2018-03-20T15:37:00Z
it_user840669 - PeerSpot reviewer
Computer & Network Systems Administrator at an aerospace/defense firm with 1,001-5,000 employees

What Solution for SIEM is Best To Be NIST 800-171 Compliant?

My organization has one last piece of the puzzle to complete for NIST 800-171 compliance. I know nothing about Network Security and Event Management. I have a team of two Systems and Network Admins that already spend a lot of time ensuring the organization is running smoothly, dealing with any technical issues, and ensuring the infrastructure is performing well. What solution is recommended for something that can automate and run with little to no interaction, but ensure the requirements and needs are met? Is there a solution that does not require heavy configuration, one that can give you an overview of the network and tell you exactly what is going on inside the network, and, if needed, any penetration alerts, if they exist?

NIST is just one aspect of SIEM compliance requirements.

39 Answers
it_user587232 - PeerSpot reviewer
Senior Consultant at Redrock IT & Security Solutions
Consultant
2018-03-28T14:26:48Z
Mar 28, 2018

There are many good SIEM products on the market today. Our company evaluated several SIEM products: LogRhythm, Splunk, AlienVault, Fortinet, and EventTracker. They are all great products. We settled on EventTracker and purchased the licenses through a 3rd party, because these companies have internal teams of trained security analysts. They take on the heavy lifting of reviewing alerts, threat analysis, etc. The required manpower is a critical piece when evaluating SIEMs.

Andre B. - PeerSpot reviewer
Executive Business Analyst & Advisor at EY
Real User
2018-03-29T12:36:17Z
Mar 29, 2018

The best paid-for system is Splunk. However, it will get very expensive for larger organizations. Similar in cost is LogRhythm. A less expensive, but still paid-for, solution would be AlienVault. If you are looking for an open source solution, either LOGalyze or Graylog2 would be the way I would go. That said, all of them will take some configuration knowledge. Professional services would be required, and training on the tools. If I were in your situation I would invest in an additional resource that has knowledge in Cyber Threat Intelligence and a Security concentration. Pro Serve is expensive, and ongoing training, though required, is also not inexpensive. Having a resource in house as a knowledge base is well worth the spend.

Farhan Tariq - PeerSpot reviewer
Information Security Analyst at a government with 1,001-5,000 employees
Real User
2018-03-29T10:40:31Z
Mar 29, 2018

Chris, you need to understand three areas where you will be required to work to achieve what you are looking for:

1. Rule sets that correlate events for the defined compliance purpose (most SIEM solutions provide these rules out-of-the-box)

2. Log source integration (this is not tricky unless there are custom log sources; you just need to follow the particular SIEM vendor's log source integration guide. For custom log sources you are required to write a parser and define the right mapping of events (requires in-depth understanding))

3. Configuring log sources to generate and ship the required logs to the SIEM (this part is a bit tricky, as you first need to figure out what type of events are required to identify a particular situation, and then configure each log source to log the identified events and ship them to the SIEM)

Remember, none of the SIEM products is a plug-in solution, although IBM QRadar is straightforward and comes with quick wins. But it requires environment-specific configuration even for a single use case of NIST 800-171 compliance checking, as in your case. If you are lacking resources then I suggest you go for an outsourcing model, either on-premises or cloud based. In this case it does not matter to you whether the SIEM solution configurations are simple or complex; what really matters is the cost and data confidentiality.
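
The three areas in the answer above, worked through as an added example that is not code from the thread or from any SIEM vendor: two small parsers map a standard source (sshd syslog) and a hypothetical custom key=value application log onto one event schema, a correlation rule runs over the normalized events, and a check reports which expected sources have stopped shipping logs. All host names, addresses, user names and log lines are constructed sample data.

```python
"""Added example, not code from the thread or from any SIEM vendor: the three
areas in the answer above in miniature. (2) parsers that map two log sources onto
one event schema, (1) a correlation rule over the normalized events, and (3) a
check that every expected source is still shipping logs. All hosts, addresses and
log lines are constructed sample data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog sample (a standard source: a vendor parser would normally exist).
SSHD_LOG = """\
Mar 28 14:00:01 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 28 14:00:04 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 28 14:00:09 web01 sshd[2210]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar 28 14:00:15 web01 sshd[2214]: Accepted password for admin from 203.0.113.7 port 51025 ssh2
Mar 28 14:05:00 web01 sshd[2300]: Failed password for bob from 198.51.100.9 port 40000 ssh2
Mar 28 14:20:00 web01 sshd[2301]: Accepted publickey for bob from 198.51.100.9 port 40001 ssh2
"""

# Constructed sample of a hypothetical in-house application log (the "custom source" case).
APP_LOG = """\
ts=2018-03-28T14:01:00 app=portal event=login result=fail user=carol src=192.0.2.50
ts=2018-03-28T14:01:05 app=portal event=login result=fail user=carol src=192.0.2.50
ts=2018-03-28T14:01:10 app=portal event=login result=fail user=carol src=192.0.2.50
ts=2018-03-28T14:01:20 app=portal event=login result=ok user=carol src=192.0.2.50
"""

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_sshd(text, year=2018):
    """Map sshd lines onto the common schema {ts, host, user, src, outcome}.
    Syslog carries no year, so the caller supplies it. Non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
                       "outcome": "fail" if m["outcome"] == "Failed" else "success"})
    return events

def parse_app(text):
    """Hand-written mapping of the key=value application log onto the same schema."""
    events = []
    for line in text.splitlines():
        kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if kv.get("event") != "login":
            continue
        events.append({"ts": datetime.fromisoformat(kv["ts"]), "host": kv["app"], "user": kv["user"],
                       "src": kv["src"], "outcome": "fail" if kv["result"] == "fail" else "success"})
    return events

def brute_force_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: at least `threshold` failures from one source address followed
    by a success from that address within `window`. One finding per qualifying success."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    findings = []
    for src, evs in by_src.items():
        failures = []
        for ev in evs:
            if ev["outcome"] == "fail":
                failures.append(ev["ts"])
                continue
            recent = [t for t in failures if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append({"src": src, "user": ev["user"], "host": ev["host"],
                                 "failures": len(recent), "success_at": ev["ts"]})
            failures = []  # a success ends the run of failures
    return findings

def missing_sources(events, expected_hosts, now, max_silence=timedelta(hours=1)):
    """Log-shipping check: expected hosts that have sent nothing within `max_silence`."""
    last_seen = {}
    for ev in events:
        last_seen[ev["host"]] = max(ev["ts"], last_seen.get(ev["host"], ev["ts"]))
    return sorted(h for h in expected_hosts if now - last_seen.get(h, datetime.min) > max_silence)

EXPECTED_HOSTS = {"web01", "portal", "db01"}      # constructed inventory; db01 sends nothing
DEMO_NOW = datetime(2018, 3, 28, 14, 30)          # constructed "current time" for the check

if __name__ == "__main__":
    events = parse_sshd(SSHD_LOG) + parse_app(APP_LOG)
    for finding in brute_force_then_success(events):
        print("ALERT", finding)
    print("silent sources:", missing_sources(events, EXPECTED_HOSTS, DEMO_NOW))
```

The point of the shared schema is that the rule is written once and runs over both sources; the custom application log costs a parser (area 2), and the silence check is the minimal form of the "is everything still shipping" work in area 3.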

it_user756744 - PeerSpot reviewer
Information Security Head at Cnergyis Infotech India Pvt. Ltd.
Real User
2018-03-30T11:30:01Z
Mar 30, 2018

Hi, I would suggest listing down use cases and then selecting a product.
As you want automation, smart alerting, behavioral monitoring, intrusion detection, SIEM and vulnerability assessment, you can go for AlienVault.

If not, and budget is the constraint, then there are many new tools in the market; search for Make in India SIEM.

However, I was also struggling for the best suitable tool and found AlienVault to be the best product for my environment. We appreciate the SumaSoft vendor as well for providing AlienVault SIEM support.

Gartner Report for SIEM:
https://www.gartner.com/doc/reprints?id=1-4LPTE9M&ct=171206&st=sb

Please look into the above link, match your use case and select.

Regards,
Amey Lakeshri

it_user350985 - PeerSpot reviewer
IT Security Specialist at a healthcare company with 1,001-5,000 employees
Real User
2018-03-28T22:54:56Z
Mar 28, 2018

I have been working with SIEM Technology for more than 10 years. LogRhythm no doubt is one of the best for a small to mid size company.

it_user615768 - PeerSpot reviewer
Sr Lead Solutions Architect at a tech services company with 501-1,000 employees
User
2018-03-28T15:54:25Z
Mar 28, 2018

As David mentioned above, there are many good SIEM products available. The challenge, in the environment as described, is getting the value out of it if you run it yourself. There is a lot of overhead when it comes to running a SIEM, especially for the uninitiated and non-cyber-minded folks.
This question is interesting because I had this very conversation with a customer yesterday. My company provides consulting services to myriad companies around the world.

Under 800-171 section 3.3 (800-53r4 AU controls), you have to demonstrate you retain logs for your cybersecurity environment (3.3.1), review logs on a regular basis (3.3.3), have the ability to 'audit' the logs (3.3.5) and alert events (AU-6).

IMHO, for an organization that has limited staff and time, a hosted version of SIEM services is best. Not just a hosted SIEM, but one with an AI/ML behavioral analysis processing engine and 24x7 'eyes on glass' (not just automated systems monitoring) certified cybersecurity analysts to evaluate all alerts, then only advising the company of an issue to be addressed. It totally takes the heavy lifting off of any company, with the benefit of (in effect) staff augmentation.

Bringing a SIEM in-house for small organizations is a challenge at best, a recipe for failure at worst, plus it may not meet 800-171 requirements. TIG ThreatWatch, Arctic Wolf SOCaaS and SecureWorks are a few in the space. Be careful: make sure you have full access to your data, the ability to run reports to generate artifacts for audits and live alerts, and that you only plug security devices into the monitoring for 800-171 requirements. Be sure to use one that doesn't cost you by volume of logs; it should be by log source, regardless of volume.

Best of luck!

MS Alam - PeerSpot reviewer
System Administrator at Abdullah Al-Othaim Markets
Real User
2018-04-01T19:35:31Z
Apr 1, 2018

This is a really good question, but I will recommend 1) Splunk 2) LogRhythm 3) QRadar. For this case you can also use SolarWinds; this one also gives you all the reports.

it_user300714 - PeerSpot reviewer
Cyber Security Manager at a pharma/biotech company with 10,001+ employees
Vendor
2018-03-29T13:29:38Z
Mar 29, 2018

I will chime in here. Emmanuel is correct. Your question focused on SIEM, but that is only part of the solution. I have been working within my organization’s security team, as a Security Manager responsible for the overall management of penetration testing and vulnerability assessment and remediation. Having the syslogs of various systems is just part of the puzzle. You will have to identify what you want to know in order to implement a better posture. Do you want to see what’s going on within the network and systems in order to respond to incidents (incident response), or do you want to see at what level your systems are in order to prevent attacks (threat management)? I have used AlienVault and it is perfect for an IT department that has too little staff to fully man a Security Operations Center (SOC). AlienVault will create one dashboard, with information ranging from account lockout events, to suspicious activity, threat assessments and even threat intelligence (think of that last as the rabbit hole that you will fall into endlessly if you’re not careful). I would get in touch with them to evaluate their product.

Emmanuel Munisi - PeerSpot reviewer
IT Field Engineer at Double Click Company
Real User
2018-03-29T09:28:01Z
Mar 29, 2018

I would recommend AlienVault for this case, as it is not very difficult to configure and also easy to maintain.

it_user738486 - PeerSpot reviewer
Founding Father with 11-50 employees
User
2018-03-29T06:51:10Z
Mar 29, 2018

No doubt almost all SIEM solutions will provide NIST compliance. And everyone probably wants to sell you their perfect out-of-the-box solution or service...

There is much more to it than just this question... What other demands are there from the business besides the NIST compliance part (e.g. scalability, performance, architecture requirements)? Do you know where your (federal) data resides? What is the scope for your SIEM?

In my experience I saw many vendors, LogRhythm, Splunk, ArcSight, QRadar, AlienVault, etc., but none of them has a really easy setup. It is true that it takes a day or 2 to install, but it takes at least a year to make it valuable for the business and to operate smoothly, and then of course the continuous effort to keep it up to date.

So solely based on the business case above I will not provide technical advice or advice for outsourcing. I need more info.

2018-03-29T06:33:15Z
Mar 29, 2018

Look at SIEM as a service options before you buy a SIEM. All SIEMs are just log correlation tools. Without resources to operationalize the SIEM, it will quickly become a very expensive logging tool. You will need skilled people to set up alerts and maintain the log parsing. Also make sure whatever SIEMaaS solution you choose allows you shared access, which helps to ensure you are getting what you are paying for from the provider. Buying a SIEM is a big expense both in people and the solution. I talk to clients daily that own SIEM tools that they bought and never fully deployed. Happy to offer client references to attest to how much work is involved in owning a SIEM. If that is your goal and you are set on that path, I would recommend LogRhythm. The SIEM scales based on hardware and not EPS (Events Per Second). SIEMs based on EPS licensing can become a budget nightmare if you can't manage your log data effectively.

it_user466905 - PeerSpot reviewer
User at a manufacturing company with 10,001+ employees
User
2018-03-28T21:45:43Z
Mar 28, 2018

NIST 800-171 has 15 controls and SIEM will help you achieve some of these controls, which requires lots of manpower, tuning, and automation. I was part of a SIEM evaluation and, after finalizing on ArcSight, the entire program failed because of collaboration issues with different businesses, resources, and a lack of interest and drive from management.

JK
IT Infrastructure Manager with 501-1,000 employees
User
2018-03-28T21:28:47Z
Mar 28, 2018

We evaluated a number of SIEM products as well with a similar goal: easy setup and little interaction required. We found the setup and support for AlienVault to be the one that best met our needs.

it_user821361 - PeerSpot reviewer
Solutions Architect at a tech consulting company with 5,001-10,000 employees
User
2018-03-28T20:44:55Z
Mar 28, 2018

Hi,

Because I’m from The Netherlands I don’t know much about NIST. After scanning the publication (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf) I think it’s mainly technically focused. In my opinion, AlienVault USM is, therefore, a good out-of-the-box solution. Not much build-it-yourself.

it_user563148 - PeerSpot reviewer
Head of IT Security at a retailer with 10,001+ employees
Real User
2018-03-28T19:28:43Z
Mar 28, 2018

The previous respondents have all given great responses. I’d agree that going for an MSSP service is sensible based on the skills you have in-house. AlertLogic have a good reputation (unsure of their US presence). If you were going to go in-house, AlienVault has a shallow learning curve, but you still need “eyes on glass”.

it_user664185 - PeerSpot reviewer
IT Support Specialist at a legal firm with 51-200 employees
Real User
2018-03-28T15:18:55Z
Mar 28, 2018

"The required manpower is a critical piece when evaluating SIEMs."

Absolutely. We decided pretty early in the evaluation process that we weren't going to be able to do it in-house. The sheer amount of information, configuration, and maintenance makes it difficult for any organization that doesn't have a dedicated security team to handle it.

"What solution is recommended for something that can automate and run with little to no interaction, but ensure the requirements and needs are met?"

Short answer: The one you have someone else handle for you.

it_user420948 - PeerSpot reviewer
Sales Leader with 1,001-5,000 employees
User
2018-03-28T15:08:41Z
Mar 28, 2018

Amongst SIEM solutions marketed by editors, the leading products are Splunk and QRadar; both solutions offer complete NIST compliance. What is most important to know is to what extent these solutions are able to communicate with other solutions and applications. This is mainly what qualifies QRadar as the leader in the SIEM field, since on top of being an IBM product, a guarantee in itself, IBM QRadar has a great list of connectors to third party solutions and finds itself at the heart of a wide portfolio of security products and solutions. The lack of technical resources is not a problem when adopting a QRadar solution; IBM proposes it in SaaS mode, which can be advantageous to multiple customers, and those who are not yet adopting a cloud-based solution can still have their own on-premises implementation, managed remotely by QRadar experts with very attractive monthly fees.

Chris Loehr - PeerSpot reviewer
President at a tech services company with 51-200 employees
Real User
2019-03-13T12:21:23Z
Mar 13, 2019

Most respectable SIEM solutions can meet 800-171 requirements. Which SIEM is best is based on what your organization wants out of the SIEM outside of the NIST requirements. If you want to meet the minimum requirements, find the cheapest solution that meets the requirements. If you want a solution that will truly serve as a cybersecurity and operational risk tool, choose one of the leaders in the market.

CY
Author with 11-50 employees
Real User
2019-03-11T15:59:19Z
Mar 11, 2019

Hey Chris,

I know I am late to this, but posting for others. Splunk has a prebuilt application specific for satisfying NIST 800-171 requirements. You can check it out here: https://splunkbase.splunk.com/app/3828/

You don't actually need to purchase Splunk's full SIEM solution (Enterprise Security). The app is free and can be installed on core Splunk with no issues.

it_user313884 - PeerSpot reviewer
Contract Sr. Security Engineer, LogRhythm Analysis/Forensics at a financial services firm with 1,001-5,000 employees
Vendor
2018-04-16T21:25:59Z
Apr 16, 2018

Current Status of the SIEM Preparations for PCI Compliance
PCI 3.0 Reporting Requirements for PCI
There are numerous reports in the SIEM available for reporting PCI compliance. In the past, some of these reports were empty when run—that problem has been largely remediated. Fixing the rest of the empty reports will require handling more of the following:
1. Ensure that all hosts listed as present in the SIEM are continuously reporting,
2. Add the remainder of the edge devices,
3. Add VPN login reports (success/fail) for all access to PROD,
4. Get all DB2 CDE activity monitoring configured,
5. Get all SQL CDE activity monitoring configured, and
6. Add reports from hosts that do malware monitoring/patch updating.
There are SIEM reports that may not really pertain directly to the CDE, as none of these can access the current configuration of the PROD environment, such as:
1. Wireless access point (WAP) monitoring,
2. Rogue WAP details, and
3. AIE Vendor Authentication Summary.
Daily SIEM Report Recommendations for PCI
The following 12 items from the top list of the SIEM Reports for PCI 3.0 cover the bulk of the regulatory requirements for daily security compliance monitoring. Each number for each section has one or two related report items that address confidentiality/integrity.
Section 1-- Proposed Daily Reports for PCI (These may change according to requirements.)
1. Added/disabled accounts,
2. Attacks detected/Top Attackers,
3. Top targeted applications/hosts,
4. Failed application/host access,
5. Malware detected,
6. FIM log summaries, Entity and Log Detail,
7. Privileged AUTH (Administrator/Root/Sudo) use,
8. Object access in the CDE (by Impacted host),
9. Authentication access (fail/success) for Amazon EC2,
10. Authentication access (fail/success) for webservers/webservices,
11. Use of non-encrypted protocols (targets/users), and
12. Security Event Summary (Impacted hosts).
Section 2—Existing PCI Reports in the SIEM (Must have hosts added manually.)

• PCI DSS: Account Management Activity,
• PCI DSS: New Account Summary,
• PCI DSS: Attacks Detected,
• PCI-DSS: Top Suspicious Users Summary,
• PCI-DSS: Top Targeted Applications Summary,
• PCI-DSS: Top Targeted Hosts Summary,
• PCI DSS: Failed Application Access,
• PCI DSS: Failed Host Access,
• PCI DSS: Malware Detected,
• PCI DSS: Malware Patching,
• PCI-DSS: AIE FIM Activity Summary,
• PCI-DSS: AIE FIM Activity Details,
• PCI DSS: Administrative AUTH Summary,
• PCI-DSS: Privileged Access Granted/Revoked,
• PCI DSS: Object Access In Cardholder Data Environment,
• PCI-DSS: Non-Encrypted Protocol Summary, and
• PCI-DSS: Security Event by Impacted Host Summary.
(Some of the above will need filters added to reduce the ‘garbage’ generated by the W2K3 DCs to Win7/W2K8 AUTH errors, i.e., RC4 to AES, as well as all the AWS Java errors.)
Automatic Alarms
Email-based reporting alarms are now configured, but only for specific items, as the remainder of the reporting alarms now existing would overwhelm the email of the recipient. This is due to the ‘garbage’ mentioned above, including IPv6 traffic that alerts on firewall rules in Windows GPs, DC encryption mismatches, etc. The remaining alarms will be created as soon as the filtering is successfully implemented.
Automatic Remediation
The SIEM has the capability to do automatic attack response/remediation. Prior to the implementation of any sort of automated response, testing for false positive reaction(s) and the potential for self-inflicted DoS must be determined.
User Tracking
The SIEM has the capability to track users' activities independently of the Windows DCs and block specific actions, such as use of temporary storage (USB drives) or read-write activity on CD-ROM drives. (This requires an added license.)

MS Alam - PeerSpot reviewer
System Administrator at Abdullah Al-Othaim Markets
Real User
2018-04-11T16:34:14Z
Apr 11, 2018

Splunk is best for most components like defense and other big industries, but we cannot ignore IBM QRadar. This product is also very good for this compliance.

it_user545463 - PeerSpot reviewer
Sr Lead Solutions Architect at Booz Allen Hamilton
Real User
2018-04-05T05:28:47Z
Apr 5, 2018

Something to keep in mind: the question included the statement "run with little to no interaction". Forgive me, but a lot of folks seem to skip over that part. It totally leaves out Splunk, LogRhythm, AlienVault (for a security person it would be easy, but for a network guy, maybe not so much), etc., but they are ALL time sinks and will not meet the little or no interaction requirement.
A service meets the requirement - functionally, it meets 800-171 (the right one does), and adds a 24x7 SOC capability that you just don't get trying to keep it internal. I'd be happy to talk through how to eval a service; I've looked at a lot of them and know some "gotchas" to watch out for.

FC
Network Management Services (NMS) Enterprise Architect with 1,001-5,000 employees
User
2018-04-04T18:26:31Z
Apr 4, 2018

Here are a few “Trails”.

Background on Security – Protection of Information…

* NIST 800-171 provides a detailed list of requirements for protecting information in general, with a focus on “Federal” user organizations. Translation: this covers such things as data encryption; masking; document security access (e.g. SSO), etc. – for customer and user information.
* You may review the international ITU-T M.3010 and ITU X.800 related to Security Services requirements
* I am indeed, as NMS Architecture Lead at SES-Networks, assessing our Security practice and Technology Roadmap (based on TMN FCAPS requirements).

Solution Approach:

* I suggest you develop some specifications to address and define your Target Architecture for Security Mngt (current state, end state; Org-Process-Tools impacts)
* Several technical solutions are on the market - re: SIEM (list not exhaustive…):
* Splunk Vendor and ITSI (Splunk Security App; Security Event Mngt – ITSI Notable Event)
* Netcracker Vendor
* Nakina / Nokia Vendor - Security practice
* CMDB / ServiceNow.

Hope it helps you… I would not mind staying in touch, and sharing both approaches related to Security Mngt and Technical Solutions….


it_user74355 - PeerSpot reviewer
User at a tech company with 51-200 employees
User
2018-04-02T16:31:49Z
Apr 2, 2018

Hi,

There are several solutions regarding SIEM. QRadar from IBM has a good approach; it is licensed for log management and for correlation management. Also, you can compare Palo Alto solutions. You can also consider FireEye to complement some security controls, mainly regarding your internal network. And finally you can explore Kibana and Elasticsearch; this is a good option for big data and for syslog analysis.

it_user610422 - PeerSpot reviewer
User at a tech company with 51-200 employees
Vendor
2018-04-01T05:26:53Z
Apr 1, 2018

1. Splunk meets most of the requirements.

2. SolarWinds may have something to give you visibility into the network.

3. Also put a next-generation firewall like Palo Alto in-line where you can see all the traffic transiting; that way you may contain most of the threats and also have visibility.

it_user349530 - PeerSpot reviewer
Sales Manager
User
2018-03-29T13:26:52Z
Mar 29, 2018

As for the SIEM solution that can meet expectations, I can recommend the solution from IBM.
IBM QRadar SIEM is very easy to install and maintain and requires little knowledge of maintenance and operation.
It combines logs and flows on one platform and correlates them with a very powerful correlation engine.
It also comes with more than 1500 reports; NIST is one of them.
With 2-3 days of training, they can operate it very easily and with confidence.

it_user604746 - PeerSpot reviewer
A. Manager Information Security Dept. with 51-200 employees
User
2018-03-29T11:27:45Z
Mar 29, 2018

I am working in the IS Department of a bank. Recently I developed the SOC at our bank using the Splunk Enterprise solution. Some detail about the SIEM solution:

It is a diagnostic tool, and with the help of this tool you and your team are able to provide details of network/systems traffic to your Network and Systems Team. Splunk has its own language, and if you would like to learn about SIEM solutions then I recommend you use this one, because software on which you need to do programming to get the required results teaches you many things. When you use it you are also able to learn about network security techniques as well as the options or parameters that you need to configure on servers and network equipment.

If you do not have any SIEM solution deployed then download the enterprise solution of Splunk and implement all those things you feel should be available in the security of the organization. The important thing you have to do before deploying the SIEM solution is to design the policies which will help keep your organization safe.

If you need further detail you can coordinate with me.

MG - PeerSpot reviewer
Founder at a tech consulting company with 1-10 employees
Real User
2018-03-29T10:39:55Z
Mar 29, 2018

Hi,

Based on the organization size, and the number of 2 network & security admins, the SIEM alone will not help to have a proper defense or to meet any compliance. It is easy to suggest a name for a SIEM vendor; many of them are ready or have shipped their products for such compliance. But in my opinion, what you need now is to build a SOC (Security Operations Center) team to handle the huge number of your organization's employees and, consequently, the number of incidents.

And for sure the vital element for every SOC is SIEM! One of the solutions: you can outsource the SOC by contracting with any recognized and trusted Managed Security Service Provider.

it_user669159 - PeerSpot reviewer
User at HCL Technology
Consultant
2018-03-29T06:34:48Z
Mar 29, 2018

Here are the requirements of NIST

3. Requirement

a. Access Control

i. You should have the right role-based access, and it should be designed in such a way that segregation of duties can be achieved, and if a data breach or mess happens then you can take the preventive measure of a training program to educate the user/admin

b. Awareness and Training

i. Self-explanatory; you have to ensure the right kind of awareness around this. This is all about non-federal information: “Protecting controlled unclassified information”

c. Audit & Accountability

i. A TACACS kind of service will help with complete logs, and regular review of this information will help you to mitigate any kind of risk

d. Configuration management

i. Under the ITSM process you need to define version control of configuration, and whenever there is a change in the environment ensure you have the last best-known config available for roll-back

e. Identification & Authentication

i. This is an extension of Access Control and Audit & Accountability

ii. You should know your people and their roles and what they are intended to do on the system

f. Incident Response

i. How do you handle an incident when a data breach takes place?

g. Maintenance

i. Maintenance of your ecosystem and its impact on the unclassified data

h. Media Protection

i. A media handling process shall help you to ensure continuity of data security and the disposal process around this.

i. Personnel Security

i. This is a physical security area; I think this can be achieved through organization policy or ISO controls

j. Physical protection

i. Protection of data, personnel, information, etc. falls under this; again ISO standard operating procedures shall help you here

k. Risk assessment

i. This is part of the InfoSec Risk Assessment to identify what the open areas of improvement are and how they will impact the overall organization, i.e. the penalty when a data breach gets disclosed to the outside world

l. Security assessment

i. Security assessment will help to mitigate the access level, system hardening, system patching, release of new patches against known/unknown malware, etc. This is a policy document which ensures how you are going to handle the security assessment.

m. System and communication protection

i. Security Assessment will identify the gaps, based on which you can think of protecting the area of exposure with specific hardware/software/configuration-related controls in place

n. System and information integrity

i. This is all about CIA (Confidentiality + Integrity + Availability); this can be achieved with role-based access control, system hardening, and standard and strong processes and policy.

4. SIEM alone will never help you to achieve this completely; SIEM is only a detection control and you should have prevention/remediation controls in place as well. If your information is so critical then you can think of deploying CyberArk (Privileged Access Control) to help, in conjunction with Active Directory

If you need any assistance then you can write to me; I shall be able to help you.

2018-03-29T06:05:01Z
Mar 29, 2018

I would strongly recommend LogRhythm; you can download the NIST KB module for free, which will contain predefined rules. You just need to provide the log sources and enable them.

it_user718317 - PeerSpot reviewer
User at a tech services company with 1,001-5,000 employees
User
2018-03-29T05:09:25Z
Mar 29, 2018

Almost all popular SIEM tools are NIST compliant. You can decide on any one of them, but EventTracker has been the choice for many enterprise-grade companies, as they make sure CUI is gathered as per NIST requirements and Incident Response (IR) is also compliant with NIST standards.

it_user639639 - PeerSpot reviewer
Senior Security Operation Centre Analyst with 1,001-5,000 employees
User
2018-03-29T03:54:34Z
Mar 29, 2018

LogRhythm and Splunk

Chris Loehr - PeerSpot reviewer
President at a tech services company with 51-200 employees
Real User
2018-03-29T01:59:29Z
Mar 29, 2018

Most popular SIEMs meet the "software" needs of NIST 800-171. You still have to have the process in place to use the SIEM as NIST intends. A SIEM is no walk in the park no matter what a vendor tells you. You have to tune it, you have to set up good alerts, you have to have reports, and then you tune some more. The SIEM has to adjust to changes in the environment. If you have O365 for example for your email, you should have info going into the SIEM as well.

If you just want to check the box, go find the cheapest thing. That is what I have seen many people do. It is not the right thing. You should get the most out of what you are doing. Like some have stated above, if you cannot run it in-house effectively on a continuous basis, find someone who has a hosted solution and let them do it for you. A SIEM is not trivial and can save your a$$ if an attack occurs.

it_user128931 - PeerSpot reviewer
CIO at a tech consulting company
Real User
2018-03-28T19:07:07Z
Mar 28, 2018

I would look at a product called Splunk.
It will collect all the logs from every host on the network and collate them into a dashboard that assures compliance and highlights events, security and other potential failures.

TW
Security Brand Channel Account Manager at IBM
Real User
2018-03-28T18:33:56Z
Mar 28, 2018

It's not so much the solution as the complete offering. Many companies are struggling with supporting the expanding security solutions with limited budget and resources. You will find many SIEM offerings that have a NIST reporting capability; however, you need to focus on the support side.

My recommendation is to look for a good Managed SIEM offering. If you don't wish to have any hardware installed, I recommend looking at a cloud-based offering. IBM QRadar can be offered both on-prem and cloud-based. I work with many of our partners who offer Managed SIEM 24/7. They would only need minimal help from your team to set up. They can tune the SIEM, generate the NIST reports and even deal with all initial threats.

JR
System Engineer at a government with 51-200 employees
User
2018-03-28T18:07:08Z
Mar 28, 2018

My understanding is SolarWinds LEM is NIST 800-171 compliant. As mentioned above, several of these products do a great job, so it comes down to cost and how much time you want to spend on getting it to run and creating dashboards. SolarWinds LEM has a good out-of-the-box dashboard and you can search for events, so we liked that here. The cost was much lower for our server bank than Splunk and Oracle Vault. If we get pulled into our enterprise, which appears to be using Splunk (but I hear that may change), we will show them our dashboard and we or they will build something similar in Splunk.

MM
Infrastructure and System Analyst with 1,001-5,000 employees
User
2018-03-28T18:00:59Z
Mar 28, 2018

As was mentioned by our colleagues here, there is a variety of good SIEM products. However, I believe your choice should be based on what your infrastructure looks like and on a well-implemented risk assessment. I can talk a little about IBM's QRadar, which is a tool with which you can accomplish all the NIST 800-171 requirements. I'm a novice dealing with it; I'm still learning. What I know is that when it's properly configured, with logs, flows, etc. set up, it can provide you a great view of what is going on in your systems.

it_user609195 - PeerSpot reviewer
Information Security Officer at a tech company with 51-200 employees
User
2018-03-28T17:11:15Z
Mar 28, 2018

Hello, I do not know the requirements of NIST 800-171; however, for simplicity and alerts on what happens on the network, I recommend considering the solution called Darktrace. At least it has given us that panoramic view quickly and easily, if I compare it with the implementation of a SIEM and the effort that must be made to be successful.
