWatch provides some limited alerting capabilities, but this is nothing like a true correlation engine or behavioral anomaly detection engine. You really need to feed your CloudWatch data into a SIEM or UEBA to get the most value from those logs. Also note that many of the logs that get fed into CloudWatch could also be fed directly to a SIEM via other means like syslog or agents, so you should consider what requirements you need to fulfill and where you'll get the best value for your money.
Dr. Thulaganyo Rabogadi
Director, Technical at a government with 201-500 employees

I am the technical director of a science and technology division for the government. 

Which SIEM solution would deliver the best ability to identify, protect, detect, respond and recover from a cyber attack?

Thanks! I appreciate your help. 

Gabriel CrespoI think you are missing the point here. Many SIEM solutions will give you similar abilities, however, odds are that just one SIEM will perfectly fit your needs. Are you interested in NOC capabilities (device monitoring) or just security logs? Will you send flows to the SIEM? How many people are in your security team? How many servers/networks/devices... will be monitored? Answer that first, and you'll get the perfect recommendation.
AdrianMacheDepending on your goals in designing and implementing this resource, whatever you are choosing should deliver it's best, if configured properly. https://www.itcentralstation.com/products/comparisons/rsa-netwitness-logs-and-packets-rsa-siem_vs_splunk should give you an insight of the top 2 personal choices, and apps I've worked with: RSA Netwitness and Splunk. Having a history with both determines me to recommend RSA NW from the stability point of view. A broad discussion is listed in this topic and it's a must to answer those questions before deciding to pursue any step further. https://www.itcentralstation.com/questions/what-questions-should-i-ask-before-buying-siem Thank you, Adrian
Gregg WoodcockI am admittedly biased but there are very good reasons that Splunk is the leader in this space. It all depends on your requirements if it is best for you. Splunk is pricey but I assume that budget is not really one of your concerns so that is good. The major strengths of Splunk include: flexibility, late-binding-shcemea (with the option to normalize with Common Information Model), ease of validation (everything is a search), speed of implementation (fast time to value), robust command set (you can do ANYTHING and it is FUN), the BEST documentation in all of tech, the most helpful community in all of tech, and an every broadening end-to-end ecosystem of features and products to feed the beast (although admittedly, as upsells).