What Solution for SIEM is Best To Be NIST 800-171 Compliant?

There are many good SIEM products on the market today. Our company evaluated several SIEM products, LogRhythm, Splunk, AlienVault, Fortinet, and EventTracker. They all are great products. We settled on EventTracker and purchase the licenses through a 3rd party. Because these companies have internal teams of trained security analysts. They take on the heavy lifting of reviewing alerts, threat analysis, etc. The required manpower is a critical piece when evaluating SIEMs.

The best paid-for system is Splunk. However it will get very expensive for larger organizations. Similar in cost is LogRhythm. However a less expensive, but still paid for solution would be Alien Vault. If you are looking for an open source solution either LOGalyze or Graylog2 would be the way I would go. That said, all of them will take some configuration knowledge. Professional services would be required and training on the tools. If I were in your situation I would invest in an additional resource that has a knowledge in Cyber Threat Intelligence and Security Concentration. Pro Serve is expensive and ongoing training, though required is also not inexpensive. Having a resource in house as a knowledge base is well worth the spend.

Chris, you need to understand three areas where you will be required to work to achieve what you are looking for

1. Rule set that correlate events for define compliance purpose ( most of the SIEM solution provide these rules out-of-the-box)

2. log source integration ( this is not tricky unless there are custom log sources. , you just need to follow particular SIEM vendor log source integration guide. for custom log sources you are required to write a parser and define right mapping of events ( require in-depth understanding) )

3. Configuring log sources to generate and ship required logs to SIEM ( This part is bit tricky as you first need to figure out what type of events are required to identify a particular situation. and then do configure each log source to log identified events and ship the same to SIEM)

Remember, None of the SIEM product is a plugin solution although IBM qradar is straight forward and come up with quick wins. But it require environment specific configuration even for a single use-case of NIST 800-171 compliance check as in your case. if you are lacking with resources then I suggest you to go for outsourcing model either on-premises or cloud based. In this case it does not matter to you if the SIEm solution configuration are simple or complex. what really matter is the cost and data confidentiality.

Hi, I would suggest list down use case and then select Product.
As you want automation, smart alerting, Behavioral Monitoring, Intrusion Detection, SIEM and Vulnerability Assessment . You can go for ALIEN VAULT.

If not and Budget is the constraint then there are many new tools in market, search for Make in India SIEM.

However, I was also struggling for best suitable tool and found Alien Vault as best product for my environment. We appreciate SumaSOft vendor as well for providing ALIEN VAULT SIEM support.

Gartner Report for SIEM:
www.gartner.com

Please look in to the above link and match your use case and Select.

Regards,
Amey Lakeshri

I have been working with SIEM Technology for more than 10 years. LogRhythm no doubt is one of the best for a small to mid size company.

As David mentioned above, there are many good SIEM products available. The challenge is, in the environment as described, is getting the value out of it if you run it yourself. There is a lot of overhead when it comes to running a SIEM, especially for the uninitiated and non-cyber minded folks.
This question is interesting because I had this very conversation with a customer yesterday. My company provides consulting services to myriad companies around the world.

Under 800-171 section 3.3 (800-53r4 AU controls), you have to demonstrate you retain logs for your cybersecurity environment (3.3.1), review logs on a regular basis (3.3.3), have the ability to 'audit' the logs (3.3.5) and alert events (AU-6).

IMHO, the best solution for an organization that has limited staff and time, a hosted version of SIEM services is best. Not just a hosted SIEM, but have an AI/ML behavioral analysis processing engine with 24x7 'eyes on glass' (not just automated systems monitoring) certified cybersecurity analysts to evaluate all alerts, then only advising the company of an issue to be addressed. It totally takes the heavy lifting off of any company, and the benefit of (in effect) staff augmentation.

Bringing a SIEM in-house for small organizations is a challenge at best, a recipe for failure at worst, plus it may not meet 800-171 requirements. TIG ThreatWatch, ArticWolf SOCaaS and SecureWorks are a few in the space. Be careful, make sure you have full access to your data, ability to run reports to generate artifacts for audits and live alerts and you only plug in security devices into the monitoring for 800-171 requirements. Be sure to use one that doesn't cost you by volume of logs, it should be by log source, regardless of volume.

Best of luck!

this is really good question but i will recommend 1) Splunk 2) LogRhythm 3) Qrader for this case you can use Solar wind this one also give you all the reports.

