Security Information and Event Management (SIEM) Forum

Miriam Tover
Content Specialist
IT Central Station
Sep 03 2019
There's a lot of vendor hype about SIEM solutions. SIEMs are not something you just install and wait for great things to happen, right? What questions should someone ask before purchasing a SIEM? Help your peers ask the right questions so that they'll make the best decision.
reviewer1057374
Some areas and questions for evaluating a SIEM solution. These are some common things that come up from customers that we deal with, but there can also be a lot of others based on specific business needs. It helps if they have a clear objective of what it is you are wanting. So review questions like the following:
* Is it just logs from a select few systems or all systems like servers, databases, applications, and desktops?
* Are all the users and systems internal, or are they also mobile and could be working from home or over the Internet from a café?
* What operating systems need to be covered, i.e. Windows, Linux, Solaris, Mac OSX, etc.?
* Do you want to collect syslogs from other devices like firewalls, routers, switches, wireless APs, etc.?
* There can be some discussions on Agents vs Agentless, so there can be discussions on the pros and cons of these needs.
* Do you have compliance issues they need to manage, i.e. PCI DSS, ISO27001, HIPAA, etc.?
* What is it that you are wanting from the SIEM in reporting? There can be a lot of options on static reports, dynamic dashboards, PDF reports, correlation of log data with other systems like ticketing systems.
* Do you want to run a SOC or just get reports if and when they want to look at something? Do you have the resources to monitor things, or do you need to also work with an MSSP?
* What sort of alerting and threshold reporting do you want to get?
* Do you have complex network segments with multiple zones to collect and aggregate logs that they need to centralize to keep the logs away from the systems generating them and away from potential hackers?
* In general, for those that are starting out for the first time, just stick to the core critical systems and collect logs from those systems until you understand more of what you are wanting to do with SIEM collection and reporting. This helps to keep the project scope more controlled and confined so it's easier to manage.
As you learn more, then you can grow the scope later on. Once you have a clearer idea of what you are wanting, then it's looking to the vendors to download the software and see how well it works in your environment.
* How easy was it to get an eval license? Did the sales and presales support help you get going quickly?
* How easily and quickly can you install the software and start to collect logs and then start to get some reports and visualizations on the data?
* How easy was it to identify problems and security issues, and what sort of value is that to the business?
* How easy is it to roll out? Many large corporate environments can have complex change control processes; can the software easily fit within these processes?
* Cost is always a component of any solution, so how well does it scale for your business? Does it have known costs, or are there variable costs like per GB of storage, which often bites customers as there is always more data than you expect?
* How well can the solution scale out to hundreds or 10s of thousands of systems as the business needs change or the business grows?
* Can upgrades and license changes be done with minimal effort?
* What are the futures of the company? Do they invest in R&D to keep enhancing the product, as there is always something new to do or an OS version to support?
* How well does the vendor do support? Do they do internet only, or do they allow you to talk to a real person that can understand you?
* Does the vendor play nicely with others? Almost all customers have a mixed environment, so being able to integrate and work with other SIEM vendors always helps.
So having a clearer understanding of what they are wanting makes it easier to see "yes, this was a success" or "no, this was a failure and did not meet the business objectives". Some use a scoring system in a spreadsheet to rank various areas on a scale of 1-10, with 1 being poor and 10 meets all needs. By doing this in a matrix it often helps to sort the good and bad more easily, and the good from the very good, as part of the review process. So having a bit of structure to the evaluation process helps with finding the right fit for the business.
Rainier Varilla
Discovery questions you should ask any SIEM vendor:
- Would you like more insight into what's going on in your network?
- Are your security-related compliance efforts manual and time-consuming?
- Would you know if an advanced threat went after your customer data or employee data before it was too late?
- Do you feel confident you're protected against stealthy, long-term attacks that use social engineering tactics?
- Can you detect all the threats and risks taking place across mobile computing, social networks, and cloud environments?
- Do you find it difficult to keep up with constantly evolving threats, using limited staff and budget?
- Do you have a clear sense of what the risks are, associated with any vulnerabilities in your network, so you can build a prioritized plan for addressing the vulnerabilities?
- Are there any devices you've recently added or network changes you've made that impact your ability to ensure security and demonstrate compliance?
- Old ways of protecting networks can't keep up, and many organizations are looking for help in improving their security and risk posture. Is this a priority you are considering today?
Simo Sim
That is correct, you don't just install it and that is it. There is quite some work to do after installation:
* You need to get events into the system; they need to be normalized. This is dependent upon the vendor and how they offer support for it. Again, this is also important where there is a version upgrade of the source device where log types change.
* You need to configure correlation content and tune it to fit your environment: remove false positives, add assets to the SIEM and so on.
* Monitor the system for what kind of alerts are generated.
* Keep the system up to date with vendor-provided updated software.
What questions should someone ask before purchasing a SIEM?
* Do you have an existing library of use cases?
* What kind of content is available?
* Is this content updated regularly?
* What kind of event sources do you support?
* What if I need to add a custom application?
* What is your license model? If I have a surge, will the system accept it? Will anything be throttled as a result of license violation?
* How can I monitor for the availability of elements within the system? Usually the collection layer and analysis/storage layer are separate; if the collection layer does not work, that means the analysis layer has nothing to analyze. So how can I monitor that?
* Can I upgrade the system just by changing the license? Will the proposed solution limit us at some point so that it will need to be replaced as a whole? This is usually true with a SIEM that is delivered as an appliance.
* Does the license limit me in any way as to how many different sources I can collect?
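The collection-layer availability and license-surge questions above can be turned into a concrete check like the following. This is an added example, not code from the thread or from any SIEM vendor: it parses a constructed sample of collected events, flags sources that have breached a per-source expected reporting gap (including policy sources that never reported at all), and lists the seconds in which volume exceeded a licensed EPS. The EXPECTED_GAP policy, the sample lines and the reference time NOW are all assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Per-source maximum expected silence. Assumption: set from each source's
# normal chattiness; these are not values from the thread.
EXPECTED_GAP = {
    "fw-edge-01": timedelta(minutes=1),
    "dc-01": timedelta(minutes=5),
    "app-billing": timedelta(minutes=30),
    "wap-lobby": timedelta(hours=1),
}

# Constructed sample of what the collection layer received, one event per
# line: "<ISO-8601 UTC timestamp> <source> <message>".
SAMPLE_LINES = """\
2019-09-03T10:00:00Z fw-edge-01 ACCEPT tcp 10.0.0.5:51234 -> 10.0.1.9:443
2019-09-03T10:00:00Z fw-edge-01 DROP tcp 10.0.0.7:40000 -> 10.0.1.9:22
2019-09-03T10:00:02Z dc-01 EventID=4624 user=alice
2019-09-03T10:00:03Z fw-edge-01 ACCEPT udp 10.0.0.5:5353 -> 224.0.0.251:5353
2019-09-03T10:04:30Z dc-01 EventID=4634 user=alice
2019-09-03T10:09:00Z fw-edge-01 ACCEPT tcp 10.0.0.8:55000 -> 10.0.1.9:443
""".splitlines()

NOW = datetime(2019, 9, 3, 10, 10, tzinfo=timezone.utc)  # constructed check time


def parse_events(lines):
    """Return (timestamp, source) pairs; lines that do not parse are skipped."""
    events = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append((ts.replace(tzinfo=timezone.utc), parts[1]))
    return events


def silent_sources(events, expected_gap, now):
    """Map each source that breached its expected gap to seconds of silence;
    a policy source that never sent anything maps to None (a dead collector
    looks exactly like a quiet network unless you check for it)."""
    last_seen = {}
    for ts, src in events:
        if src not in last_seen or ts > last_seen[src]:
            last_seen[src] = ts
    silent = {}
    for src, max_gap in expected_gap.items():
        if src not in last_seen:
            silent[src] = None
        elif now - last_seen[src] > max_gap:
            silent[src] = (now - last_seen[src]).total_seconds()
    return silent


def seconds_over_license(events, licensed_eps):
    """Return the one-second buckets whose event count exceeds the licensed EPS."""
    per_second = Counter(ts.replace(microsecond=0) for ts, _ in events)
    return sorted(ts for ts, n in per_second.items() if n > licensed_eps)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    print(silent_sources(evs, EXPECTED_GAP, NOW), seconds_over_license(evs, 1))
```

Run on the sample, dc-01 shows up as 330 s silent and the two application/AP sources as never reported, while fw-edge-01, last seen exactly one minute ago, stays within policy.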
Nurit Sherman
Content Specialist
IT Central Station
Aug 23 2019
There are so many SIEM solutions out there and so much vendor hype in the market. Conducting an effective trial is really important! A number of community members are currently evaluating solutions. Do you have any advice for them about the best way to conduct a trial or POC? How do you conduct a trial effectively? Are there any mistakes to avoid?
reviewer813081
I agree with Chris and would like to elaborate even more. Understanding your own use cases before the POC is key to then generating the test cases you would like to evaluate.
1) What data sources are required to collect from to support this use case? Does the SIEM support collecting from these data sources? Does the SIEM only present raw log data or generate additional contextual information from these data sources?
2) What built-in analytics are available in the SIEM to support my use cases leveraging these data sources? How easily can I customize the analytics aligned to my specific needs or environmental/organizational nuances?
3) How easy is it to interpret results and to differentiate from other observations/alarms generated by the SIEM?
4) How actionable are results? Meaning, how quick/easy is it to advance the investigation to the next step? How easy is it to pivot on search results and/or look up additional contextual data (what is the reputation of the external IP? what is the role of the host and its vulnerability state? who is the user? etc.)?
5) What guidance/capabilities does the SIEM have to lead or even automate steps of the investigative process for my use case?
6) How can I perform a retrospective on how the use case was fulfilled? Does the SIEM capture the details of the investigative process to be able to self-assess and improve?
Gary Kennedy
1. Understand your environment: segments, microsegments, etc. Know where everything is.
2. Understand what you're trying to do: Why are you monitoring? Regulations? Compliance?
3. Understand your retention requirements: Storage cost!!! You're capturing events per minute, and it gets expensive.
4. Understand how you want to use the SIEM: Is it part of your SOC or NOC? How will your Security Analyst use it? Will it be monitored 24/7? Have a game plan on who and what to do with alerts.
5. There are two basic ways you will pay for it: either by the amount of traffic, or by the # of employees in the company. Splunk uses the amount of traffic across the wire; Exabeam is by # of employees.
6. Should you use VMs or buy hardware? Hardware is cheaper in the short run, but in the long run, VMs are cheaper and more versatile with storage.
7. Do you have C-level buy-in? This will cost, so if you don't have that level of buy-in you will not get what you want.
8. Narrow your choices down to three vendors/solutions and ask each to do a pilot program with no promise to purchase, for 90 days if possible, shorter if needed. This will give you an idea of the amount of data you will be monitoring and give you a better idea of the cost. Set each solution on a different subnet of the network and then review the success or failure of the solution with those that have to use it. Don't forget to get management to give their two cents' worth. They will give you honest feedback on reports required, etc. Also, include your Auditing Dept. to make sure the solutions will meet their requirements.
9. After the test, evaluate the solution with the same criteria for each solution: make a list of requirements and grade them all with the same criteria.
10. Check the cost against what you can afford, and remember, the cost will go up 10-20% each year because the newer technology will give you more visibility into the network.
11. After running the system for a year, re-evaluate the solution: Did it do what you thought it would? Does it meet your needs? Do you need to enhance it (buy more modules), etc., or do you need more training?
Siddhant Mishra
Hi Rhea, when it comes to evaluating a SIEM solution, there is a bit of research and evaluation required from the customer or your end as well. These mostly include answering questions like: What is the business objective that you want the SIEM to fulfill? Is it compliance, or threat hunting? Do you have enough resources to man the SIEM? And many more... There are a few things that you need to evaluate on your end before going all out on vendors as to what their solution is capable of. Here are some resources that will help you plan or evaluate a SIEM vendor in the most effective manner and help you answer the Why, What and How for your SIEM deployment:
- How much does a SIEM cost: https://dnif.it/siem/blog/how-much-does-siem-cost.html
- Why you need a next gen SIEM: https://dnif.it/resources/why-you-need-a-next-gen-siem.html
Miriam Tover
Content Specialist
IT Central Station
Aug 20 2019
SIEM is one of the fastest trending topics on IT Central Station. Why do companies need to purchase SIEM? Is it due to compliance reporting, system monitoring, intrusion detection, or something else? Why is it so important? Thanks for helping your peers cut through vendor hype and make the right decision.
Sofiane Medhkour
SIEM provides real-time analysis of security alerts generated by applications and network hardware. It's important as it'll be the centralized point where to get security event reports for all the infrastructure and the place where to take the first action. You can buy it as software (there are a lot of solutions), but you need a security analyst to follow it, or you can buy it as a service.
Reviewer5570
SIEM is needed for compliance reporting, system monitoring, intrusion detection, and something else. Based on my knowledge and experience in this area, I will list the drivers for purchasing a SIEM based on priority as follows:
1. Monitoring different types of cybersecurity hacking attempts from outsiders and insiders.
2. Early detection of security hacking attempts and, as a result, a prompt response is initiated.
3. Testing the effectiveness of all types of security controls in place such as network firewalls, IPSs, WAF, AV, DLP, etc.
4. Visibility of all layers of traffic on different network segments.
5. Reporting non-compliance issues.
6. Early detection of existing vulnerabilities in systems.
7. Security intelligence from the SIEM vendor and other vendors in the network, because logs are correlated into the SIEM.
8. Helping business people and improving quality assurance effectiveness by building customized rules on the received logs.
9. Others such as log retention, log management, and forensics.
Jacob Hinkle
A SIEM is a tool which sorts logs and alerts on security-related events, customizable for a business's needs and regulatory compliance requirements. Many certifications like ISO 27001 and SOC 2 require that there be active monitoring of networks and computer systems to ensure data confidentiality, integrity, and availability. A good SIEM will update itself with new signatures and behavioral patterns to be able to identify malicious activities and behaviors or threat actors by collating logs from various devices and endpoints on your network. A SIEM can augment and enhance the work done by security analysts in identifying problems and prevent costly, damaging attacks like ransomware outbreaks, theft of intellectual property or financial fraud. They also have the benefit of being online 24/7, where a staff of at least three analysts would be needed to achieve the same coverage. Though a SIEM is primarily designed to catch security-related events, they can also be customized to monitor applications such as SQL or financial software and alert on specific events such as disks being full, RAM usage or network outages.
Ariel Lindenfeld
Sr. Director of Community
IT Central Station
May 03 2019
One of our community members wrote that what's important is "compatibility with diverse sources, including the ability to adapt to unknown ones, performance, and the ability to do multi-level correlation." What do you think? See other excellent answers below. Let the community know what you think. Share your opinions now!
Michael SCHLEICH
Based on my experience with SIEM (7 years I worked with ArcSight on a daily basis), I would say that there are 3 main points.
1) Objectives: What would you like to do with the SIEM? What do you have to achieve? This is very important. If you just need a solution to manage your logs and make searches for incident investigation, I will use Splunk. If you need to build security monitoring use cases with automatic notification, I will use ArcSight or QRadar.
2) Perimeter to monitor: What is the size of the infra to monitor? How many AD users? How many logs per day? Which logs to collect? How many different vendors or log types? If you have a big environment to monitor, you have no other choice than ArcSight. If it is less, QRadar could be used.
3) Security Team: Who will work with the SIEM? This is highly critical because if you don't have a dedicated team with specific skills, I will not recommend ArcSight because it is very complex and custom use is not documented enough. You need an expert on site to be able to use this tool correctly and efficiently to increase usefulness. QRadar is less complex, but for sure it will be less flexible.
If you want to use another SIEM solution or open source, you need to answer first the 3 above points. Then you need to check if the solution is able to collect, process, parse and categorize the logs you have to choose for your use cases. You have to verify how to build correlation and what the limits are. You have to check if you can build automatic notification. You have to check the evolution: what will be the new features? You have to ask for the roadmap. You shouldn't choose something that won't be developed anymore. It takes a lot of resources and time to build a SOC using a SIEM and to configure the SIEM infra completely. It is wrong to say that you can migrate easily to another solution. Completely wrong. The last point: you need to verify the documentation and the support. Very important for bugs, issues or important missing features.
I hope this answer will help you. You can contact me if you have a precise question.
it_user331212
Real-time threat analysis and reporting capabilities.
Siddhant Mishra
When it comes to "features to look for in a SIEM", the answer is not simple and straightforward; as the saying goes, "one size fits all" doesn't work in this case. Many infosec experts would argue that when it comes to security implementations, having a SIEM in place is the only way to go. That's because a traditional SIEM, without fail, significantly increases visibility into vulnerabilities. However, these platforms still struggle with collecting and correlating logs in siloed data stores (the various security point solutions throughout the enterprise), which is overkill when it comes to providing enterprise-wide insight to security teams. Here are some resources that you might explore to better evaluate as per your cybersecurity requirements:
> Ebook - Why you need a next-gen SIEM - http://bit.ly/2UZxwHn
> Blog - How to make the most of your next-gen SIEM - http://bit.ly/2UTzcC8
Chris Poorte
Computer & Network Systems Administrator at an aerospace/defense firm with 1,001-5,000 employees
My organization has one last piece to the puzzle in our completion for NIST 800-171 compliance. I know nothing about Network Security and Event Management. I have a team of two Systems and Network Admins that already spend a lot of time ensuring the organization is running smoothly, dealing with any technical issues, and ensuring the infrastructure is performing well. What solution is recommended for something that can automate and run with little to no interaction, but ensure the requirements and needs are met? Is there a solution that does not require heavy configuration, one that can give you an overview of the network and tell you exactly what is going on inside the network, and if needed any penetration alerts, if they exist?
David Burton
There are many good SIEM products on the market today. Our company evaluated several SIEM products: LogRhythm, Splunk, AlienVault, Fortinet, and EventTracker. They all are great products. We settled on EventTracker and purchase the licenses through a 3rd party, because these companies have internal teams of trained security analysts. They take on the heavy lifting of reviewing alerts, threat analysis, etc. The required manpower is a critical piece when evaluating SIEMs.
Perry Jurancich
As David mentioned above, there are many good SIEM products available. The challenge, in the environment as described, is getting the value out of it if you run it yourself. There is a lot of overhead when it comes to running a SIEM, especially for the uninitiated and non-cyber-minded folks. This question is interesting because I had this very conversation with a customer yesterday. My company provides consulting services to myriad companies around the world. Under 800-171 section 3.3 (800-53r4 AU controls), you have to demonstrate you retain logs for your cybersecurity environment (3.3.1), review logs on a regular basis (3.3.3), have the ability to 'audit' the logs (3.3.5) and alert on events (AU-6). IMHO, for an organization that has limited staff and time, a hosted version of SIEM services is best. Not just a hosted SIEM, but one with an AI/ML behavioral analysis processing engine and 24x7 'eyes on glass' (not just automated systems monitoring) certified cybersecurity analysts to evaluate all alerts, then only advising the company of an issue to be addressed. It totally takes the heavy lifting off of any company, with the benefit of (in effect) staff augmentation. Bringing a SIEM in-house for small organizations is a challenge at best, a recipe for failure at worst, plus it may not meet 800-171 requirements. TIG ThreatWatch, Arctic Wolf SOCaaS and SecureWorks are a few in the space. Be careful: make sure you have full access to your data, the ability to run reports to generate artifacts for audits and live alerts, and that you only plug security devices into the monitoring for 800-171 requirements. Be sure to use one that doesn't cost you by volume of logs; it should be by log source, regardless of volume. Best of luck!
itsecuri350985
I have been working with SIEM technology for more than 10 years. LogRhythm no doubt is one of the best for a small to mid-size company.