2014-08-13 11:10:00 UTC

What are the must-haves for a SIEM solution?


Can you name a few based on the Solutions you have used?

Guest
88 Answers

User

- Organisation of the company
- Leadership commitment
- Enough money to get the full system
- The right choice
- Quality teaching
- Enough time to start a production plant
- The commitment of the owners of the systems involved
- Lots of work from developers

2020-01-27 08:37:21 UTC
Consultant

An integrated solution that can help prevent, detect, prioritise, deep dive investigate and remediate incidents.

2016-03-11 11:36:48 UTC
Vendor

Hi,

From my point of view these are the top must-haves for any SIEM:
1. log correlation that actually works :)
2. detection of anomalies in network traffic
3. good prioritization of alerts (automatic rejection of irrelevant ones; good baselining capabilities are a prerequisite for this)
4. good and easy event drill-down capabilities (by easy I mean simply clicking, not writing a new regex or query :) )

br,
Danilo

2014-08-24 20:46:50 UTC
Vendor

Well, from a solution perspective one can have as many ... I wanted to draw attention to business scope and requirements, and then see what product fits in and what one wants from a SIEM. Must-haves depend on what an org wants, but a baseline looks like this:

1. Which devices will you collect events from? IT infra, complete
2. Which events will you collect? Types of events like access, auth, activity
3. How long will you keep the logs? Retention time based on the regulation it is bound to
4. Where will you store the logs? Storage like arrays, depending on the volume
5. What type of reports and dashboards to get
6. Risk profiling and threat intelligence scorecard, RAG-type detailing, charting
7. Live event activity and APTs (so-called zero-days) hit, with forensic capabilities to deep dive

2014-08-13 14:29:46 UTC
Top 20 Reseller

→ What are the must-haves for a SIEM solution? I think, to the point of Vikas, it is important to determine the size and scope of the device; however, the question was based on must-haves, so if I were to answer the question it would be the following:
• Monitor S, J, N flows of the network (network anomaly detection)
• High-speed data correlation from multiple devices and sources (data correlation)
• Provide suggestions or point to the root cause (intelligent)
• Provide historical analysis to determine fluctuations and differences in traffic patterns (baselining)
• Real-time charting with reporting features that can be exported to other graphical solutions (reporting)
• Provide threat analysis tools and threat detection using centralized global analysis (threats are sent to a central processing center where they are analyzed for future updates if it is considered a zero-day attack) (future-proofing the solution and threat analysis)
• Interfaces with the existing equipment, where the SIEM acts as a brain to thwart attacks: it works directly with IPS, NAC, HIDS, NIDS and AV, where the threats are sent to a correlation engine and the engine ranks the severity of the threat to perform an action of some sort on a device (the session is sent to a honeypot instead of production) (NAC communication).

→ A few that I have used?
• Enterasys NetSight Atlas (now Extreme Networks)
• IBM QRadar
• McAfee Nitro
• Sourcefire/Snort
• Security Onion (open source)
• Splunk

Todd

2014-08-13 13:49:36 UTC
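As an added example (not code from any of the answers above), here is a toy version of what Danilo's and Todd's lists describe: correlating normalised events from two sources, using a per-host baseline to reject routine failure volume, and ranking what remains by priority with a drill-down handle back to the raw events. All events, IPs and the baseline are constructed sample data, not real logs.

```python
from collections import defaultdict

# Constructed baseline (not real data): failed logins per source IP on a normal day.
# 10.0.0.9 is a monitoring host whose scripted login fails routinely.
HISTORY_FAILS = {"10.0.0.5": 2, "10.0.0.9": 40}

def ev(ts, source, type_, ip, user=None):
    return {"ts": ts, "source": source, "type": type_, "ip": ip, "user": user}

# Constructed events from two sources (firewall "fw" and auth server "auth"),
# already normalised to one schema as a SIEM collector would do.
EVENTS = [ev(1, "fw", "deny", "203.0.113.7")]
EVENTS += [ev(t, "auth", "login_fail", "203.0.113.7", "alice") for t in range(2, 7)]
EVENTS += [ev(7, "auth", "login_success", "203.0.113.7", "alice")]
EVENTS += [ev(t, "auth", "login_fail", "198.51.100.4", "bob") for t in range(8, 12)]
EVENTS += [ev(t, "auth", "login_fail", "10.0.0.9", "svc_mon") for t in range(12, 57)]
EVENTS += [ev(57, "auth", "login_fail", "10.0.0.5", "carol")]

def correlate(events, history, fail_threshold=5, baseline_factor=3):
    """Correlate events per source IP, suppress volumes within that host's
    baseline, and return alerts sorted highest priority first (1 = most urgent)."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["type"] == "login_fail"]
        # Baselining: only flag volume that exceeds this host's normal failure count.
        anomalous = len(fails) > baseline_factor * max(history.get(ip, 0), 1)
        # Correlation: a burst of failures followed by a success from the same IP.
        burst_then_success = len(fails) >= fail_threshold and any(
            e["type"] == "login_success" and e["ts"] > fails[-1]["ts"] for e in evs)
        if burst_then_success:
            priority, rule = 1, "failed-login burst followed by successful login"
        elif anomalous:
            priority, rule = 2, "failed-login volume above baseline"
        else:
            continue  # within baseline: rejected as noise, no analyst time spent
        alerts.append({
            "ip": ip, "priority": priority, "rule": rule,
            "sources": sorted({e["source"] for e in evs}),  # cross-device context
            "events": [e["ts"] for e in evs],                # drill-down handle
        })
    return sorted(alerts, key=lambda a: a["priority"])

if __name__ == "__main__":
    for a in correlate(EVENTS, HISTORY_FAILS):
        print(a["priority"], a["ip"], a["rule"], a["sources"], a["events"])
```

The 45 failures from 10.0.0.9 never reach an analyst because they sit within that host's baseline, while the five failures from 203.0.113.7 are promoted above a plain volume alert because a success followed them and the firewall saw the same address.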
Vendor

IT infra assessment (HML), EPS log estimation (sizing), compliance triggers, security intelligence and real-time risk profiling

2014-08-13 12:36:39 UTC
Vendor

Before the start of a SIEM, it is very important to set a scope. The scope is the driver behind the SIEM and can be related to compliance, security and operations. It can be a combination of all three and should encompass the entire company. It's highly important to know the driver behind the SIEM. Also, there should be a strategic voice across the company for infosec as a whole. The SIEM market is still growing, and most SIEM projects fail because companies do not know what they need a SIEM for. SIEM is a component of security planning and roadmap. It's important to have in mind: What happened? When did the event happen? Why did it happen? Can we stop it?

2014-08-13 12:25:39 UTC
Top 20 Consultant

RSA envision, Lancope and Splunk

2014-08-13 11:37:46 UTC