I will chime in here. Emmanuel is correct. Your question focused on SSIEM, but that is only part of the solution. I have been working within my organization’s security team, as a Security Manager responsible for the overall management of penetration testing and vulnerability assessment and remediation. Having the syslog’s of various systems is just part of the puzzle. You will have to identify what you want to know in order to implement a better posture. DO you want to see what’s going on within the network and systems in order to respond to incidents (Incident response) or do you want to see at what level your systems are in order to prevent attacks (threat management)? I have used AlienVault and it is perfect for an IT department that has too little staff to fully man a Security Operations Center (SOC). AlienVault will create one dashboard, with information ranging from account lockout events, to suspicious activity, threat assessments and even threat intelligence (Think of that last as the rabbit hole, that you will fall into endlessly if you’re not careful). I would get in touch with them to evaluate their product.

I would recomend for ALienVault for this case as its not much difficult to configure and also in maintaning it is easy.

No doubt that almost all SIEM solution will provide in NIST compliance. And everyone probally wants to sell your their perfect out of the box solution or service...

There is much more to it than just this question... what other demands are there from the business besides the nist compliance part (e.g. scalability, performance, architecture requirements) Do you know where your (federal) data resides? What is the scope for your SIEM?

In my experience I saw many vendors LogRhythm, Splunk, Arcsight, Qradar, alienvault etc... but none of them has a real easy set up. It is true that it takes a day or 2 to install but it takes at least a year to make it valuable for the business and to smoothly operate and then off course the continuous effort to keep it up to date.

So soley based on this business case above I will not provide a technical advice or advice for outsourcing. I need more info.

Look at SIEM as a service options before you buy a SIEM. All SIEMS are just log correlation tools. Without resources to operationalize the SIEM. It will quickly become a very expensive logging tool. You will need skilled people to setup alerts and maintain the log parsing. Also make sure whatever SIEMaas solution you choose allows you shared access. Which helps to ensure you are getting what you are paying for from the provider. Buying a SIEM is a big expense both in people and the solution. I talk to clients daily that own SIEM tools that they bought any never fully deployed. Happy to offer client references to attest to how much work is involved in owning a SIEM. If that is your goal and you are set on that path. I would recommend LogRhytm. The SIEM scales based 9n hardware and not EPS (Events Per Second). SIEMS based on EPS licensing can become a budget nightmare if you can't manage your log data effectively.

NIST 800-171- has 15 controls and SIEM will help you achieve some of these controls- which requires lot's of manpower, tuning, and automation. I was part of SIEM evaluation and after finalizing on ArcSight- the entire program failed because of collaboration issues with different business, resources and lack of interest and drive with management.

We evaluated a number of SIEM product as well with a similar goal, easy setup and little interaction required. We found the setup and support for AlienVault to be one that best met our needs

Hi,

Because I’m from The Netherlands I don’t know much about NIST. After scanning the publication (nvlpubs.nist.gov) I think it’s mainly technical focused. In my opinion, AlienVault USM is, therefore, a good out-of-the-box solution. Not much build-it-your-own.

The previous respondents have all given great responses. I’d agree that going for a MSSP service is sensible based on the skills you have in-house. AlertLogic have a good reputation (unsure of their US presence). If you were going to go in-house, AlienVault has a shallow learning curve - but you still need “eys on glass”.

"The required manpower is a critical piece when evaluating SIEMs."

Absolutely. We decided pretty early in in the evaluation process that we weren't going to be able to do it in-house. The sheer amount of information, configuration, and maintenance makes it difficult for any organization that doesn't have a dedicated security team to handle it.

"What solution is recommended for something that can automate and run with little to no interaction, but ensure the requirements and needs are met?"

Short answer: The one you have someone else handle for you.

amongst SIEM solutions marketed by editors, the leading products are Splunk, Qradar both solutions offer a complete NIST compliance. what is the most important to know is to what extent these solutions are able to communicate with other solutions and applications this is mainly what qualifies Qradar as the leader in the SIEM field, since on top of being an IBM product as a guarantee in itself, IBM Qradar has a great list of connectors to third party solutions and finds itself in the heart of a wide portfolio of security products ans solutions. the lask of technical resources is not a problem when adopting a Qradar solution, IBM proposes it in SaaS mode which can be advantageous to multiple customers and for those who are not yet adopting a cloud-based solution they ca still have their own in-premises implementation but managed remotely from Qradar Experts with very attractive monthly fees.

Most respectable SIEM solutions can meet 800-171 requirements. Which SIEM is best is based on what your organization wants out of the SIEM outside of the NIST requirements. If you want to meet the minimum requirements, find the cheapest solution that meets the requirements. If you want a solution that will truly serve as a cybersecurity and operational risk tool, choose one of the leaders in the market.

