Hello,
For those who have had the luxury of using or dealing with SIEMs on the job or in any other circumstance, what are the products you've come across?
I graduated from university not too long ago and the one that seemed to be repeatedly thrown at my face (by name only) was Splunk. After that, I think it was an IBM product that was mentioned but I could be remembering wrong.
Up to now, I've never had the chance to actually play around with one.
I was wondering what the community has touched up with and what would be considered the most used or popular appliance?
@non-expert wrote:
> For those who have had the luxury of using or dealing with SIEMs on the job or in any other circumstance, what are the products you've come across?
This post should provide feedback on members' experience with SIEMs, and for more information just hit the tag for a list of other posts.
(Additional feedback from others here itself will also be welcome)
Hi @non-expert
Well, I have experienced pre-SIEM situations: watching dropped packets on firewall logs via syslog and analysing the results, and analysing raw syslogs.
Other systems I have dealt with are:
IBM Tivoli Security Information Manager (TSIM), now redundant and replaced with TSIEM (Tivoli Security Information Event Manager), which once again was replaced with Q1Labs, which then became QRadar, the current SIEM within my organisation, along with IBM Watson, Vulnerability Manager, Risk Manager, Forensics etc., and now it is available via the Cloud in the form of QRoC.
How well does your chosen SIEM integrate with the hundreds of other vendors, or are they proprietary and locked in? This is a key question to ask of vendors. Plus, how much does it cost to produce new integrations if you need them, or are they readily available?
In between I have dealt with netForensics, which was then acquired and became Black Stratus.
Lots of organisations simply love "Splunk" and its capabilities until you want more storage and the subscription fees hot up significantly.
Some organisations are completely sold on McAfee Orchestrator or Cisco Prime or Meraki solutions, with cloud interfaces.
Others like AlienVault, and many others.
However, you really need to know exactly what you are collecting, with valid Use Cases, because a human being cannot be expected to deal with 50,000 incoming security events without encountering literally thousands of noisy events, which may be spurious and of no value at all. Or they will not be able to Detect, Identify or Respond to relevant events, which may mean the difference between "panic" mode and "controlled" incident handling, with lots of cleaning up afterwards, which can be extremely costly.
Regards
Caute_cautim
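Caute_cautim's point above, that raw collection without validated use cases buries a handful of relevant events under thousands of noisy ones, is easy to see on the kind of syslog firewall-drop data mentioned at the top of the post. The script below is an added illustration, not code from this thread or from any vendor's SIEM: it constructs a small batch of syslog-style DROP lines (a generic, assumed line format, not any particular firewall's), suppresses an assumed known-noisy destination (the subnet broadcast address), and applies one documented use case, "a single source hitting many distinct ports on one destination", with an assumed threshold. The numbers, addresses and the `min_distinct_ports` parameter are all constructed for the example.

```python
import re
from collections import defaultdict

# Assumed, generic syslog-style firewall DROP record (constructed for this example;
# real firewalls each have their own format and field names).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+ DROP "
    r"IN=(?P<iface>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)

# Assumed allowlist for the use case: drops aimed at the subnet broadcast address are
# expected chatter (NetBIOS etc.) and should be counted but never raised as alerts.
NOISY_DESTINATIONS = {"192.0.2.255"}


def parse_drop(line):
    """Return a dict of fields for a DROP line, or None for any other log line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def build_sample_logs():
    """Constructed sample input: 200 broadcast-noise drops, one 30-port sweep,
    three low-volume drops against a web port, and one unrelated sshd line."""
    lines = []
    for i in range(200):  # noise: internal host chattering at the broadcast address
        lines.append(f"Mar 18 01:05:{i % 60:02d} fw1 kernel: DROP IN=eth0 "
                     f"SRC=192.0.2.50 DST=192.0.2.255 PROTO=UDP DPT=137")
    for port in range(1, 31):  # the event worth a human's attention
        lines.append(f"Mar 18 01:06:{port % 60:02d} fw1 kernel: DROP IN=eth0 "
                     f"SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT={port}")
    for i in range(3):  # below threshold: a few drops against a single port
        lines.append(f"Mar 18 01:07:0{i} fw1 kernel: DROP IN=eth0 "
                     f"SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443")
    lines.append("Mar 18 01:08:00 fw1 sshd[123]: Accepted publickey for ops")
    return lines


def triage(lines, min_distinct_ports=10):
    """Apply the 'port sweep' use case to a batch of log lines.

    Returns (alerts, stats): alerts is a list of dicts, one per (src, dst) pair
    that touched at least min_distinct_ports distinct destination ports; stats
    records how many lines were seen, parsed as drops, and suppressed as noise.
    """
    stats = {"total": 0, "parsed": 0, "suppressed": 0}
    ports_seen = defaultdict(set)
    for line in lines:
        stats["total"] += 1
        rec = parse_drop(line)
        if rec is None:
            continue  # not a drop record; other use cases would consume it
        stats["parsed"] += 1
        if rec["dst"] in NOISY_DESTINATIONS:
            stats["suppressed"] += 1  # counted for volume reporting, never alerted
            continue
        ports_seen[(rec["src"], rec["dst"])].add(rec["dpt"])
    alerts = []
    for (src, dst), ports in sorted(ports_seen.items()):
        if len(ports) >= min_distinct_ports:
            alerts.append({"use_case": "port_sweep", "src": src, "dst": dst,
                           "distinct_ports": len(ports)})
    return alerts, stats


if __name__ == "__main__":
    found, counts = triage(build_sample_logs())
    print(counts)  # {'total': 234, 'parsed': 233, 'suppressed': 200}
    for alert in found:
        print(alert)  # one alert for 203.0.113.7 -> 192.0.2.10, 30 distinct ports
```

The ratio in the output is the whole point: 234 lines in, one alert out, with the 200 suppressed lines still counted so the analyst can see the noise floor rather than losing it. The allowlist and threshold are exactly the kind of "Use Case validated and agreed with the organisation" the post describes; in a real deployment both would be tuned against the organisation's own traffic, and a sweep rule would also be windowed by time rather than run over a whole batch.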
Splunk is a good 'toy' in my humble opinion. It can potentially become very useful, should the tool sets and skills be readily available for your average IT professionals.
You can open a trial personal account with Splunk and play with it yourself. But unless you have a strong internal (or contract) expertise, it is very difficult to make it actually contribute to your SIEM.
The other thing that needs to be pointed out: unless the organization has a robust ITSM infrastructure, singling out SIEM is rather pointless.
@Chuxing I agree: to do the job correctly these days, one needs to consider the holistic approach, i.e. a Security Operations Centre (SOC), or whether the organisation should actually use an MSSP, because they do not have the resources or skills to run the SIEM themselves.
https://securityaffairs.co/wordpress/47631/breaking-news/soc-security-operations-center.html
Capabilities of the Security Analysts and skill sets
The intelligence feeds and sources fed into the SIEM itself
The Use Cases validated and agreed with the organisation
Agreement on what constitutes critical events, and what actions should take place
Incident Handling capabilities after the Identify and Detect phases, and then into the Respond phase.
The time it takes to eliminate, or certainly reduce, the amount of noise or false positives to make sense within the organisation's business context.
How quickly the Security Analysts realise they have an issue, and that it's deeper than they first thought.
Regards
Caute_cautim
Absolutely, my personal experience is that sometimes certain IT leadership and some CISOs like to toss out things like SIEM, especially in public, to show off their knowledge. Yet when you dig deeper, you realize that they don't even have a decent ITSM setup. How can you triage SIEM if you can't even handle daily issues adequately?
I always like to focus on fundamentals. Get your IT governance straight, get your policies established, focus on ITSM which is your 99.999% IT management headaches. Once those areas are mature, then SIEM will not be that challenging. Don’t worry too much about the actual tools, they will come naturally, once the foundation is ready and solid.
Of course this is just MHO...
Cheers,
@Caute_cautim, I'll second what @Chuxing said, having experienced just that. A security plan that I presented management with when I joined involved a bottom-up approach --- wherein I strongly emphasized the need to have a good foundation to start with.
The SOC --- including a SIEM --- was to be implemented towards the end, but it appealed to them the most, so they adopted a top-down approach. (Needless to say, that didn't go like clockwork.)
While the SOC is outsourced, the MSSP's efficiency doesn't matter much when security operations on the inside aren't efficient in the first place...
> Chuxing (Community Champion) posted a new reply in Tech Talk on 03-18-2019 01:05
> Splunk is a good 'toy' in my humble opinion.
And they make great all-cotton promotional T-shirts (although they have a tendency for the armpit to come apart ...)