Has anyone got experience in deployment of a SIEM solution?

Question

Has anyone got experience in deployment of a SIEM solution?

Has anyone got experience in deployment of a SIEM solution using either McAfee Nitro or IBM Qradar or AlienVault USM?

I am looking to understand the pitfalls associated. I find that the vendor documentation is often short on specifics in relation to the overall components needed and am concerned that there is a nasty expensive surprise waiting for me.

it_user108681

Security Solution Architect with 501-1,000 employees

9
48

9 Answers

Answered Apr 4, 2017

Product comparison that may be of interest to you

AT&T AlienVault USM vs. IBM Security QRadar

May 2023

Free Report: AT&T AlienVault USM vs. IBM Security QRadar

Find out what your peers are saying about AT&T AlienVault USM vs. IBM Security QRadar and other solutions. Updated: May 2023.

DOWNLOAD NOW

709,643 professionals have used our research since 2012.

Related Questions

Liam Brandt

User at Catalyic Consulting (Pvt.) Ltd

Mar 22, 2023

Why do most companies prefer IBM QRadar?

Hi community, Please let us know your thoughts in the comments below. Thank you!

See 2 answers

VS

Valter Sav

User at RAS Unipers

Mar 14, 2023

Hi, in my opinion, because it is still the best at giving you visibility of what's happening in your IT infrastructure, and at detecting threats. Visibility and detection may seem simple tasks. but actually, they require a lot of capabilities in understanding, integrating, logging, and alarms from a huge multitude of devices. Such tasks go under the line of log ingestion, normalization, etc., and that is far from easy. QRadar has done a lot of work in that direction. Another aspect is event correlation. And here, either you write the correlation rules yourself, spending $$$$ of professional services, and by the way, it'll take forever to test, implement and maintain up to date, or your access to a very long list of preset correlation rules, that are already available and waiting to be activated. Finally, visibility and threat detection is just the beginning of a journey pointed at becoming aware of what's happening in your IT and taking relevant and effective action. There are several other technologies that have to be used to minimize exposure, and contain, and remediate relations to an attack. I believe IBM has a few of those, that can be integrated. But whichever you use at the end of this journey, if the original feed is not correct, not relevant, or not complete, you missed your goal in the first place.My 5 cents :)VS

Read full answer

Jairo Willian Pereira

Information Security Manager at a retailer with 10,001+ employees

Mar 22, 2023

I´m not sure about this affirmation. There are a lot of other tools used.

Read full answer

Julia Miller

Community Director at PeerSpot

Oct 18, 2022

What is your experience regarding pricing and costs for IBM QRadar Advisor with Watson?

Hi, We all know it's really hard to get good pricing and cost information. Please share what you can so you can help your peers.

2 out of 4 answers

SU

reviewer1136397

Team Lead - Information Security at LTI - Larsen & Toubro Infotech

Feb 6, 2022

I can't speak to the exact pricing. I've never looked at its commercial costs.

Read full answer

RR

reviewer1409433

Cyber Security Specialist at UST Global

May 12, 2022

Licensing is mostly dependent on the EPS, events per second. Depending upon the number of products that are integrated with the platform, we have to come to an optimal EPS value. I'm not very sure about the financials, however, the licensing cost cannot be as much as that for Sentinel, which is not very low. For customers who need medium EPS values, we advise QRadar. The basic out the box cost covers, the EPS value that you have specified, and then some archiving maybe. It should include at least six months of archiving and other functionalities. Most of the customers will go for the standard package and we don't have to go for extra archival or enhanced DPS. 10% to 15% of DPS can always be increased. It will not completely shut down the system, however, it'll start sending us notifications that the DPS is getting increased and then we can go for a higher licensing.

Read full answer

See all 4 answers

Related Articles

NC

Netanya Carmi

Content Manager at PeerSpot (formerly IT Central Station)

May 2, 2022

Top 8 Log Management Tools 2022

PeerSpot’s crowdsourced user review platform helps technology decision-makers around the world to better connect with peers and other independent experts who provide advice without vendor bias. Our users have ranked these solutions according to their valuable features, and discuss which features they like most and why. You can read user reviews for the Top 8 Log Management Tools to help you d...

Ertugrul Akbas

Manager at ANET

Oct 9, 2021

The Math of SIEM Comparison

There are many comparisons and scoring reports like Gartner. But a small part of their scoring is technical capacity. Other comparisons available on the web or magazines are marketing, sales, and presales documents. They do not include extensive technical analysis. In today’s ever-evolving cybersecurity climate, businesses face more threats than ever before. Finding the right SIEM is crucia...

2 out of 6 comments

CH

CraigHeartwell

Visionary at Whaduu, LLC

Jul 12, 2021

Excellent article. ArcSight claims to use ML - they are not listed under ML here (?). Can LogRhythm handle your correlation logic example? A simple comparison table would be very useful (features, checkmarks).

Read full comment

Ertugrul Akbas

Manager at ANET

Jul 12, 2021

@CraigHeartwell, thanks for your spelling correction. ArcSight acquired Interset for ML. Yes, LogRhythm can handle the logic. SIEM Comparison table is on my mind for a long time. I published the Turkish version. I need to work to extend it before publishing.