Hey Chris,

I know I am late to this, but posting for others. Splunk has a prebuilt application specific for satisfying NIST 800-171 requirements. You can check it out here: splunkbase.splunk.com

You don't actually need to purchase Splunk's full SIEM solution (Enterprise Security). The app is free and can be installed on core Splunk with no issues.

Current Status of the SIEM Preparations for PCI Compliance
1
PCI 3.0 Reporting Requirements for PCI
There are numerous reports in the SIEM available for reporting PCI compliance. In the
past, some of these reports were empty when run—that problem has been largely
remediated. Fixing the rest of the empty reports will require handling more the
following:
1. Ensure that all hosts listed as present in the SIEM are continuously reporting,
2. Add the remainder of the edge devices,
3. Add VPN login reports (success/fail) for all access to PROD,
4. Get all DB2 CDE activity monitoring configured,
5. Get all SQL CDE activity monitoring configured, and
6. Add reports from hosts that do malware monitoring/patch updating.
There are SIEM reports that may not really pertain directly to the CDE, as none of these
can access the current configuration of the PROD environment, such as:
1. Wireless access point (WAP) monitoring,
2. Rogue WAP details, and
3. AIE Vendor Authentication Summary.
Daily SIEM Report Recommendations for PCI
The following 12 items from the top list of the SIEM Reports for PCI 3.0 cover the bulk of
the regulatory requirements for daily security compliance monitoring. Each number for
each section has one or two related report items that address confidentiality/integrity.
Section 1-- Proposed Daily Reports for PCI (These may change according to requirements.)
1. Added/disabled accounts,
2. Attacks detected/Top Attackers,
3. Top targeted applications/hosts,
4. Failed application/host access,
5. Malware detected,
6. FIM log summaries, Entity and Log Detail,
7. Privileged AUTH (Administrator/Root/Sudo) use,
8. Object access in the CDE (by Impacted host),
9. Authentication access (fail/success) for Amazon EC2,
10. Authentication access (fail/success) for webservers/webservices,
11. Use of non-encrypted protocols (targets/users), and
12. Security Event Summary (Impacted hosts).
Section 2—Existing PCI Reports in the SIEM (Must have hosts added manually.)

Current Status of the SIEM Preparations for PCI Compliance (DRAFT)

2
 PCI DSS: Account Management Activity,
 PCI DSS: New Account Summary,
 PCI DSS: Attacks Detected,
 PCI-DSS: Top Suspicious Users Summary,
 PCI-DSS: Top Targeted Applications Summary,
 PCI-DSS: Top Targeted Hosts Summary,
 PCI DSS: Failed Application Access,
 PCI DSS: Failed Host Access,
 PCI DSS: Malware Detected,
 PCI DSS: Malware Patching
 PCI-DSS: AIE FIM Activity Summary,
 PCI-DSS: AIE FIM Activity Details,
 PCI DSS: Administrative AUTH Summary,
 PCI-DSS: Privileged Access Granted/Revoked,
 PCI DSS: Object Access In Cardholder Data Environment,
 PCI-DSS: Non-Encrypted Protocol Summary, and
 PCI-DSS: Security Event by Impacted Host Summary.
(Some of the above will need filters added to reduce the ‘garbage’ generated by the W2K3
DCs to Win7/W2K8 AUTH errors, i.e.,RC4 to AES, as well as all the AWS Java errors.)
Automatic Alarms
Email-based reporting alarms are now configured, but for only specific items, as the
remainder of the reporting alarms now existing would overwhelm the email of the
recipient. This is due to the ‘garbage’ mentioned above, including IPv6 traffic that alerts
on firewall rules in Windows GPs, DC encryption mismatches, etc. The remaining alarms
will created as soon as the filtering is successfully implemented.
Automatic Remediation
The SIEM has the capability to do automatic attack response/remediation. Prior to the
implementation of any sort of automated response, testing for false positive reaction(s)
and the potential for self-inflicted DoS must be determined.
User Tracking
The SIEM has the capability to track users activities independently of the Windows DCs
and block specific actions, such as use of temporary storage (USB drives) or read-write
activity on CD-ROM drives. (This requires and added license.)

Splunk is best for most of component like defense and other big industry but we cannot ignore IBM Qrader. this product also very good for this compliance.

