Siem

Mr.Network · June 2017

are you using SIEM? if so, from who and why?

Remedymp · June 2017

So it siems..

SpetsRepair · June 2017

I've used propriety siems at certain companies and I've used others which i can name

Splunk is good
Alert logic
FortiSiem

FortiSiem is kind of new and something Fortinet is providing, I haven't worked with it. Just a sales call with Fortinet on their new line of products..

alias454 · June 2017

We use Graylog but it takes some work. it is worth it for us though.
Others worth noting are ELK, LogRhythm, Qradar, Splunk, AlienVault's OSSIM/USM the list goes on.

Are you looking for any specific $thing or just generally wanting to know what others are using?

gespenstern · June 2017

LogRhythm. The population is around 700 servers + checkpoint firewalls and cisco ASAs, not all of them ship logs, but all major systems running on these servers do. Do not collect anything from endpoints directly.

Not a big fan of it, it's just what we have.

jamthat · June 2017

I've used Solarwinds LEM, QRadar and Splunk ES. LEM is very good for SMB (definitely on the smaller side) but at the time it didn't seem to get much love from their dev team.. ES can scale to infinity but requires A LOT of knowledge ($$$$$) and fine-tuning to turn it into a true SIEM. QRadar in my case was extremely expensive (as a dedicated SIEM) and replaced with Splunk, and Splunk seemed to be a better fit because while it was still expensive, it met a lot of other business needs that QRadar did not. It all depends on the size, complexity, and skill-set of your org.

To expand on Splunk a bit, we indexed around 1tb/day and it's great for log aggregation and searching..but for true SIEM functionality, yeah..see previous comment

alias454 · June 2017

@jamthat I don't have a ton of experience with Splunk and I am curious about the architecture. Would you be willing to share a little about your setup? Curious what type of hardware, storage, networking, EPS, etc. you have for that if you don't mind.

jamthat · June 2017

Absolutely, I'll shoot you a message tonight after work

the_Grinch · June 2017

At my last agency I setup and ran ELK (Elasticsearch, Logstash, Kibana) and it was awesome. It's basically a free open source alternative to Splunk and we were very successful in getting it running. We had a six node cluster that was taking in a couple of gigs worth of logs per day from dozens of servers.

UnixGuy · June 2017

No we don't...we use splunk for logs and dashboards but the siem is wayyy tooo expensive

Mr.Network · August 2017

Ok, Qradar cost a lot. Have you guys used Security Onion, Sguil, and Elsa ?

Skupp · August 2017

We use Alienvault here - the price is right

Mr.Network · August 2017

Skupp, ok i was looking at their website, it looks good. But they don't give up price on the site. How much are you paying for the licensing? if I may ask.

matai · August 2017

I think traditional SIEMs may be on their way out. Check out Darktrace or Exabeam.

mbarrett · August 2017

Splunk is good, easy to get off the ground and start using and free if you only want to aggregate a smaller amount of logs. Very scaleable as well. Might be harder to setup queries, etc unless you have one of the "canned" front ends they have available for free.

E Double U · August 2017

We started with ArcSight and moved to QRadar. We have Splunk, but don't use it as a SIEM.

As for why, because someone that gets paid more than I do decided that is what we will do. I just do what I am told.

Skupp · August 2017

Mr.Network wrote: »

Skupp, ok i was looking at their website, it looks good. But they don't give up price on the site. How much are you paying for the licensing? if I may ask.

Hi Mr Network.

We are currently using their free version.

Cheers.

Siem

Comments