Security Information Event Management (SIEM)
-
I looked at Arctic Wolf in 2019. Was interesting, but not something the client ended up going towards. They did not feel the spend was worth it.
But I thought it was a good solution at a decent price.
-
@JaredBusch said in Security Information Event Management (SIEM):
I looked at Arctic Wolf in 2019. Was interesting, but not something the client ended up going towards. They did not feel the spend was worth it.
But I thought it was a good solution at a decent price.
Thanks! Got a demo setup already.....
-
@JasGot Make sure you go directly with them as opposed as a vendor. The reporting is kinda hard as you have to always request it instead of readily accessible to you.
-
Rapid 7 is worth a look.
-
@dbeato said in Security Information Event Management (SIEM):
@JasGot Make sure you go directly with them as opposed as a vendor. The reporting is kinda hard as you have to always request it instead of readily accessible to you.
Do you mean instead of through a vendor? I'm looking into this for one of our customers. I thought I would set them up directly rather than becoming a reseller or partner myself. It's our first go, and I don't think I want to get too involved.
Is this what you meant?
-
@JasGot said in Security Information Event Management (SIEM):
Anyone able to recommend a Security Information Event Management (SIEM) vendor?
Azure Sentinel works well. I have been using that for some things at work, growing into it slowly. It's SIEM / SOAR.
-
We use Dell SecureWorks MDR. Has been good so far. We get quarterly meetings and whenever anything questionable is seen in logs/scans/user usage, we are contacted.
-
I'm surprised nobody has mentioned elastic yet.
There's an open source version and a free version (more features).
-
Alienvault (Paid) / OSSIM (Free). We use the paid version here. It's a bit cumbersome to work with, but gives a lot of good details IMO.
-
@IRJ said in Security Information Event Management (SIEM):
I'm surprised nobody has mentioned elastic yet.
There's an open source version and a free version (more features).
I did not mention it intentionally.
Because it is too complex to use as a SEIM unless you already know a lot about it.
-
@JaredBusch said in Security Information Event Management (SIEM):
Because it is too complex to use as a SEIM unless you already know a lot about it.
Agreed, i've been looking at it for checking over logs from all our servers. But one minutes it's workign fine then boom errors all over the place . So need to look for a new system myself for this and log management
-
@JasGot Yes, that is what I meant.
-
Wow! What an excellent response!
Thank you to everyone. I'll start exploring these and report back. -
@hobbit666 said in Security Information Event Management (SIEM):
But one minutes it's workign fine then boom errors all over the place
This is not because Elastic is bad, it is because it is complex. Which is why it is a poor solution for people like @JasGot
Unless a person has the time to really learn elastic and how to do things well, it jsut turns into a mess.
-
@JaredBusch said in Security Information Event Management (SIEM):
@IRJ said in Security Information Event Management (SIEM):
I'm surprised nobody has mentioned elastic yet.
There's an open source version and a free version (more features).
I did not mention it intentionally.
Because it is too complex to use as a SEIM unless you already know a lot about it.
Elastic basic (free) is pretty simple. Open Source version requires a bit more knowledge and integration
-
-
@IRJ said in Security Information Event Management (SIEM):
@JaredBusch said in Security Information Event Management (SIEM):
@IRJ said in Security Information Event Management (SIEM):
I'm surprised nobody has mentioned elastic yet.
There's an open source version and a free version (more features).
I did not mention it intentionally.
Because it is too complex to use as a SEIM unless you already know a lot about it.
Elastic basic (free) is pretty simple. Open Source version requires a bit more knowledge and integration
Setting up Elastic to ingest some basic logs? Simple. Setting up a SEIM with Elastic? Not so much.
-
@JaredBusch said in Security Information Event Management (SIEM):
This is not because Elastic is bad, it is because it is complex. Which is why it is a poor solution for people like @JasGot
Unless a person has the time to really learn elastic and how to do things well, it jsut turns into a mess.Yea, I'm not in the mood to learn something that complex for a one off.
-
@JaredBusch said in Security Information Event Management (SIEM):
@IRJ said in Security Information Event Management (SIEM):
@JaredBusch said in Security Information Event Management (SIEM):
@IRJ said in Security Information Event Management (SIEM):
I'm surprised nobody has mentioned elastic yet.
There's an open source version and a free version (more features).
I did not mention it intentionally.
Because it is too complex to use as a SEIM unless you already know a lot about it.
Elastic basic (free) is pretty simple. Open Source version requires a bit more knowledge and integration
Setting up Elastic to ingest some basic logs? Simple. Setting up a SEIM with Elastic? Not so much.
This. As straight log management, it's some effort, but like, half a day tops. SEIM with it, though, is an undertaking on top of that.
-
@JaredBusch said in Security Information Event Management (SIEM):
This is not because Elastic is bad, it is because it is complex.
Agreed, it's a beast of a system.
The SIEM part requires a "Basic" license, but seems to be around $200 / year.