Which SIEM is better? Now I know that they’re all pretty good (at least the ones I’ve worked with), but I have never been a Security analyst where managing a SIEM was my primary duty. Splunk has all the buzz, but I think that it’s very expensive; while Alien Vault seems to be an enigma, but it’s very cost-effective.
What at are my colleagues thinking?
So we had both Splunk and Alien Vault installed in our environment.
Splunk was slick but very costly to maintain as a SIEM. We used it basically to parse UNIX logs. Seems the UNIX gents had more money than Security
Alien Vault on the other hand was cost effective and suited our needs so we used Alien Vault. It allowed us the flexibility to monitor our network and did an okay job.
We did an extensive investigation on other products but the cost SIEMs are hard to sell to management. Unless of course you have just had an incident BUT the ongoing maintenance becomes hard to justify as folk forget about the incident.
In my present organization QRadar was to be implemented on-site, but midway through that the project got scrapped for a host of reasons, so I never got to see the good or bad.
We eventually decided to optimize things by going with a Managed Security Services (MSS) provider. Their initial proposal featured LogRythm, but during the implementation I found they switched to QRadar. When I asked why, the engineer couldn't offer any explanation, other than citing a management decision.
I'd checked the reviews on Gartner, TrustRadius and FireCompass, but in any case we'll be at the mercy of what the provider uses, enjoying just the solution's dashboard...
Coming from an organisation, which did the original acquisition with Q1Labs and turned it into QRadar. Having used and implemented a number of SIEM's right from the original days of watching dropped packets days and analysing the outcomes etc.
I have seen many Splunk implementations stall due to brilliant hype and marketing catching up with reality - when the rubber hits the road, and suddenly someone reasons they need more storage and shock horror it costs US $40,000 dollars to put in that new application for correlation purposes and then it all starts adding up.
The marketing hype is tremendous, we offer this, but you cannot believe all that they state - you have to push hard and ask the real issues:
Do we have the capability with in-house?
Do we have sufficient knowledge and ability to keep up with the vast flow of attacks and it is well maintained from not only the vendors but in collaboration with others like minded sources?
Is the integration available, for those tricky applications?
Can you create Use Cases that make sense to the organisation?
Do I have sufficient capacity and performance associated with the required infrastructure internally either in the cloud or locally to maintain the expected life time of the events i.e. in Financial Institutions, you have to keep the events for up to 7 years and be able to retrieve them within an expected set of parameters
Can I keep the staff I have invested in to keep them focused on my organisation and not suddenly looking elsewhere for a better role?
The key issue fundamentally, appear to be are the staff fully trained, fully versed with the technology or suddenly does the organisation have grandiose ideas of having a Security Operations Centre (SOC), attempting to run it 8x5, but actually want 24x7 and you only have three staff.
I would say go back to the fundamentals, can you Identify, Detect and Respond in these days of vast amounts of false positives and do you have the capabilities to work out quickly, whether it really impacts the organisation or are you going to waste vast amounts of time chasing rabbits down a hole?
Or in reality all you needed was a log analyser to meet legislation requirements?
The ability to Identity the real threats means fundamentally more reliable intelligence, even through collaboration and are you purchasing a piece of "tin", which you can support fully and obtain the business value add to be able to detect confidently and then react quickly and efficiently to protect the organisation.
Do you have the security metrics and full support of the business to invest and you have worked out the why, what, how and where before you even think about looking for a solution at the outset?
We live in a world of it simply must do this, because I do not fully understand what I want, but a technology will provide it - no - you need People, Process and Technology - none of these alone will give you the outcomes you expect. Now go out there and get real - collaborate this is a problem, no single organisation can solve by itself or a single technology no matter,how good you think you are..
Work out what is important to the business, rather than simply attempting to solve it by applying new technology without fundamentally working out what the real problem is and what you are protecting within your own organisations and why it concerns you.
I think which SIEM is "better" depend on your environment and staff capability.
If your environment is pretty heterogeneous, the ability to support multiple log sources should be considered (ex. API log source from cloud such as Azure or AWS log).
If your staff have little or no experience in managing/using SIEM, some product have pretty steep learning curve and could be frustrating even during implementation phase.
If your staff already have some experience but find current tools lacking, feature sets and capabilities obviously play bigger role.
Below are some questions I used to evaluate SIEM during selection:
What log sources can be collected?
Once collected, what analysis can be done with it?
What integration are there with existing security tools? (Or other additional sources, such as threat intel or honeypot)
If a security incident happen, how will this tool help/fit into the incident response workflow?
I'd say antivirus product is different from SIEM in this aspect because the skillset/knowledge required to manage one is different. Analyst often need to be familiar with the SIEM and customize rules to generate additional alarm; but we usually don't need to be skilled with malware analysis and make that much custom change to AV product.
I agree that we should not define any product with single score. The score should be ranked in different categories/factors with reasons.