Security Information and Event Management (SIEM) Forum

Computer & Network Systems Administrator at an aerospace/defense firm with 1,001-5,000 employees
Apr 16 2018
My organization has one last piece of the puzzle to complete for NIST 800-171 compliance. I know nothing about Network Security and Event Management. I have a team of two Systems and Network Admins who already spend a lot of time ensuring the organization is running smoothly, dealing with any technical issues, and ensuring the infrastructure is performing well. What solution is recommended for something that can automate and run with little to no interaction, but ensure the requirements and needs are met? Is there a solution that does not require heavy configuration, one that can give you an overview of the network and tell you exactly what is going on inside the network, and, if needed, any penetration alerts, if they exist?
David Burton: There are many good SIEM products on the market today. Our company evaluated several SIEM products: LogRhythm, Splunk, AlienVault, Fortinet, and EventTracker. They are all great products. We settled on EventTracker and purchased the licenses through a 3rd party, because these companies have internal teams of trained security analysts. They take on the heavy lifting of reviewing alerts, threat analysis, etc. The required manpower is a critical piece when evaluating SIEMs.
Perry Jurancich: As David mentioned above, there are many good SIEM products available. The challenge, in the environment as described, is getting the value out of it if you run it yourself. There is a lot of overhead when it comes to running a SIEM, especially for the uninitiated and non-cyber-minded folks. This question is interesting because I had this very conversation with a customer yesterday. My company provides consulting services to myriad companies around the world. Under 800-171 section 3.3 (800-53r4 AU controls), you have to demonstrate you retain logs for your cybersecurity environment (3.3.1), review logs on a regular basis (3.3.3), have the ability to 'audit' the logs (3.3.5) and alert on events (AU-6). IMHO, the best solution for an organization that has limited staff and time is a hosted version of SIEM services. Not just a hosted SIEM, but one with an AI/ML behavioral analysis processing engine and 24x7 'eyes on glass' (not just automated systems monitoring): certified cybersecurity analysts who evaluate all alerts, then only advise the company of an issue to be addressed. It totally takes the heavy lifting off of any company, with the benefit of (in effect) staff augmentation. Bringing a SIEM in-house for small organizations is a challenge at best, a recipe for failure at worst, plus it may not meet 800-171 requirements. TIG ThreatWatch, Arctic Wolf SOCaaS and SecureWorks are a few in the space. Be careful: make sure you have full access to your data, the ability to run reports to generate artifacts for audits and live alerts, and that you only plug security devices into the monitoring for 800-171 requirements. Be sure to use one that doesn't cost you by volume of logs; it should be by log source, regardless of volume. Best of luck!
itsecuri350985: I have been working with SIEM technology for more than 10 years. LogRhythm is no doubt one of the best for a small to mid-size company.
Content Specialist
IT Central Station
Feb 12 2018
I'm a community manager here at IT Central Station and I'm doing some research to try to make our platform even better. I'd really appreciate it if you could answer a few quick questions. Was your research of SIEM products on our site for a purchase? If not, what was it for? Which product did you end up choosing and when did you finalize the purchase? Was IT Central Station content helpful in helping you make a decision? What other content or data could we have offered that would have helped you make a quicker/better decision? I really appreciate your help! Rhea
Senior Consultant-Information Security at a tech services company with 51-200 employees
I would like to know the evaluation parameters and reviews for SIEM (AlienVault and LogRhythm) to implement in a banking environment in the Gulf region.
Shaikh Jamal Uddin: IBM QRadar is the best option because they use UBA, with machine learning algorithms, for the quick detection of insider threats, targeted attacks and financial fraud, instead of tracking devices or security events.
User
I do not have a business email address. How can I download PDFs?
Is there any comparison criteria on Tableau depicting SIEM vendors weaknesses and strengths?
Security Analyst at a tech vendor with 51-200 employees
We're looking for real-life experience on behalf of a client in integrating QRadar data into Splunk ES, or Splunk/Splunk ES into QRadar, or both into a 3rd option for PA/SA. This client has one of the largest and most complex networks among the federal agencies, currently is using both products in differing areas, and is looking for the best way forward, enterprise-wide. The vendors have been telling us that it can work either way, but we have yet to see a live case of this, and we've been looking for specifics on how to make this work, and work well. We don't have a dog in this fight, we just want the solution that makes the best sense, given the considerable sums already spent on both solutions, and the size and complexity of the networks involved. If you're a taxpayer, here's a chance to help save a lot of time and money. Appreciatively, Barry
User at a consultancy
I am looking for features comparison between AlienVault, SolarWinds LEM, HPE Arcsight, and any other similar enterprise grade products. Can you share a feature comparison document?
FO Engineer at a comms service provider with 501-1,000 employees
Hi everyone, I would like to export Nessus Scanner reports into the ArcSight ESM Console but I do not have any idea how to do this. Can anyone help me, please? Sam
Content and Community Manager
IT Central Station
Recently, our user activity has shown that Splunk is the most commonly searched solution on our site.  3,643 of our community members follow Splunk, and it's listed in five of our product categories: Log Management, Data Visualization, IT Operations Analytics, and Security Information and Event Management (SIEM). What are some of the best features and use-cases of Splunk, and why are people explicitly searching for it to learn more?
Randall Hinds: I agree with Aaron & Tom on their points. Along with their use cases, I have been able to show more than log data in Splunk views. We tested several plug-ins during a small pilot, and we were able to bring O/S (Win/Unix/Linux) & APM data metrics into the same views as logged data. I've seen others use it to visualize a wider range of data types, too. That said, Tom's point resonates with me. There are better tools for visualization (ZoomData & Kibana come to mind), but as an aggregator Splunk has the most plug-in types out there. IF (big if) you have the $$ to support ingesting everything, you could theoretically pull data that lives in 40 or 400 source tools and thousands of hosts/systems into a single set of enterprise views. I am not fortunate enough to have that kind of budget though... After proving the concept in pilot, we had to dismantle our 'unified views' due to lack of funding.
Jean-Luc Labbé: A good log management solution you can use if you know what you are looking for. Not a SIEM solution, though, even though customers should be aiming for solutions that go beyond what a SIEM does, that is, a Security Intelligence platform.
Julio Jimenez: The flexibility that it offers. One of the most powerful features of Splunk is its ability to extract fields from events when you search, creating structure out of unstructured data. It takes a small amount of "learning time" to start creating or getting searches that are meaningful to you. You can start "splunking" for free, which allows you to see the benefit. There are a ton of resources on the web, use cases, and step-by-step instructions.
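To make the two technical points in this thread concrete, the search-time field extraction Julio describes (structure derived from raw text at query time, not at ingest) and the "review the logs and alert on events" requirement Perry maps to 800-171 section 3.3, here is a small added example in Python. It is not Splunk code or anything from the original thread; the log lines are constructed for the demo, and the function names (`extract_fields`, `search`, `stats_count_by`, `brute_force_alert`) and the threshold of three failures are assumptions of this illustration, loosely modelled on Splunk's `rex` and `stats count by` idioms.

```python
import re
from collections import Counter

# Constructed sample events (not from the original thread): syslog-style sshd
# lines mixed with a free-text application line, deliberately with no shared schema.
RAW_EVENTS = [
    "Mar  3 10:15:01 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar  3 10:15:03 bastion sshd[2210]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Mar  3 10:15:04 bastion sshd[2210]: Failed password for root from 203.0.113.7 port 51026 ssh2",
    "Mar  3 10:15:06 bastion sshd[2211]: Accepted publickey for deploy from 198.51.100.20 port 40010 ssh2",
    "Mar  3 10:15:09 bastion sshd[2212]: Failed password for oracle from 203.0.113.7 port 51030 ssh2",
    "Mar  3 10:16:00 app01 myapp: login failed user=jsmith src=198.51.100.44 reason=bad_password",
    "Mar  3 10:16:30 app01 myapp: login ok user=jsmith src=198.51.100.44",
]

# Search-time extractions, in the spirit of Splunk's `rex`: named capture groups
# become fields. The raw event is stored untouched; structure is derived on read.
HEADER = re.compile(r"^(?P<timestamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<program>[\w.-]+)")
EXTRACTIONS = [
    re.compile(r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
               r"(?P<user>\S+) from (?P<src_ip>[\d.]+) port (?P<src_port>\d+)"),
    re.compile(r"login (?P<outcome>failed|ok) user=(?P<user>\S+) src=(?P<src_ip>[\d.]+)"),
]


def extract_fields(raw: str) -> dict:
    """Apply the header pattern plus the first matching body pattern; merge the
    named groups into a field dict. Unmatched events keep only _raw."""
    fields = {"_raw": raw}
    m = HEADER.match(raw)
    if m:
        fields.update(m.groupdict())
    for pattern in EXTRACTIONS:
        m = pattern.search(raw)
        if m:
            fields.update(m.groupdict())
            break
    # Normalise the two sources' different success/failure vocabularies into one field,
    # so a single search can cover both (the point of creating structure at search time).
    outcome = fields.get("outcome")
    if outcome in ("Failed", "failed"):
        fields["action"] = "failure"
    elif outcome in ("Accepted", "ok"):
        fields["action"] = "success"
    return fields


def search(events, **where):
    """Roughly `index=auth action=failure`: yield events whose extracted fields match."""
    for raw in events:
        f = extract_fields(raw)
        if all(f.get(k) == v for k, v in where.items()):
            yield f


def stats_count_by(results, field):
    """Roughly `| stats count by <field>` over a result set."""
    return Counter(r[field] for r in results if r.get(field) is not None)


def brute_force_alert(events, threshold=3):
    """A scheduled-search style rule: source IPs with >= threshold failed logins.
    The threshold is an assumption for the demo, not a recommended value."""
    counts = stats_count_by(search(events, action="failure"), "src_ip")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in brute_force_alert(RAW_EVENTS).items():
        print(f"ALERT: {n} failed logins from {ip}")
```

The design choice worth noticing is that nothing is parsed when the line is stored: `extract_fields` runs every time `search` reads an event, so a new log source only needs another regex added to `EXTRACTIONS`, and the normalised `action` field lets one rule (`brute_force_alert`) cover sshd and the application log alike. That per-source extraction work is exactly the ongoing effort the earlier replies warn a two-person team about, whether it lands in-house or with a managed provider.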
