Hi all,
I'm a Tech Lead at a Tech Services company with 1K+ employees.
I've been looking at the following SIEM products: Elastic Enterprise Search, IBM QRadar, LogRhythm NextGen SIEM, McAfee ESM, Splunk, Splunk Cloud and Elastic Security.
Which SIEM would you recommend for an enterprise as the most "futuristic", reliable and cost-effective, with good support?
Please justify your answer.
Thanks for your advice!
Hi,
I would go with Elastic Enterprise Search. There are a few reasons why.
1. You can start with the community edition, fully free of cost
2. You can level up the skills and capabilities that you would like to use, and then move to a paid version
3. Comes with a fully scalable SOC architecture that you can build out by utilizing the various features that come with Elastic by default. You could start by ingesting just the logs, events, metrics, etc., and then build out a SIEM use case, APM use case, and XDR use case - all with the same software.
4. Already designed in a fully versatile architecture, the same solution can be used as a 100% on-premise solution to a 100% cloud, and everything in between.
5. It is kind of a buy-one-get-all solution, in a manner of speaking.
6. It is completely infrastructure agnostic. You could build this on almost any kind of infrastructure as long as you are providing the right amount of computing and storage.
Look at aiSIEM as well.
It's very cost-effective and includes the following features: SIEM, SOAR, NBAD, NTA, UEBA, IDS/IPS, and TI in a single aiSIEM license.
It's best to start your search based on the use cases/problems you need to solve.
Each product has strengths and weaknesses. I'd suggest you may want to consider UEBA and SOAR in the decision.
Our SOC teams just don't have enough people, and SIEM rules turn out high false-positive rates.
Look at the MITRE ATT&CK Framework for some guidelines on stitching multiple indicators together (threat chains/kill chains).
Collecting and searching on text, everyone can do. Finding anomalies and stitching them together into a correlated event that includes anomalies, not just preset rules with thresholds is much harder.
Enabling blocking actions and automating SOC responses should be part of your planning. I've yet to meet a SOC team with enough people, so improving automation on what to do after detection and how it integrates is a key to doing more than text search/threat hunting.
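The contrast the last reply draws, a preset threshold rule versus stitching several ATT&CK-tagged indicators into one correlated event per host, as an added example that is not from any poster in this thread. The events, the host names and the stage numbering of the tactics are constructed for the demonstration; a real deployment would take the tactic tag from the detection content that produced each event.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-chain order used to decide whether one tactic follows another
# (ATT&CK tactic names; the numbering is this example's assumption).
STAGE = {"initial-access": 0, "execution": 1, "credential-access": 2,
         "lateral-movement": 3, "exfiltration": 4}

# Constructed sample events (not from a real SIEM). ws-01 is a user who
# mistyped a password six times; ws-02 walks through five chain stages.
EVENTS = [(f"2024-01-10T09:0{i}:00", "ws-01", "credential-access") for i in range(6)] + [
    ("2024-01-10T10:00:00", "ws-02", "initial-access"),
    ("2024-01-10T10:05:00", "ws-02", "execution"),
    ("2024-01-10T10:07:00", "ws-02", "credential-access"),
    ("2024-01-10T10:08:00", "ws-02", "credential-access"),
    ("2024-01-10T10:20:00", "ws-02", "lateral-movement"),
    ("2024-01-10T10:40:00", "ws-02", "exfiltration"),
]

def by_host(events):
    """Group (timestamp, host, tactic) tuples per host, sorted by time."""
    hosts = defaultdict(list)
    for ts, host, tactic in sorted(events):
        hosts[host].append((datetime.fromisoformat(ts), tactic))
    return hosts

def threshold_rule(events, tactic="credential-access", count=5, window=timedelta(minutes=10)):
    """Preset rule: fire when `count` events of one tactic hit a host within `window`."""
    hits = set()
    for host, evs in by_host(events).items():
        times = [t for t, tac in evs if tac == tactic]
        for i in range(len(times)):
            if i + count - 1 < len(times) and times[i + count - 1] - times[i] <= window:
                hits.add(host)
    return hits

def chain_rule(events, min_stages=3, window=timedelta(hours=1)):
    """Correlated event: >= min_stages distinct tactics, in chain order, on one host."""
    hits = {}
    for host, evs in by_host(events).items():
        for i, (start, _) in enumerate(evs):
            seen = []
            for t, tac in evs[i:]:
                if t - start > window:
                    break
                if tac in STAGE and (not seen or STAGE[tac] > STAGE[seen[-1]]):
                    seen.append(tac)
            if len(seen) >= min_stages:
                hits[host] = seen
                break
    return hits
```

On this input the threshold rule fires only on the noisy workstation (a false positive) and misses the real chain, while the correlation rule fires only on ws-02 and returns the ordered tactics that justify the alert.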