Siem

Mr.NetworkMr.Network Member Posts: 117
are you using SIEM? if so, from who and why? :)
CCNA R&S, MCSA.

Comments

  • RemedympRemedymp Member Posts: 834 ■■■■□□□□□□
  • SpetsRepairSpetsRepair Member Posts: 210 ■■■□□□□□□□
    I've used propriety siems at certain companies and I've used others which i can name

    Splunk is good
    Alert logic
    FortiSiem

    FortiSiem is kind of new and something Fortinet is providing, I haven't worked with it. Just a sales call with Fortinet on their new line of products..
  • alias454alias454 Member Posts: 648 ■■■■□□□□□□
    We use Graylog but it takes some work. it is worth it for us though.
    Others worth noting are ELK, LogRhythm, Qradar, Splunk, AlienVault's OSSIM/USM the list goes on.

    Are you looking for any specific $thing or just generally wanting to know what others are using?
    “I do not seek answers, but rather to understand the question.”
  • gespensterngespenstern Member Posts: 1,243 ■■■■■■■■□□
    LogRhythm. The population is around 700 servers + checkpoint firewalls and cisco ASAs, not all of them ship logs, but all major systems running on these servers do. Do not collect anything from endpoints directly.

    Not a big fan of it, it's just what we have.
  • jamthatjamthat Member Posts: 304 ■■■□□□□□□□
    I've used Solarwinds LEM, QRadar and Splunk ES. LEM is very good for SMB (definitely on the smaller side) but at the time it didn't seem to get much love from their dev team.. ES can scale to infinity but requires A LOT of knowledge ($$$$$) and fine-tuning to turn it into a true SIEM. QRadar in my case was extremely expensive (as a dedicated SIEM) and replaced with Splunk, and Splunk seemed to be a better fit because while it was still expensive, it met a lot of other business needs that QRadar did not. It all depends on the size, complexity, and skill-set of your org.

    To expand on Splunk a bit, we indexed around 1tb/day and it's great for log aggregation and searching..but for true SIEM functionality, yeah..see previous comment
  • alias454alias454 Member Posts: 648 ■■■■□□□□□□
    @jamthat I don't have a ton of experience with Splunk and I am curious about the architecture. Would you be willing to share a little about your setup? Curious what type of hardware, storage, networking, EPS, etc. you have for that if you don't mind.
    “I do not seek answers, but rather to understand the question.”
  • jamthatjamthat Member Posts: 304 ■■■□□□□□□□
    Absolutely, I'll shoot you a message tonight after work
  • the_Grinchthe_Grinch Member Posts: 4,165 ■■■■■■■■■■
    At my last agency I setup and ran ELK (Elasticsearch, Logstash, Kibana) and it was awesome. It's basically a free open source alternative to Splunk and we were very successful in getting it running. We had a six node cluster that was taking in a couple of gigs worth of logs per day from dozens of servers.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    No we don't...we use splunk for logs and dashboards but the siem is wayyy tooo expensive
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • Mr.NetworkMr.Network Member Posts: 117
    Ok, Qradar cost a lot. Have you guys used Security Onion, Sguil, and Elsa ?
    CCNA R&S, MCSA.
  • SkuppSkupp Registered Users Posts: 3 ■□□□□□□□□□
    We use Alienvault here - the price is right icon_lol.gif
  • Mr.NetworkMr.Network Member Posts: 117
    Skupp, ok i was looking at their website, it looks good. But they don't give up price on the site. How much are you paying for the licensing? if I may ask.
    CCNA R&S, MCSA.
  • mataimatai Member Posts: 232 ■■■□□□□□□□
    I think traditional SIEMs may be on their way out. Check out Darktrace or Exabeam.
    Current: CISM, CISA, CISSP, SSCP, GCIH, GCWN, C|EH, VCP5-DCV, VCP5-DT, CCNA Sec, CCNA R&S, CCENT, NPP, CASP, CSA+, Security+, Linux+, Network+, Project+, A+, ITIL v3 F, MCSA Server 2012 (70-410, 70-411, 74-409), 98-349, 98-361, 1D0-610, 1D0-541, 1D0-520
    In Progress: ​Not sure...
  • mbarrettmbarrett Member Posts: 397 ■■■□□□□□□□
    Splunk is good, easy to get off the ground and start using and free if you only want to aggregate a smaller amount of logs. Very scaleable as well. Might be harder to setup queries, etc unless you have one of the "canned" front ends they have available for free.
  • E Double UE Double U Member Posts: 2,233 ■■■■■■■■■■
    We started with ArcSight and moved to QRadar. We have Splunk, but don't use it as a SIEM.

    As for why, because someone that gets paid more than I do decided that is what we will do. I just do what I am told.
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • SkuppSkupp Registered Users Posts: 3 ■□□□□□□□□□
    Mr.Network wrote: »
    Skupp, ok i was looking at their website, it looks good. But they don't give up price on the site. How much are you paying for the licensing? if I may ask.

    Hi Mr Network.

    We are currently using their free version.

    Cheers.
Sign In or Register to comment.