When would you recommend a SIEM?


#1

So I posted this question on today’s VLOG before you mentioned the forums.

I wanted to ask do you guys recommend a SIEM solution for your clients?
Do you think a SIEM solution should be part of a minimum standard security model?
When would you recommend a SIEM?
What SIEM would you recommend? Is it Co-Managed?

Has anyone here used Netsurion EventTracker?
I know Solarwinds recommends Secuvant but it’s kinda pricey. I also know you get what you pay for. Anyone have any experience with them?


#2

While a SIEM is a good idea, and yes, we like a lot of the SolarWinds products, it is not affordable for all clients. Also, I am not aware of any good low-cost solutions in the SIEM market. This is mostly because it is labor intensive coming up with the feeds and threat data that feed the tools.


#3

Yeah, considering I implemented SolarWinds LEM for the corporation I used to work for, I completely understand. However, there has to be someone who has processed tons of logs and uses learning algorithms to automatically weed out the good stuff, thus reducing the hands-on setup and maintenance time.

This is why I am taking a good look at Perch Security https://perchsecurity.com/. Seems to be young but promising. I don’t know pricing yet, but SMBs seem to be their intended target, so we will see.

Netsurion is definitely affordable. So affordable, in fact, that I’m concerned it won’t be anything more than a glorified log collector, which, if that’s the case, I’m OK with. Do you guys do anything for just general log collection at all?


#4

Back to: it depends on the budget of the client. The basic that we offer is just the SolarWinds RMM tool to keep their systems patched and AV & web filtering up to date.


#5

The problem I run into is that businesses are used to spending nothing on their IT. It’s difficult to get them to even do a basic managed security package. It’s the cultural mindset. The companies apt to sign up for anything managed are the ones whose owners are from other parts of the country.

The only thing that I know will combat the mindset problem in my area is education. I don’t like getting out in front of people, but I don’t see how I have any other choice if I am to make it as a business. Nothing worth doing is ever easy, right?


#6

Take a look at EventTracker, I talked to them a couple weeks ago and liked the product.


#7

I once used this when I worked at an ISP:

https://www.alienvault.com/products/ossim


#8

No matter which SIEM or threat tracker you implement, they are only as good as the people you have in place to monitor them. Be your choice Security Onion (all FOSS), Splunk, AlienVault, etc., you need to be proactive.


#9

This is why co-managed is important.


#10

Agreed, two sets of eyes are always better, but those eyes need to be well schooled in the application and what it shows.