Siem

Mr.Network

are you using SIEM? if so, from who and why?

Find more posts tagged with

Comments

Remedymp

So it siems..

SpetsRepair

I've used propriety siems at certain companies and I've used others which i can name

Splunk is good
Alert logic
FortiSiem

FortiSiem is kind of new and something Fortinet is providing, I haven't worked with it. Just a sales call with Fortinet on their new line of products..

alias454

We use Graylog but it takes some work. it is worth it for us though.
Others worth noting are ELK, LogRhythm, Qradar, Splunk, AlienVault's OSSIM/USM the list goes on.

Are you looking for any specific $thing or just generally wanting to know what others are using?

gespenstern

LogRhythm. The population is around 700 servers + checkpoint firewalls and cisco ASAs, not all of them ship logs, but all major systems running on these servers do. Do not collect anything from endpoints directly.

Not a big fan of it, it's just what we have.

jamthat

I've used Solarwinds LEM, QRadar and Splunk ES. LEM is very good for SMB (definitely on the smaller side) but at the time it didn't seem to get much love from their dev team.. ES can scale to infinity but requires A LOT of knowledge ($$$$$) and fine-tuning to turn it into a true SIEM. QRadar in my case was extremely expensive (as a dedicated SIEM) and replaced with Splunk, and Splunk seemed to be a better fit because while it was still expensive, it met a lot of other business needs that QRadar did not. It all depends on the size, complexity, and skill-set of your org.

To expand on Splunk a bit, we indexed around 1tb/day and it's great for log aggregation and searching..but for true SIEM functionality, yeah..see previous comment

alias454

@jamthat I don't have a ton of experience with Splunk and I am curious about the architecture. Would you be willing to share a little about your setup? Curious what type of hardware, storage, networking, EPS, etc. you have for that if you don't mind.

jamthat

Absolutely, I'll shoot you a message tonight after work

the_Grinch

At my last agency I setup and ran ELK (Elasticsearch, Logstash, Kibana) and it was awesome. It's basically a free open source alternative to Splunk and we were very successful in getting it running. We had a six node cluster that was taking in a couple of gigs worth of logs per day from dozens of servers.

UnixGuy

No we don't...we use splunk for logs and dashboards but the siem is wayyy tooo expensive

Mr.Network

Ok, Qradar cost a lot. Have you guys used Security Onion, Sguil, and Elsa ?

Skupp

We use Alienvault here - the price is right

Mr.Network

Skupp, ok i was looking at their website, it looks good. But they don't give up price on the site. How much are you paying for the licensing? if I may ask.

matai

I think traditional SIEMs may be on their way out. Check out Darktrace or Exabeam.

mbarrett

Splunk is good, easy to get off the ground and start using and free if you only want to aggregate a smaller amount of logs. Very scaleable as well. Might be harder to setup queries, etc unless you have one of the "canned" front ends they have available for free.

E Double U

We started with ArcSight and moved to QRadar. We have Splunk, but don't use it as a SIEM.

As for why, because someone that gets paid more than I do decided that is what we will do. I just do what I am told.

Skupp

Mr.Network wrote: »

Skupp, ok i was looking at their website, it looks good. But they don't give up price on the site. How much are you paying for the licensing? if I may ask.

Hi Mr Network.

We are currently using their free version.

Cheers.