non-expert
Newcomer II

What SIEM(s) do/have you use(d)?

Hello,

For those who have had the luxury of using or dealing with SIEMs on the job or in any other circumstance, what are the products you've come across?

I graduated from university not too long ago and the one that seemed to be repeatedly thrown at my face (by name only) was Splunk. After that, I think it was an IBM product that was mentioned, but I could be remembering wrong.

Up to now, I've never had the chance to actually play around with one.

I was wondering what the community has touched up with and what would be considered the most used or popular appliance?

7 Replies
Shannon
Community Champion



@non-expert wrote:

For those who have had the luxury of using or dealing with SIEMs on the job or in any other circumstance, what are the products you've come across?


This post should provide feedback on members' experience with SIEMs, and for more information just hit the tag for a list of other posts.

(Additional feedback from others here itself will also be welcome)

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Caute_cautim
Community Champion

Hi @non-expert

Well, I have experienced pre-SIEM situations - watching dropped packets on firewall logs via syslog, analysing the results and analysing raw syslogs.

Other systems I have dealt with are:

IBM Tivoli Security Information Manager (TSIM) - now redundant and replaced with TSIEM (Tivoli Security Information Event Manager), once again now replaced with Q1Labs, which then became QRadar - which is the current SIEM within my organisation, along with IBM Watson, Vulnerability Manager, Risk Manager, Forensics etc., and now it is available via the Cloud in the form of QRoC.

How well does your chosen SIEM integrate with the hundreds of other vendors, or is it proprietary and locked in? This is a key question to ask of vendors. Plus, how much does it cost to produce new integrations if you need them, or are they readily available?

In between I have dealt with netForensics, which was then acquired and became Black Stratus.

Lots of organisations simply love "Splunk" and its capabilities until you want more storage and the subscription fees hot up significantly.

Some organisations are completely sold on McAfee Orchestrator or Cisco Prime or Meraki solutions, with cloud interfaces.

Others like AlienVault, and many others.

However, you really need to know exactly what you are collecting, with valid Use Cases, because a human being cannot be expected to deal with 50,000 incoming security events without encountering literally 1,000s of noisy events, which may be spurious and of no value at all. Or they will not be able to Detect, Identify or Respond to relevant events, which may mean the difference between "panic" mode or "controlled" incident handling and lots of cleaning up afterwards, which can be extremely costly.

Regards

Caute_cautim
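To make the "valid Use Cases" point above concrete, here is an added example (not from any poster in this thread and not a real vendor's rule) of what a single SIEM use case does to a stream of firewall drop events: a few hundred one-off drops from unrelated internet sources are left alone, while one source that is dropped on many distinct destination ports inside a short window produces exactly one alert. The syslog format, the IP addresses, the threshold of 20 ports in 60 seconds and the allowlisted internal scanner are all constructed assumptions for the illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed generic "kernel: DROP" firewall syslog line; real vendors use their own layouts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: DROP "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)


def build_sample_log():
    """Constructed sample data (not captured from a real firewall).

    200 unrelated sources each dropped once on 445 (pure background noise),
    one external source sweeping 30 ports in 30 seconds, and one authorised
    internal scanner (10.0.0.9) doing the same thing, which should be allowlisted.
    """
    base = datetime(2019, 3, 18, 1, 0, 0)
    fmt = lambda t: t.strftime("%b %d %H:%M:%S")
    lines = []
    for i in range(200):
        t = base + timedelta(seconds=i)
        lines.append(f"{fmt(t)} fw1 kernel: DROP SRC=198.51.100.{i + 1} "
                     f"DST=192.0.2.10 PROTO=TCP DPT=445")
    for i in range(30):
        t = base + timedelta(seconds=100 + i)
        lines.append(f"{fmt(t)} fw1 kernel: DROP SRC=203.0.113.5 "
                     f"DST=192.0.2.10 PROTO=TCP DPT={1000 + i}")
    for i in range(30):
        t = base + timedelta(seconds=150 + i)
        lines.append(f"{fmt(t)} fw1 kernel: DROP SRC=10.0.0.9 "
                     f"DST=192.0.2.10 PROTO=TCP DPT={2000 + i}")
    return lines


def parse(line, year=2019):
    """Parse one drop line into a dict, or None if it does not match the assumed format.

    Classic syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "src": m["src"],
            "dst": m["dst"], "dpt": int(m["dpt"])}


def port_sweep_use_case(events, threshold=20, window=timedelta(seconds=60),
                        allowlist=frozenset()):
    """Use case: a source dropped on >= threshold distinct ports within `window`.

    Sliding-window count of distinct ports per source; one alert per source so
    the analyst sees a single ticket rather than thousands of raw drops."""
    by_src = defaultdict(list)
    for e in events:
        if e["src"] not in allowlist:
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        ports_in_window = Counter()
        left = 0
        for right, e in enumerate(evs):
            ports_in_window[e["dpt"]] += 1
            # Drop events that fell out of the window from the left edge.
            while e["ts"] - evs[left]["ts"] > window:
                p = evs[left]["dpt"]
                ports_in_window[p] -= 1
                if ports_in_window[p] == 0:
                    del ports_in_window[p]
                left += 1
            if len(ports_in_window) >= threshold:
                alerts.append({"src": src, "first_seen": evs[left]["ts"],
                               "last_seen": e["ts"],
                               "distinct_ports": len(ports_in_window),
                               "events": right - left + 1})
                break
    return alerts


def run(lines, **use_case_kwargs):
    """Parse raw lines, apply the use case, and report the reduction achieved."""
    events = [e for e in (parse(l) for l in lines) if e is not None]
    alerts = port_sweep_use_case(events, **use_case_kwargs)
    return {"raw_events": len(lines), "parsed": len(events), "alerts": alerts}


if __name__ == "__main__":
    result = run(build_sample_log(), allowlist=frozenset({"10.0.0.9"}))
    print(f"{result['raw_events']} raw drop events -> {len(result['alerts'])} alert(s)")
    for a in result["alerts"]:
        print(a)
```

Without the allowlist the internal scanner would raise a second alert every time it runs; that is the kind of "agreed with the organisation" tuning the Use Case needs before it goes live, and the threshold and window are the knobs that trade missed slow scans against analyst noise.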

Chuxing
Community Champion

Splunk is a good 'toy' in my humble opinion. It can potentially become very useful, should the tool sets and skills be readily available for your average IT professionals.

You can open a trial personal account with Splunk and play with it yourself. But unless you have strong internal (or contract) expertise, it is very difficult to make it actually contribute to your SIEM.

The other thing that needs to be pointed out: unless the organization has a robust ITSM infrastructure, singling out SIEM is rather pointless.

____________________________________
Chuxing Chen, Ph.D., CISSP, PMP
Caute_cautim
Community Champion

@Chuxing I agree. To do the job correctly these days, one needs to consider the holistic approach, i.e. a Security Operations Centre (SOC), or whether the organisation should actually use an MSSP because they do not have the resources or skills to run the SIEM themselves.

https://securityaffairs.co/wordpress/47631/breaking-news/soc-security-operations-center.html

Capabilities of the Security Analysts and skill sets

The intelligence feeds and sources fed into the SIEM itself

The Use Cases validated and agreed with the organisation

Agreement on what constitutes critical events, and what actions should take place

Incident Handling capabilities after the Identify, Detect and then into the Respond phase.

The time it takes to eliminate or certainly reduce the amount of noise or false positives to make sense within the organisation's business context

How quickly the Security Analysts realise they have an issue, and that it's deeper than they first thought.

Regards

Caute_cautim

Chuxing
Community Champion

@Caute_cautim

Absolutely, my personal experience is that sometimes certain IT leadership and some CISOs like to toss out things like SIEM, especially in public, to show off their knowledge. Yet when you dig deeper, you realize that they don't even have a decent ITSM setup. How can you triage SIEM if you can't even handle daily issues adequately?

I always like to focus on fundamentals. Get your IT governance straight, get your policies established, focus on ITSM, which is 99.999% of your IT management headaches. Once those areas are mature, then SIEM will not be that challenging. Don't worry too much about the actual tools; they will come naturally once the foundation is ready and solid.

Of course this is just MHO...

Cheers,

____________________________________
Chuxing Chen, Ph.D., CISSP, PMP
Shannon
Community Champion


@Caute_cautim, I'll second what @Chuxing said, having experienced just that. A security plan that I presented management with when I joined involved a bottom-up approach --- wherein I strongly emphasized the need to have a good foundation to start with.

The SOC --- including a SIEM --- was to be implemented towards the end, but it appealed to them the most, so they adopted a top-down approach. (Needless to say, that didn't go like clockwork.)

While the SOC's outsourced, the MSSP's efficiency doesn't matter much when security operations on the inside aren't efficient in the 1st place...

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
rslade
Influencer II

> Chuxing (Community Champion) posted a new reply in Tech Talk on 03-18-2019 01:05

> Splunk is a good 'toy' in my humble opinion.

And they make great all-cotton promotional T-shirts (although they have a tendency for the armpit to come apart ...)


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468