Read full comment

See all 6 comments

Ertugrul Akbas

Manager at ANET

Nov 11, 2022

How to Select the Right SIEM Solution?

The right SIEM tool varies based on a business’ security posture, its budget and other factors. However, the top SIEM tools usually offer the following capabilities: Scalability — Ensure the solution has the capability to accommodate the current and the projected growth. Log compatibility — Ensure that the solution is compatible with your logs Correlation engine — Does the solution have th...

2 out of 3 comments

MK

Mike Kehoe

IBM Security, European Threat Management Sales Leader at IBM

May 11, 2021

Having the SIEM as a central feeder is a traditional solution architecture. The question can be asked , do I have the right security platform ?. As the interconnections to this traditional centralized solution will always need maintaining. In the case of a Security platform this effort is removed.

Read full comment

JS

John Stanford

Senior Network Architect / Network Team Leader at ICE Consulting. Inc.

May 12, 2021

A good Security Platform includes SIEM, UEBA, NTA, and SOAR! on a single pane of glass, but I agree all security platforms require constant maintenance to remain viable as a part of the security posture!

Read full comment

See all 3 comments

Ertugrul Akbas

Manager at ANET

Jan 24, 2023

Features of Today's SIEMs – Requirements for Today’s Attacks and Breaches

It is important to retain logs for a significant amount of time in order to be able to investigate and analyze past attacks. This allows security teams to identify patterns and trends that can aid in the detection and prevention of future attacks. The retention period will vary depending on the organization's specific requirements and regulations, but it is generally recommended to keep logs ...

Navcharan Singh

Senior Seo Executive at Ace Cloud Hosting

Oct 7, 2022

SIEM vs. Firewall

Security Information and Event Management (SIEM) solutions differ significantly from firewalls. While both security solutions are integral components of cybersecurity infrastructure, they have different capabilities, functions, and roles. Do you need SIEM if you already have a firewall? If you have questions about the difference between SIEM and firewall, you have come to the right place....

Product Comparisons

Related Categories

Security Information and Event Management (SIEM)

it_user640764 · Answer 1 · 2017-04-04T14:24:13Z

This tool can help you both with the implementation and post-implemtation phase. Health Check Framework (HCF) for IBM QRadar: https://www.scnsoft.com/services/security-intelligence-services/health-check-framework-for-ibm-qradar-siem
HCF allows to automate certain things within your deployment, troubleshoot performance issus and fine-tune the solution.

it_user194049 · Answer 2 · 2016-04-26T19:13:12Z

i have implemented the IBM QRadar, its the simplest to install and configure.
install, add log sources,create use cases as per your needs and QRadar will log all the events and network activity.
you can then perform forensics as well as vulnerability scans.

it_user280122 · Answer 3 · 2016-04-13T08:45:30Z

The basic things like adding log sources is hopefully not a problem but i think to get most value from the SIEM is to make a list of use cases tweaked to your organisation and log sources to find the problems/incidents your C-level can understand. Then you will keep on getting the fundings you need to get the issues you think is necessary to make the SIEM a valuable tool.

A.J. DiLorenzo · Answer 4 · 2016-04-05T22:19:40Z

I've implemented AccelOps SIEM which also does Server/Network Performance and Availability monitoring. Most of the work involved was with configuration of SNMPv2/v3 or WMI on endpoint devices if the SIEM is not agent-based. Also, a lot of configuration with fine tuning the rules/reports specific to your organization as mentioned. Basic Linux knowledge is also recommended for AccelOps. I would also recommend purchasing Proessional Services hours for implementation guidance and proper training of IT staff and end-users (if applicable) that will be accessing/using the SIEM.

it_user214419 · Answer 5 · 2015-03-26T16:44:52Z

Hello. If you need any assistance through sizing and deployment of IBM QRadar, you should contact a local sales partner in your area. A partner should be able to size your specific needs, no matter little or big they are.

it_user417333 · Answer 6 · 2016-04-04T10:37:32Z

it_user417333

InfoSec Manager

MSP

Apr 4, 2016

is it the same now for Alienvault? What level of Linux knowledge is needed?

it_user182445 · Answer 7 · 2015-01-16T13:55:04Z

I have implemented McAfee Nitro and IMB Qradar, where the later was the easiest to implement. Majority of the work is fine tuning and creating rules that are specific for your organization. All vendors will tell you about builtin intelligence that offer nothing in the read world

it_user113184 · Answer 8 · 2014-05-15T14:51:56Z

it_user113184

Security Expert at Q1 Labs, an IBM Company

Consultant

May 15, 2014

That's the problem with the SIEM solutions that have no built-in intelligence.

it_user102447 · Answer 9 · 2014-05-08T21:44:31Z

We implemented the Alienvault USM product and one of the largest considerations to make is the Linux knowledge required to implement, configure and manage the solution. Depending on the current in-house skill set and architecture this may or may not present as a consideration.