Something to keep in mind, the question included the statement: "run with little to no interaction". Forgive me, but a lot of folks seem to skip over that part. It totally leaves out Splunk, LogRhythm, AlienVault (for a security person it would be easy, but for a network guy, may not so much ), etc. but they are ALL time sinks) and will not meet the little or no interaction requirement.
A service meets the requirement - functionality, it meets 800-171 (the right one does), and adds a 24x7 SOC capability that you just don't get trying to keep it internal. I'd be happy to talk through how to eval a service, I've looked at a lot of them and know some "gotcha's" to watch out for.

Here are a few “Trails”.

Background on Security – Protection Information…

* NIST 800-171 provide a detailed list of requirements for Protecting Information in general, with a focus on “Federal” users organization. Translation this such as for: Data encryption; mask, documents security access (e.g. SSO), etc – for Customer and User Information.
* You may review the international ITU-T M.3010, and ITU X.800 related to Security Services requirements
* Am indeed, as NMS Architecture Lead at SES-Networks, to assess our Security practice and Technology Roadmap (based on TMN FCAPS requirements).

Solution Approach:

* Suggest you develop some Specifications to address and define you Target Architecture for Security Mngt (current state, end state; Org-Process-Tools impacts)
* Several Technical Solutions are on the market - re: SIEM (List not exhaustive…):
* Splunk Vendor and ITSI (Splunk Security App; Security Event Mngt – ITSI Notable Event)
* Netcracker Vendor
* Nakina / Nokia Vendor - Security practice
* CMDB / ServiceNow.

Hope it helps you…I would not mind to stay in touch, and share both approaches related to Security Mngt, and Technical Solutions….

-

Hi,

There are several solutions regarding SIEM. QRadar from IBM has a good approach, it is licensed as a log management and for correlation management. Also, you can compare PaloAlto solutions. You can also consider FireEye for complement some security controls mainly regarding your internal network. And finally you can explore Kibana and Elastic Search, this is a good option for big data and for syslog analysis.

1. Splunk meets most of the requirements.

2. Solarwind may have something to give you visibility into the network.

3. Also put a Next-generation firewall like Palo Alto IN-Line where you can see all the traffic transiting, that way you may contain most of the threats and also has visibility.

As for the SIEM solution that can meet expectations I can recommend solution form IBM.
IBM QRADAR SIEM is very easy to install and maintain and requires little knowledge of maintenance and operation.
It combines LOGS and Flows on one platform and correlates it with very powerful correlation engine.
Also comes with more than 1500 reports NIST is one of them.
With the training of 2-3 days, they can operate it very easy and with confidence.

I am working in the IS Department of a bank. Recently I developed the SOC at our bank and using the Splunk Enterprise Solution. Some detail about the SIEM Solution:

It is the diagnostic tool and with the help of this tool, you and your team are able to provide detail of network/ systems traffic to your Network and Systems Team. Splunk has its own language and if you like to learn about the SIEM Solution then I recommend you to use this one. Because that software on which you need to perform programming to get required results it teaches you many things. When you use that you also able to learn about the Network Security techniques as well as the options or parameters that you need to configure on Servers and network equipment.

If you did not have any SIEM Solutions deployed then download the enterprise solution of Splunk and implement all those things you feel to be available in the security of the organization. The important thing and you have to do before deploying the SIEM solution is to design the policies which will help your organization for safety.

If you need further detail you can coordinate with me.

Hi,

Based on the organization size, and the number of 2 network & security admins, the SIEM alone will not help to have a proper defense or meeting any compliance. It is easy to suggest a name for SIEM vendor, many of them ready or shipped they products for such compliance, but as an opinion, what you need now is to build a SOC (Security Operations Center) team to handle the huge size of your organization's employees; consequently, number of the incidents.

And for sure the vital element for every SOC is SIEM! One of the solutions; you can outsource the SOC by contracting with any recognized and trusted Managed Security Service Provider.

Here are the requirements of NIST

3. Requirement

a. Access Control

i. You should have the right role-based access and it should be designed in such a way that segregation of duties can be achieved and if there is data breach or mess happen then you can take preventive measure of training program to educate the user/admin

b. Awareness and Training

i. Self-Explanatory, you have to ensure right kind of awareness around this, this is all about non-federal information *Protecting controlled unclassified information”

c. Audit & Accountability

i. TACACS kind of service will help on complete logs and regular review of this information will help you to mitigate any kind of risk

d. Configuration management

i. Under ITSM process you need to define the control version of configuration and whenever there is a change in the environment ensure you have the last best-known config available for roll-back

e. Identification & Authentication

i. This is an extension of Access Control and Audit & Authenticate

ii. You should know your people and their role and what they are intended to do on the system

f. Incident Response

i. How you handle incident when data breach takes place?

