As several have said, it depends on quite a few factors.
1. What use cases are you trying to solve?
- Search/Threat Hunting is easy and a baseline, Splunk does a great job, as do Sumo, AlertLogic, Devo and a few others in the cloud for even less than Splunk.
- Threat detection and alerting for compromised accounts and data misuse requires adding UEBA features (Securonix, Exabeam, Caspida/Splunk, Rapid7...)
- Malware prevention generally requires SOAR capabilities
2. What's your staff level, and how well trained are they?
- Open Source / Threat Hunting tools will require much higher time and talent investments (I typically plan on 3X people costs vs commercial)
- You may need to consider an MSSP if staff is small or not well trained.
3. What hours of operation do you need? Back to staffing and MSSP options.
Well trained SIEM guys with SOC experience are expensive hires and the market is tight. They're not easy to find. Building a great SOC analyst takes a few years. SANS Incident Handling and Incident Response classes help, but are priced at $7k or so each. Operating system skills (MCSE/RHCE...), networking skills (CCNA, CCNP, JNIA, JNIE...), anti-virus, IDS and at least basic packet analysis skills are also needed.
4. What fits your budget?
- Depending on budget you may need to plan in stages.
- SIEM deployment and maturity often takes a full year
- SOAR integration (Ticketing and blocking Responses), can take another year
An integrated approach, understanding your collection of security tools is always going to give a better answer than a single new shiny tool.
If you haven't already, also consider going back to basics and the SANS/CIS Top 20 controls.
Poorly patched networks with little in the way of anti-phishing and poor anti-malware tools often benefit more from getting the basics right before going on to SIEM/UEBA/SOAR.
I am admittedly biased but there are very good reasons that Splunk is the leader in this space. It all depends on your requirements if it is best for you. Splunk is pricey but I assume that budget is not really one of your concerns so that is good. The major strengths of Splunk include: flexibility, late-binding schema (with the option to normalize with the Common Information Model), ease of validation (everything is a search), speed of implementation (fast time to value), robust command set (you can do ANYTHING and it is FUN), the BEST documentation in all of tech, the most helpful community in all of tech, and an ever-broadening end-to-end ecosystem of features and products to feed the beast (although admittedly, as upsells).
I think you are missing the point here. Many SIEM solutions will give you similar abilities, however, odds are that just one SIEM will perfectly fit your needs. Are you interested in NOC capabilities (device monitoring) or just security logs? Will you send flows to the SIEM? How many people are in your security team? How many servers/networks/devices... will be monitored? Answer that first, and you'll get the perfect recommendation.
In response to your question, I can say I have worked with quite a few SIEMs, ranging from ArcSight to Splunk. The ability to meet both compliance and regulatory requirements for reporting is a must, as is how easy it is to get the compliance reporting out of the SIEM once it is running, and their effectiveness in managing the large amounts of data they collect and catalogue to produce the SIEM outcome reporting and analysis that feed a SOC. The need to address your NIST compliance can be addressed through this reporting as well.
I suggest you give some consideration to the Fortinet product called FortiSIEM. It is very scalable and will feed the CMDB for better control of the assets in operation.
We have been asking the same question for a while now and did a POC with a few freeware options. The best one currently on our list is AlienVault's OSSIM appliance, which did give us the best feature set. The only issue we have picked up lately is that the risk database for OSSIM seems to be falling behind on updates. We are investigating why this is happening, but this has made us start looking at other alternatives. To date, we have not decided on a final option, but we have started looking at two other options, namely OpenVAS and OSSEC, but this is only in the preliminary investigation stage. We still have our OSSIM appliance active and it has helped us a lot with visibility.
SIEM tools offer critical insight for federal agencies into both current security posture and potential cyberthreats. Effectively deploying these tools at scale, however, demands adoption and integration best practices that both account for existing resource environments and prioritize value-driven compliance outcomes.
As a result, agencies must find SIEM solutions that best match their current IT posture. I recommend an evaluation of what your existing teams have experience with and what integrates best, followed by a live-production evaluation of best-of-breed solutions.
To ensure federal SIEM deployments are effectively integrated into your IT environment and meet evolving policy guidelines, implementation efforts must address critical areas:
-Support: Infrastructure support and operational planning are essential to making the most of SIEM deployments. Knowing your environment in terms of scale and size to determine what kind of solution you need is very important. Just pointing all network logs at SIEM will create more noise and cost more money.
-Scalability: It is critical to deploy platforms capable of scalability, aggregating, and searching both on-prem and cloud-based event logs for SIEM success. Third-party applications, distributed databases, and single sign-on tools have become commonplace.
-Speed: Real-time data is essential for active threat response. SIEM solutions must deliver insight on demand, handle analytics, and aggregation at speed.
-Specificity: Importantly, not every log is relevant, and not every incident requires a response. Agencies need to make meaningful decisions up-front rather than on the fly by planning to configure, optimize, and tune out information that won't be useful or relevant, to prioritize specific outcomes or meet regulatory guidelines.
-Segmentation: This is a critical step for organizations to define automation and orchestration parameters before deploying a SIEM solution.
The benefits and advantages for Federal Agencies at scale:
-Efficiency improvements: By aggregating multiple log sources, IT staffers get the big picture faster, making it easier to take action and reducing the strain on IT departments already spread thin.
-Consolidated infrastructure: Single-source systems naturally consolidate data, limiting the risk of resource over-provisioning and decreasing overall complexity.
-Response identification: Consistent, accurate log data helps IT teams identify the best response to IT security events and apply these responses at scale.
-Automation integration: Data generated by advanced SIEM solutions underpins security orchestration, automation, and response solutions capable of handling low-level InfoSec incidents without human interaction.
-Threat intelligence: Combined with evolving artificial intelligence tools and machine learning algorithms, SIEM-generated data forms the foundation of actionable, agile threat intelligence to help federal agencies stay ahead of malicious actors.
Based on experience, the cyberthreat landscape is forever changing, and SIEM solutions must adapt at the speed of light. The Splunk solution is tailored for agency requirements, with data correlation capabilities as well as access to behavior analysis tools that identify suspicious insider activity requiring further investigation by cybersecurity teams.
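The post above (and the Splunk answer earlier that mentions late-binding schema and CIM normalization) describes three things a SIEM does before an analyst sees anything: normalize events from unrelated sources into one schema, tune out the logs that carry no signal, and correlate what is left across sources and over time. The following is an added example, not code from any poster on this thread and not from any of the products named. It builds a toy version of that pipeline in Python over constructed sample data: a handful of made-up sshd syslog lines and a made-up firewall CSV export. The log formats, the 2024 year assumed for syslog (which carries no year), the decision to drop permitted-traffic firewall events as noise, and the "three failures then a success within five minutes" threshold are all assumptions chosen for the illustration.

```python
"""Toy SIEM pipeline: parse, normalize late, tune out noise, correlate across sources."""
import csv
import re
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

SYSLOG_YEAR = 2024  # assumption: classic syslog timestamps have no year

# Constructed sample input, not real logs. One bastion host, two client IPs.
SYSLOG_LINES = [
    "Jan 12 03:14:01 bastion sshd[2211]: Failed password for admin from 203.0.113.7 port 52211 ssh2",
    "Jan 12 03:14:03 bastion sshd[2211]: Failed password for invalid user oracle from 203.0.113.7 port 52213 ssh2",
    "Jan 12 03:14:06 bastion sshd[2215]: Failed password for root from 203.0.113.7 port 52220 ssh2",
    "Jan 12 03:15:40 bastion sshd[2230]: Accepted password for deploy from 203.0.113.7 port 52301 ssh2",
    "Jan 12 03:16:00 bastion sshd[2240]: Failed password for alice from 198.51.100.4 port 40001 ssh2",
    "Jan 12 03:16:30 bastion sshd[2241]: Accepted password for alice from 198.51.100.4 port 40002 ssh2",
    "Jan 12 03:16:31 bastion sshd[2241]: pam_unix(sshd:session): session opened for user alice",
]
FIREWALL_CSV = """timestamp,action,src,dst,dport
2024-01-12T03:13:50,deny,203.0.113.7,10.0.0.5,23
2024-01-12T03:13:52,deny,203.0.113.7,10.0.0.5,3389
2024-01-12T03:13:55,allow,203.0.113.7,10.0.0.5,22
2024-01-12T03:15:00,allow,10.0.0.12,10.0.0.5,22
2024-01-12T03:16:29,allow,198.51.100.4,10.0.0.5,22
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_syslog(line):
    """Map an sshd auth line onto the common schema; return None for lines we do not model."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    action = "login_failure" if m["result"] == "Failed" else "login_success"
    return {"ts": ts, "src_ip": m["src"], "user": m["user"], "action": action, "source": "sshd"}


def parse_firewall_csv(text):
    """Map firewall CSV rows onto the same schema (no user field in this source)."""
    return [
        {"ts": datetime.fromisoformat(r["timestamp"]), "src_ip": r["src"], "user": None,
         "action": f"fw_{r['action']}", "source": "firewall"}
        for r in csv.DictReader(StringIO(text))
    ]


# Tuning decision (assumption): permitted traffic is volume without signal for this use case.
NOISE_ACTIONS = {"fw_allow"}


def tune(events):
    return [e for e in events if e["action"] not in NOISE_ACTIONS]


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when a successful login from an IP follows >= threshold failures from that IP
    inside the window; enrich with how many firewall denies the same IP produced in the window."""
    failures, denies, alerts = defaultdict(list), defaultdict(list), []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ip = e["src_ip"]
        if e["action"] == "login_failure":
            failures[ip].append(e["ts"])
        elif e["action"] == "fw_deny":
            denies[ip].append(e["ts"])
        elif e["action"] == "login_success":
            recent = [t for t in failures[ip] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "brute force followed by successful login",
                    "ts": e["ts"], "src_ip": ip, "user": e["user"],
                    "failures": len(recent),
                    "fw_denies": sum(1 for t in denies[ip] if e["ts"] - t <= window),
                })
    return alerts


def run_pipeline():
    """Return counts at each stage plus the alerts, so the effect of tuning is visible."""
    normalized = [e for e in map(parse_syslog, SYSLOG_LINES) if e] + parse_firewall_csv(FIREWALL_CSV)
    kept = tune(normalized)
    return {"normalized": len(normalized), "kept": len(kept), "alerts": correlate(kept)}


if __name__ == "__main__":
    result = run_pipeline()
    print(f"normalized={result['normalized']} kept={result['kept']}")
    for a in result["alerts"]:
        print(a)
```

On the constructed data, 11 events normalize, 8 survive tuning, and one alert fires for 203.0.113.7: three failures against three different accounts, a successful login as "deploy" 94 seconds later, and two firewall denies from the same address just before. The single failure from 198.51.100.4 followed by a success produces nothing, which is the point of the threshold. The same structure scales to real sources by adding parsers that emit the common schema; the correlation rule never needs to know which product produced the line.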
I would recommend the use of Splunk with AI/ML and a configuration management tool like Ansible; by doing so you will get the best outcome, as it will act as SIEM and SOAR, plus you can use them in other areas to help boost your business.
We use and deploy AlienVault (now AT&T), Splunk and have an open source version as well. All are good to a point, but they need a quality SOC with a SOAR (Security Orchestration, Automation and Response) to respond and recover. In addition, there need to be in place active tools for protection of data in motion and data at rest for segregated backup/recovery and holistic backup and recovery. Splunk also is excellent but needs components such as AI/ML engines and developers/scientists to leverage its capabilities. I have not worked with the RSA SIEM but have also heard good things... the process and people doing the work are IMO more important than the tool itself. Hope this helps!
We use both AlienVault and FortiSIEM (formerly AccelOps) and in both cases use a managed security services provider to monitor and maintain. Our chief concern was ease of use and cost. While we really appreciated AlienVault, they were acquired by AT&T towards the end of 2018 and we were concerned about how costs would escalate.
I would not expect a SIEM or a managed SIEM service to respond and help you recover from a cyberattack, I would look for a managed SOC service for that, most would include a SIEM service as part of that.
Depending on your goals in designing and implementing this resource, whatever you are choosing should deliver its best, if configured properly. https://www.itcentralstation.com/products/comparisons/rsa-netwitness-logs-and-packets-rsa-siem_vs_splunk should give you an insight into the top 2 personal choices, and apps I've worked with: RSA NetWitness and Splunk. Having a history with both leads me to recommend RSA NW from the stability point of view. A broad discussion is listed in this topic and it's a must to answer those questions before deciding to pursue any step further. https://www.itcentralstation.com/questions/what-questions-should-i-ask-before-buying-siem
- Features [Real-time Security Monitoring, Threat Intelligence, Data and End User Monitoring, Application Monitoring, Analytics, Log Management & Reporting, Deployment & Support Simplicity, Implementation Flexibility]
We would recommend exploring Exabeam (offers a cloud based deployment which could be very compelling) or CI Security (https://ci.security/), a managed service offering. We are assuming your team is likely resource constrained and needs a solution that meets all of your requirements, but also is simpler to deploy and can be managed with a smaller team. If you're interested in learning more about the solution space, I recently delivered a SIEM comparative analysis for a customer that I'd be willing to share. Please feel free to reach out if this is of interest and we can determine the best way to connect directly.
Almost all SIEM solutions do the same task if properly configured.
The point here is whether they want to go open source or premium.
Here the trick is that if they want to go for open source, they first need an expert team who are good at managing the infra in every respect, because if there is any issue they will not get any support from the company.
For a premium SIEM solution they just need a team with basic knowledge of incident response and threat hunting; for any technical challenges the company will assist 24x7.
If your environment is complex and you're trading information with people on a fairly open basis, but it needs to be secure, then you should consider QRadar. It has functionality none of the other SIEM solutions come close to offering. The state-of-the-art behavior analytics that are available with QRadar are pretty world-class. Also, its functionality in adapting to log sources is unmatched. Add to that the ability to correlate point-in-time log events with things happening over time using time series data, and you have the best in breed, especially for sensitive government information.
The best tool on the market today is Splunk. Referring to explorative search, ease of administration and scalability, there is nothing comparable.
The only possible threshold is that you need to buy the license, it's not freeware.
@Norman Freitag It's not top rated by analyst firms. While it's easy to ingest data it takes a lot of care and feeding and licensing gets expensive as the size grows. Good for NOC use cases, much tougher for SOC, and requires expensive add ons like Caspida for Insider and complex AI/ML use cases.
@David Swift Well, it's top rated by Gartner, for example, and it is a platform, so 90% of security data is very useful for ITOps and many more departments like Sales and Marketing.
Together with some apps it's the single point of truth for transparency and the best decision making for your company.
It's much easier to handle than the rest in the same Gartner Quadrant.
So on the TCO view, I am sorry, but I have to totally disagree. Looks like you missed the big picture a little bit.
Have a pleasant day