Do you need a SIEM?

Jamm1n Member Posts: 106
Hey guys,

Do you really need a SIEM? We are looking at a 3 man team who will be supporting the security for a company. Of course you will have all the other protections in place but I have read that unless you have a team dedicated to the SIEM product then you could be missing out on a lot and not using the product to its full potential.

Comments

  • TeKniques Member Posts: 1,262
    Yeah ... they can be valuable, but I have seen these turn into shelfware real quick. Usually it's because most places just set it and forget it out of the box and don't have a dedicated resource to get it set up to where there's real value. Also, it depends on the vendor/product too ...
  • beads Member Posts: 1,531
    Better question would be: "Do I have to have a SIEM?" Currently PCI-DSS and perhaps SARBOX and some other financial compliance require you to have a SIEM (pronounced "seam", not "sim", by the way).

    There are a number of SMB-grade SIEMs out there that don't need constant baby-sitting, think SolarWinds, etc., that would likely give you the needed coverage when you need it over the larger, pricier ArcSight or QRadar or the more modest LogRhythm products. They're there when you need to look for certain correlated events, and collecting when you don't necessarily need to stare at a screen all day.

    Just stick to your basic correlations and auto-magic alerts and build from there.

    - b/eads
  • Jamm1n Member Posts: 106
    Good information so far guys... With so many products out there that you need to run a decent security program...Firewall, IPS, AMP(EndPoint), AMP (email), SIEM... of course there is not one for all either.
  • BlackBeret Member Posts: 683
    Depending on the size of the company you're supporting and how well you tune it determines whether or not you need constant monitoring for it to be effective. One thing to consider is that even if you don't monitor it non-stop a lot of them can be configured with customized contact options. You may not care about every single SQL injection attempt on a web page that isn't connected to a SQL database (tune your rules!) but you might want to be alerted by email/text if it ever detects ransomware.

    If you're concerned with cost take a hard look at ELSA/OSSEC, ELK, and actually the entire Security Onion bundle. If you don't need SLA's open source is your friend!
  • Matt2 Member Posts: 97
    While my company needs a SIEM for compliance, I do recommend it for any company that's trying to be as secure as possible. Ditto on Security Onion. That is what I decided on after researching; I deployed 3 instances. But if you want reporting, then you'll have to fiddle with it, or step up to a different product that costs $ beyond just the hardware.
  • 636-555-3226 Member Posts: 975
    You do not need to have anything. A properly tuned SIEM set up with the right dashboards and alerts is infinitely valuable. It also requires an FTE to man it for a mid- to large-sized organization. If you can't devote at least 50% of someone's time to setting it up, don't waste your money. It's a bit less work once it's all set up, but it'll still take a large amount of time (perhaps 1+ years, depending on the logs) to get it all set up.
  • markulous Member Posts: 2,394
    It depends really. I'm a pretty big fan of them for a lot of situations. You can centrally manage all of your alerts for virtually any log source, traffic, behavior, etc. If you have the budget for it, then it's better to set it up earlier rather than later so you can just add agents later down the road. I would say go for it if you can dedicate the time to it. It'll make your job easier, make compliance easier, and be an effective mitigation tool.
  • Remedymp Member Posts: 834
    Jamm1n wrote:
    Good information so far guys... With so many products out there that you need to run a decent security program...Firewall, IPS, AMP(EndPoint), AMP (email), SIEM... of course there is not one for all either.

    You can either go buy a UTM, depending on how many endpoints you're trying to manage:

    Sophos
    Barracuda
    Fortinet
    McAfee
    SonicWall

    Usually these devices cost anywhere between $1599 and greater depending on how many end points and services you need as well as licensing.

    If you go open source, it can be cost effective, but troublesome when things don't work well.
  • the_Grinch Member Posts: 4,165
    I think you'd be doing yourself a disservice by not having a SIEM. I couldn't imagine having to log in to several different portals in order to view the devices I am in charge of. We utilize ELK and OSSEC where I work and I have no idea where we would be without it. Takes some fine tuning, but within a couple of weeks you should have it about where it needs to be in order to be effective. If you go with ELK/OSSEC I would suggest utilizing Wazuh. It is a fork of OSSEC that adds in a web API which would allow for a lot of customization.

    The biggest thing is the visualization. One thing I have noted is that with some visualization I can more acutely find problems. As an example, I know roughly how many alerts I should see on a daily basis from OSSEC. One day I looked and one level of alerts was off the charts; it made no sense. I started looking into them and saw that they were unrelated to what the alert was supposed to be, but were related to something we cared about. I then made a custom query to show that specific alert. Upon running it on past data I saw it had occurred before that day as well. More recently I again caught it without the team responsible for it actually seeing the problem.

    On the flip side, you need a SIEM if you plan on doing any hunting. It can be the difference between reporting full data compromise or 10/20% data compromise. Based on what I learned in SANS 511 I was able to develop some alerts to give us some early warning. That in turn should allow us to isolate a compromised host(s) and troubleshoot without full compromise.
    WIP: PHP, Kotlin, Intro to Discrete Math, Programming Languages, Work stuff
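    The baselining described in the post above, as an added illustration (not code from the thread, from OSSEC or from ELK): count alerts per level per day, flag a day where one level is off the charts relative to the baseline days, then run the "custom query" for the rule involved to see whether it already fired on earlier days. The alert records and rule id 90001 are constructed for the example.

```python
import statistics
from collections import Counter, defaultdict

# Constructed sample alerts (simplified; real OSSEC alerts carry far more
# fields). Rule id 90001 is a made-up local rule, 5716/5720 are placeholders.
def constructed_alerts():
    recs = []
    for d in range(1, 6):                          # five "normal" baseline days
        day = f"2017-03-{d:02d}"
        recs += [{"ts": day, "level": 5, "rule_id": 5716}] * 3
        recs += [{"ts": day, "level": 10, "rule_id": 5720}]
    # the interesting rule fired once earlier and nobody noticed
    recs.append({"ts": "2017-03-03", "level": 10, "rule_id": 90001})
    # day 6: level-10 volume "off the charts"
    recs += [{"ts": "2017-03-06", "level": 5, "rule_id": 5716}] * 3
    recs += [{"ts": "2017-03-06", "level": 10, "rule_id": 90001}] * 8
    return recs

def daily_level_counts(alerts):
    """day -> Counter(level -> number of alerts that day)."""
    per_day = defaultdict(Counter)
    for a in alerts:
        per_day[a["ts"]][a["level"]] += 1
    return per_day

def find_volume_anomalies(alerts, baseline_days, day, factor=3.0):
    """Flag alert levels whose count on `day` exceeds the baseline mean by
    `factor` standard deviations. The floor of 1.0 on the deviation keeps a
    perfectly flat baseline from flagging every one-alert change."""
    per_day = daily_level_counts(alerts)
    levels = {lvl for d in baseline_days for lvl in per_day[d]} | set(per_day[day])
    flagged = []
    for lvl in sorted(levels):
        history = [per_day[d][lvl] for d in baseline_days]
        mean, dev = statistics.mean(history), statistics.pstdev(history)
        threshold = mean + factor * max(dev, 1.0)
        if per_day[day][lvl] > threshold:
            flagged.append({"level": lvl, "count": per_day[day][lvl],
                            "threshold": round(threshold, 1)})
    return flagged

def rule_days(alerts, rule_id):
    """The 'custom query': every day on which a given rule fired."""
    return sorted({a["ts"] for a in alerts if a["rule_id"] == rule_id})

if __name__ == "__main__":
    alerts = constructed_alerts()
    baseline = [f"2017-03-{d:02d}" for d in range(1, 6)]
    print(find_volume_anomalies(alerts, baseline, "2017-03-06"))
    print(rule_days(alerts, 90001))
```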
  • alias454 Member Posts: 648
    I am in agreement; take the time and look into an open source product like ELK Stack or Graylog. Graylog uses Elasticsearch as its backend too. Realize that it is going to take some hardware resources no matter what you go with. Another thing not to forget is that the open source options of ELK and Graylog are backed by actual companies, so you can pay for support if that floats your boat.
    “I do not seek answers, but rather to understand the question.”
  • wes allen Member Posts: 540
    Splunk Cloud might be something worth looking into.

    Also, for smaller shops, being able to provide value to IT via a monitoring solution can make a huge difference in ROI. Traditional SIEMs like QRadar, LogRhythm, etc. are very siloed, while something like Splunk can also be a great resource for more general IT monitoring as well. I am not sure how ELK handles permissions, but if you can be granular enough, that might be a good option as well.
  • Jamm1n Member Posts: 106
    All good info guys, big help
  • ITHokie Member Posts: 158
    The only thing I would add to other thoughts is that it's asking a lot from a 3 man shop to have skills and time for engineering/administration and analysis of an enterprise SIEM product. Going the set it and forget it route, if that's all you'll have cycles for, is much more palatable with an open source solution and still valuable.
  • JDMurray Admin Posts: 13,028
    Stay away from (the still very expensive) ArcSight SIEM products. ArcSight really went downhill with customer service after being bought by HP a few years ago. I know of several orgs frantically replacing their ArcSight installations with Splunk or QRadar.
  • Jamm1n Member Posts: 106
    yeah I have heard that a lot.