Badges

60 Points
2 Years

User Activity

Over 2 years ago
You may also want to consider the MITRE ATT&CK framework. https://attack.mitre.org/
Over 2 years ago
Best Practice Papers Additional detail is available in several public papers vetted by SANS that have become industry best practices  A Process for Continuous Security Improvement Using Log Analysis https://www.sans.org/white-pap... #33824  Successful SIEM and Log…
Over 2 years ago
It's best to start your search based on the use cases/problems you need to solve.  Each product has strengths and weaknesses. I'd suggest you may want to consider UEBA and SOAR in the decision.  Our SOC teams just don't have enough people, and SIEM rules turn out high…
Over 2 years ago
SIEM focuses on correlation - detection, both known (and with UEBA), unknown/0 Day anomalies XDR focuses on blocking - usually of only known patterns - If on Threat Intel List, block - much like implementing AV at a firewall/network level, not entirely dissimilar to IPS.…
Over 2 years ago
As several have said, it depends on quite a few factors 1. What use cases are you trying to solve?  - Search/Threat Hunting is easy and a baseline, Splunk does a great job, as do Sumo, AlertLogic, Devo and a few others in the cloud for even less than Splunk. - Threat…
Over 2 years ago
@Norman Freitag It's not top rated by analyst firms. While it's easy to ingest data it takes a lot of care and feeding and licensing gets expensive as the size grows. Good for NOC use cases, much tougher for SOC, and requires expensive add ons like Caspida for Insider and…
Over 2 years ago
You're describing the use cases for a Web Application Firewall. Web-specific IDS, injection, attack detection and mitigation.  Cloudflare is one you might look at. Imperva, Whitehat... several vendors and products to choose from. One in the cloud that also does DDoS…
Almost 3 years ago
Incident Response playbooks detail how to act when a threat or incident occurs. PICERL - Preparation, Identification, Containment, Eradication, Remediation, Lessons Learned (From SANS).  The playbook outlines what to do at each stage Typical SOAR playbooks automate the…
Almost 3 years ago
It would really depend on (1) which logs you need to ingest and (2) what are your use cases Splunk is easy for ingestion of anything, but the charge per GB/Day Indexed and it gets expensive as log volume increases. Splunk is good for operations style use cases (NOC), but…
Almost 3 years ago
SIEM vs UEBA 1. SIEM is designed to store events for extended periods (typically 365 days), UEBA violations/rule triggers add to risk scores but generally function on real-time data and < 30-day old data 2. SIEMs are generally Rule-Based - "If X Happens Y Times in Z Time…
Almost 3 years ago
@Shibu Babuchandran Splunk gets expensive as your size grows. It's the St. Bernard puppy.   ELK Metron, Greylog are the common entry log collectors if you have a minimal budget. But I would suggest small organizations should look to partner with an MSSP for managed SOC/SIEM…
Almost 3 years ago
As a rule, a SIEM correlation should:  1) Reduce events by 99.99% - raw events to correlations 2) Impact system performance by <1%  3) Produce Correlated Threats with >35% true positive rate on investigation - 33% are usually false positives or misconfigurations (not real…
Almost 3 years ago
Most SIEMs shouldn't require agents. You can generally configure Windows Event Forwarding (WEF), to a Windows Event Collector (WEC), and then forward logs via one agent on the WEC for multiple endpoints.   We use NXLOG at Securonix.  I would suggest if you need to deploy…
Almost 3 years ago
There are 26 base use cases every SIEM should run that find Indicators of Compromise (IOCs) on machines.  They follow two basic patterns - Everything Counts in Large Amounts and Do Any Two Things Wrong, Go to the Top of the List.  Success After Fail is another common…

Projects

Almost 3 years ago
GSEC, GSNA, GCIH, GCIA, CISSP, MCSE, MCNE, ACTP,
GSEC, GSNA, GCIH, GCIA, CISSP, MCSE, MCNE, ACTP, CCNA...

Answers

Over 2 years ago
Security Information and Event Management (SIEM)
Over 2 years ago
Security Information and Event Management (SIEM)
Over 2 years ago
Security Information and Event Management (SIEM)
Over 2 years ago
Security Information and Event Management (SIEM)
Over 2 years ago
Security Information and Event Management (SIEM)
Over 2 years ago
User Entity Behavior Analytics (UEBA)
Almost 3 years ago
IT Alerting and Incident Management
Almost 3 years ago
Security Information and Event Management (SIEM)
Almost 3 years ago
Security Information and Event Management (SIEM)
Almost 3 years ago
Security Information and Event Management (SIEM)
Almost 3 years ago
Security Information and Event Management (SIEM)

Interesting Projects and Accomplishments