You can't read about cybersecurity without coming across an article in which the author praises a SIEM or Security Information and Event Management setup.
A SIEM is certainly a worthy tool in your cybersecurity arsenal, but before you jump into one, you should be aware of a few things. Namely:
- Tools used to monitor network, application, or device security generate a lot of data. A SIEM can cut down the "noise" and improve visibility, but this isn't plug and play.
- SIEMs are licensed by number of nodes or events per second (EPS).
- You'll need more than one person on the project, or at least a plan and a budget. To scale and manage network security monitoring properly, you'll need either machine learning that surfaces abnormal alerts in real time or a managed service provider (MSP).
- Nearly every SIEM vendor claims they're the best. Not only is this not objectively helpful in any way, you'll also have to find the setup that works for your particular use case.
- TEST TEST TEST! If they don't let you test, drop them like it's hot!
Finding Worthy Setups
I reviewed 33 viable SIEMs in the market and narrowed the choices down to 5 potential choices. The fact that these finalists were included in Gartner's Magic Quadrant for SIEMs wasn't a major factor, but the research and insight certainly did help.
Here are the products I had sales calls and demos/trials/POCs with (in no particular order):
1. Splunk
This was one of my favorite SIEMs to test. The interface was intuitive and easy to use (for me anyway; the boss freaked out about the search syntax), and the people were super nice and helpful.
There is also a local Splunk group in my area.
This setup actually made me consider being an engineer in this field. No joke.
The problem was the price: licensing is based on uncompressed data indexed in GB/day. It's way too expensive, so it's unfortunately out of budget. Too bad.
2. AlienVault
AlienVault was really cool. I enjoyed the demo and had some fun with the OSSIM (open source version) in my home lab.
The blog and documentation were great as well. The people were great. I even got to meet some of their folks a couple of years before doing this demo at the Security Congress conference I attended.
Unfortunately, the pricing wasn't right for this one either. It had different options and is licensed based on the number of unique assets.
3. LogRhythm
I liked the interface and scheduled a demo.
A lot of people had great things to say about this solution.
Unfortunately, we had to cancel the demo after the initial call as our set of approved vendors didn't support this product. This was an unfortunate skip; I would have loved to have seen more.
4. RSA
This solution is on the Gartner chart, and that's about the only good thing I can say, unfortunately, as my interactions with their people were bad.
My experience with the kickoff call was extremely negative. The 2 sales guys on the call refused to get me rolling on a trial/proof of concept until my environment was appropriately sized.
What made this worse was these 2 sales guys were glorified frat boys who couldn't help me appropriately size my environment. This is not a cheap insult. They really were insufferable. There's no way for our organization to calculate events per second (EPS) appropriately without some sort of automation.
When I asked what they could do to help with sizing and pricing information, I got the dumbest response I have ever received that I will probably never forget - "We cannot swag together an IT quote for security analytics." Wow, I've never heard swag used in this context before.
I've seen better customer service from irritating door-to-door salesmen with pointless products. I was really looking forward to this one, so you can imagine my disappointment. This one had to be a hard pass.
5. ManageEngine
Great suite of enterprise products for IT management.
They have a free trial you can download and test; there are no salespeople up front. They will contact you through the trial and link to some genuinely useful documentation.
Their support is amazing, and they regularly offer training and courses, both free and paid. Very cool.
Their pricing is very good, offering different subscription licensing models for support.
I have to say, this one really impressed me. I was not expecting such a positive result. This was the last one I looked into (out of 7—these 5, Nagios, and SolarWinds LEM).
The only negative aspect I can think of is that the out-of-the-box configuration is very plain. A TON of configuration is needed to get this thing humming properly.
Honorable Mention
Nagios
While not a SIEM so much as a log server, this solution is cheap and popular enough to work in a pinch if a SIEM is out of the question (budget-wise).
Their sales and support were phenomenal, and they had great training on their product.
Much Needed Capabilities
The goal is to find a SIEM that can do the following really well:
- Data collection: It seems obvious, but it needs to be able to collect data from various sources and combine it in one searchable interface.
- Alerting: The SIEM will need to be able to alert based on exceeded thresholds. Dashboarding and emailing are fine in this respect, as we already have SNMP alerting.
- Correlation: Data is going to mount up considerably, so it needs to be able to identify similarities and use statistical analysis to make the information useful (or at least provide pretty pictures to my boss).
- Retention: I will constantly have to ask the server guys for more storage, so this solution will need to archive data and allow users to easily access historical data, even if it needs to be saved or loaded. Metadata will also need to be a thing.
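As an added example (not code from the original post), here is how the collection, correlation and alerting capabilities above fit together: a constructed set of domain controller logon failures (event 4625) and Office 365 failed sign-ins are normalized to one schema, then counted against a per-user threshold. The field names and values are assumptions modelled on those two sources; neither source alone crosses the threshold, but the combined view does.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in the shapes two sources hand over: a Windows Security
# event 4625 (logon failure) from a DC and an Office 365 audit record. Values are made up.
DC_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2024-03-10T09:00:05", "TargetUserName": "jdoe", "IpAddress": "10.0.0.9"},
    {"EventID": 4625, "TimeCreated": "2024-03-10T09:01:10", "TargetUserName": "jdoe", "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "TimeCreated": "2024-03-10T09:01:30", "TargetUserName": "asmith", "IpAddress": "10.0.0.5"},
]
O365_EVENTS = [
    {"Operation": "UserLoginFailed", "CreationTime": "2024-03-10T09:02:00", "UserId": "jdoe@example.com", "ClientIP": "203.0.113.7"},
    {"Operation": "UserLoginFailed", "CreationTime": "2024-03-10T09:03:00", "UserId": "jdoe@example.com", "ClientIP": "203.0.113.7"},
    {"Operation": "UserLoggedIn", "CreationTime": "2024-03-10T09:04:00", "UserId": "asmith@example.com", "ClientIP": "203.0.113.8"},
]

def normalize(dc, o365):
    """Collection step: map both sources onto one schema (time, user, src_ip, source)."""
    common = []
    for e in dc:
        if e["EventID"] == 4625:
            common.append((datetime.fromisoformat(e["TimeCreated"]),
                           e["TargetUserName"].lower(), e["IpAddress"], "dc"))
    for e in o365:
        if e["Operation"] == "UserLoginFailed":
            common.append((datetime.fromisoformat(e["CreationTime"]),
                           e["UserId"].split("@")[0].lower(), e["ClientIP"], "o365"))
    return sorted(common)  # one time-ordered stream, whatever the origin

def threshold_alerts(events, limit=3, window=timedelta(minutes=5)):
    """Correlation/alerting step: 'limit' failures for one user inside 'window',
    counted across all sources, raise one alert; the window then resets."""
    recent = defaultdict(deque)
    alerts = []
    for ts, user, ip, source in events:
        q = recent[user]
        q.append((ts, ip, source))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= limit:
            alerts.append({"user": user, "first": q[0][0].isoformat(), "last": ts.isoformat(),
                           "sources": sorted({s for _, _, s in q}), "ips": sorted({i for _, i, _ in q})})
            q.clear()
    return alerts

if __name__ == "__main__":
    for a in threshold_alerts(normalize(DC_EVENTS, O365_EVENTS)):
        print(a)
```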
Begin a Proof of Concept and Start Testing
We can't go on marketing information alone. We have to get a trial or proof of concept to see how well the products perform in our environment.
I can't spend too much time babysitting the SIEM when I have literally everything else to do, so getting a trial key or proof of concept authorization is critical.
Needs Based on Conversation
- The main focus will be security in ITOPS, which has many network nodes.
- A portion of the data could be regulated data depending on scoping: HIPAA, CJIS, PCI.
- It needs to hook into Office 365.
- It needs to talk to domain controllers.
- The end goal is pretty straightforward, as I alluded to earlier. I need to be able to reduce the time spent investigating issues and increase the speed of issue resolution. This cannot become something I have to budget time to babysit.
Next Steps
- We need an engineer from the sales team to work with us to obtain 3 to 5 distinct alert profiles to test use cases.
- Potentially assist with pulling in data from different devices and intelligence data.
- Update: Here's some good information on integrating intelligence sources: Feed Your SIEM With Free Threat Intelligence Feeds.
- Make sure the trial key has adequate space for testing (100 GB should be fine).
- General availability of engineers.
- GET ACTUAL PRICING INFORMATION, NO HORSE SHIT.
- Flexibility in licensing and invoicing, especially since this will be a hard sell to the budget masters.
- We could potentially work on a business value assessment (BVA) because the budget masters will not care how we frame it.
Finalize Testing and Gauge Setup
- Make sure physical network devices are actually sending data to SIEM (make sure logging is enabled).
- Make sure agents are installed and configured if required (like on DCs).
- Verify the appropriate level of logging (like logging on Cisco devices).
- Make sure ESXi hosts are sending appropriate information from clusters.
- Remember to save changes and commit (if necessary).
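Two things from this post can be checked against a sample of what the collector actually receives: the checklist above (is every expected device really sending data?) and the licensing inputs from the intro (EPS, and uncompressed GB/day for Splunk-style pricing). This added example, not code from the original post, parses constructed syslog lines, estimates peak and average EPS and uncompressed GB/day at the sampled rate, and lists expected hosts that never showed up; hostnames, timestamps and messages are made up.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed RFC 3164-style syslog sample (hostnames, times and messages are made up).
SAMPLE = """\
<189>Mar 10 09:00:00 core-sw01 %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down
<189>Mar 10 09:00:00 core-sw01 %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up
<134>Mar 10 09:00:00 esx-01 Hostd: Event 1234 : User root logged in
<86>Mar 10 09:00:01 dc01 sshd[1200]: Accepted publickey for admin from 10.0.0.5
<189>Mar 10 09:00:02 core-sw01 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.9(4444) -> 10.0.1.2(445)
<134>Mar 10 09:00:02 esx-01 vpxa: Hung heartbeat
"""
# Hosts the checklist says must be logging (assumed names; edge-fw01 is deliberately silent).
EXPECTED_SOURCES = {"core-sw01", "esx-01", "dc01", "edge-fw01"}

LINE_RE = re.compile(r"^<\d{1,3}>(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

def parse(text, year=2024):
    """Return (timestamp, host, uncompressed_bytes) per well-formed line; BSD syslog has no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skipped here, but a real collector should count these too
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), len(line.encode()) + 1))  # +1 for the newline
    return events

def size_estimate(events):
    """Licensing inputs: peak and average EPS, and uncompressed GB/day at the sampled rate."""
    per_second = Counter(ts for ts, _, _ in events)
    span = (max(per_second) - min(per_second)).total_seconds() + 1
    total_bytes = sum(b for _, _, b in events)
    return {"peak_eps": max(per_second.values()), "avg_eps": len(events) / span,
            "total_bytes": total_bytes, "gb_per_day": total_bytes / span * 86400 / 1e9}

def source_report(events, expected):
    """Checklist step: per-host line counts, plus expected hosts that never sent anything."""
    counts = Counter(host for _, host, _ in events)
    return {"counts": dict(counts), "silent": sorted(expected - set(counts))}

if __name__ == "__main__":
    ev = parse(SAMPLE)
    print(size_estimate(ev))
    print(source_report(ev, EXPECTED_SOURCES))
```

A few seconds of sample is only a demonstration; size against a full business day (including backup windows and patch cycles) before quoting EPS to a vendor.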
Alternatives to SIEMs and Syslog Servers
You can also use something like Aristotle Insight. I reviewed this company after we had already moved forward with a SIEM and custom analytics setup, but something like this could help when a SIEM may be too much.
Using something more like a cybersecurity analytics tool could get you the visibility you need without all the statistical stuff to worry about.
View Levels:
- L3 - high level
- L2 - general
- L1 - specific info
Small Footprint:
- Services and user space.
- Maybe half a MB, compressed and encrypted.
- Queuing agent for areas with poor cell coverage.
Wrap Up
There you have it. I probably spent about 1,000 hours researching SIEMs and creating several documents. This came from my pre- and post-demo evaluations and POCs, as well as conversations with numerous salespeople and engineers.
Of course, this doesn't include my time with the 2 options we went with—2 years of SolarWinds LEM and nearly 2 years of EventLog Analyzer from ManageEngine. I didn't talk much about the LEM, as it was purchased when I was on family leave. I liked it, but it was extremely difficult and tedious (and everything was in FLASH!). I was happy when we went over to the ZOHO side.
My next go-around (likely at a new place of work) will be more streamlined.
How was your SIEM induction process? How did you fare? Leave a comment below.