Security Information and Event Management (SIEM) Forum

Malola Varadhan
User at First Abu Dhabi Bank P.j.s.c
Jun 29 2020
I work at a mid-sized enterprise bank. I am researching SIEM solutions. Which is the best tool for security information and event management: ArcSight or Securonix?
Consulta85d2
Neither, or both. Having done literally thousands of SIEM deployments, I can tell you from experience that the technology choice isn't the most important choice. The critical choice is in the resources and commitment to manage and use the system. I've seen countless SIEM implementations fail over the longer term, including all of the big names, because too many people treat it like a "set it and forget it" system. It is most definitely not. A SIEM or UEBA platform is a tool that must be monitored, tuned, and used every day. So I would recommend that you spend less time figuring out which technology is the "best" and more time building a plan to integrate it, manage it, and fully utilize it. Or selecting a good team to do that for you.
Norman Freitag
In my market, a lot of financial companies had or have an ArcSight installation, just because in former times it was pretty good. Now a lot of them are looking for a more effective solution due to the admin costs of handling more complex scenarios; the same applies to QRadar. It looks like the old champions like ArcSight are getting a little "out of date". That's why my company (SW development and consulting) has recommended Splunk to our customers since 2012. Actually, the best solution for me is to install a Splunk core with the cost-free Sec App in phase 1; later on you can upgrade to the big Enterprise Security and get into full automation with Phantom, but be patient. So up front the license fee is quite a bit higher than the competitors', but you save a lot of investment on the people side. Another advantage is that you can get rid of the classic ETL-layer structure, so explorative searches and quick adaptation are really possible. If you have concerns about the budget, let me give you one thing to take on the way: the data you collect for security reasons can be very useful for other departments. Think of ITOps, compliance, transaction control, even marketing. So share some dashboards with them with a scope on their issues and they will share your costs. Splunk is a leader in Gartner, so your or your boss's political risk in choosing Splunk is quite low. Joseph's recommendation is worth a look if you must use ArcSight or other classic ETL-structured SIEMs.
Himanshu Shah
ArcSight is a legacy SIEM and a robust log management tool; however, it works on EPS (events per second) costing, which mounts recurring cost on a year-on-year basis. Securonix SIEM, however, is based on a data lake and an advanced analytics/UEBA suite, which provides rich context on any insider threat. You can also have Incident Responder and threat hunting along with automated response with playbooks via an add-on SOAR tool. I think for a mid-sized bank Securonix may suit better; one can also have this as a service via the cloud for the above tools if the option is available.
Rony_Sklar
IT Central Station
Jun 18 2020
SIEM and SOAR have a lot of components in common. How do they differ in the role they play in Cyber Security?
Shastri Sooknanan
SIEM is the log file collection of IT assets and various intel feeds that aggregates and correlates big data; the SOAR component mostly enhances how the detected anomalies are handled with minimal to no human interaction by coordinating corrective action from one or more systems.
Marcus Gaither
What is SIEM? Firewalls, network appliances, and intrusion detection systems generate an immense amount of event-related data—more data than security teams can reasonably expect to interpret. A SIEM makes sense of all of this data by collecting and aggregating and then identifying, categorizing, and analyzing incidents and events. This is often done using machine learning, specialized analytics software, and dedicated sensors. A SIEM solution examines log data for patterns that could indicate a cyberattack, then correlates event information between devices to identify potentially anomalous activity, and finally, issues alerts accordingly.

So why isn't a SIEM solution effective on its own? SIEM tools usually need regular tuning to continually understand and differentiate between anomalous and normal activity. The need for regular tuning leads to security analysts and engineers (https://swimlane.com/resources/the-life-of-a-security-analyst-before-and-after-soar) wasting precious time on making the tool work for them instead of triaging the constant influx of data.

What is SOAR? Like SIEM, SOAR is designed to help security teams manage and respond to endless alarms at machine speeds. SOAR platforms take things a step further by combining comprehensive data gathering, case management, standardization, workflow and analytics to provide organizations the ability to implement sophisticated defense-in-depth capabilities. Here's how: SOAR solutions gather alarm data from each integrated platform and place them in a single location for additional investigation. SOAR's approach to case management allows users to research, assess, and perform additional relevant investigations from within a single case. SOAR establishes integration as a means to accommodate highly automated, complex incident response workflows (https://swimlane.com/solutions/security-automation-and-orchestration/automated-incident-response), delivering faster results and facilitating an adaptive defense. SOAR solutions include multiple playbooks in response to specific threats: each step in a playbook can be fully automated or set up for one-click execution directly from within the platform—like Swimlane (https://swimlane.com/platform/swimlane)—including interaction with third-party products for comprehensive integration. Put simply, SOAR—sometimes also known as security automation and orchestration (SAO)—integrates all of the tools, systems and applications within an organization's security toolset and then enables the SecOps team to automate incident response workflows. SOAR's main benefit to a SOC is that it automates and orchestrates (https://swimlane.com/solutions/security-automation-and-orchestration/security-automation, https://swimlane.com/solutions/security-automation-and-orchestration/security-orchestration) time-consuming, manual tasks, including opening a ticket in a tracking system, such as Jira, without requiring any human intervention—which allows engineers and analysts to better use their specialized skills.

Using SIEM and SOAR for improved SecOps: Both SIEM and SOAR intend to improve the lives of the entire security team, from the analyst to the CISO, by increasing the efficacy of the SOC and mitigating vulnerability to the organization. While the collection of data is incredibly meaningful, SIEM solutions tend to produce more alerts than SecOps teams can expect to respond to while still remaining effective. SOAR enables the security team to handle the alert load quickly and efficiently, leaving time for important, skills-based tasks, which results in a higher-performing SOC.
Gregg Woodcock
The SIEM is the detection/surveillance engine whereas the SOAR is the remediation/response engine.
Rony_Sklar
IT Central Station
Jun 10 2020
Are event correlation and aggregation both needed for effective event monitoring and SIEM? 
David Collier
Both are techniques aimed at reducing the number of active alerts an operator receives from the monitoring tool. I don't fully agree with the previous descriptions of correlation and aggregation, welcome though they are.

Let's take a typical scenario. Assume a network interface on a large switch fails, resulting in many systems experiencing a failure. In the 'raw' state, i.e. with no correlation or aggregation, the monitoring system would receive potentially thousands of events - possibly multiple SNMP traps from other network devices or servers, event log records from Windows servers, syslog entries from Linux, errors from the database management system, errors from web servers relying on that database and probably lots of incidents raised by users on the help desk. Good correlation algorithms will be able to distinguish between "cause" alarms and "symptom" alarms. In this scenario, the "cause" is the failing network switch port and the symptoms are the database failures and log file entries. Simplistically, fixing the cause will also address the symptoms.

Typically, aggregation is used to "combine" events into a single alarm. Again there are multiple methods to do this. A simple one would be - as previously described - duplicate reduction. In a poorly configured monitoring environment every check that breaches a threshold results in an alarm. If monitoring is granular, say every 30 seconds the CPU utilization is measured and an alarm raised if it exceeds 80%, then very quickly the operator would be overwhelmed by many meaningless alarms - especially if the CPU is doing some work where high CPU usage is expected. In this case, handling 'duplicates' is helpful in helping operators identify real issues. It may be enough to update the original alarm with the duration of the threshold breach.

There are many techniques for aggregation and correlation beyond identifying cause and symptom events or ignoring duplicates. For instance, time-based event handling. Consider a scenario where an event is only considered relevant if another event hasn't happened in a given timeframe before or after the focus event. Or a scenario where event aggregation occurs based on reset thresholds rather than alarm thresholds. There are also some solutions that purport to intelligently correlate events using AI. Although, speaking personally, this seems more marketing speak than a one-click feature. In reality, these advanced (i.e. $$$$$$) solutions need to maintain a dynamic infrastructure topology in near-real-time and map events to service components in order to assess root cause correlation. In the days of rapidly flexing and shrinking infrastructures, cloud services, and containerization, it is extremely difficult to maintain an accurate, near-real-time view of an entire IT infrastructure from users through to lines of application code. A degree of machine learning has helped, but the cost-benefit simply isn't there yet for these topology-based event correlation features.
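The two techniques David walks through above, duplicate reduction (one alarm per host/check, updated with the breach duration) and cause/symptom correlation within a time window, as an added Python example. This is not code from the forum post or from any SIEM product; the events, hostnames, field names, the "port_down explains db/web errors for 300 seconds" rule and the 30-second CPU checks are all constructed for the illustration.

```python
"""
Added example (not from the post): a toy event pipeline showing
  * aggregation  - repeated CPU threshold breaches from one host collapse
                   into ONE alarm whose duration is updated, and
  * correlation  - a "cause" event (switch port down) absorbs the "symptom"
                   events that follow it within a window instead of letting
                   each raise its own alarm.
All events, hosts and field names below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Event:
    ts: int          # seconds since epoch (constructed values)
    host: str
    kind: str        # e.g. "cpu_high", "port_down", "db_error"
    msg: str


@dataclass
class Alarm:
    key: str                 # "<host>:<kind>"
    first_ts: int
    last_ts: int
    count: int = 1
    symptoms: List[Event] = field(default_factory=list)

    @property
    def duration(self) -> int:
        return self.last_ts - self.first_ts


# Assumed rule: which symptom kinds a cause explains, and for how long afterwards.
CAUSE_RULES = {
    "port_down": {"symptoms": {"db_error", "web_error", "syslog_timeout"}, "window": 300},
}


def aggregate_duplicates(events: List[Event]) -> Dict[str, Alarm]:
    """Collapse repeated breaches of the same check on the same host into one alarm."""
    alarms: Dict[str, Alarm] = {}
    for e in events:
        key = f"{e.host}:{e.kind}"
        if key in alarms:
            alarms[key].count += 1
            alarms[key].last_ts = e.ts        # extend the breach duration, no new alarm
        else:
            alarms[key] = Alarm(key, e.ts, e.ts)
    return alarms


def correlate(events: List[Event]):
    """Return (cause alarms, aggregated alarms for everything not explained by a cause)."""
    ordered = sorted(events, key=lambda e: e.ts)
    causes: List[Alarm] = []
    leftovers: List[Event] = []
    for e in ordered:
        if e.kind in CAUSE_RULES:
            causes.append(Alarm(f"{e.host}:{e.kind}", e.ts, e.ts))
            continue
        explained = False
        for c in causes:
            rule = CAUSE_RULES[c.key.split(":", 1)[1]]
            if e.kind in rule["symptoms"] and 0 <= e.ts - c.first_ts <= rule["window"]:
                c.symptoms.append(e)           # attach symptom to its cause
                explained = True
                break
        if not explained:
            leftovers.append(e)
    return causes, aggregate_duplicates(leftovers)


# Constructed raw events: one switch port failure, its downstream symptoms,
# an unrelated batch host tripping an 80% CPU check every 30 seconds, and a
# database error long after the window that must NOT be blamed on the switch.
SAMPLE = [
    Event(1000, "core-sw1", "port_down", "Gi1/0/24 link down"),
    Event(1003, "db01", "db_error", "listener unreachable"),
    Event(1005, "web01", "web_error", "502 upstream"),
    Event(1007, "web02", "web_error", "502 upstream"),
    Event(1000, "batch01", "cpu_high", "cpu 91%"),
    Event(1030, "batch01", "cpu_high", "cpu 95%"),
    Event(1060, "batch01", "cpu_high", "cpu 97%"),
    Event(1090, "batch01", "cpu_high", "cpu 88%"),
    Event(1500, "db01", "db_error", "deadlock detected"),
]


def summarize(events: List[Event] = SAMPLE) -> dict:
    causes, others = correlate(events)
    return {
        "raw_events": len(events),
        "cause_alarms": [(c.key, len(c.symptoms)) for c in causes],
        "other_alarms": {k: (a.count, a.duration) for k, a in others.items()},
    }


if __name__ == "__main__":
    print(summarize())
```

Nine raw events become three alarms: the switch port with three attached symptoms, one CPU alarm carrying a count of 4 and a 90-second duration, and the late database error on its own, because it fell outside the cause's window.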
James Meeks
As previously mentioned, correlation is the comparing of the same type of events. In my experience, alerts are created to notify when a series of these occurs and reaches the prescribed threshold. Aggregation, based on my experience, is the means of clumping/combining objects of similar nature together and providing a record of the "collection": deriving group and subgroup data by analysis of a set of individual data entries. Alerts for this are usually created for prognostication and forecasting. Often the "grouping" is not detailed information, so there is a requirement for digging into the substantiating data to determine how this data was summarized. Alerts/alarms can be set for both, but usually only for the former and not the latter.
Daniel Sichel
Other answers pretty much sum this up, but there is one important point to make. In some technology it's important to take into account the number of events that are aggregated, and for your SIEM device to be able to treat them as individual events for the purpose of correlation.
Rony_Sklar
IT Central Station
May 27 2020
Is AWS CloudWatch enough on its own, or is it a good idea to use a SIEM platform in conjunction with it?
Consulta85d2
CloudWatch is great, but it's not enough on its own. CloudWatch provides some limited alerting capabilities, but this is nothing like a true correlation engine or behavioral anomaly detection engine. You really need to feed your CloudWatch data into a SIEM or UEBA to get the most value from those logs. Also note that many of the logs that get fed into CloudWatch could also be fed directly to a SIEM via other means like syslog or agents, so you should consider what requirements you need to fulfill and where you'll get the best value for your money.
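To make the "limited alerting vs. correlation engine" distinction concrete, here is an added Python example, not from the post and not from any AWS or SIEM product, that runs a stateful rule over constructed CloudTrail records in the JSON shape CloudTrail delivers to a CloudWatch Logs log group. A CloudWatch metric filter can count "ConsoleLogin Failure" messages, but "several failures from one IP followed by a success within ten minutes" needs state carried across events, which is what a correlation engine does. The field names (eventTime, eventName, sourceIPAddress, userIdentity, responseElements.ConsoleLogin, additionalEventData.MFAUsed) are CloudTrail's documented record fields; the account ID, user names, IP addresses, timestamps and the 3-failures/10-minute thresholds are constructed.

```python
"""
Added example (not from the post): stateful detection over constructed
CloudTrail console-login records as they would appear as CloudWatch Logs
messages. Two rules:
  1. (stateful)  >= FAIL_THRESHOLD ConsoleLogin failures from one source IP,
                 then a ConsoleLogin success from that IP within WINDOW
  2. (stateless) root console login without MFA
Account ID, users, IPs and times below are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

FAIL_THRESHOLD = 3
WINDOW = timedelta(minutes=10)


def _parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(records, threshold=FAIL_THRESHOLD, window=WINDOW):
    findings = []
    recent_failures = defaultdict(deque)     # source IP -> timestamps of failed logins
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if rec.get("eventName") != "ConsoleLogin":
            continue
        ts = _parse_time(rec["eventTime"])
        ip = rec.get("sourceIPAddress", "?")
        outcome = rec.get("responseElements", {}).get("ConsoleLogin")
        ident = rec.get("userIdentity", {})
        mfa = rec.get("additionalEventData", {}).get("MFAUsed")

        if outcome == "Failure":
            recent_failures[ip].append(ts)
            continue
        if outcome != "Success":
            continue
        q = recent_failures[ip]
        while q and ts - q[0] > window:       # forget failures outside the window
            q.popleft()
        if len(q) >= threshold:
            findings.append({"rule": "console-bruteforce-then-success", "ip": ip,
                             "user": ident.get("userName", ident.get("type")),
                             "failures": len(q), "at": rec["eventTime"]})
            q.clear()
        if ident.get("type") == "Root" and mfa != "Yes":
            findings.append({"rule": "root-login-without-mfa", "ip": ip, "at": rec["eventTime"]})
    return findings


# ---- constructed sample data -------------------------------------------------
ACCOUNT = "123456789012"   # constructed account ID
ALICE = {"type": "IAMUser", "accountId": ACCOUNT, "userName": "alice",
         "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"}
BOB = {"type": "IAMUser", "accountId": ACCOUNT, "userName": "bob",
       "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"}
ROOT = {"type": "Root", "accountId": ACCOUNT, "arn": f"arn:aws:iam::{ACCOUNT}:root"}


def _login(event_time, ip, outcome, identity, mfa):
    """One constructed CloudTrail ConsoleLogin record, serialized as a log message."""
    return json.dumps({
        "eventVersion": "1.05", "eventTime": event_time,
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1", "sourceIPAddress": ip, "userIdentity": identity,
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa},
    })


SAMPLE_MESSAGES = [
    _login("2020-05-27T10:00:00Z", "203.0.113.7", "Failure", ALICE, "No"),
    _login("2020-05-27T10:00:40Z", "203.0.113.7", "Failure", ALICE, "No"),
    _login("2020-05-27T10:01:15Z", "203.0.113.7", "Failure", ALICE, "No"),
    _login("2020-05-27T10:02:30Z", "203.0.113.7", "Success", ALICE, "Yes"),   # rule 1 fires
    _login("2020-05-27T10:05:00Z", "198.51.100.9", "Success", ROOT, "No"),    # rule 2 fires
    _login("2020-05-27T09:00:00Z", "192.0.2.50", "Failure", BOB, "No"),      # delivered out of order
    _login("2020-05-27T10:30:00Z", "192.0.2.50", "Success", BOB, "Yes"),     # stale single failure: quiet
    json.dumps({"eventTime": "2020-05-27T10:31:00Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "DescribeInstances", "sourceIPAddress": "192.0.2.50",
                "userIdentity": BOB}),                                       # not a login: skipped
]


def run(messages=SAMPLE_MESSAGES):
    return detect([json.loads(m) for m in messages])


if __name__ == "__main__":
    for f in run():
        print(f)
```

Bob's single stale failure ninety minutes earlier produces nothing, which is the point of the window: a per-message metric filter has no way to express that.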
Dr. Thulaganyo Rabogadi
Director, Technical at a government with 201-500 employees
May 11 2020
I am the technical director of a science and technology division for the government. Which SIEM solution would deliver the best ability to identify, protect, detect, respond and recover from a cyber attack? Thanks! I appreciate your help.
Gabriel Crespo
I think you are missing the point here. Many SIEM solutions will give you similar abilities; however, odds are that just one SIEM will perfectly fit your needs. Are you interested in NOC capabilities (device monitoring) or just security logs? Will you send flows to the SIEM? How many people are in your security team? How many servers/networks/devices... will be monitored? Answer that first, and you'll get the perfect recommendation.
AdrianMache
Depending on your goals in designing and implementing this resource, whatever you are choosing should deliver its best, if configured properly. https://www.itcentralstation.com/products/comparisons/rsa-netwitness-logs-and-packets-rsa-siem_vs_splunk should give you insight into my top 2 personal choices, and apps I've worked with: RSA NetWitness and Splunk. Having a history with both leads me to recommend RSA NW from the stability point of view. A broad discussion is listed in this topic, and it's a must to answer those questions before deciding to pursue any step further: https://www.itcentralstation.com/questions/what-questions-should-i-ask-before-buying-siem Thank you, Adrian
Gregg Woodcock
I am admittedly biased, but there are very good reasons that Splunk is the leader in this space. It all depends on your requirements whether it is best for you. Splunk is pricey, but I assume that budget is not really one of your concerns, so that is good. The major strengths of Splunk include: flexibility, late-binding schema (with the option to normalize with the Common Information Model), ease of validation (everything is a search), speed of implementation (fast time to value), a robust command set (you can do ANYTHING and it is FUN), the BEST documentation in all of tech, the most helpful community in all of tech, and an ever-broadening end-to-end ecosystem of features and products to feed the beast (although admittedly, as upsells).
Avigail Sugarman
Community Manager at IT Central Station
Jan 27 2020
Can you name a few based on the Solutions you have used?
Gabor Mayer
- Organisation of the company
- Leadership commitment
- Enough money to get the full system
- The right choice
- Quality teaching
- Enough time to start a production plant
- The commitment of the owners of the systems involved
- A lot of work from developers
Miriam Tover
Content Specialist
IT Central Station
Jan 21 2020
SIEM is one of the fastest trending topics on IT Central Station. Why do companies need to purchase SIEM? Is it due to compliance reporting, system monitoring, intrusion detection, or something else? Why is it so important? Thanks for helping your peers cut through vendor hype and make the right decision.
Sofiane Medhkour
SIEM provides real-time analysis of security alerts generated by applications and network hardware. It's important as it'll be the centralized point where you get security event reports for all of the infrastructure, and the place where you take the first action. You can buy it as software, and there are a lot of solutions, but you need a security analyst to follow it; or you can buy it as a service.
reviewer916710
SIEM is needed for compliance reporting, system monitoring, intrusion detection, and more. Based on my knowledge and experience in this area I will list the drivers for purchasing a SIEM based on priority as follows:
1. Monitoring different types of cybersecurity hacking attempts from outsiders and insiders.
2. Early detection of security hacking attempts and, as a result, a prompt response is initiated.
3. Testing the effectiveness of all types of security controls in place such as network firewalls, IPSs, WAF, AV, DLP, etc.
4. Visibility of all layers of traffic on different network segments.
5. Reporting non-compliance issues.
6. Early detection of existing vulnerabilities in systems.
7. Security intelligence from the SIEM vendor and other vendors in the network, because logs are correlated in the SIEM.
8. Helping business people and improving quality assurance effectiveness by building customized rules on the received logs.
9. Others such as log retention, log management, and forensics.
Jacob Hinkle
A SIEM is a tool which sorts logs and alerts on security-related events, customizable for a business's needs and regulatory compliance requirements. Many certifications like ISO 27001 and SOC 2 require that there be active monitoring of networks and computer systems to ensure data confidentiality, integrity, and availability. A good SIEM will update itself with new signatures and behavioral patterns to be able to identify malicious activities and behaviors or threat actors by collating logs from various devices and endpoints on your network. A SIEM can augment and enhance the work done by security analysts in identifying problems and prevent costly, damaging attacks like ransomware outbreaks, theft of intellectual property or financial fraud. They also have the benefit of being online 24/7, where a staff of at least three analysts would be needed to provide the same coverage. Though a SIEM is primarily designed to catch security-related events, they can also be customized to monitor applications such as SQL or financial software and alert on specific events such as disks being full, RAM usage or network outages.
Miriam Tover
Content Specialist
IT Central Station
There's a lot of vendor hype about SIEM solutions. SIEMs are not something you just install and wait for great things to happen, right? What questions should someone ask before purchasing a SIEM? Help your peers ask the right questions so that they'll make the best decision.
reviewer1057374
Some areas and questions for evaluating a SIEM solution. These are some common things that come up from customers that we deal with. But there can also be a lot of others based on specific business needs. It helps if they have a clear objective of what it is you are wanting. So review questions like the following:
* Is it just logs from a select few systems or all systems like servers, databases, applications, and desktops?
* Are all the users and systems internal or are they also mobile and could be working from home or over the Internet from a café?
* What operating systems need to be covered, i.e. Windows, Linux, Solaris, Mac OS X, etc.?
* Do you want to collect syslogs from other devices like firewalls, routers, switches, wireless APs, etc.?
* There can be some discussion on agents vs agentless, so there can be discussions on the pros and cons of these needs.
* Do you have compliance issues you need to manage, i.e. PCI DSS, ISO 27001, HIPAA, etc.?
* What is it that you are wanting from the SIEM in reporting? There can be a lot of options: static reports, dynamic dashboards, PDF reports, correlation of log data with other systems like ticketing systems.
* Do you want to run a SOC or just get reports if and when you want to look at something? Do you have the resources to monitor things or do you need to also work with an MSSP?
* What sort of alerting and threshold reporting do you want to get?
* Do you have complex network segments with multiple zones to collect and aggregate logs that need to be centralized, to keep the logs away from the systems generating them and away from potential hackers?
* In general, for those that are starting out for the first time, just stick to the core critical systems and collect logs from those systems until you understand more of what you are wanting to do with SIEM collection and reporting. This helps to keep the project scope more controlled and confined so it's easier to manage. As you learn more you can grow the scope later on.

Once you have a clearer idea of what you are wanting, then it's time to look to the vendors to download the software and see how well it works in your environment.
* How easy was it to get an eval license? Did the sales and presales support help you get going quickly?
* How easily and quickly can you install the software, start to collect logs, and then start to get some reports and visualizations on the data?
* How easy was it to identify problems and security issues, and what sort of value is that to the business?
* How easy is it to roll out? Many large corporate environments have complex change control processes; can the software easily fit within these processes?
* Cost is always a component of any solution, so how well does it scale for your business? Does it have known costs or are there variable costs like per GB of storage, which often bites customers as there is always more data than you expect?
* How well can the solution scale out to hundreds or tens of thousands of systems as the business needs change or the business grows?
* Can upgrades and license changes be done with minimal effort?
* What is the future of the company? Do they invest in R&D to keep enhancing the product, as there is always something new to do or a new OS version to support?
* How well does the vendor do support? Do they offer internet-only support, or do they allow you to talk to a real person that can understand you?
* Does the vendor play nicely with others? Almost all customers have a mixed environment, so being able to integrate and work with other SIEM vendors always helps.

So having a clearer understanding of what they are wanting makes it easier to see "yes, this was a success" or "no, this was a failure and did not meet the business objectives". Some use a scoring system in a spreadsheet to rank various areas on a scale of 1-10, with 1 being poor and 10 meeting all needs. By doing this in a matrix it often helps to sort the good and bad more easily, and the good from the very good, as part of the review process. So having a bit of structure to the evaluation process helps with finding the right fit for the business.
Rainier Varilla
Discovery questions you should ask any SIEM vendor:
- Would you like more insight into what's going on in your network?
- Are your security-related compliance efforts manual and time-consuming?
- Would you know if an advanced threat went after your customer data or employee data before it was too late?
- Do you feel confident you're protected against stealthy, long-term attacks that use social engineering tactics?
- Can you detect all the threats and risks taking place across mobile computing, social networks, and cloud environments?
- Do you find it difficult to keep up with constantly evolving threats, using limited staff and budget?
- Do you have a clear sense of what the risks are, associated with any vulnerabilities in your network, so you can build a prioritized plan for addressing the vulnerabilities?
- Are there any devices you've recently added or network changes you've made that impact your ability to ensure security and demonstrate compliance?
- Old ways of protecting networks can't keep up, and many organizations are looking for help in improving their security and risk posture. Is this a priority you are considering today?
Simo Sim
That is correct, you don't just install it and that is it. There is quite some work to do after installation:
* You need to get events into the system; they need to be normalized. This is dependent upon the vendor and how they offer support for it. This is also important where there is a version upgrade of the source device and log types change.
* You need to configure correlation content and tune it to fit your environment: remove false positives, add assets to the SIEM and so on.
* Monitor the system for what kind of alerts are generated.
* Keep the system up to date with vendor-provided updated software.

What questions should someone ask before purchasing a SIEM?
* Do you have an existing library of use cases?
* What kind of content is available?
* Is this content updated regularly?
* What kind of event sources do you support?
* What if I need to add a custom application?
* What is your license model? If I have a surge, will the system accept it, or will anything be throttled as a result of a license violation?
* How can I monitor the availability of elements within the system? Usually the collection layer and the analysis/storage layer are separate; if the collection layer does not work, that means the analysis layer has nothing to analyze. So how can I monitor that?
* Can I upgrade the system just by changing the license? Will the proposed solution limit us at some point so that it will need to be replaced as a whole? This is usually true with a SIEM that is delivered as an appliance.
* Does the license limit me in any way as to how many different sources I can collect?
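Simo's first point (events must be normalized, and a source upgrade that changes the log format breaks that) and his question about monitoring the collection layer go together, so here is one added Python example covering both. It is not code from the post or from any SIEM: two constructed raw formats, an OpenSSH syslog line and a Windows Security logon event forwarded as JSON, are mapped into one common schema so a single "failed logon" rule works across both; a third constructed line imitates the same sshd source after a switch to RFC 5424 framing, which the old parser no longer matches. Instead of being dropped silently it is counted as unparsed, a number worth alerting on because a rising count means the analysis layer is quietly going blind. The common-schema field names and the sample hosts, users and IPs are this example's own assumptions; the Windows field names follow Event IDs 4624/4625.

```python
"""
Added example (not from the post): normalize two constructed log formats into
one schema, run one rule across both, and count what failed to parse instead
of dropping it.
"""
import json
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NormEvent:
    source: str      # which parser produced it
    outcome: str     # "failure" or "success"
    user: str
    src_ip: str
    host: str


# Classic BSD-syslog sshd line, e.g.
# "Jun 10 10:00:01 bastion sshd[2241]: Failed password for invalid user admin from 203.0.113.5 port 4222 ssh2"
SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_sshd(line: str) -> Optional[NormEvent]:
    m = SSHD_RE.match(line)
    if not m:
        return None
    outcome = "failure" if m["outcome"] == "Failed" else "success"
    return NormEvent("sshd", outcome, m["user"], m["ip"], m["host"])


def parse_windows_logon(line: str) -> Optional[NormEvent]:
    """Windows Security event forwarded as JSON; 4625 = failed logon, 4624 = successful logon."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if rec.get("Channel") != "Security" or rec.get("EventID") not in (4624, 4625):
        return None
    outcome = "failure" if rec["EventID"] == 4625 else "success"
    return NormEvent("windows", outcome, rec.get("TargetUserName", "?"),
                     rec.get("IpAddress", "?"), rec.get("Computer", "?"))


PARSERS = (parse_sshd, parse_windows_logon)


def normalize(lines: List[str]) -> Tuple[List[NormEvent], Counter]:
    events, stats = [], Counter()
    for line in lines:
        for parser in PARSERS:
            ev = parser(line)
            if ev is not None:
                events.append(ev)
                stats[ev.source] += 1
                break
        else:
            stats["unparsed"] += 1   # collection-layer health signal: alert if this climbs
    return events, stats


def failed_logons_by_ip(events: List[NormEvent], threshold: int = 3) -> dict:
    """One rule over the common schema, regardless of which source produced the event."""
    c = Counter(e.src_ip for e in events if e.outcome == "failure")
    return {ip: n for ip, n in c.items() if n >= threshold}


# Constructed sample input: three sshd failures and a Windows 4625 from one IP,
# two successes, and one post-"upgrade" RFC 5424 line the old parser misses.
SAMPLE_LINES = [
    "Jun 10 10:00:01 bastion sshd[2241]: Failed password for invalid user admin from 203.0.113.5 port 4222 ssh2",
    "Jun 10 10:00:04 bastion sshd[2241]: Failed password for root from 203.0.113.5 port 4223 ssh2",
    "Jun 10 10:00:09 bastion sshd[2244]: Failed password for invalid user test from 203.0.113.5 port 4225 ssh2",
    "Jun 10 10:02:30 bastion sshd[2250]: Accepted publickey for alice from 192.0.2.10 port 50112 ssh2",
    json.dumps({"Channel": "Security", "EventID": 4625, "Computer": "DC01.corp.example",
                "TargetUserName": "admin", "IpAddress": "203.0.113.5", "LogonType": 3}),
    json.dumps({"Channel": "Security", "EventID": 4624, "Computer": "DC01.corp.example",
                "TargetUserName": "alice", "IpAddress": "192.0.2.10", "LogonType": 10}),
    "<86>1 2020-06-10T10:05:00Z bastion sshd 2260 - - Failed password for invalid user admin from 203.0.113.5 port 4230 ssh2",
]


def run(lines: List[str] = SAMPLE_LINES):
    events, stats = normalize(lines)
    return events, stats, failed_logons_by_ip(events)


if __name__ == "__main__":
    events, stats, hits = run()
    print(dict(stats))   # parse counts per source, plus "unparsed"
    print(hits)          # IPs over the failed-logon threshold across both sources
```

The rule reaches its threshold only because the Windows failure and the sshd failures land in the same schema; the unparsed counter is the thing to graph and alert on, since a format change at the source otherwise looks exactly like the attacks stopping.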
Nurit Sherman
Content Specialist
IT Central Station
There are so many SIEM solutions out there and so much vendor hype in the market. Conducting an effective trial is really important! A number of community members are currently evaluating solutions. Do you have any advice for them about the best way to conduct a trial or POC? How do you conduct a trial effectively? Are there any mistakes to avoid?
Gary Kennedy
1. Understand your environment: segments, microsegments, etc. Know where everything is.
2. Understand what you're trying to do: why are you monitoring? Regulations? Compliance?
3. Understand your retention requirements: storage cost!!! You're capturing events per minute, and it gets expensive.
4. Understand how you want to use the SIEM: is it part of your SOC or NOC? How will your security analysts use it? Will it be monitored 24/7? Have a game plan on who does what with alerts.
5. There are two basic ways you will pay for it: either by the amount of traffic, or by the number of employees in the company. Splunk uses the amount of traffic across the wire; Exabeam is by number of employees.
6. Should you use VMs or buy hardware? Hardware is cheaper in the short run, but in the long run VMs are cheaper and more versatile with storage.
7. Do you have C-level buy-in? This will cost, so if you don't have that level of buy-in you will not get what you want.
8. Narrow your choices down to three vendors/solutions and ask each to do a pilot program with no promise to purchase, for 90 days if possible, shorter if needed. This will give you an idea of the amount of data you will be monitoring and give you a better idea of the cost. Set each solution on a different subnet of the network and then review the success or failure of the solution with those that have to use it. Don't forget to get management to give their two cents' worth. They will give you honest feedback on reports required, etc. Also, include your auditing department to make sure the solutions will meet their requirements.
9. After the test, evaluate the solutions with the same criteria for each: make a list of requirements and grade them all with the same criteria.
10. Check the cost against what you can afford, and remember, the cost will go up 10-20% each year because newer technology will give you more visibility into the network.
11. After running the system for a year, re-evaluate the solution: did it do what you thought it would? Does it meet your needs? Do you need to enhance it (buy more modules), etc., or do you need more training?
reviewer813081
I agree with Chris and would like to elaborate even more. Understanding your own use cases before the POC is key to then generating the test cases you would like to evaluate.
1) What data sources are required to collect from to support this use case? Does the SIEM support collecting from these data sources? Does the SIEM only present raw log data or generate additional contextual information from these data sources?
2) What built-in analytics are available in the SIEM to support my use cases leveraging these data sources? How easily can I customize the analytics aligned to my specific needs or environmental/organizational nuances?
3) How easy is it to interpret results and to differentiate them from other observations/alarms generated by the SIEM?
4) How actionable are results? Meaning, how quick/easy is it to advance the investigation to the next step? How easy is it to pivot on search results and/or look up additional contextual data (what is the reputation of the external IP? What is the role of the host and its vulnerability state? Who is the user? etc.)
5) What guidance/capabilities does the SIEM have to lead or even automate steps of the investigative process for my use case?
6) How can I perform a retrospective on how the use case was fulfilled? Does the SIEM capture the details of the investigative process to be able to self-assess and improve?
Siddhant Mishra
Hi Rhea, when it comes to evaluating a SIEM solution, there is a bit of research and evaluation required from the customer or your end as well. This mostly includes answering questions like: What is the business objective that you want the SIEM to fulfill? Is it compliance? Or threat hunting? Do you have enough resources to man the SIEM? And many more. There are a few things that you need to evaluate on your end before going all out on vendors as to what their solution is capable of. Here are some resources that will help you plan or evaluate a SIEM vendor in the most effective manner and help you answer the why, what and how for your SIEM deployment:
- How much does a SIEM cost: https://dnif.it/siem/blog/how-much-does-siem-cost.html
- Why you need a next-gen SIEM: https://dnif.it/resources/why-you-need-a-next-gen-siem.html