g. Maintenance

i. Maintenance of your ecosystem and their impact on the unclassified data

h. Media Protection

i. Media handling process shall help you to ensure continuity of data security and disposal process around this.

i. Personnel Security

i. It is physical security area, I think this can be achieved through organization policy or ISO controls

j. Physical protection

i. Protection of data, personnel, information, etc fall under this again ISO Standard operating procedure shall help you here

k. Risk assessment

i. This is part of InfoSec Risk Assessment to identify what is the open area of improvement and how they will impact the overall organization i.e. penalty when data breach get disclosed from outside world

l. Security assessment

i. Security assessment will help to mitigate the access level, system hardening, system patching, release of new patch es against known/unknown malware, etc etc. this is policy document which ensures that how you are going to handle the security assessment.

m. System and communication protection

i. Security Assessment will identify the gaps and based on which you can think of protecting the area of exposure with specific hardware/software/configuration related control in place

n. System and information integrity

i. This is all about CIA (confidentiality + Integrity + Availability) this can be achieved with role-based access control, system hardening, standard and strong process n policy.

4. Only SIEM will never help you to achieve completely, SIEM is only detection control and you should have prevention/remediation control as well in place. If your information is so critical then you can think of deploying CyberArk (Privileged Access Control) to help with in conjunction with Active Directory

If you need any assistance then you can write to me, I shall be able to you help you with.

I would strongly recommend LogRhythm, you can download NIST kb module for free, which will contain predefined rules, u just need to provide the log sources and enable them.

Almost All popular SIEM tools are NIST complaint. You can decide on anyone of it. but EventTracker has been a choice for many Enterprise grade companies as they make sure (CUI) is gathered as per NIST requirements and (IR) Incident Response is also complaint with NIST standards.

LogRhythm and Splunk

Most popular SIEMs meet the "software" needs of the NIST800-171. You still have to have the process in place to use the SIEM like the NIST's intent. A SIEM is no walk-in-the-park no matter what vendor tells you. You have to tuned it, you have to set up good alerts, you have to have reports and you tune some more. The SIEM has to adjust to changes in the environment. If you have O365 for example for your email, you should have info going into the SIEM, as well.

If you just want to check the box, go find the cheapest thing. That is what I have seen many people do. It is not the right thing. You should get the most out of what you are doing. Like some have stated above , if you cannot run it in-house effectively on a continuous basis, find someone who has a hosted solution and let them do it for you. A SIEM is not trivial and can save your a$$ if an attack occurs.

I would look at a product called Splunk.
It will collect all the logs from every host on the network and collate them into a dashboard that assures compliance and highlights events, security and other potential failures.

Its not so much the solution as the complete offering.  Many companies struggling with supporting the expanding security solutions with limited budget and resources. You will find many SIEM offerings that have a NIST reporting capability however, you need to focus on the support side.

My recommendation is to look for a good Managed SIEM offering. If you don't wish to have any hardware installed, I recommend looking at Cloud-based offering. IBM QRadar can be offered as on Prep and Cloud-based. I work with many of our partners who offer Managed SIEM 24/7. They would only need minimal help from your team to set up. They can tune the SIEM, generate the NIST reports and even deal with all initial threats.

My understanding is SolarWinds LEM is NIST 800-171. As mentioned above, several of these products do a great job, so it comes down to cost and how much time you want to spend on getting it to run and creating dashboards. SolarWinds LEM has a good out of the box Dashboard and you can search for events, so we liked that here. The cost was much lower for our server bank than Splunk and Oracle Vault. If we get pulled into our enterprise, which appears to be using Splunk but I hear that may change, we will show them our dashboard and we or they will build something similar in Splunk.

As it was mentioned by our colleagues here, there is a variety of good SIEM's products. However, I believe your choice may be based on how is your infrastructure and in a well-implemented risk assessment. I can talk a little about of the IBM's Qradar, which is a tool you can accomplish all the NIST 800-171 Requirements. I'm a novice dealing with it, I'm still learning. What I know is that when it's properly configured, setting logs, flows, etc, it can provide you a great view of what is going on in your systems.

Hello I do not know the requirements of NIST 800-171, however for simplicity and alerts of what happens on the network, I recommend considering the solution called Darktrace, at least it has given us that panoramic quickly and easily if I compare it with the implementation of a SIEM and the effort that must be made to be successful.