You can't read about cybersecurity without coming across an article in which the author sings the praises of a SIEM (Security Information and Event Management) setup.
A SIEM is certainly a worthy tool in your cybersecurity arsenal but before you jump into one, you should be aware of a few things. Namely:
- Tools used to monitor network, application, or device security generate a lot of data. A SIEM can cut through the "noise" and surface what matters, but this isn't plug and play; the filtering, correlation and alerting all have to be built and tuned.
- SIEMs are licensed by number of nodes, by events per second (EPS), or by the volume of data indexed per day (GB/day), and you will need a rough figure for each before you can get a meaningful quote.
- You'll need more than one person on the project, or at least a plan and a budget. To scale, you'll either need to manage network security monitoring more efficiently (for example, machine-learning-based anomaly alerting in near real time) or hand part of it to a managed service provider (MSP).
- Nearly every SIEM vendor claims to be the best. Not only is this not objective or helpful in any way, you'll also have to find the setup that works for your particular use case.
- TEST TEST TEST! If they don't let you test, drop them like it's hot!
Finding Worthy Setups
I reviewed 33 viable SIEMs in the market and narrowed the choices down to 5 potential choices. The fact that these finalists were included in Gartner's Magic Quadrant for SIEMs wasn't a major factor, but the research and insight certainly did help.
Here are the products I had sales calls and demos/trials/POCs with (in no particular order):
This was one of my favorite SIEMs to test. The interface was intuitive, it was easy to use (for me anyway, the boss freaked out about the search syntax), and the people were super nice and helpful.
Also, there is a local Splunk group in my area.
This setup actually had me considering being an engineer in this field. No joke.
The problem was the price, as the licensing was based on uncompressed data indexed in GB/day. Way too expensive, so it's unfortunately out of budget. Too bad.
AlienVault was really cool. I enjoyed the demo and had some fun with the OSSIM (open source version) in my home lab.
The blog and documentation were great as well. The people were great. I even got to meet some of their folks a couple years prior to doing this demo at the Security Congress conference I attended.
Unfortunately the pricing wasn't right for this one either. The pricing had different options and was licensed based on the number of unique assets.
I liked the interface and scheduled a demo.
A lot of people had great things to say about this solution.
Unfortunately I had to cancel the demo after the initial call, as our set of approved vendors didn't include this product. An unfortunate skip; I would have loved to have seen more.
This solution is on the Gartner chart, and that's about the only good thing I can unfortunately say, as my interactions with their people were bad.
My experience with the kickoff call was extremely negative. The 2 sales guys on the call refused to get me rolling on a trial/proof of concept until my environment was appropriately sized.
What made this worse was these 2 sales guys were glorified frat boys who couldn't help me appropriately size my environment. This is not a cheap insult, they really were insufferable. There's no way for our organization to appropriately calculate events per second (EPS) without some sort of automation.
When I asked what they could do to help with sizing and pricing information, I got the dumbest response I have ever received, one that I will probably never forget: "We cannot swag together an IT quote for security analytics." Wow, I had never seen "swag" used in this context before.
I've seen better customer service from irritating door-to-door salesmen with pointless products. I was really looking forward to this one so you can imagine my disappointment. This one had to be a hard pass.
Great suite of enterprise products for IT management.
They have a free trial you can just go download and test, with no sales people up front. They will contact you through the trial and link to some useful documentation. Really useful.
Their support is amazing and they offer training and courses regularly, both free and paid. Very cool.
Their pricing is very good and they offer different subscription licensing models for support.
I've got to say, this one really impressed me. I was not expecting such a positive result here. This one was the last one I looked into (out of 7: these 5, Nagios, and SolarWinds LEM).
The only negative thing I can think of is that the out-of-the-box setup is very plain. A TON of configuration is needed to get this thing humming properly.
While not a SIEM so much as a log server, this solution is cheap and popular enough to work in a pinch if SIEMs are off the table (budget-wise).
Their sales and support were phenomenal and they have great training on their product.
Much Needed Capabilities
The goal is to find a SIEM that can do the following really well:
- Data collection
- Seems obvious, but it needs to be able to collect data from a number of different types of sources and pull it together in one searchable interface.
- The SIEM will need to be able to alert when thresholds are exceeded (for example, N failed logons from one source within a short window). Dashboarding and emailing is fine in this respect, as we already have SNMP alerting.
- Data is going to mount up considerably, so it needs to be able to pull similarities out of the data and use statistical analysis to make the information useful (or at least be able to provide pretty pictures to my boss).
- I will constantly have to ask the server guys for more storage, so this solution will need a way to archive data and access historical data easily, even if it needs to be saved or loaded. Metadata will also need to be supported.
Begin a Proof of Concept and Start Testing
We can't go on marketing information alone. We have to get a trial or proof of concept going so we can see how well the products perform in our environment, with our log sources and our data volumes.
I can't spend too much of my time babysitting the SIEM when I have literally everything else to do, so getting a trial key or a proof of concept authorization is critical.
Needs Based on Conversation
- Main focus will be bringing security visibility into IT operations (ITOps) – many network nodes.
- A portion of the data could be regulated data depending on scoping – HIPAA, CJIS, PCI.
- It needs to hook into Office 365.
- It needs to talk to domain controllers.
- The end goal is pretty straightforward, and I alluded to it earlier: I need to be able to reduce the mean time to investigate issues and increase the issue resolution speed. This cannot be a portion of the budget that I have to babysit.
- Have engineer from sales team work with us to get 3 to 5 distinct alert profiles to test use cases.
- Potentially assist with pulling in data from different devices, as well as intelligence data.
- Update: here's some good information on integrating intelligence sources – Feed Your SIEM With Free Threat Intelligence Feeds.
- Make sure the trial key has adequate room for testing (100 GB should be fine in this regard; a trial that caps out at a fraction of real daily volume tells you nothing about how the product behaves under load).
- General availability of engineers.
- GET ACTUAL PRICING INFORMATION, NO HORSE SHIT.
- Flexibility in licensing and invoicing, especially since this will be a hard sell to the budget masters.
- Potentially work on a business value assessment (BVA) because the budget masters won't care no matter how we frame it.
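The "3 to 5 distinct alert profiles" above are the part of a POC that is easiest to fake in a demo and hardest to get right in production. As an added example (not code from the original post or from any vendor product), here is a minimal rule engine that expresses two such profiles, a threshold rule for repeated logon failures and an indicator match against a threat intel list, and runs them over constructed domain controller and Office 365 events. The event shape, user names, addresses and indicator list are all assumptions made up for the example.

```python
"""Tiny rule engine for exercising SIEM alert profiles during a POC.

This is an added example, not code from the original post or from any
vendor product. The event shape, user names, IPs and indicator list below
are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events, normalized the way a SIEM would present
# domain controller logon events and Office 365 sign-ins (UTC timestamps).
SAMPLE_EVENTS = [
    {"ts": "2023-03-01T10:00:01", "src": "dc01", "type": "logon_failure", "user": "jsmith", "ip": "10.0.0.15"},
    {"ts": "2023-03-01T10:00:05", "src": "dc01", "type": "logon_failure", "user": "jsmith", "ip": "10.0.0.15"},
    {"ts": "2023-03-01T10:00:12", "src": "dc01", "type": "logon_failure", "user": "jsmith", "ip": "10.0.0.15"},
    {"ts": "2023-03-01T10:00:20", "src": "dc01", "type": "logon_failure", "user": "jsmith", "ip": "10.0.0.15"},
    {"ts": "2023-03-01T10:00:33", "src": "dc01", "type": "logon_failure", "user": "jsmith", "ip": "10.0.0.15"},
    {"ts": "2023-03-01T10:00:40", "src": "dc01", "type": "logon_failure", "user": "jsmith", "ip": "10.0.0.15"},
    {"ts": "2023-03-01T10:01:10", "src": "o365", "type": "login", "user": "ops", "ip": "10.0.0.20"},
    {"ts": "2023-03-01T10:03:00", "src": "o365", "type": "login", "user": "bjones", "ip": "203.0.113.77"},
    {"ts": "2023-03-01T10:05:00", "src": "dc01", "type": "logon_failure", "user": "admin", "ip": "10.0.0.9"},
]

# Constructed indicator set standing in for an external threat intel feed.
BAD_IPS = {"203.0.113.77", "198.51.100.4"}


def threshold_rule(events, event_type, key, threshold, window_seconds):
    """Fire once when `threshold` events of `event_type` share the same `key`
    value inside a sliding window of `window_seconds`."""
    alerts = []
    recent = defaultdict(list)  # key value -> timestamps still inside the window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] != event_type:
            continue
        t = datetime.fromisoformat(e["ts"])
        bucket = recent[e[key]]
        bucket.append(t)
        # drop timestamps that have fallen out of the window
        while (t - bucket[0]).total_seconds() > window_seconds:
            bucket.pop(0)
        # == rather than >= so a long burst raises a single alert, not one per event
        if len(bucket) == threshold:
            alerts.append({
                "rule": f"{event_type} x{threshold} in {window_seconds}s",
                "key": e[key],
                "at": e["ts"],
            })
    return alerts


def ioc_rule(events, indicators, field="ip"):
    """Fire on any event whose `field` matches a known-bad indicator."""
    return [
        {"rule": "ioc_match", "key": e[field], "at": e["ts"], "user": e.get("user")}
        for e in events
        if e.get(field) in indicators
    ]


def run_profiles(events):
    """The handful of distinct alert profiles worth testing in a trial."""
    alerts = []
    alerts += threshold_rule(events, "logon_failure", "user", threshold=5, window_seconds=60)
    alerts += ioc_rule(events, BAD_IPS)
    return alerts


if __name__ == "__main__":
    for a in run_profiles(SAMPLE_EVENTS):
        print(a)
```

The point of writing the profiles out this plainly is that you can hand the same sample events to each vendor's engineer and compare what their product fires on: the jsmith burst should produce exactly one alert, the single admin failure none, and the bjones sign-in from the listed address an indicator match. Products that alert on every event past the threshold, or that need the intel list reloaded by hand, show up immediately.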
Finalize Testing and Gauge Setup
- Make sure physical network devices are actually sending data to the SIEM (make sure logging is enabled and pointed at the collector).
- Make sure agents are installed and configured where required (like on DCs).
- Verify the appropriate level of logging (for example, the `logging trap` severity level on Cisco devices; a source that only ever sends errors is usually configured too low).
- Make sure ESXi hosts are sending appropriate information from the clusters.
- Remember to save changes and commit (if necessary), or the device will revert on its next reboot and silently drop out of the SIEM.
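Two of the points above, sizing the licence by EPS or GB/day and checking that every source is really reporting, can be answered from the same raw feed. As an added example (not code from the original post or any product), the script below parses RFC 3164 style syslog lines as a collector would receive them, reports events per second and projected GB/day per source, records the least severe level each host has sent (a rough check on the logging level), and lists expected sources that sent nothing. The sample lines, host names and the `EXPECTED_SOURCES` list are constructed for the example.

```python
"""Per-source ingestion check for a SIEM proof of concept.

Added example, not code from the original post or from any vendor. Parses
RFC 3164 style syslog lines, reports EPS and projected GB/day per source,
tracks the least severe level each host sent, and flags expected sources
that were silent during the window.
"""
import re
from collections import defaultdict

# Constructed sample of what a collector might receive in a 10-second window.
# Priority <189> = facility 23 (local7), severity 5 (notice); <14> = user.info.
SAMPLE_SYSLOG = """\
<189>Mar  1 10:00:00 core-sw01 101: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 10.0.0.5]
<189>Mar  1 10:00:02 core-sw01 102: %SYS-5-CONFIG_I: Configured from console by ops on vty0
<187>Mar  1 10:00:04 core-sw01 103: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down
<14>Mar  1 10:00:03 esxi01 Hostd: [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 42 : User root@10.0.0.5 logged in as VMware-client
<13>Mar  1 10:00:06 dc01 Microsoft-Windows-Security-Auditing: 4625 An account failed to log on. Account Name: jsmith
<13>Mar  1 10:00:09 dc01 Microsoft-Windows-Security-Auditing: 4624 An account was successfully logged on. Account Name: ops
not a syslog line at all
"""

# Constructed inventory of hosts that are supposed to report (assumption).
EXPECTED_SOURCES = {"core-sw01", "esxi01", "dc01", "fw01"}

# <PRI>Mmm dd HH:MM:SS hostname rest-of-message
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def parse_line(line):
    """Return a dict for a well-formed syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri, ts, host, msg = m.groups()
    pri = int(pri)
    return {
        "facility": pri // 8,
        "severity": pri % 8,   # 0 = emergency ... 7 = debug
        "ts": ts,
        "host": host,
        "msg": msg,
        "bytes": len(line.encode("utf-8")),
    }


def ingestion_report(raw, window_seconds, expected=EXPECTED_SOURCES):
    """Summarize a capture window: per-host EPS, GB/day and max severity,
    plus the expected hosts that never showed up and the unparsed line count."""
    per_host = defaultdict(lambda: {"events": 0, "bytes": 0, "max_severity": 0})
    unparsed = 0
    for line in raw.splitlines():
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        h = per_host[ev["host"]]
        h["events"] += 1
        h["bytes"] += ev["bytes"]
        # highest severity number seen = least severe message this host sends
        h["max_severity"] = max(h["max_severity"], ev["severity"])
    for h in per_host.values():
        h["eps"] = h["events"] / window_seconds
        h["gb_per_day"] = h["bytes"] / window_seconds * 86400 / 1e9
    return {
        "hosts": dict(per_host),
        "silent": sorted(expected - set(per_host)),
        "unparsed": unparsed,
        "total_eps": sum(h["eps"] for h in per_host.values()),
    }


if __name__ == "__main__":
    report = ingestion_report(SAMPLE_SYSLOG, window_seconds=10)
    for host, stats in sorted(report["hosts"].items()):
        print(f"{host:12} {stats['eps']:6.2f} EPS  {stats['gb_per_day']:8.5f} GB/day  max sev {stats['max_severity']}")
    print("silent sources:", report["silent"], " unparsed lines:", report["unparsed"])
```

Run it against a capture of real traffic to the collector (a few minutes of `tcpdump` on UDP/514 or the collector's raw spool) rather than a 10-second toy window, and the `total_eps` and summed `gb_per_day` figures are exactly the numbers the sales engineer is asking for when they say they can't size your environment. A host appearing in `silent` after a change window is the "did you save the config" problem from the checklist above, caught before anyone goes looking for its logs during an incident.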
Alternatives to SIEMs and Syslog Servers
You can also use something like Aristotle Insight. I reviewed this company after we had already moved forward with a SIEM and custom analytics setup, but something like this could help when a SIEM may be too much.
Using something that is more of a cybersecurity analytics tool could get you the visibility you need without all the statistical stuff to worry about. A few notes from that review:
- L3 – high level
- L2 – general
- L1 – specific info
- Services and user space.
- Maybe half a MB for compressed and encrypted.
- Queuing agent for low cell areas.
There you have it. I probably put about 1,000 hours into researching SIEMs and making several documents. This is through my evaluations both pre and post demos and POCs, as well as talking to numerous sales people and engineers.
This of course doesn't include my time with the 2 options we went with: 2 years of SolarWinds LEM and nearly 2 years of EventLog Analyzer from ManageEngine. I didn't talk much about the LEM, as it was purchased when I was on family leave. I liked it, but it was extremely difficult and tedious to use (and everything was in FLASH!). I was happy when we went over to the ZOHO side.
My next go around (likely at a new place of work) will be more streamlined.
How was your SIEM induction process? How did you fare? Leave a comment below.