Top 8 Security Information and Event Management (SIEM) Tools

Updated: September 2021.

1. Splunk
   "It allows us to digest the information, the data, the different data streams, so we can make decisions based upon information that we receive, and it is pretty robust."
2. IBM QRadar
   "The feature that I have found most valuable is how it monitors the real network. That is its leading security feature."
   "What we like about QRadar and the models that IBM has, is it can go from a small-to-medium enterprise to a larger organization, and it gives you the same value."
3. Devo
   "The most valuable feature is definitely the ability that Devo has to ingest data. From the previous SIEM that I came from and helped my company administer, it really was the type of system where data was parsed on ingest. This meant that if you didn't build the parser efficiently or correctly, sometimes that would bring the system to its knees. You'd have a backlog of processing the logs as it was ingesting them."
4. Netsurion EventTracker
   "There are a host of things that are most valuable. Obviously monitoring our environment and reporting out different events is important. They perform a suite of services. They monitor all of our servers, all of our key infrastructure, like our DNS, our switches, all that stuff. They aggregate and correlate that quarterly. They'll tell us if we're getting a lot of login failures and something is going on or if something's weird."
5. Securonix Security Analytics
   "The solution is stable and scalable."
   "There aren't any positive aspects of the solution. It was a complete failure. There are no redeeming features."
6. Fortinet FortiSIEM
   "I like the various options, including the option for CMDB and the easier access to create rules, playbooks, or use cases. It's also easier to use for creating dashboards and reports."
7. LogRhythm NextGen SIEM
   "Technical support is very helpful and responsive."
   "File Integrity Monitoring is really valuable because we have it set up on our core assets. This is one of the key features that I utilize. We also use it quite a lot for event management to do reporting."
8. ArcSight Enterprise Security Manager (ESM)
   "Very good real-time reporting with a good dashboard. We have been satisfied with the support."

Advice From The Community

Read answers to top Security Information and Event Management (SIEM) questions.
Rony_Sklar
Hello community, what are the differences between how NDR and SIEM work? What are the pros and cons of each? Is it necessary to have both types of tools?
William Munroe
User

The answers are all solid.

I would add that NDR tools do not look just at network traffic. Most of the vendors have realized that the cloud is now part of the network and are intaking and analyzing AWS, Google, and MS cloud information looking for risks and threats.

I would also add that many mid and small-sized companies either outsource or do not run a SIEM because they are complex and require security analyst resources they often cannot afford.

Many will run EDR and NDR on-premise or outsource the entire stack to an MSSP and MDR vendor.

Angela Heindl-Schober (Vectra AI)
Vendor

"SIEMs are incredibly flexible technology platforms that can be used within your environment to discover advanced threats and to fill gaps in coverage for other tools. In theory, you could replicate a lot of EDR use cases in a SIEM by forwarding all endpoint data and building your own searches and data models, but it wouldn't be cost- or operationally effective. This is why we have EDR tools.

The same goes for NDR. Many organisations have attempted to solve NDR use cases with their SIEM tools but have had limited success, and these solutions are quite cost-prohibitive to build and maintain. Network threats are getting more complex and more widespread, and organisations need to invest in specialist tools like NDR that provide insights into the threats within your network rather than solutions that just allow you to search on raw data. While most organisations will more than likely require a SIEM to fill some edge cases in their technology stack, more often than not organisations save in both upfront and ongoing costs by investing in a strong NDR solution before investing in a SIEM."

Lindsay Mieth
Real User

Your SIEM should receive and process traffic generated by your NDR as well as events from your endpoint protection systems, server event logs, infrastructure device logs and cloud services logs, then be able to correlate these data points to highlight suspicious patterns or anomalies. The SIEM can then send commands to perimeter and point systems in certain cases to interrupt such activity, or just alert on them.

Jairo Willian Pereira
Real User

SIEM aggregates data from multiple systems (like an EDR solution, IDS/IPS, etc.) and analyzes that data to catch abnormal behavior or potential cyberattacks. SIEM tools offer a central place to collect events and alerts, security data from network devices, servers, domain controllers and more. In a simple way, EDR may be just another "sensor type", and the SIEM stores, normalizes, aggregates, and applies analytics to that data to discover trends, detect threats, and enable organizations to investigate any alerts.

DK Shrivastava
User

NDR is just analysis of network behaviour and forms a part of a SIEM strategy. It can only detect anomalies in network traffic flow. SIEM takes logs of network flow also.

Nicholas Arraje
Vendor

NDR and SIEM are two different types of tools used by security professionals.

You don't need a SIEM to run an NDR solution or vice versa. Larger organizations or mature organizations tend to have both in addition to other tools like EDR and SOAR.

Today's NDRs are typically designed to provide network visibility and detection across your entire network (East-West, North-South), and yes, the network is no longer just your on-prem environment. It also includes your cloud environment, as most NDR solutions support AWS, Azure, and GCP.

NDR tools can generate PCAP data, network logs and metadata, and alert data, all of which can be consumed by a SIEM.

SIEMs in many organizations are the log aggregation tools and data-laking solutions for the security team. For small organizations that just want NDR, most solutions offer their own UI and don't require a SIEM.

For those organizations that already have a SIEM, the NDR is one of the most valuable tools to generate forensic data.

You can learn more about NDR solutions from Bricata's ebook on "What to look for in an NDR".

Sanghoon Jang
User

Hello.
NDR generates source events from network traffic.
SIEM gathers one or more sources, as well as NDR events, and does correlation analysis.
So a company needs both systems.

Rony_Sklar
SIEM and SOAR have a lot of components in common. How do they differ in the role they play in Cyber Security? If you've been working in cybersecurity, you've likely come across SOAR and SIEM technologies. There are differences between their capabilities, although they have a fair amount of commonalities. They both collect data, but the quantity of data, type of data, and type of response is where they differ. As threats have advanced, security professionals may be in need of both. That's where SOAR and SIEM come to the rescue, although there has been some confusion as to the difference between the two. The two technologies have different competencies, but can be combined to increase a security team's or SOC's effectiveness. We've evaluated the differences of the best SIEM tools and top SOAR tools to clear up the differences between each. SIEM vs SOAR In short, SIEM aggregates and correlates data from multiple security systems to generate alerts while SOAR acts as the…
reviewer1510752 (Cyber Security Analyst (Tier 2) at a tech services company with 51-200 employees)
Consultant

SIEM involves the collection, correlation and aggregation of security logs and data from the various log sources integrated into the SIEM solution. The log sources: servers, network devices, firewalls, IDS and IPS, WAF, etc. This correlation is achieved and analysis is carried out either by the analyst monitoring the SIEM solution, or automation is involved and the analyst receives alerts from the said SIEM solution.

On the other hand, SOAR helps in the automation of response to alerts generated and received from the SIEM solution and all other integrated platforms in the environment. This helps the analyst in the prioritization of threats and incidents and reduces the total time from detection to recovery.

Hasan Zuberi ( HZ )
Real User

It's not easy to understand the key differences when looking at SOAR vs. SIEM because they have many components in common.

Security information and event management (or SIEM) tools are a way to centrally collect pertinent log and event data from various security, network, server, application and database sources. To be able to differentiate between normal and suspicious activities, the SIEM tool needs regular upgrades and tuning, and this should be done by analysts and engineers. Once a SIEM is properly tuned, responding to the alerts generated by a SIEM still remains a manual process.

Each alert must be reviewed and investigated by an analyst to determine if the event is a false positive, or an actual incident that warrants further investigation and remediation.

During an actual incident, the investigation and remediation activities will also be a manual process.

The SOAR terminology (adopted by Gartner) is an approach to security operations and incident response used today to improve security operations efficiency, efficacy, and consistency. To better understand what this means, let’s look at its components separately...

Denis L
Reseller

TLDR:

SIEM:

Security information management: Long-term storage as well as analysis and reporting of log data.

Security event manager: Real-time monitoring, correlation of events, notifications, and console views.

SOAR:

SIEM + Threat Intelligence (IoCs, AI, etc.), Vulnerability and Threat Management (analysis, reporting, management views, dashboards, real-time analysis), and automation and orchestration for incident response (something like the ability to block a dst_ip that we get from, for example, a proxy log, on our firewall).

Gregg Woodcock
Real User

The SIEM is the detection/surveillance engine, whereas the SOAR is the remediation/response engine.

Shastri Sooknanan
User

SIEM is the log file collection of IT assets and various intel feeds that aggregate and correlate big data.

The SOAR component mostly enhances how the detected anomalies are handled with minimal to no human interaction by coordinating corrective action from one or more systems.

Hasan Zuberi ( HZ )
Real User

  • The coordination (security orchestration) of various disparate security tools and technologies being used within the tool stack (typically from various vendors) to seamlessly integrate and communicate with each other to establish repeatable, enforceable, measurable, and effective incident response processes and workflows. People and processes must also be orchestrated properly to ensure maximum efficiency.

  • The method of automatically (security automation) handling tasks and processes without the need for manual human intervention, reducing the time these take by automating repeatable processes and applying machine learning to appropriate tasks. Automation usually takes place through the use of playbooks (the former containing linear tasks, and the latter containing decision-based conditional actions) to reduce or eliminate the mundane actions that must be performed.

  • SOAR allows security teams to do more with fewer resources, while providing features to automate, orchestrate, respond and measure the full incident response lifecycle, including detection, security incident qualification, triage, and escalation, enrichment, containment, and remediation. Some of the key benefits of utilizing SOAR technology include reducing the time from breach discovery to resolution, minimizing the risk resulting from security incidents, and improving the overall effectiveness and efficiency of SOC operations, acting as a force multiplier.

Sagar_Shah
Real User

What is SIEM?

Firewalls, network appliances and intrusion detection systems generate an immense amount of event-related data—more data than security teams can reasonably expect to interpret. A SIEM makes sense of all of this data by collecting and aggregating and then identifying, categorizing and analyzing incidents and events. This is often done using machine learning, specialized analytics software and dedicated sensors.

A SIEM solution examines log data for patterns that could indicate a cyberattack, then correlates event information between devices to identify potentially anomalous activity and finally, issues alerts accordingly.

So why isn’t a SIEM solution effective on its own?

SIEM tools usually need regular tuning to continually understand and differentiate between anomalous and normal activity. The need for regular tuning leads to security analysts and engineers wasting precious time on making the tool work for them instead of triaging the constant influx of data.

What is SOAR?

Like SIEM, SOAR is designed to help security teams manage and respond to endless alarms at machine speeds. SOAR platforms take things a step further by combining comprehensive data gathering, case management, standardization, workflow and analytics to provide organizations the ability to implement sophisticated defense-in-depth capabilities.

Here’s how:

  • SOAR solutions gather alarm data from each integrated platform and place them in a single location for additional investigation.
  • SOAR’s approach to case management allows users to research, assess and perform additional relevant investigations from within a single case.
  • SOAR establishes integration as a means to accommodate highly automated, complex incident response workflows, delivering faster results and facilitating an adaptive defense.
  • SOAR solutions include multiple playbooks in response to specific threats: Each step in a playbook can be fully automated or set up for one-click execution directly from within the platform including interaction with third-party products for comprehensive integration.

Put simply, SOAR—sometimes also known as security automation and orchestration (SAO)—integrates all of the tools, systems and applications within an organization’s security toolset and then enables the SecOps team to automate incident response workflows.

SOAR’s main benefit to a SOC is that it automates and orchestrates time-consuming, manual tasks, including opening a ticket in a tracking system, such as Jira, without requiring any human intervention—which allows engineers and analysts to better use their specialized skills.
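As an added example (not code from the answer above or from any SOAR product), here is a minimal Python playbook of the shape the thread describes: take the SIEM alert, enrich it from integrated sources, branch on a decision, act, and keep a case timeline of every step. The threat-intel entry, asset inventory, firewall client and ticket step are constructed stand-ins; a real platform would call vendor APIs at exactly those points. Containment can run fully automated or be parked for one-click approval, as the bullet on playbooks describes.

```python
# Constructed enrichment sources for the example, not real feeds or inventory.
THREAT_INTEL = {"203.0.113.42": "known C2 address (constructed IoC entry)"}
ASSETS = {"10.0.0.5": {"name": "db-01", "criticality": "high"},
          "10.0.1.20": {"name": "ws-17", "criticality": "low"}}
SEVERITY = {"low": 1, "medium": 2, "high": 3}


class Firewall:
    """Stand-in for a firewall API client; a real SOAR integration calls the vendor API here."""
    def __init__(self):
        self.blocked = set()

    def block(self, ip):
        self.blocked.add(ip)
        return f"blocked {ip}"


class Case:
    """Case record: the alert, what each step found, what was done, and current status."""
    def __init__(self, alert):
        self.alert = alert
        self.timeline = []        # (step, message), the audit trail an analyst reviews
        self.pending = None       # action waiting for one-click approval
        self.status = "open"
        self.verdict = None
        self.ioc = None
        self.asset = None

    def note(self, step, msg):
        self.timeline.append((step, msg))


def enrich(case):
    """Step 1: add context from the integrated sources."""
    dst, src = case.alert["dst_ip"], case.alert["src_ip"]
    case.ioc = THREAT_INTEL.get(dst)
    case.asset = ASSETS.get(src, {"name": "unknown", "criticality": "unknown"})
    case.note("enrich", f"threat intel for {dst}: {case.ioc or 'no match'}")
    case.note("enrich", f"source asset {case.asset['name']} (criticality {case.asset['criticality']})")


def decide(case):
    """Step 2: decision-based branch; these conditions are the playbook's logic."""
    sev = SEVERITY.get(case.alert["severity"], 0)
    if case.ioc:
        case.verdict = "contain"
    elif case.asset["criticality"] == "high" and sev >= SEVERITY["medium"]:
        case.verdict = "investigate"
    else:
        case.verdict = "close"
    case.note("decide", f"verdict {case.verdict}")


def respond(case, firewall, auto_contain=True):
    """Step 3: act. Containment is either fully automated or parked for approval."""
    if case.verdict == "contain":
        action = lambda: firewall.block(case.alert["dst_ip"])
        if auto_contain:
            case.note("respond", action())
            case.status = "contained"
        else:
            case.pending = action
            case.status = "awaiting_approval"
            case.note("respond", "block queued for analyst approval")
    elif case.verdict == "investigate":
        case.status = "assigned"
        case.note("respond", f"ticket opened for {case.asset['name']}")   # ticketing stand-in
    else:
        case.status = "closed"
        case.note("respond", "closed as informational")


def approve(case):
    """Analyst one-click: run the parked action and update the case."""
    if case.pending is None:
        return case.status
    case.note("respond", case.pending())
    case.pending = None
    case.status = "contained"
    return case.status


def run_playbook(alert, firewall, auto_contain=True):
    case = Case(alert)
    enrich(case)
    decide(case)
    respond(case, firewall, auto_contain)
    return case


# Constructed SIEM alerts; rule names follow the use-case names used elsewhere on this page.
ALERTS = [
    {"id": "SIEM-1001", "rule": "Traffic to Known Attacker", "severity": "high",
     "src_ip": "10.0.1.20", "dst_ip": "203.0.113.42"},
    {"id": "SIEM-1002", "rule": "Firewall Allow after Repetitive Drops", "severity": "medium",
     "src_ip": "10.0.0.5", "dst_ip": "198.51.100.9"},
    {"id": "SIEM-1003", "rule": "Repeat Attack - Firewall", "severity": "low",
     "src_ip": "10.0.1.20", "dst_ip": "198.51.100.9"},
]

if __name__ == "__main__":
    fw = Firewall()
    for alert in ALERTS:
        case = run_playbook(alert, fw)
        print(alert["id"], case.status, case.timeline)
```

The point of the structure is that each step writes to the case before the next one runs, so the timeline doubles as the audit trail, and the only place a human is needed is the approval gate on the containment branch.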

Evgeny Belenky
Hi community members, Let's discuss what are the main differences between UEBA (User and Entity Behavior Analytics) and SIEM (Security Information and Event Management) solutions.
David Swift
Real User

SIEM vs UEBA

1. SIEM is designed to store events for extended periods (typically 365 days); UEBA violations/rule triggers add to risk scores but generally function on real-time data and less than 30-day-old data.

2. SIEMs are generally rule-based - "If X Happens Y Times in Z Time Interval" or simply "If X happens". UEBA rules look for anomalies - "If X Happens and it's NEVER Happened Before", "If Y happens and other Users (or machines, the E in UEBA) run an executable or execute a transaction they've never done".

3. The group-by field in SIEM rules is normally an IP address. In UEBA the group is the user or machine and may join events (threats - see the MITRE ATT&CK Framework https://attack.mitre.org/). With SIEM I target a 99.999% event reduction; with UEBA I look for another order of magnitude (99.9999%) reduction by cross-correlating user movement throughout the enterprise as they move from one host to another, and as they show up in various logs with variations on their user name (or no user field at all, with IP-to-user lookup).

4. UEBA enriches data to give it context - Who is the user? What department are they in? Is this IP/URL on a blacklist? Has the user had a bad employee review from HR? Does the user have risks from LexisNexis-like bankruptcy, divorce, or pending court case data?

5. UEBA rules commonly link events over longer periods of time with risk scores (probabilities that an event represents a compromise), and scores grow as more threats are seen over days, weeks, or months.

6. SIEMs typically work with security device logs (firewalls, IDS, AV...), while some of the best UEBA use cases are based on application logs. Example: ATM 1 ran an EXE the other 500 ATMs have never run AND connected to a foreign IP address AND spat out $5,000 in 10 minutes when normal cash withdrawals are <$500/hour.

7. SIEM rules compare events in real time to new events. UEBA rules have to "learn normal" by building profiles about the user/entity's past actions, then compare new events to determine if they match prior behavior patterns. UEBA rules are often based on 3X spikes by hour/day/week/month vs. "X happened Y times" static thresholds.
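As an added illustration of the contrast drawn in the answer above (example code, not part of the answer or of any vendor's product), the following Python puts one SIEM-style static rule next to two UEBA-style checks over a constructed event set: a "never seen before for this user" executable, and a volume spike against a learned per-day baseline, with risk scores that accumulate per user. The event records, field names, risk weights and thresholds are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed sample events, not real logs: (user, host, executable, timestamp).
# Two days of "normal" history that the UEBA side learns from ...
HISTORY = [
    ("alice", "ws-01", "outlook.exe", "2021-09-01T09:00:00"),
    ("alice", "ws-01", "excel.exe",   "2021-09-01T09:05:00"),
    ("alice", "ws-01", "outlook.exe", "2021-09-02T09:01:00"),
    ("bob",   "ws-02", "outlook.exe", "2021-09-01T09:10:00"),
    ("bob",   "ws-02", "code.exe",    "2021-09-01T10:00:00"),
    ("bob",   "ws-02", "code.exe",    "2021-09-02T10:02:00"),
]
# ... and one new day to score.
NEW_EVENTS = [
    ("alice", "ws-01", "outlook.exe", "2021-09-03T09:00:00"),
    ("alice", "ws-01", "psexec.exe",  "2021-09-03T09:02:00"),   # alice has never run this
    ("carol", "ws-03", "cmd.exe",     "2021-09-03T11:00:00"),   # no history for carol at all
] + [("bob", "ws-02", "code.exe", f"2021-09-03T10:0{i}:00") for i in range(6)]  # burst


def siem_threshold_rule(events, key_index, times, window_seconds):
    """SIEM-style static rule: "X happens Y times in Z time interval", grouped by one
    field (index 0 is the user here; a classic SIEM would group by IP). Returns
    {key: largest count seen inside any single window} for keys that tripped."""
    stamps_by_key = defaultdict(list)
    for ev in events:
        stamps_by_key[ev[key_index]].append(parse_ts(ev[3]))
    hits = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):            # sliding window over sorted times
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= times:
                hits[key] = max(hits.get(key, 0), end - start + 1)
    return hits


def learn_profiles(history):
    """UEBA-style "learn normal": which executables each user has run before and
    how many events per day they usually generate."""
    procs = defaultdict(set)
    per_day = defaultdict(Counter)
    for user, _host, proc, ts in history:
        procs[user].add(proc)
        per_day[user][parse_ts(ts).date()] += 1
    return {u: {"procs": procs[u],
                "avg_per_day": sum(per_day[u].values()) / len(per_day[u])}
            for u in procs}


def ueba_score(profiles, events, spike_factor=3.0):
    """Score new events against the learned profiles. Risk accumulates per user, so
    two weak signals on one entity outrank one weak signal spread over many.
    The weights (50/40/30) are arbitrary constants chosen for this example."""
    risk = Counter()
    findings = []
    per_day = defaultdict(Counter)
    for user, host, proc, ts in events:
        prof = profiles.get(user)
        if prof is None:                               # entity with no baseline at all
            risk[user] += 50
            findings.append((user, "no behavioural baseline for this user"))
            continue
        per_day[user][parse_ts(ts).date()] += 1
        if proc not in prof["procs"]:                  # "X happened and has NEVER happened before"
            risk[user] += 40
            findings.append((user, f"never ran {proc} before (host {host})"))
    for user, days in per_day.items():                 # spike against learned daily volume
        avg = profiles[user]["avg_per_day"]
        for day, n in days.items():
            if n > spike_factor * avg:
                risk[user] += 30
                findings.append((user, f"{n} events on {day} vs. baseline {avg:.1f}/day"))
    return dict(risk), findings


if __name__ == "__main__":
    print("SIEM rule (>=5 events per user in 10 min):", siem_threshold_rule(NEW_EVENTS, 0, 5, 600))
    risk, findings = ueba_score(learn_profiles(HISTORY), NEW_EVENTS)
    print("UEBA risk:", risk)
    for user, msg in findings:
        print("  ", user, "-", msg)
```

On this data the static rule only sees bob's burst of six events; the baseline checks also surface alice's first-ever psexec.exe and carol, who has no profile at all, which is the difference the answer describes between counting and learning normal.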

Navin Rehnius
Real User

SIEM is the platform where we can see all of the security events. Here we can analyze, investigate, correlate, create reports, dashboards, etc.

UEBA is used to find out the unusual behaviour, compare data with various sources and analyze the found issues.

Hope it is informative!!

Thanks!!!

Tjeerd Saijoen
Vendor

Many SIEM solutions like QRadar are using UEBA in a SIEM solution.

User and Entity Behavior Analytics (UEBA) use machine learning to detect anomalies in the behavior of users and devices connected to a corporate network.

Chiheb Chebbi
Hi community, what is the best way to deploy agents/sensors (such as a SIEM agent) in large-scale Windows environments? Any hands-on tips or recommendations? Thank you.
David Swift
Real User

Most SIEMs shouldn't require agents. You can generally configure Windows Event Forwarding (WEF) to a Windows Event Collector (WEC), and then forward logs via one agent on the WEC for multiple endpoints.

We use NXLOG at Securonix.

I would suggest if you need to deploy agents on Windows you're probably best using Group Policies in Active Directory and an MSI installer.

WMI can be used to collect logs, but I highly recommend against it. It's insecure, using COM/DCOM ports 135-138 to query, then SMB 445 for file transfer, and requires DLLs to decode the binary format.

Sensors implies traffic collection and layer 2 devices (Corelight, Gigamon, ExtraHop), and is an entirely different process.

You will probably have to deploy at least one log collector for the vendor's SIEM you deploy. Most will be a Unix host, and you'll want to make sure you plan for its patch management (many vendors don't patch after install and it's left to the customer). Some are deployed via VMs. Some supply hardware devices (ArcSight Connector Appliance, QRadar Event Processor).

Puppet, Terraform and other cloud tools can help with deployment of collectors on cloud environments.

Jairo Willian Pereira
Real User

Some products permit generating a native .MSI package. Sometimes, you can use PowerShell for connecting and installing packages in your environment.

Not trivial: using a secondary tool (an administrative tool, iLO/iDRAC, PHP, expect, ssh-win, ...) that is available or built in on the assets.

https://docs.microsoft.com/en-...

Chiheb Chebbi
Hi community, once a SIEM is deployed successfully, what are the top use cases you'd recommend to implement for the Microsoft environment? Thank you in advance!
Shibu Babuchandran
Real User

Some of the use cases that are important and a good start would be:

- Authentication activities
- Account management
- Connection activities
- Policy-related activities

Shibu Babuchandran
Real User

Some of the top use cases for SIEM:

1. Authentication activities

Security use cases should ensure that only legitimate users have access to the network. Implement use cases to detect attacks such as brute force attacks that target user credentials. Monitor the frequency of failed and successful logins to critical systems and report failed login attempts above the set threshold.

Other activities to monitor would include logins attempted at strange hours, multiple logins from the same IP address, and modifications to system files.

Raise alerts and generate reports as soon as suspicious authentication activity is detected. Having timely and detailed information about the attack helps security officers determine the impact of a compromised account and prevent additional damage.

2. Account management

Attackers know that privileged user credentials will give them greater access to sensitive data and important corporate resources. Account management security use cases should provide full visibility on privileged accounts and detect activities that indicate account misuse.

Monitor user account creation and deletion, and activities related to system and resource access. Keep an eye out for sudden activity on inactive accounts and increased activity around sensitive data.

Use cases should also flag the unusual escalation of privileges, unauthorized access to shared folders, and any unusual behavior that points to stolen user credentials, like employees trying to access data or systems they rarely use.

3. Connection activities

As remote work environments become the norm, it’s crucial to pay closer attention to connection activities related to routers, ports, wireless access points, etc. across the company network.

Your use cases should ensure that remote connections are coming from the expected locations and send alerts for suspicious locations or concurrent VPN connections. Identify and report on connections, both allowed and denied, and provide detailed information on connection attempts such as hostname, source country, destination country, and direction.

4. Policy-related activities

Regulatory bodies such as HIPAA, GDPR, and PCI-DSS require specific procedures related to data integrity and confidentiality. These procedures are usually well documented, making it easy to create use cases based on the rules and regulations outlined.

Create use cases that monitor the underlying security controls that enforce compliance. Monitor log files, changes to credentials and events related to personal data, and policy changes related to audits, authentication, authorization, etc. Flag unauthorized changes to configuration files and deleted audit trails.

5. Threat, malware, and vulnerability detection

SIEM is a vital part of threat detection. Use cases created should detect indicators of compromise, malware infections, and system vulnerabilities. Look for activities that suggest malware, like unusual network traffic spikes and traffic or queries to known malware domains and IP addresses.

Forensic analysis of historical data and threat intelligence feeds can also identify patterns that can expose past or ongoing threat behavior. SIEM use cases can also test for known risks using aggregated data from the SIEM system.

John Rendy
Consultant

That's excellent, @Chiheb Chebbi.

Now you would want to see if all your Windows environments have been configured to send all the logs, especially at the endpoint level. Ensure you get all the authentication logs at the very least. You could opt to get the OS-level audit logs to help with further advanced use cases, such as threat hunting.

If you are using Office 365, ensure you have enabled the integration for the account activities, including fine-grained audit logs for all your file-sharing activities.

Very good and impactful use cases would be the following ones:

1. User Behaviour Analysis

Monitoring your employees' access behaviour and seeing if there are any probes for brute force by identifying a high number of authentication failures.

2. Data Leak Prevention Analysis

Monitoring whether your file sharing is controlled for internal activities and which shares are set for public sharing (outside the organization).

3. Threat Hunting Analysis

Understanding several key attack indicators which leverage Windows-specific utilities such as the SMB protocol, RDP and privilege escalation on your Windows OS.

If you have vulnerability assessment tools and you can integrate the results into your SIEM, ensure that your SIEM helps with proactive patch management, identifying the CVE landscape of your specific Windows environment, correlating it with the potential attack logs and patching accordingly to prevent a cyber attack.

David Swift
Real User

There are 26 base use cases every SIEM should run that find Indicators of Compromise (IOCs) on machines.

They follow two basic patterns - Everything Counts in Large Amounts and Do Any Two Things Wrong, Go to the Top of the List.

Success After Fail is another common pattern. Most vendor content overcomplicates the rules and has too many that can be detected by these simple rules with 90+% fidelity.

Most of the use cases and the links to the reference papers are on Wikipedia under SIEM here: https://en.wikipedia.org/wiki/...

You can also find four SANS Gold Papers under my name at sans.org/rr that cover compliance, reporting, continuous improvement, etc...and have the full list of the use cases and their triggers.

Repeat Attack - Firewall
Repeat Attack - IDS
Repeat Attack - HIPS
Repeat Attack - Failed Login - Source
Repeat Attack - Failed Login - Account
Repeat Attack - WCF/Proxy
Repeat Attack - FIM
Repeat Attack - Foreign Source
Possible Outbreak - Excessive Connections
Suspicious Event - Security Log Cleared
Suspicious Event - Executable Post to Web Server
Virus or Spyware Detected
Malicious Source Detected IP or URL (FireEye, Damballa…)
Known Attacker in Network
Traffic to Known Attacker
Successful Login After Multiple Failed Logins
Firewall Allow after Repetitive Drops
System Monitor - Log Source Stopped Sending Events
High Threat Attack on Vulnerable Asset
Possible Outbreak - Multiple Infected Hosts
Repeat Attack - Multiple Detection Sources
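As an added example (not code from the answer above or from any SIEM vendor), here is Python that implements three entries from the list over constructed, already-normalised records: "Successful Login After Multiple Failed Logins" as a sequence rule (the Success After Fail pattern), "Suspicious Event - Security Log Cleared", and "Repeat Attack - Multiple Detection Sources" as the Do Any Two Things Wrong ranking across rules. Event IDs 4625, 4624 and 1102 are the real Windows Security IDs for failed logon, successful logon and audit log cleared; the hosts, accounts, addresses, IDS alert text and thresholds are made up for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def rec(ts, source, event_id, host, account, src_ip, detail=""):
    """One normalised record, as a SIEM holds it after parsing.
    source "winsec" = Windows Security log, "ids" = network IDS alert."""
    return {"ts": ts, "source": source, "event_id": event_id, "host": host,
            "account": account, "src_ip": src_ip, "detail": detail}


# Constructed sample data, not real logs.
EVENTS = (
    [rec(f"2021-09-03T02:0{i}:00", "winsec", 4625, "dc-01", "svc_backup", "10.0.9.7") for i in range(5)]
    + [rec("2021-09-03T02:05:00", "winsec", 4624, "dc-01", "svc_backup", "10.0.9.7"),
       rec("2021-09-03T02:06:00", "winsec", 1102, "dc-01", "svc_backup", ""),
       rec("2021-09-03T02:07:00", "ids", 0, "dc-01", "", "10.0.9.7", "remote service creation over SMB"),
       # benign noise: one typo then the right password, and an unrelated scan alert
       rec("2021-09-03T08:00:00", "winsec", 4625, "ws-01", "alice", "10.0.1.5"),
       rec("2021-09-03T08:00:30", "winsec", 4624, "ws-01", "alice", "10.0.1.5"),
       rec("2021-09-03T08:10:00", "ids", 0, "ws-05", "", "10.0.1.9", "port scan")]
)


def success_after_failures(events, min_fail=5, window_seconds=600):
    """'Successful Login After Multiple Failed Logins': a 4624 for an account that had
    at least min_fail 4625s in the preceding window. Order matters, so this is a
    sequence rule rather than a plain count."""
    recent_fail = defaultdict(deque)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] != "winsec":
            continue
        now, acct = parse_ts(ev["ts"]), ev["account"]
        q = recent_fail[acct]
        while q and (now - q[0]).total_seconds() > window_seconds:
            q.popleft()                                  # expire failures outside the window
        if ev["event_id"] == 4625:
            q.append(now)
        elif ev["event_id"] == 4624 and len(q) >= min_fail:
            findings.append({"rule": "Successful Login After Multiple Failed Logins",
                             "host": ev["host"], "account": acct,
                             "src_ip": ev["src_ip"], "failures": len(q)})
            q.clear()
    return findings


def log_cleared(events):
    """'Suspicious Event - Security Log Cleared': 1102 is rare enough to alert on every one."""
    return [{"rule": "Security Log Cleared", "host": e["host"], "account": e["account"],
             "src_ip": e["src_ip"]}
            for e in events if e["source"] == "winsec" and e["event_id"] == 1102]


def ids_alerts(events):
    """Pass IDS alerts through as findings so they can be correlated with host events."""
    return [{"rule": "IDS Alert", "host": e["host"], "account": "", "src_ip": e["src_ip"],
             "detail": e["detail"]}
            for e in events if e["source"] == "ids"]


def all_findings(events):
    return success_after_failures(events) + log_cleared(events) + ids_alerts(events)


def rank_hosts(findings):
    """'Do Any Two Things Wrong, Go to the Top of the List': hosts that tripped two or
    more *distinct* rules, most first. One rule firing repeatedly does not qualify."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f["host"]].add(f["rule"])
    ranked = [(host, len(rules)) for host, rules in rules_by_host.items() if len(rules) >= 2]
    return sorted(ranked, key=lambda hr: (-hr[1], hr[0]))


if __name__ == "__main__":
    for f in all_findings(EVENTS):
        print(f)
    print("top of the list:", rank_hosts(all_findings(EVENTS)))
```

The one-failure-then-success for alice never fires at the default threshold, the lone port-scan alert on ws-05 stays a single finding, and dc-01 rises to the top because three independent rules agree on it.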


Security Information and Event Management (SIEM) Articles

Giusel
IT Engineer at UTMStack
Aug 15 2021

What is HIDS in Cybersecurity?

A HIDS (Host Intrusion Detection System) is software that detects malicious behavior on the host. It monitors all the operating system operations, tracks user behavior, and operates independently without human assistance.

How does a Host-based Intrusion Detection System work?

HIDS operates at the OS level, unlike other antivirus systems that operate at the application level. It monitors the behavior of programs running on the computer’s operating system to detect any unauthorized or suspicious activity. This type of protection is typically installed on servers holding sensitive information such as databases and financial records. The system consists of two parts: the agent and the monitor.

The agent resides in the monitored computer, and it gathers information from the system’s hardware, directories, files, processes running, network traffic, and many more. This data is then sent to a central location where it’s analyzed by a monitoring program that looks for suspicious activities like:

  • Unauthorized access to the system.
  • Hacking into the computer remotely.
  • Trying to change critical system settings.
  • Changes to files or programs, etc.

When an intrusion is detected, the monitor checks what is going on and sends alerts to administrators, who can then take measures. In addition, it monitors the system’s network connections to ensure that no one is trying to use the host as a point of access into the network.

Examples of HIDS tools

1) UTMStack

The UTMStack HIDS agent can be installed on Microsoft Windows, Linux, and Mac systems. This Next-Gen SIEM and compliance platform is built to protect small and medium-sized businesses against threats such as SQLI, XSSI, CSRF, and more.

The free SIEM solution (community edition only) adds a layer of security that includes host-based and network-based intrusion detection (HIDS and NIDS) with prevention capabilities (HIPS and NIPS). These capabilities are not enabled by default, but the customer can easily enable them. It provides a web-based interface for data collection and management of intrusion events by monitoring endpoints and web applications. UTMStack can be used for many security purposes, such as monitoring traffic patterns, detecting abnormal activity on servers or networks, or scanning uploaded files for malware.

2) AlienVault


AlienVault HIDS is delivered as SaaS (Software as a Service), protecting large, small, and medium-sized companies from cyberattacks. It provides real-time detection of intrusions and helps prevent attacks by detecting vulnerabilities before they are exploited. It automates tasks like generating reports and alerting when there is suspicious activity on the network. It has an API that allows developers to integrate it with other applications. The agent can also be installed on Windows, Linux, and Mac systems.

3) Security Onion


Security Onion is a free Linux distro designed for intrusion detection, network security monitoring, and log management. It has over 50 tools that are pre-installed for the user. Security Onion is used by large organizations and small to medium-size businesses. It is an excellent tool for beginners and experts in security because of its friendly graphical interface. It also features many dashboards that give you a quick overview of your network’s status.

4) Tripwire


Tripwire is open-source software that can be used as a HIDS agent on Linux. It builds a database of cryptographic hashes, sizes, permissions and timestamps for the files it is told to watch, and on each later run compares the file system against that database; any difference is reported to the user. It is lightweight, uses little memory and has little impact on system performance. The most common uses for Tripwire are host security, configuration management, and compliance auditing. Note that it provides detection, not prevention: it tells you that a monitored binary or configuration file has changed, which is how an intrusion that modifies the system gets noticed, but it does not block the change. Open Source Tripwire runs on the host it monitors and compares against its own locally stored database, which it signs with site and local keys so an intruder cannot quietly update it; the commercial Tripwire Enterprise adds agents that report changes on many hosts to a central console.
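To make the comparison mechanism concrete, here is an added Python example, not Tripwire's own code, of a Tripwire-style integrity check: build a baseline of hashes and file attributes for a directory tree, then re-scan and report what was added, removed or altered, naming which attributes changed. The directory contents it creates and tampers with are constructed for the demo; the attribute set and report layout are this example's own choices.

```python
import hashlib
import os
import stat
import tempfile

WATCHED_ATTRS = ("sha256", "size", "mode", "mtime")


def file_record(path):
    """Hash and stat one file; this is one row of the integrity database."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime)}


def build_baseline(root):
    """Walk root and record every regular file (symlinks skipped), keyed by a
    POSIX-style relative path so the database is portable between runs."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = file_record(path)
    return baseline


def compare(baseline, root):
    """Re-scan and diff against the stored baseline. "modified" names the attributes
    that differ, so a timestamp-only change (touch) is distinguishable from a content
    change; an attacker who resets mtime after editing still cannot fix the hash."""
    current = build_baseline(root)
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "modified": {}}
    for rel in sorted(set(current) & set(baseline)):
        changed = [a for a in WATCHED_ATTRS if current[rel][a] != baseline[rel][a]]
        if changed:
            report["modified"][rel] = changed
    return report


def demo():
    """Build a baseline over a constructed directory tree, tamper with it the way an
    intruder might, and return the report. Paths and contents are made up."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode="w"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, mode) as f:
                f.write(data)

        write("etc/passwd", "root:x:0:0::/root:/bin/sh\n")
        write("etc/ssh_config", "PermitRootLogin no\n")
        write("etc/hosts", "127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        write("etc/passwd", "eve:x:0:0::/:/bin/sh\n", mode="a")   # extra uid-0 account
        os.remove(os.path.join(root, "etc", "ssh_config"))        # hardening config gone
        write("backdoor", b"\x7fELF", mode="wb")                  # planted binary
        return compare(baseline, root)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would be written once from a known-good system, stored off the host or on read-only media, and the comparison scheduled; keeping the database writable on the monitored host lets an intruder re-baseline their own changes.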

5) SysWatch


SysWatch took its inspiration from Tripwire. It is a Linux-based, open-source, host-based intrusion detection system: a free software package that can monitor the activity of various services on either a local host or a remote server and detect signs of unauthorized access or prohibited changes to files, directories, and running processes.

Why do companies need to install a Host-based Intrusion Detection System?

The reasons why companies need to install a HIDS are:

  1. Prevention from hacker attacks.
  2. Monitoring user activity.
  3. Recording data.
  4. Detecting unusual behavior.

What is the difference between NIDS and HIDS?

NIDS analyzes the network traffic for suspicious behavior, detecting a hacker before he’s able to make an unauthorized intrusion. HIDS detects suspicious activity when the hacker has already breached the system.

What is the difference between HIDS, HIPS, and NIPS?

1) Host-based intrusion detection system (HIDS) will only detect intrusions; it will notify when an intrusion has been detected, but it doesn’t try to stop them or block them from happening.

2) Host-based intrusion prevention system (HIPS) is similar to a NIDS, but the main goal is detection and threat prevention. For example, a HIPS deployment may detect the host being port-scanned and block all traffic from the host issuing the scan.

3) Network-based intrusion prevention system (NIPS) is a HIDS that monitors traffic on the network to identify malicious activity and take measures to stop it before it happens.

What are the specific functions of HIDS?

1) Logging: A HIDS logs all activities that occur on the protected network and captures information such as user identities, data access time, and the type of event that occurred.

2) Alerting: The HIDS can produce alerts when it detects an intrusion attempt or if one has been successful. This way, the system administrators are aware of any potential threats to the network.

3) Analysis: The HIDS analyzes log files looking for patterns in behavior to identify intruders. This function allows the system administrators to launch countermeasures or alert law enforcement agencies if they detect malicious activity.

How to install and set up a Host-based Intrusion Detection System?

Configuring HIDS in your system is essential to keep your computer secure. When you first configure HIDS, it will take a while to scan your home directory and any new files added to it. However, this is crucial for a healthy system because if you don’t have an up-to-date image of every file on your computer, the virus scanning tool can’t detect any new viruses or devices.

Each HIDS agent provides a specific installation and setup. All you need to do is search Google for the installation and setup guide of the agent you want.

Shibu Babuchandran
Thanks for sharing, it's very informative.
Ertugrul Akbas
Manager at a computer software company with 11-50 employees
May 12 2021

The right SIEM tool varies based on a business’ security posture, its budget and other factors. However, the top SIEM tools usually offer the following capabilities:

  • Scalability — Ensure the solution has the capability to accommodate the current and the projected growth.
  • Log compatibility — Ensure that the solution is compatible with your logs.
  • Correlation engine — Does the solution have the ability to search across multiple devices and logs?
  • Forensic capabilities — Does the solution offer forensic analysis capabilities from the event source?
  • Dashboards — The solution must provide the ability to easily create dashboards and reports
  • Threat intelligence — Find out if the solution has the ability to integrate with internal/external intelligence sources
  • Incident response
  • Machine Learning — Can the system improve its own accuracy through machine learning and deep learning?
  • Performance

Scalability

A modern SIEM can scale into any organization — big or small, locally-based or operating globally. [1]

A modern SIEM manages events in a distributed manner, offloading the processing requirements of the log management system for tasks such as collection, filtering, normalization and aggregation. This model is also the solution for security-related issues and an incremental approach [2,3,36].

Log compatibility

SIEM functions based not just on its correlation rules but on the data you feed it. Feeding your SIEM security-related data results in more accurate alerts.

Currently, most of the SIEM products support hundreds of log formats. If there is a log format that is not supported, there is an API for a custom log parser.

Correlation engine

SIEM use cases or rules are 80% of the value of the product. Check the predefined rule list for the product and also check whether there are any restrictions. A Next-Gen SIEM correlation engine will be very helpful to analysts indeed. Not all SIEM correlation rules and use cases are created equal, and it is hard to find a SIEM that supports core, advanced and intelligent use cases at an affordable price [4,5,6,7,8,18].

All the SIEM products have correlation, but not all SIEM solutions are created equal. A detailed analysis is required to understand the difference in correlation capabilities. For example, most of the SIEM solutions have the watchlist or list management feature, but only some of them, and a modern SIEM, have multidimensional list management capability in correlation [33,34]. Some SIEM solutions update multiple lists or sets at the same time [34] while others do not.

Some correlation engines have restrictions like:

Cross-Correlation can only run on (just) IPS and Vulnerability Scanner logs and the combining on just IP addresses.

The diversity of correlation and detection methods and correlation features is important, for example detecting what has never been seen before, among many others. A modern SIEM can play a huge role in making analysts’ jobs easier with modern detection and correlation features like never-seen-before types of rules [18].

Advanced features are the key features for successful detection. Sample distinguishing use cases:

  • Returns days where a user accessed more than his 95th percentile number of assets
  • Look for a user whose HTTP-to-DNS protocol ratio is 300% more than that of 95% of the other users, for the last four-week ratio for the 4th day of a week.
  • If a user's ratio of failed authentications to successful authentications is 10%, alert.
  • Data loss detection by monitoring all endpoints for an abnormal volume of data egress
  • Measures the similarity between well-known process names and the running ones using Levenshtein distance in real time and detects process masquerade
  • DGA detection
  • Failed login to an asset that a user has previously never logged on to
  • The first-time user is performing an activity from a country
  • First VPN connection from a device for a user
  • First connection from a source IP
  • First access to a device for a user
  • First access to database MSSQL for peer group HR
  • First access to database MSSQL for user
  • First mail to/from a domain for the organization
  • First access to this web domain which has been identified as risky by a reputation feed
  • First execution of a process on a host
  • First access to object fdghsdydhas
  • First access from a host to a database for a user
  • First access from source zone Atlanta office to a database for a user
  • Suspicious temporary account activity
  • Abnormal account administration
  • Unusual account privilege escalation
  • Unusual file modifications
  • Abnormal password activity

Forensic capabilities

Almost every company needs a solution for protecting its sensitive data and detecting suspicious activity in real-time. Besides, when an incident occurs, companies want to be able to provide digital evidence in the courtroom. Integrity is also critical. This is usually achieved by using integrity mechanisms, such as running hash checks on blocks of stored log data. Historical log data must be secured either with a checksum in the form of a popular hash — MD5, SHA1, SHA2, etc. — or with a digital signature.

Easily aggregating and searching logs within a single platform is critical.

The latest study by the Ponemon Institute on behalf of IBM found that the average time required to identify a data breach is currently 197 days [35]. So having logs at hand for at least 197 days is a good plus and makes everything easy for detection and forensic analysis. It is achieved by live search capability. Disk usage for live search is the most critical parameter. Every SIEM solution has its own technology with advantages and disadvantages for live search. Some examples:

IBM Qradar:

How much space is used per day in bytes can be calculated with the following formula: [eps rate] * ([AveragePayloadSize in bytes] + [AverageRecordsSize in bytes]) * 86400 [9]

Splunk:

You can estimate how much index disk space you will need for a given amount of incoming data. Typically, the compressed raw data file is 10% the size of the incoming, pre-indexed raw data. The associated index files range in size from approximately 10% to 110% of the raw data file. The number of unique terms in the data affects this value [10].

McAfee SIEM:

Due to the number of enabled standard indexes on McAfee ESM, you can add only 5 indexes to an accumulator field. If you need more than 5, you can disable up to 42 unused standard indexes (such as sessionid, src/dst mac, src/dst port, src/dst zone, src/dst geolocation).

McAfee ESM uses standard indexes to generate queries, reports, alarms, and views. If you disable an index, McAfee ESM notifies you when it can’t generate a query, report, alarm, or view due to a disabled index, but it does not identify which index is disabled. Due to this limitation, do not disable standard indexes unless needed [11].

ElasticSearch (Lucene Based Solutions)

You can estimate how much index disk space you will need for a given amount of incoming data.

disk space used (original) = 1/3 original for each indexed field + 1 * original for stored + 2 * original per field with term vectors [12].

AlienVault:

Alienvault USM All-in-One has a limit of 200 million events in its database. There are not more than 200 million events in the Alienvault USM All-in-One SIEM database [13,14].

SureLog:

SureLog compresses indexes. Compressing indexes gives SureLog the advantage of live search, real-time search capability for years. An example of the SureLog disk capacity requirement for live search at 5000 EPS for one year is 5 TB. When SureLog disk usage for live search is compared to Elasticsearch and Lucene-based systems, the result is depicted in the graph below.

Dashboards

Real-time monitoring and dashboards permit visibility at the desired level via security-based, pre-defined and customizable analysis.

In addition, you can create real-time and easy reports by preparing dashboards and widgets which are appropriate for your new ad hoc requirements.

Dashboards deliver monitoring and reporting metrics to track the state of security throughout the network. These are simple to configure and user-friendly, while allowing users to read a summary of existing network infrastructure data using graphs and tables [15,16].

Threat intelligence

Threats are dynamic and attack vectors change constantly. Respond quickly and minimize damage by using the rich external context enabled by threat intelligence. Immediately know about dangerous IP addresses, files, processes, and other risks in your environment.

A modern SIEM combines multiple threat intelligence feeds and generates alerts for the benefit of the security team. A modern SIEM uses this data to reduce false positives, detect hidden threats, and prioritize your most concerning alarms.

Compliance Reporting

Regulatory compliance is necessary. SIEM will help to save time and ensure compliance with predefined reports. Creating a productive SIEM environment requires plenty of predefined reports you need on a daily, weekly or monthly basis and also an easy-to-use reporting infrastructure [16].

A modern SIEM has hundreds of predefined reports and a very easy & fast reporting infrastructure [16,17,18,19].

Incident response

Incident response is an action that SIEM takes in response to suspicious activity or an attack. Active response actions include the Block IP active response, the Disable Networking active response, the Logoff User active response, the Kill Process active response, and so on [20,21].

Machine Learning

Machine learning in SIEM takes cybersecurity rules and data to help facilitate security analytics. As a result, it can reduce the effort or time spent on rote tasks or even more sophisticated duties. With the right configurations, machine learning can actually make decisions based on the data it receives and change its behavior accordingly. A modern SIEM has many ML models [22,23,24,25,26,27,28,37]. Examples of the ML models:

Performance

The performance analyses of SIEM products are very important in terms of evaluation.

The running performance of SIEM products, the resources which they require (CPU, RAM, DISK), and how they will show performance in the EPS value needed are very important. There are two kinds of evaluation criteria:

  • Limits & Recommendations
  • Requirements

Many SIEM products document limits and recommendations, for example:

AlienVault:

AlienVault USM Appliance All-in-One has 1000 EPS data collection and 1000 EPS correlation recommendations.

Solarwinds LEM

A properly configured LEM can handle up to 200 million events per day, or 2,500 EPS (events per second). Conversely, limiting the ‘reservations’ (appropriate CPU and RAM) will result in poor performance and instability. While the maximum EPS limit is 2500 EPS, the requirement for 2500 EPS is 48–256 GB RAM and 16 CPUs @ 2 GHz [30].


McAfee

Maximum Ingestion Events Per Second (iEPS) describes peak advertised EPS for this appliance. iEPS is based on out-of-box settings with no adjustments to default event or flow aggregation and very stilted overall SIEM user activity (Users, Alarms, Reports, IoCs, etc.). Any customization in the configuration or increase in user activity may result in reduced observed EPS rates [31]. Maximum Ingestion Events Per Second (iEPS) is 1500 for the VM version of McAfee SIEM [31].

All of the SIEM tools have system requirements, for example:

Arcsight

System requirements for Arcsight [32]

SureLog

System requirements for SureLog All-in-One are 16 cores and 32 GB RAM for a maximum of 2500 EPS with 100 correlation rules activated.

References:

  1. http://anet-canada.ca/2019/11/02/large-scale-surelog-siem-implementation/
  2. https://solutionsreview.com/security-information-event-management/the-3-most-common-siem-mistakes-and-how-to-avoid-them/
  3. http://anet-canada.ca/2019/11/19/surelog-siem-has-most-valuable-siem-use-cases/
  4. http://anet-canada.ca/2020/01/09/not-all-siem-solutions-are-equal-and-not-all-siem-use-cases-are-the-same/
  5. http://anet-canada.ca/2019/11/11/surelog-siem-use-cases/
  6. http://anet-canada.ca/2019/11/04/gdpr-use-cases/
  7. https://www.ibm.com/support/pages/qradar-how-determine-average-event-payload-and-record-size-bytes-updated
  8. https://docs.splunk.com/Documentation/Splunk/8.0.0/Capacity/Estimateyourstoragerequirements
  9. https://docs.mcafee.com/bundle/enterprise-security-manager-11.0.0-installation-guide-unmanaged/page/GUID-2F189D5A-AC92-4965-80A4-03EE2272F37C.html
  10. https://lucidworks.com/post/estimating-memory-and-storage-for-lucenesolr/
  11. https://cdn5.alienvault.com/docs/data-sheets/usm-appliance.pdf
  12. https://success.alienvault.com/s/question/0D50Z00008oGqax/alienvault-v571-functional-release
  13. https://medium.com/@eakbas/creating-new-dashboards-with-surelog-siem-a67232c84366
  14. https://searchdatacenter.techtarget.com/feature/14-SIEM-reports-and-alerts-to-boost-security
  15. https://medium.com/@eakbas/surelog-predefined-reports-sample-detect-password-changes-and-password-resets-with-surelog-siem-1807d97f9a25
  16. http://anet-canada.ca/2020/01/18/never-seen-before-type-of-rules-with-surelog-siem/
  17. http://anet-canada.ca/2019/07/27/implementing-windows-advanced-logging-cheat-sheet-with-surelog-siem/
  18. https://www.slideshare.net/anetertugrul/anet-surelog-siem-intelligentresponse-54274144
  19. https://logrhythm.com/products/features/smartresponse-automation-plugin-library/
  20. http://anet-canada.ca/2019/06/21/surelog-siem-and-advanced-threat-analytics-with-machine-learning-ml/
  21. http://anet-canada.ca/2019/08/19/user-and-entity-profiling-with-surelog/
  22. http://anet-canada.ca/2019/10/05/domain-generation-algorithm-dga-detection-in-surelog/
  23. http://anet-canada.ca/2019/10/12/hunting-critical-process-masquerade-using-surelog-siem/
  24. http://anet-canada.ca/2019/10/22/hunting-malware-and-viruses-by-detecting-random-strings-using-surelog-siem/
  25. http://anet-canada.ca/2019/11/02/detecting-top-4-tools-used-by-cyber-criminals-recently-with-surelog/
  26. https://www.ibm.com/us-en/marketplace/qradar-user-behavior-analytics
  27. https://www.slideshare.net/anetertugrul/siem-tools-146762789
  28. https://documentation.solarwinds.com/en/success_center/LEM/content/System_Requirements/SEM_2019-4_system_requirements.htm
  29. https://community.mcafee.com/t5/Security-Information-and-Event/Mcafee-SIEM/td-p/617728?lightbox-message-images-617737=2991i122AF2F454808D73
  30. https://community.microfocus.com/t5/ArcSight-User-Discussions/ArcSight-VM-ESM-System-requirement/td-p/2687370
  31. https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_adm_ref_data_collection_overview.html
  32. http://www.anet-canada.ca/blogs
  33. https://www.all-about-security.de/fileadmin/micropages/Fachartikel_28/2019_Cost_of_a_Data_Breach_Report_final.pdf
  34. https://solutionsreview.com/security-information-event-management/the-3-most-common-siem-mistakes-and-how-to-avoid-them/
  35. https://www.varonis.com/blog/user-entity-behavior-analytics-ueba/
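One of the sample use cases listed above, detecting process masquerade by Levenshtein distance to well-known process names, as added example code that is not SureLog's or any vendor's implementation. The well-known list, the sample process names and the distance threshold of 2 are assumptions chosen for the example.

```python
WELL_KNOWN_PROCESSES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
    "winlogon.exe", "explorer.exe", "smss.exe",
}

# Constructed process list standing in for what an endpoint agent reports to the SIEM.
SAMPLE_PROCESSES = [
    {"pid": 4, "name": "svchost.exe"},      # legitimate, exact match
    {"pid": 512, "name": "svch0st.exe"},    # digit substituted for a letter
    {"pid": 700, "name": "scvhost.exe"},    # transposed characters
    {"pid": 801, "name": "lsas.exe"},       # one character dropped
    {"pid": 902, "name": "notepad.exe"},    # unrelated name, far from every known one
    {"pid": 1003, "name": "Explorer.EXE"},  # same name, different case
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute, using two rolling rows."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_masquerades(running, well_known=WELL_KNOWN_PROCESSES, max_distance=2):
    """Flag process names that are a near miss of a well-known name but not equal to one.

    Names are compared case-insensitively (Windows file names are case-insensitive),
    exact matches are never flagged, and each hit reports the closest known name.
    """
    known = sorted(k.lower() for k in well_known)
    findings = []
    for proc in running:
        name = proc["name"].lower()
        if name in known:
            continue  # a real well-known name; nothing suspicious from the name alone
        closest = min(known, key=lambda k: levenshtein(name, k))
        distance = levenshtein(name, closest)
        if distance <= max_distance:
            findings.append({"pid": proc["pid"], "name": proc["name"],
                             "looks_like": closest, "distance": distance})
    return findings


if __name__ == "__main__":
    for hit in find_masquerades(SAMPLE_PROCESSES):
        print(f"pid {hit['pid']}: {hit['name']} looks like {hit['looks_like']} "
              f"(distance {hit['distance']})")
```

A production rule would also check the image path and parent process of the matches, since a name alone yields false positives for legitimately similar names.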
Ertugrul Akbas
Manager at a computer software company with 11-50 employees
Jul 14 2021

There are many comparisons and scoring reports like Gartner. But a small part of their scoring is technical capacity. Other comparisons available on the web or magazines are marketing, sales, and presales documents. They do not include extensive technical analysis.

In today’s ever-evolving cybersecurity climate, businesses face more threats than ever before. Finding the right SIEM is crucial in protecting against the latest risks and equipping your organization with a robust security strategy.

A SIEM’s power is in its correlation. 80% of SIEM is correlation. If you are spending 80 percent of your time within a SIEM tool doing alert review and analysis, then you are on the right track. [SANS Your SIEM Questions Answered]

A detailed technical comparison of the correlation capacity of SIEM products will be given. The comparison is based on the most critical correlation and detection capabilities:

  1. Rule Chain (Multi-Stage Rules)
  2. Correlation Logic
  3. List/Watchlist Management
  4. Real-Time Correlation
  5. Cross-Correlation
  6. Correlation Operators
  7. Correlation Field Operators
  8. Correlation Field Restrictions
  9. Machine Learning


Rule Chain (Multi-Stage Rules):

Rule chain is the ability to combine multiple steps (rules) of a use case without any restrictions. This type of rule detects a sequence of events that occur.

Most of the SIEM tools like Micro Focus ArcSight, LogRhythm, Qradar, Securonix, and SureLog support multi-stage rules.

AlienVault, McAfee, FireEye, FortiSIEM, Solarwinds LEM, ManageEngine SIEM are the other SIEM tools that support multi-stage rules with some limits.

McAfee has a restriction on the rule chain capability. For example: "if a firewall admin login has occurred and after this login action there is no configuration change immediately (wait for 15 minutes) but if there is a change in the firewall after this 15 minutes within 12 hours, notify", is not possible with McAfee. It is not possible to develop this type of rule chain because it is not possible to define "wait 15 minutes" then check for "later 12 hours".

McAfee Rule Chain Editor

Since there are two or more actions that require time windows, the 10 minutes must be divided between them. For this example, five minutes is the period for each action.

Once the unsuccessful attempts have occurred in five minutes, the system begins to listen for a successful login from the same IP source in the next five minutes. So there is no chance to implement wait logic between actions (rules).

FireEye has the same restrictions as McAfee.

Solarwinds LEM has the same restrictions as McAfee.

ManageEngine SIEM has the same restrictions as Solarwinds LEM. In ManageEngine SIEM, there is no chance to define a new rule type to chain. Also, there are schema fields restrictions to link rule chains.

AlienVault has the same restrictions as Solarwinds LEM. Also, when chaining rules, Alienvault only uses None, Plugin_sid, SRC_IP, DST_IP, SRC_Port, DST_Port, Protocol, and Sensor. There is no way for other schema fields to link rule chains.

FortiSIEM also does not have "wait for 15 minutes" kind of capability to chain rules.

Logpoint does not have this kind of correlation capability.

Rapid7 does not have this kind of correlation capability.

Another requirement when chaining rules is cross-linking of rule fields. As an example: if a device is the destination of a brute force attack and then this destination device is the source of a port scan, detect this device.

Alienvault only uses SRC_IP, DST_IP, SRC_Port, DST_Port, Protocol rule fields.

McAfee does not support cross-linking of rule fields.

Logpoint does not have this kind of correlation capability.

Rapid7 does not have this kind of correlation capability.

Exabeam and Securonix are UEBA tools. They are not correlation-based solutions.

Correlation Logic:

Rules are discriminators used to find a certain behavior. If their designer knows what they're searching for, they will be invaluable tools. To design a rule without any limits or barriers, the correlation logic of the rule engine must be very powerful and flexible. It is hard to test the correlation logic of the SIEM tools. One of the simplest ways is to try to implement a discriminator use case (correlation rule). For example:

"Detects more than three authentication failures from the same user within five minutes without any successful login in-between."

Micro Focus ArcSight also can detect similar use cases.

If you want to detect this use case with Splunk, it might be possible to do with "transaction" events. But those searches are very taxing on the search head.

Rapid7 and Logpoint have the same issues as Splunk.

AlienVault, FortiSIEM, ManageEngine SIEM, McAfee, Solarwinds LEM could not detect the above use case.

Another test use case is detecting changes. Rapid7 has a change detection capability.

Rapid7 Change Detection Wizard

Qradar also has a change detection capability.

Another example is "Never Seen Before Type Of Rules" [2,3]. While Micro Focus ArcSight, Exabeam, Qradar, Rapid7, Securonix, and SureLog have this capability, AlienVault, McAfee, FireEye, Solarwinds LEM, and ManageEngine do not.

If we continue with the decisive scenarios that are not available in every SIEM product, we can use the below rules:

  1. If a machine's bandwidth usage is > 200 Mbytes within 5 minutes, or if a user-to-DSTIP bandwidth usage is > 500 Mbytes within 10 minutes.
  2. If an account has not been used at least in the last 30 days, notify/lock/delete this account. (This use case is mandatory for FedRAMP Moderate, Control AC-2(3), and NIST 800-53, Control AC-2(3).)

McAfee does not support those types of rules. Please check the below blogs.

The second rule is also not supported by many SIEM products like McAfee, FortiSIEM, LogRhythm, AlienVault, Solarwinds, ManageEngine, and RSA.

Maybe you can develop a query with Splunk and Logpoint. But if you want to detect this immediately, you should consider system resource usage.

List/Watchlist Management:

Micro Focus ArcSight, LogRhythm, Qradar, Securonix, and SureLog all have a list management feature.

Both products support simple lists, multi-dimensional lists, complex lists, and lists with 20 columns. Also, those products add, delete, modify and list items dynamically or manually.

AlienVault:

Dynamic list usage in correlation rules is not supported in AlienVault. It is not possible to develop a rule like If a VPN user connected after business hours and the user is not in VPN white list, alert.

The only way to implement simple Active Lists is to develop code.

https://www.alienvault.com/blogs/security-essentials/how-to-use-ossim-usm-active-lists-with-python-scripts

But even if you can develop Python Scripts, there is no key: value, reference set, reference map, multi-dimensional type of lists. 

AlienVault SIEM does not support updating multiple lists at the same time (more than one list) by a single rule (only one rule). Also, AlienVault does not support list operators like count, sum, compare, check case sensitivity.

FortiSIEM:

Dynamic list usage in correlation rules is limited to one dimension.

There is no key: value, reference set, reference map, multi-dimensional type of lists. The only available operators are “IN, NOT IN”. Also, the only way of removing items from a watchlist is time-based. Also, FortiSIEM does not support updating multiple lists at the same time (more than one list) by a single rule (only one rule). Also, FortiSIEM does not support list operators like count, sum, compare, check case sensitivity.

McAfee:

There is no key: value, reference set, reference map, multi-dimensional, type of lists. McAfee SIEM does not support updating multiple lists at the same time (more than one list) by a single rule (only one rule). Also, McAfee SIEM does not support list operators like count, sum, compare, check case sensitivity.

LogPoint:

LogPoint supports two kinds of lists; Static List and Dynamic List. Also LogPoint supports tables, but there is no reference set, reference map, multi-dimensional type of lists.

Also, if you are looking for a GUI for list/watchlist management, LogPoint works over queries. Dynamic list and table updates are query-based only. Also, LogPoint SIEM does not support updating multiple lists at the same time (more than one list) by a query. Also, LogPoint SIEM does not support list operators like count, sum, compare, check case sensitivity.

RSA NetWitness Platform:

RSA has a limited list management capability. There is no key: value, reference set, reference map, multi-dimensional, type of lists. Also, RSA SIEM does not support updating multiple lists at the same time (more than one list) by a single rule (only one rule). Also, RSA SIEM does not support list operators like count, sum, compare, check case sensitivity.

There are many other correlation features to check [1]. But without advanced list/watchlist management, it is not possible to detect advanced attacks.

Real-Time Correlation:

AlienVault, Micro Focus ArcSight, FireEye, FortiSIEM, LogRhythm, ManageEngine SIEM, McAfee, Qradar, RSA NetWitness, Solarwinds LEM have a real-time correlation capability. If you use Splunk ES for real-time detection, you have to consider that "Each real-time search unpreemptively locks 1 core on EVERY INDEXER and on your Search Head”.

Elastic also has no real-time correlation feature.

Cross Correlation:

Micro Focus ArcSight, FortiSIEM, LogRhythm, McAfee, Qradar have a cross-correlation capability.

AlienVault cross-correlation can only run on (just) IPS and Vulnerability Scanner logs and the combining on just IP addresses.

RSA NetWitness utilizes ESPER CEP, and there is no GUI for cross-correlation rule development.

Logpoint does not have this kind of correlation capability. Mainly it is a search-based tool.

Rapid7 does not have this kind of correlation capability. Mainly it is a search-based tool.

Exabeam and Securonix are UEBA tools. They are not correlation-based solutions.

Correlation Operators:

Micro Focus ArcSight, LogRhythm, Qradar, SureLog have a correlation operator support feature, such as:

  • And
  • Or
  • Followed by Within
  • Not Followed by Within

SureLog also has some additional correlation operators like:

  • At the Same Time
  • Before
  • After

McAfee is missing some operators like "At the Same Time", "Before", "Not Followed by Within".

Solarwinds LEM documents mention some other correlation limits. For example, you cannot create a rule using the “NOT FOLLOWED BY” operator. "At the Same Time" and "Before" are examples of other missing correlation operators.

Only the "AND" and "OR" operators are supported. The "NOT" operator is not supported. Also, the other operators listed above are not supported.

ManageEngine Eventlog Analyzer correlation has only one operator, “Followed by Within”. Many operators are missing, like ”Not Followed by Within”.

Also, other operators listed above, like "At the Same Time" and "Before", are not supported.

FortiSIEM does not support "At the Same Time", "Before".

RSA NetWitness does not support "At the Same Time", "Before".

Logpoint does not have this kind of correlation capability. Mainly it is a search-based tool.

Rapid7 does not have this kind of correlation capability. Mainly it is a search-based tool.

Exabeam and Securonix are UEBA tools. They are not correlation-based solutions.

Correlation Field Operators:

Required correlation operators for powerful correlation:

  • Link Fields
  • Check Base64
  • Count Characters
  • In List
  • Not In List
  • Count
  • Sum
  • Regex Matches
  • Matches
  • Not Matches
  • Entropy Bigger Than
  • Entropy Smaller Than
  • Is null
  • Is not null
  • IP Range Equals
  • IP Range Not Equals
  • In list
  • Not in list
  • Starts with in list
  • Starts with in list case insensitive
  • Not starts with in list
  • Not starts with in list case insensitive
  • Contains list key in data
  • Not contains string in list
  • Not contains string in list case insensitive
  • Is contained in string
  • Regex in list
  • Check data in regex list
  • Contains in list
  • Not contains in list
  • Contains credit card number

McAfee has some of those correlation operators but less than the above list.

McAfee Operators

AlienVault, FortiSIEM, ManageEngine and Solarwinds LEM do not support most of the above list.

RSA NetWitness utilizes ESPER CEP, and there is no GUI for rule development. ESPER language does not support all of the operators.

Logpoint does not have this kind of correlation capability. Mainly it is a search-based tool.

Rapid7 does not have this kind of correlation capability. Mainly it is a search-based tool.

Exabeam and Securonix are UEBA tools. They are not correlation-based solutions.

Correlation Field Restrictions:

Micro Focus ArcSight, LogRhythm, Qradar have no restrictions on fields. All the available fields in the search and report schema will be available for correlation.

McAfee also has some limitations. If I see a user attempt to log in to our VPN from two different "regions" within a three-hour window, I have the logic built, but in the correlation rules "Advanced Options" I try to set 'Distinct values' of 2, and the monitored fields only seem to provide a 'Source Geo location' option, and not the ability to select state, region, country, etc.

AlienVault correlation engine has sticky diff restrictions.

Solarwinds LEM does not use all the report fields in correlation. Also, correlation cannot fire on raw log data that is received.

ManageEngine SIEM has correlation field restrictions. It is not possible to use all the available reports and search schema in correlation.

Machine Learning:

SureLog, IBM QRadar, Micro Focus, LogRhythm, Exabeam, Securonix, NetWitness Platform have NLP/ML/AI features like DGA detection, outlier detection, rarity detection, similarity detection.

LogPoint uses 3rd party UEBA tool Fortscale (RSA Now).

References:

  1. https://drertugrulakbas.medium.com/detecting-unusual-activities-using-a-next-generation-siem-use-cases-d91f4e24b0f2
  2. https://drertugrulakbas.medium.com/at-the-same-time-siem-operator-be8d6598b7b8
  3. https://www.itcentralstation.com/articles/what-really-matters-when-selecting-a-siem-and-how-to-choose-a-siem-looking-into-the-correlation https://answers.splunk.com/answers/663659/need-help-writing-query-to-alert-if-an-account-has.html
  4. https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-correlation-rules-the-join-kql-operator/ba-p/1041500
  5. https://gosplunk.com/accounts-deleted-within-24-hours-of-creation/
  6. https://drertugrulakbas.medium.com/siem-for-smb-in-2020-a04e3fe8e98d
  7. https://www.itcentralstation.com/articles/how-to-select-the-right-siem-solution
  8. https://drertugrulakbas.medium.com/ml-ai-is-a-feature-not-a-silver-bullet-and-ueba-questions-d504a6926c4e
  9. https://www.linkedin.com/pulse/ai-cybersecurity-closing-steve-king/
  10. https://towardsdatascience.com/the-limitations-of-machine-learning-a00e0c3040c6
  11. https://www.computerworld.com/article/3466508/the-impact-of-machine-learning-on-security.html
  12. https://drertugrulakbas.medium.com/detecting-unusual-activities-using-a-next-generation-siem-use-cases-part-2-27b201bcc127
Tjeerd Saijoen
CEO at Rufusforyou
Jul 04 2021

Security and protecting your IT environment is the biggest challenge now. 

How to prevent ransomware attacks?

Part 1 described our approach to proactively protect your environment. The first step is to scan your environment from server to endpoint and check your complete environment for several issues that could let a hacker penetrate your systems. Most of the time hackers get a chance because of the complexity of IT. One thing your IT department forgets most of the time is, for example, the BIOS and the microcode. The first thing we do is discover all hardware, software, BIOS and microcode, and the relationships between all those components. We have different options to do this. If you have an SMB environment, a tool like Lansweeper is an excellent solution; it is not expensive and it will do the job.

Example: Lansweeper Inventory

For bigger environments, we have different options: BMC Discovery, IBM TADDM. I will mention only BMC and IBM. There are many more, but I do not have experience with other brands, so I describe only BMC and IBM.

I worked for a long time with IBM. For this solution I prefer BMC. It is easy to install and extremely easy to understand and work with.

Example: BMC Discovery

Example: IBM Maximo Asset Management (IBM asset management software)

IBM has a lot of different solutions, but to cope with those threats and IT complexity, IBM's strategy is changing towards artificial intelligence. Also, from the Tivoli brand, you have TADDM.

Enterprise asset management (EAM) is a combination of software, systems, and services used to maintain and control operational assets and equipment. The aim is to optimize the quality and utilization of assets throughout their lifecycle, increase productive uptime and reduce operational costs.

Enterprise asset management involves work management, asset maintenance, planning and scheduling, supply chain management and environmental, health and safety (EHS) initiatives.

In the Internet of Things (IoT) era — with everything from valves to vehicles connected by sensors and systems — practitioners are incorporating advanced analytics and artificial intelligence (AI) into EAM. Data gathered from instrumented assets is analyzed using AI techniques. The resulting insights help maintenance teams make better decisions, enhance efficiency, perform preventive maintenance and maximize investments in their physical assets.

Example: IBM Maximo Asset Management together with TADDM, a total solution

Now that you have the asset management database, you know every application, every server, every hardware and software component, and the relationships between them.

So we can ask, for example: are there endpoints with an old virus checker? How many systems are not on the right OS level? Bring all systems to the same anti-virus level. Do I have any systems with an old BIOS level? If yes, upgrade them to the level described in our policy template.
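The questions above (old anti-virus, wrong OS level, old BIOS) all reduce to comparing each discovered asset against a policy baseline. The following Python is an added example, not part of this article and not the output of Lansweeper, BMC Discovery, TADDM or Maximo: the inventory records, the policy template and the version numbers are constructed, and the per-model BIOS baseline is my assumption about how such a template would be structured.

```python
"""Check a discovered asset inventory against a policy baseline.

Added example; the inventory records and the policy template below are
constructed for illustration (not exported from any discovery tool).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def version_key(version: str) -> Tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10): compare numerically, so 1.2.10 sorts after 1.2.9."""
    return tuple(int(p) for p in version.split("."))


@dataclass
class Asset:
    hostname: str
    kind: str                 # "server" or "endpoint"
    model: str                # hardware model, selects the BIOS baseline
    os_build: str
    bios_version: str
    av_engine: Optional[str]  # None when no anti-virus agent was discovered


# Constructed policy template: minimum acceptable level per component.
POLICY: Dict = {
    "os_build": "10.0.19045",
    "av_engine": "4.18.2",
    "bios_by_model": {"Latitude 5520": "1.21.0", "PowerEdge R740": "2.15.1"},
}


def check_asset(asset: Asset, policy: Dict = POLICY) -> List[str]:
    """Findings for one asset; an empty list means it meets the policy."""
    findings = []
    if version_key(asset.os_build) < version_key(policy["os_build"]):
        findings.append(f"OS build {asset.os_build} below {policy['os_build']}")
    if asset.av_engine is None:
        findings.append("no anti-virus agent discovered")
    elif version_key(asset.av_engine) < version_key(policy["av_engine"]):
        findings.append(f"AV engine {asset.av_engine} below {policy['av_engine']}")
    baseline = policy["bios_by_model"].get(asset.model)
    if baseline is None:
        # an unknown model is itself a finding: the policy has no baseline for it
        findings.append(f"no BIOS baseline defined for model {asset.model!r}")
    elif version_key(asset.bios_version) < version_key(baseline):
        findings.append(f"BIOS {asset.bios_version} below {baseline}")
    return findings


def audit(inventory: List[Asset], policy: Dict = POLICY) -> Dict[str, List[str]]:
    """hostname -> findings, for non-compliant assets only."""
    report = {}
    for asset in inventory:
        findings = check_asset(asset, policy)
        if findings:
            report[asset.hostname] = findings
    return report


# Constructed inventory, in the shape a discovery tool would export.
INVENTORY = [
    Asset("hr-lt-01", "endpoint", "Latitude 5520", "10.0.19045", "1.21.0", "4.18.2"),
    Asset("hr-lt-02", "endpoint", "Latitude 5520", "10.0.19044", "1.18.0", "4.18.2"),
    Asset("db-srv-01", "server", "PowerEdge R740", "10.0.19045", "2.15.1", None),
    Asset("lab-box-07", "endpoint", "UnknownModel", "10.0.19045", "1.0.0", "4.18.2"),
]

if __name__ == "__main__":
    for host, findings in audit(INVENTORY).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

The point of `version_key` is that a string comparison would rank BIOS 1.9.0 above 1.21.0; an inventory check that compares versions as text silently passes outdated firmware. Treating an unknown hardware model as a finding rather than skipping it keeps gaps in the policy template visible.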

Netanya Carmi
Content Manager
IT Central Station
Jul 04 2021

Security Incident and Event Management (SIEM) has been widely adopted and used to manage cybersecurity events. As a result, the SIEM market is expected to grow by approximately 25% over the next five years as the need for cybersecurity automation increases. Even though the market is expanding, the cost of SIEM has remained relatively flat.

All of the top SIEM tools ingest and analyze massive amounts of security event data from a wide range of other systems, like firewall software, network routers, and intrusion detection and prevention software, to name a few. It’s effectively impossible for a human being to keep track of multiple security device logs, so SIEM organizes, analyzes, and creates alerts for security operations to follow up on. The overarching advantage of SIEM is the ability to perform quick, accurate detection and identification of security events that help avert cyber disasters by alerting analysts to impending attacks.

SIEM can be combined with Security Orchestration Automation and Response (SOAR) for additional benefits. Many think that SOAR and SIEM are one and the same, but there is a difference between SOAR and SIEM which you should understand before moving forward with purchasing either one of them.

The Advantages of SIEM

SIEM systems help the Security Operations Center (SOC) function effectively. In particular, they enable:

  1. Faster, more efficient SecOps: With a SIEM sifting through millions of data points, SOC analysts can quickly get a handle on what’s happening using analysis templates to quickly analyze log and threat intelligence data, which radically cuts down on the destructive impact of a cyberattack. Without a SIEM, security analysts would have to interpret multiple security device logs and data sources, such as threat intel feeds, by hand. In addition to burning people out - which is itself a big problem - it slows the incident response process down significantly. You can configure your SIEM tool to respond to incidents in real-time, potentially saving your company from data loss or worse.

  2. More accurate threat detection and security alerting: SIEM systems can leverage their extensive data sets to detect and identify threats more accurately than would be possible using individual security data streams. They also have the ability to enrich security event data and offer critical context to incident alerts. For example, a SIEM can correlate a threat signature detected in one device log with a threat found on another log.

  3. Improved security data: SIEMs aggregate security data, improving the potential for it to be analyzed and used in incident response workflows. This can also result in better visibility over the entire security landscape in the enterprise. The SIEM also typically normalizes security data. In its raw form, the multiple data streams feeding into the SIEM have different schemas and fields. It’s not normalized. For example, data about users originating from network logins, email servers, databases, and mobile devices might all take different forms. This creates a problem for data analysis and event correlation. The SIEM is able to reformat the data, making it consistent for incident analysis and response processes. Data storage is a related benefit. The SIEM can store normalized security data for extended analytics and reporting. This may also help with compliance.

  4. Better network visibility: SIEM log management and aggregation make it easier to get an overview of the network. Indeed, given the complexity and diversity of modern networks, a network can easily have “dark spaces.” This means that as the network scales, network managers and security teams lose visibility into what’s actually happening with databases, servers, devices, and third parties. Hackers look for dark spaces on networks. It gives them a place to hide persistent threats and move laterally across digital assets without being detected. SIEM mitigates this risk by collecting security event data from everywhere in the network. It then stores and analyzes it in a central place. SIEM log analysis can shine a light on these dark spaces, so to speak.

  5. Improved compliance: Regulations and compliance frameworks such as HIPAA invariably require logging of security data as a key control. SIEM systems fulfill this role, easing the attestation process with pre-set compliance reporting templates that streamline the compliance process.
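Items 2 and 3 above describe normalization and cross-source correlation in the abstract. As an added example, not from this article or any SIEM vendor, the following Python takes three constructed authentication records in different native formats (an sshd syslog line, a Windows Security event as JSON, and a VPN appliance CSV row) and maps them into one schema, after which a single question can be asked across all of them. The common field names (`ts`, `user`, `src_ip`, `outcome`, `source`) and the VPN CSV layout are my own choices.

```python
"""Normalize heterogeneous authentication logs into one schema.

Added example. The three sample records are constructed; the common schema
is an assumption, not any product's event model.
"""
import json
import re
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs, one per native format.
SSHD_LINE = "Mar  3 09:14:22 bastion sshd[2211]: Failed password for alice from 203.0.113.9 port 51822 ssh2"
WINDOWS_JSON = '{"EventID": 4625, "TimeCreated": "2024-03-03T09:15:01Z", "TargetUserName": "alice", "IpAddress": "203.0.113.9"}'
VPN_CSV = "2024-03-03 09:15:40,alice,203.0.113.9,AUTH_FAIL"

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_sshd(line: str, year: int = 2024) -> Optional[Dict]:
    """Classic syslog carries no year, so the caller supplies it (assumed 2024 here)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m["time"].split(":"))
    ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), h, mi, s, tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"].lower(), "src_ip": m["ip"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure", "source": "sshd"}


def parse_windows(raw: str) -> Optional[Dict]:
    """Windows Security log: 4624 is a successful logon, 4625 a failed one."""
    ev = json.loads(raw)
    outcome = {4624: "success", 4625: "failure"}.get(ev.get("EventID"))
    if outcome is None:
        return None  # not a logon event; out of scope for this schema
    ts = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": ev["TargetUserName"].lower(), "src_ip": ev["IpAddress"],
            "outcome": outcome, "source": "windows"}


def parse_vpn(row: str) -> Optional[Dict]:
    """Constructed VPN appliance CSV: timestamp,user,ip,result."""
    parts = row.split(",")
    if len(parts) != 4:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": parts[1].lower(), "src_ip": parts[2],
            "outcome": "success" if parts[3] == "AUTH_OK" else "failure", "source": "vpn"}


def normalize(records: List[Tuple[str, str]]) -> List[Dict]:
    """records: (format_name, raw_text). Unparseable records are dropped here;
    a real parser should count and surface those drops, since they are blind spots."""
    parsers = {"sshd": parse_sshd, "windows": parse_windows, "vpn": parse_vpn}
    out = []
    for fmt, raw in records:
        parsed = parsers.get(fmt, lambda _: None)(raw)
        if parsed:
            out.append(parsed)
    return out


def failures_per_user(events: List[Dict]) -> Counter:
    """Once normalized, one query spans every source."""
    return Counter(e["user"] for e in events if e["outcome"] == "failure")


if __name__ == "__main__":
    events = normalize([("sshd", SSHD_LINE), ("windows", WINDOWS_JSON), ("vpn", VPN_CSV)])
    print(failures_per_user(events))  # Counter({'alice': 3})
```

Without the normalization step, the same question would need three different filters (a regex on the syslog text, an `EventID` check, and a CSV column check), and a rule written against one of them would never see the other two sources.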

Disadvantages of SIEM

Organizations that struggle with SIEM systems generally have difficulty with a few well-known problematic aspects of the technology.

  1. Cost: SIEM systems can be rather expensive. Even so, the benefits can outweigh the cost to provide a positive ROI (return on investment).

  2. Effort to configure: SIEM systems almost always need costly external resources to install and configure. That process can take a long time, too. The time to value can lag, causing organizational and budget challenges.

  3. Dedicated security resources for monitoring: Once up and running, SIEM systems need dedicated staff for operations and continuous tuning. Without constant updating, a SIEM can become “noisy,” generating excessive alerts - to the point where they may even be ignored by the SOC.

Conclusion

SIEM systems are potentially highly valuable additions to a SOC. They correlate security data feeds, enabling them to detect serious security incidents in time to take action. They then facilitate an effective, fast response by the SOC team. At the same time, SIEM software can take significant time to set up and to adjust the alerts and responses. Embarking on a SIEM project represents a serious commitment of time and resources on the part of the security team. It should be undertaken with rigorous planning and realistic budgeting in order to ensure long-term success.

Ertugrul Akbas
Manager at a computer software company with 11-50 employees
May 11 2021
SIEM

Part of the SIEM problems enterprises face is failing to maintain it with the proper correlation rules.

SIEM use cases or rules are 80% of the value of the product. All SIEM solutions have a correlation feature, but they are not the same. Before choosing a SIEM, you must check correlation capabilities. Each product has many different features and their advantages and limits.

Some examples of correlation limits from product user guides and product websites:

AlienVault:

AlienVault is a great product and combines many open source tools, like a vulnerability scanner and an asset manager. There are some limits on correlation, such as:

“Cross-Correlation can only run on (just) IPS and Vulnerability Scanner logs and the combining on just IP addresses”.

“AlienVault uses 4,500 built-in “correlation directives” for threat correlation, and most of them are just for AlienVault NIDS”.

There is a limit on list management. Dynamic List usage in correlation rules is not supported in AlienVault.

Also, keep in mind that AlienVault correlation engine has sticky diff restrictions.


LogPoint:

LogPoint is a great tool and was listed by Gartner in 2020. The LogPoint user guide has details about alerts. Use case development is only possible by developing a search query.


ManageEngine:

ManageEngine EventLog Analyzer SIEM is a good product and has many fantastic reporting features. When it comes to correlation, ManageEngine EventLog Analyzer SIEM does not parse firewall traffic, IPS, proxy, etc. logs, just configuration and authentication logs. So correlation rules cannot include firewall traffic, IPS, proxy, etc. details.

ManageEngine EventLog Analyzer SIEM has predefined rule templates, so you cannot create a rule from scratch. You have to select one of the predefined rule templates.

Examples of other limits:

  1. There is no capability to develop your own rule. You have to use the available templates.
  2. EventLog Analyzer correlation has only one operator, “Followed by Within”. Many operators are missing, such as “Not Followed by Within”.

EventLog Analyzer is also missing many operators, such as:

  • Matches
  • Doesn't match
  • Is null
  • Is not null
  • IP Range Equals
  • IP Range Not Equals
  • In list
  • Not in list
  • Starts with in list
  • Starts with in list case insensitive
  • Not starts with in list
  • Not starts with in list case insensitive
  • Contains list key in data
  • Not contains string in list
  • Not contains string in list case insensitive
  • Is contained in string
  • Regex in list
  • Check data in regex list
  • Contains in list
  • Not contains in list
  • Contains credit card number

  3. There is no way to use dynamic and static lists in correlation.
  4. There is no way to use the output of one correlation as an input to a new correlation rule.
  5. There are column restrictions in correlation. You cannot use all the columns available in reports.

SolarWinds SIEM:

SolarWinds SIEM is a good product and has many good features. When it comes to correlation:

  • SolarWinds LEM does not use all the report fields in correlation. Also, correlation cannot fire on raw log data as it is received.
  • The SolarWinds LEM correlation engine has many limits. For example, you cannot create a rule using the “NOT FOLLOWED BY” operator.
  • Only the AND and OR operators are supported. The NOT operator is not supported.
  • SolarWinds does not support creating scenarios based on multiple rules.
  • Threshold rules are very limited. For example, you cannot create a rule that checks whether there are 5 events from host firewalls with severity 4 or greater within 10 minutes between the same source and destination IP.
  • Dynamic list updates through actions are missing.
  • Linking multiple rule fields is missing.
  • “Group By” is not supported.

You should also check the system requirements and performance limits (up to 5000 rule executions per day).


Splunk:

If you think about SIEM, you have to consider Splunk ES. Splunk Core/Enterprise is not a SIEM product. Splunk is a great product. Splunk says that:

"Each real-time search "unpreemptively" locks 1 core on EVERY INDEXER and on your Search Head".

Also, there is no functional real-time detection.

McAfee:

EPS:

1 - Maximum Ingestion Events Per Second (iEPS) describes the peak advertised EPS for this appliance. iEPS is based on out-of-box settings with no adjustments to default event or flow aggregation and very limited overall SIEM user activity (Users, Alarms, Reports, IoCs, etc.). Any customization in the configuration or increase in user activity may result in reduced observed EPS rates.

2 - Maximum Query Events Per Second (qEPS) describes what a typical ESM appliance could expect to achieve under normal, active ESM usage conditions and reduced levels of event aggregation. Max qEPS assumes multiple analysts are accessing the system simultaneously while background activities such as Alarms, Reports and CyberThreat (IoC) queries are executing. In addition, Max qEPS assumes that customers would adjust the event and flow aggregation rates lower than out-of-box settings. McAfee recommends using qEPS numbers as the basis for sizing most ESM designs. Note that Max qEPS represents best performance estimates based on observations with typical larger enterprise customers; aggressive customizations or dramatic increases in user activity may result in reduced observed iEPS rates.

https://community.mcafee.com/t5/Security-Information-and-Event/Mcafee-SIEM/td-p/617728

The McAfee SIEM All-in-One VM correlation maximum limit is 1500 EPS.

McAfee SIEM is a powerful SIEM. If you dig into correlation details, you will see comments on the McAfee SIEM blog like:

If a use case has many rules (for example, 5 rules), currently McAfee will get only 1 of these 5 source events' custom types in the use case.

The only way is using the API.

No case-insensitive option when using watchlists.

https://community.mcafee.com/t5/Security-Information-and-Event/No-Case-insenstive-option-when-using-watchlist-or-correlation/m-p/630011

There are some limits on correlation fields:

If I see a user attempt to log in to our VPN from two different "regions" within a three-hour window.

I have the logic built, but in the correlation rules "Advanced Options" I try to set a 'Distinct values' of 2.

But the monitored fields only seem to provide the 'Source Geo location' option, not the ability to select state, region, country, etc.

https://community.mcafee.com/t5/Security-Information-and-Event/VPN-quot-Super-Human-quot-Use-Case/m-p/619606

Non-supported rule types:

Rule chain:

If a firewall admin login has occurred and there is no configuration change immediately after this login (within 15 minutes), but there is a change in the firewall within 12 hours, notify.

Threshold rules:

Destination IP is 1.1.1.1 and destination port is 389 and sent_bytes > 100000 (total) in time frame of 10 minutes and group by source IP.

https://community.mcafee.com/t5/Security-Information-and-Event/accumulator-field-in-correlation-rule/m-p/634698

I want to know how many SQL injection attack events came from a single IP in 5 minutes. I know that I can set a threshold, but I want to know the exact number.

SUM-type thresholds are not supported.

If I want to detect total downloads of more than 500 Mb within 5 minutes, it is not possible with McAfee.

If correlation is important, you may consider reading the technical documents. Some remarkable examples of limits and notes are given above. There are many other SIEM solutions, like IBM QRadar, ArcSight, FortiSIEM, SureLog, RSA, and LogRhythm. You have to check in detail what the product user guides and technical documents say about correlation.

Correlation and detection capabilities are important. In order to choose a SIEM according to correlation capabilities, you should also check whether these use cases are supported:
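The operators that keep coming up in the limits quoted above (“Followed by Within”, “Not Followed by Within”, and the unsupported rule chain of an admin login with no configuration change within 15 minutes but one within 12 hours) can be written out as a short evaluation over a time-ordered event list. This is an added example, not the rule language of ManageEngine, SolarWinds, McAfee or any other product on this page; the event records are constructed, and correlating on a `device` field is my assumption.

```python
"""Sequence correlation: FOLLOWED BY WITHIN, NOT FOLLOWED BY WITHIN, and a rule chain.

Added example. Events (ts in seconds, type, user, device) are constructed;
the 15-minute and 12-hour windows are the ones the article quotes.
"""
from typing import Callable, Dict, List, Tuple

Pred = Callable[[Dict], bool]


def followed_by_within(events: List[Dict], first: Pred, second: Pred,
                       key: str, window_s: int) -> List[Tuple[Dict, Dict]]:
    """A FOLLOWED BY B WITHIN window: for every A event, the first later B event
    with the same `key` value that occurs no more than window_s after it.
    `events` must be sorted by ts."""
    pairs = []
    for i, a in enumerate(events):
        if not first(a):
            continue
        for b in events[i + 1:]:
            if b["ts"] - a["ts"] > window_s:
                break                    # time-ordered: nothing later can still match
            if second(b) and b[key] == a[key]:
                pairs.append((a, b))
                break
    return pairs


def not_followed_by_within(events: List[Dict], first: Pred, second: Pred,
                           key: str, window_s: int, now: int) -> List[Dict]:
    """A NOT FOLLOWED BY B WITHIN window. Absence is only decidable once the
    window has closed, so A events whose window is still open at `now` are
    held back rather than reported as negatives."""
    matched = {id(a) for a, _ in followed_by_within(events, first, second, key, window_s)}
    return [a for a in events
            if first(a) and id(a) not in matched and a["ts"] + window_s <= now]


def admin_login(e: Dict) -> bool:
    return e["type"] == "fw_admin_login"


def config_change(e: Dict) -> bool:
    return e["type"] == "fw_config_change"


def late_change_after_admin_login(events: List[Dict], now: int) -> List[Tuple[Dict, Dict]]:
    """Rule chain quoted in the article: admin login on a firewall with NO config
    change within 15 minutes, but a config change on that firewall within 12 hours."""
    quiet = {id(a) for a in not_followed_by_within(events, admin_login, config_change,
                                                   "device", 15 * 60, now)}
    return [(a, b) for a, b in followed_by_within(events, admin_login, config_change,
                                                  "device", 12 * 3600)
            if id(a) in quiet]


# Constructed firewall audit events (ts = seconds since an arbitrary epoch).
EVENTS = sorted([
    {"ts": 0, "type": "fw_admin_login", "user": "admin1", "device": "fw-edge-1"},
    {"ts": 300, "type": "fw_config_change", "user": "admin1", "device": "fw-edge-1"},      # change right after login: expected
    {"ts": 3600, "type": "fw_admin_login", "user": "admin2", "device": "fw-dc-2"},
    {"ts": 3600 + 4 * 3600, "type": "fw_config_change", "user": "admin2", "device": "fw-dc-2"},  # 4 h later: fires the chain
    {"ts": 7200, "type": "fw_admin_login", "user": "admin1", "device": "fw-edge-1"},       # no change at all
], key=lambda e: e["ts"])
NOW = 24 * 3600   # evaluation time: every 15-minute window has closed

if __name__ == "__main__":
    for a, b in late_change_after_admin_login(EVENTS, NOW):
        print(f'{a["device"]}: admin login at {a["ts"]}s, config change {(b["ts"] - a["ts"]) // 60} min later')
```

The `now` parameter is the part a product's rule language has to get right: a "not followed by" condition cannot be evaluated at the moment the first event arrives, only after its window expires, which is why engines that evaluate each event in isolation cannot offer the operator at all.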

  • Warn if a PowerShell command in base64 format with more than 100 characters appears
  • Password changes for the same user more than 3 within 45 days
  • If there are more than 10 DNS requests within 5 minutes that have the same domain but different subdomains, notify. Example: xxx.domian.com, yyy.domian.com
  • Misuse of an account
  • Lateral movement
  • Executive only asset accessed by a non-executive user
  • Multiple VPN accounts failed login from a single IP
  • First access to critical assets
  • User access from multiple hosts
  • The user account created and deleted in a short period of time
  • Monitor privileged accounts for suspicious activity
  • Chained RDP connections
  • RDP with unusual charset
  • Multiple RDP from the same host in a short time
  • Lateral movement following an attack
  • Returns days where a user accessed more than his 95th percentile number of assets
  • Look for a user whose HTTP-to-DNS protocol ratio is 300% more than that of 95% of the other users, for the last four-week ratio for the 4th day of the week [1]
  • If a user's ratio of failed authentications to successful authentications is 10%, alert
  • Data loss detection by monitoring all endpoints for an abnormal volume of data egress
  • Measure the similarity between well-known process names and the running ones using Levenshtein distance in real time, and detect process masquerading [2]
  • DGA detection [3]
  • Detect attack Tools [4]
  • Detect malware [5]
  • Detect suspicious/malicious processes [5]
  • Detect suspicious/malicious files [5]
  • Detect suspicious/malicious services [5]
  • Detect abnormal port used in outbound network connection from an asset [1]
  • An abnormal number of assets logged on [1]
  • Failed logon to an asset that a user has previously never logged on to [6]
  • The first time a user saves files to a USB drive
  • First time the user is performing an activity from a country
  • First VPN connection from a device for a user
  • First connection from a source IP
  • First access to a device for a user
  • First access to database MSSQL for peer group HR
  • First access to database MSSQL for user
  • First mail to/from a domain for the organization
  • First access to this web domain which has been identified as risky by a reputation feed
  • First execution of a process on a host
  • First access to object fdghsdydhas
  • First access from a host to a database for a user
  • First access from source zone Atlanta office to a database for a user
  • Suspicious temporary account activity
  • Abnormal account administration
  • Unusual account privilege escalation
  • Unusual file modifications
  • Abnormal password activity
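Several of the limits quoted in this article are about one mechanism: a threshold evaluated per group over a sliding time window. The SolarWinds item (5 host-firewall events of severity 4 or greater in 10 minutes, same source and destination IP) is a count threshold with a group-by; the McAfee item (sent_bytes over 100000 in 10 minutes to 1.1.1.1:389, grouped by source IP) is a SUM threshold; the McAfee VPN post (two distinct regions for one user within three hours) and the DNS use case in the list above (more than 10 different subdomains of one domain within 5 minutes) are distinct-value thresholds. The following Python is an added example, not any vendor's engine, that implements that one mechanism generically and runs all four rules over a constructed event stream. Field names, the registered-domain helper and the "at least" comparison are my assumptions.

```python
"""Sliding-window correlation rule with group-by and count / sum / distinct aggregates.

Added example, not the rule engine of SolarWinds LEM, McAfee ESM or any other
product named on this page. Events and field names are constructed. The
registered-domain helper keeps the last two labels, which is wrong for suffixes
such as co.uk; a production rule would consult the public suffix list.
"""
from collections import defaultdict, deque
from typing import Callable, Dict, List, Optional


class WindowRule:
    """Fire when an aggregate over matching events inside a sliding window, computed
    separately per group, reaches `threshold`. Events must be fed in time order.
    aggregate: "count", "sum" (of numeric `field`) or "distinct" (values of `field`)."""

    def __init__(self, name: str, match: Callable[[Dict], bool], group_fn: Callable[[Dict], tuple],
                 window_s: int, threshold: float, aggregate: str = "count", field: Optional[str] = None):
        self.name, self.match, self.group_fn = name, match, group_fn
        self.window_s, self.threshold, self.aggregate, self.field = window_s, threshold, aggregate, field
        self._state = defaultdict(deque)   # group -> deque of (ts, value)
        self._fired = set()                # groups already alerted in the open window

    def _total(self, q) -> float:
        if self.aggregate == "distinct":
            return len({v for _, v in q})
        return sum(v for _, v in q)

    def feed(self, ev: Dict) -> Optional[Dict]:
        if not self.match(ev):
            return None
        group = self.group_fn(ev)
        q = self._state[group]
        q.append((ev["ts"], 1 if self.aggregate == "count" else ev[self.field]))
        while q and ev["ts"] - q[0][0] > self.window_s:   # expire events older than the window
            q.popleft()
        total = self._total(q)
        if total >= self.threshold:
            if group in self._fired:
                return None                                 # one alert per open window
            self._fired.add(group)
            return {"rule": self.name, "group": group, "total": total, "ts": ev["ts"]}
        self._fired.discard(group)
        return None


def registered_domain(fqdn: str) -> str:
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def build_rules() -> List[WindowRule]:
    return [
        # 5 host-firewall events of severity >= 4 in 10 minutes, same source and destination IP
        WindowRule("fw_burst", lambda e: e["type"] == "host_fw" and e["severity"] >= 4,
                   lambda e: (e["src_ip"], e["dst_ip"]), 600, 5),
        # at least 100000 bytes sent to 1.1.1.1:389 within 10 minutes, grouped by source IP
        WindowRule("ldap_volume", lambda e: e["type"] == "flow" and e["dst_ip"] == "1.1.1.1" and e["dst_port"] == 389,
                   lambda e: (e["src_ip"],), 600, 100000, "sum", "sent_bytes"),
        # one user logging in to the VPN from two different regions within three hours
        WindowRule("vpn_multi_region", lambda e: e["type"] == "vpn_login",
                   lambda e: (e["user"],), 3 * 3600, 2, "distinct", "region"),
        # more than 10 distinct subdomains of one domain from one host within five minutes
        WindowRule("dns_fanout", lambda e: e["type"] == "dns",
                   lambda e: (e["src_ip"], registered_domain(e["qname"])), 300, 11, "distinct", "qname"),
    ]


def run(rules: List[WindowRule], events: List[Dict]) -> List[Dict]:
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            alert = rule.feed(ev)
            if alert:
                alerts.append(alert)
    return alerts


def constructed_events() -> List[Dict]:
    """Constructed sample stream (ts = seconds since an arbitrary epoch)."""
    def fw(ts, sev, src, dst):
        return {"ts": ts, "type": "host_fw", "severity": sev, "src_ip": src, "dst_ip": dst}
    ev = [fw(0, 5, "10.0.0.5", "10.0.0.9"), fw(60, 4, "10.0.0.5", "10.0.0.9"),
          fw(90, 2, "10.0.0.5", "10.0.0.9"),                                          # severity too low
          fw(120, 4, "10.0.0.5", "10.0.0.9"), fw(130, 5, "10.0.0.7", "10.0.0.9"),       # other source: other group
          fw(200, 6, "10.0.0.5", "10.0.0.9"), fw(250, 4, "10.0.0.5", "10.0.0.9"),       # 5th qualifying -> alert
          {"ts": 210, "type": "flow", "src_ip": "10.0.0.5", "dst_ip": "1.1.1.1", "dst_port": 389, "sent_bytes": 60000},
          {"ts": 400, "type": "flow", "src_ip": "10.0.0.5", "dst_ip": "1.1.1.1", "dst_port": 389, "sent_bytes": 50000},  # 110000 -> alert
          {"ts": 1000, "type": "vpn_login", "user": "alice", "region": "DE"},
          {"ts": 5000, "type": "vpn_login", "user": "alice", "region": "US"},            # 2 regions in 3 h -> alert
          {"ts": 1100, "type": "vpn_login", "user": "bob", "region": "DE"},
          {"ts": 1100 + 4 * 3600, "type": "vpn_login", "user": "bob", "region": "FR"}]   # 4 h apart: no alert
    ev += [{"ts": 20000 + 10 * i, "type": "dns", "src_ip": "10.0.0.5", "qname": f"h{i}.example.net"}
           for i in range(12)]                     # 11th distinct subdomain -> alert, 12th suppressed
    return ev


if __name__ == "__main__":
    for alert in run(build_rules(), constructed_events()):
        print(alert)
```

Two details matter when comparing products against this: the `_fired` set gives one alert per open window rather than one per event once the threshold is crossed, and the group key is a tuple, so "same source and destination" and "per user" are the same mechanism with a different `group_fn`. A product that lacks Group By, SUM thresholds or distinct-value counts cannot express one or more of these four rules at all.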
Netanya Carmi
Content Manager
IT Central Station
Apr 26 2021

Security information and event management (SIEM) is a multipurpose security management protocol that combines security information management (SIM) and security event management (SEM). SIEM has recently emerged as the gold standard approach to network security. It uses historical as well as real-time correlation software to keep track of security data logs, allowing you to troubleshoot historical threats as well as to flag new security issues as they occur.

Data logs document any unusual activity that occurs in your network. Because all network activity is collected in the data log, it is one of the most effective tools for detecting threats that may have managed to sneak through your other lines of defense. In addition to identifying, monitoring, recording, and analyzing security events, SIEM as a service should also simplify and automate your data log management, managing network security from a centralized, unified dashboard and offering a comprehensive view of your IT infrastructure’s security. This is much easier, faster, and more efficient than having to check in individually on all your various security services and technologies.

Top SIEM tools, according to IT Central Station users, include Splunk, IBM QRadar, Securonix Security Analytics, and Devo.

Difference Between SOC and SIEM

SIEM and SOC often get grouped together. But while SIEM is a kind of technology that allows security analysts to discover and act on suspected threats, a SOC (security operations center) encompasses not only the technology but also the people and processes involved in monitoring the network, searching for threats, and responding to incidents.

Rather than having their SOC in a dedicated facility, many companies today have virtual SOCs and use part-time staff from their development, security, and operations teams. Some also set up managed or hybrid SOCs, combining in-house staff with expertise and tools from MSSPs (Managed Security Service Providers).

Using the SIEM, SOC analysts monitor around the clock for security incidents and are responsible for responding if one is detected. The SIEM solution is the management tool, providing an additional layer of security to the SOC. You generally will not see a SOC without a SIEM, as SIEM software is a foundational element of SOC. SIEMs are valuable tools, but can have limitations. They will identify, filter, and flag the most serious security events but then it is up to the SOC analysts to determine the priorities and provide the solutions.

Security and technology teams often debate whether SIEM should be handled by an MSSP or in-house. In order to be able to handle SIEM in-house, you need three things:

  1. The money to invest in the staffing and operational costs.
  2. The time to invest in reviewing and monitoring data logs, customizing alerts, etc.
  3. The expertise to implement SIEM into your security program and audit as needed.

If any of these three elements is lacking, it might make more sense to consider going with an MSSP.

SIEM SOC Use Cases

The following are examples of use cases in which SOCs used SIEM as a part of their security operations:

1. Compliance

    The Payment Card Industry Data Security Standard (PCI DSS) secures credit cardholders’ data from theft and misuse. SIEM SOC can help with PCI compliance through:

    a. Perimeter security - monitoring for unauthorized network connections, searching for insecure services and protocols, and checking traffic flow.
    b. Monitoring any event that results in a change to user identity/user credentials.
    c. Detecting threats in real time.
    d. Searching for replicates, default credentials, etc. on production and data systems.
    e. Collecting system and security logs, auditing and reporting them, and generating compliance reports.

2. Insider Threats

    Insider threats are at the root of three out of five security breaches, and can go undetected for months or even years. SIEM SOC can help detect and stop insider threats by:

    a. Using behavioral analysis to detect compromised user credentials.
    b. Detecting anomalous privilege escalation.
    c. Correlating threat intelligence with network traffic to discover malware/compromised user accounts.
    d. Combining and analyzing seemingly unrelated events via behavioral analysis to detect data exfiltration.
    e. Detecting and stopping encryption of large amounts of data, e.g. by ransomware.
    f. Using their broad view of multiple systems to detect lateral movement.

3. Advanced Security

    Many IoT (Internet of Things) devices are vulnerable to advanced security threats. SIEM SOC can help mitigate these threats in the following ways:

    a. Detecting unusual traffic from the organization’s IoT devices, which might be used for a DoS (Denial of Service) attack.
    b. Detecting unpatched vulnerabilities, old operating systems, and insecure protocols on IoT devices.
    c. Monitoring who has access control and where they connect to; alerting to the presence of an unknown or suspicious source or target.
    d. Monitoring unusual data flow, which may signify a transfer of sensitive data.
    e. Identifying at-risk devices.
    f. Identifying suspicious or anomalous behavior of particular devices that might be compromised.

Rony_Sklar
IT Central Station
Apr 09 2021

There are a lot of considerations when choosing a Security Incident and Event Management (SIEM) Solution for your business. That’s why users on IT Central Station often turn to our community to ask for advice.

In this Q&A round-up, we’re going to take a look at some of the insights about SIEM that have emerged in our community. We’re going to focus specifically on the tips and insights that users have shared for successfully implementing a SIEM solution.

SIEM solutions are as good as the people implementing them

Many users turn to our community to ask for SIEM recommendations – some general and some more specific. Although fellow users are happy to make product suggestions, a common theme emerges in many of the answers: The solution that you choose is only as good as the team behind it.

Simo Sim, a Systems Engineer, notes, “besides the technology you also need the manpower behind it.” Another user, Aji Joseph, says that successful SIEM implementation “depends a lot on the expertise of the SoC team that will be managing the alerts generated by SIEM solutions.”

Consulta85d2, who appears on our Threat Intelligence Leaderboard, echoes this sentiment, adding that it’s important to realise that one needs to actively manage whatever SIEM solution is chosen. He notes, “The critical choice is in the resources and commitment to manage and use the system. I’ve seen countless SIEM implementations fail over the longer term, including all of the big names, because too many people treat it like a “set it and forget it” system…A SIEM or UEBA platform is a tool that must be monitored, tuned, and used every day. So I would recommend to you that you spend less time figuring out which technology is the “best” and more time building a plan to integrate it, manage it, and fully utilize it. Or selecting a good team to do that for you.”

But how do you choose a SIEM solution that you know your team can handle?

Anthony Mack notes that effective implementation (particularly at scale) ”demands adoption and integration best practices that both account for existing resource environments and prioritize value-driven compliance outcomes.” He suggests that one should choose a solution that matches one’s current IT posture. To do this he recommends “an evaluation of what your existing teams have experience with and what integrates best, followed by a live-production evaluation of best-of-breed solutions.”

Tips for choosing the right SIEM solution

As with any enterprise tech solution, it’s important to spend time doing your research and POC, so that you know that you’re spending on the right product. We sifted through some of our users’ answers to summarize some of the best tips.

1. Define your goal

Before starting to evaluate solutions, it’s important to define what you want to accomplish with a SIEM. Marty Barron says, “Every SIEM has different strengths and weaknesses so you need to know what is most important to you in terms of goals, so you don’t waste time looking at something that can’t do the thing you need it to do.”

2. Limit your options

As Kent Gladstone-USA says, “Review a finite number of products, otherwise you’ll never finish”. Although it’s important to spend time doing due diligence, you need to get to the point of implementation. If you have too many options, it will take too long to make a decision. Users suggest making a shortlist of options that meet your technical requirements, speak to your goal, and match your budget.

3. Create a framework for your POC

Once you’ve narrowed down your options, it’s time to trial the shortlisted products. Users recommend putting a framework in place to guide the POC. This way, you can evaluate your options systematically.

One user, DAX Paulino, suggests “creat[ing] a checklist of features that you need, from the basic (i.e. interactive dashboards, ease of integration, Threat Intelligence), to the more advanced (i.e. Automated response, Behavior Analytics, etc.). Give each item on your checklist a score so that you can weigh in on each item as a measure of your decision. Don’t forget to factor in usability and support.”

More advice about SIEM solutions from our user community

If you’re researching SIEM solutions, there’s a wealth of information on our site that can guide you in your research. You can read in-depth reviews of SIEM solutions, and also explore the other questions and answers about SIEM from our user community.

If you don’t find the exact answers that you’re looking for, you can also post a question and get answers from your peers.

IT Central Station is here for you, to learn and help your peers. In a market full of vendor hype, we enable you to get real, unbiased information from people like you.

      Matthew Shoffner
      IT Central Station

      The major regulatory compliance schemes do not mention Security Incident and Event Management (SIEM) systems by name, but in reality, SIEM tools are essential for achieving compliance and passing their certification audits. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF), for example, which is used for PCI-DSS and Sarbanes Oxley (SOX) among others, mandates continuous monitoring, detection processes and the ability to analyze anomalies and events. These are tasks arguably SIEM tools do better than any other security tool, which is one of the many benefits of SIEM.

      SIEM Is Critical For Compliance

      A SIEM solution is an absolutely critical tool for complying with security regulations promulgated by regulatory bodies. To understand why this is the case, it is first helpful to grasp how cybersecurity technologies and practices actually enable compliance. The regulations tend to be general, not prescriptive. The specifics of implementing the controls required by the law, testing them and passing an audit are left up to the organization that needs to comply with them. To achieve compliance, organizations rely on frameworks and standards like NIST CSF. However, it’s a subjective and sometimes messy, confusing process.

      The Sarbanes Oxley Act does not say, “Install a SIEM system and monitor your network.” Rather, Section 404 of the law itself just says that a publicly-traded company should issue “an internal control report, which shall…contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.” SOX says very little about IT, but the accounting industry, along with various industry bodies, has developed a SOX compliance framework that requires IT departments to pass an audit verifying that an organization has:

      • Established physical and electronic controls that will prevent users lacking credentials from accessing sensitive information.
      • Maintained secure locations for servers and data centers.
      • Ensured that proper controls for IT assets containing financial information are in place to protect these digital assets from breach.

      Using SIEM software, you are able to monitor the underlying security policies that enable such controls to exist. For instance, a firewall is an electronic control that prevents unauthorized users from accessing sensitive information. That’s great. How will a company pass an audit that wants to check how well that control is working? Enter the SIEM. The SIEM can aggregate, correlate and analyze multiple firewall logs. From this process, it can produce an audit report demonstrating how the company has been implementing the control required for SOX compliance.

      SIEM Compliance Requirements

      Compliance programs that follow NIST CSF try to snap to the framework’s functional categories. The categories span the security lifecycle: Identify (ID), Protect (PR), Detect (DE), Respond (RS) and Recover (RC). In this way, each stage of security is covered by the framework. The security team first identifies risks, then endeavors to protect against them. If there is an incident, it responds and then tries to recover.

      Not every category and sub-category relates to SIEM. However, SIEMs are foundational to achieving compliance with the framework across multiple categories and their respective requirements. They do this with compliance reporting, endpoint detection and response (EDR), threat intelligence gathering, monitoring, log management, analysis and visualization. In particular, SIEM is instrumental in meeting the requirements defined for the following NIST CSF category/sub-categories:

      • Protect (PR)/Access control—SIEMs can produce audit reports based on multiple access control system logs.
      • Protect (PR)/Information protection processes and procedures—Having a SIEM in place as a countermeasure against intrusion is an application of this framework sub-category.
      • Protect (PR)/Protective technology—SIEM serves as protective technology in multiple senses of the term. It is part of the Security Operations Center’s (SOC’s) toolset for guarding against improper access to data and systems of record.
      • Detect (DE)/Anomalies and events—SIEMs detect anomalies and issue alerts to SOC analysts.
      • Detect (DE)/Security continuous monitoring—SIEMs perform continuous monitoring, staying on top of multiple other systems of continuous monitoring.
      • Detect (DE)/Detection processes—SIEMs detect attacks and threats and alert SOC analysts when they find one.
      • Respond (RS)/Analysis—SIEMs create reports used in forensic analysis of security events.
      • Recover (RC)/Improvements—SIEM reports give analysts and security managers the insights they need to improve the incident response process after an event has occurred.

      Regulations Requiring Compliance

      Nearly all regulations that mandate IT compliance have a requirement of logging all relevant events and then operationalizing an incident response process that handles the threats—and documents the entire series of response activities. After that, the regulations set out the expectation that the company will maintain records of its incident responses. SIEM performs all of these tasks. This is relevant across multiple sets of regulations.

      The Federal Information Security Modernization Act (FISMA)

      FISMA security practices require that “any federal agency document and implement controls of information technology systems which are in support to their assets and operations.” According to NIST, compliance includes the following tasks, which are the province of SIEM:

      • Continuously monitoring security controls.
      • Refining controls using risk-assessment procedures.
      • Documenting controls in the security plan.

      The Payment Card Industry Data Security Standard (PCI DSS)

      PCI DSS sets out security standards to establish a secure environment for businesses that accept, process, store or transmit payment card information. SIEMs help with PCI DSS by:

      • Helping protect networks on which payment card information is stored or processed.
      • Providing the basis for passing a vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV).
      • Comprising the threat detection aspects of the PCI DSS standard.

      General Data Protection Regulation (GDPR)

      GDPR covers data protection and privacy in the EU and the European Economic Area, along with transfers of personal data outside these regions. SIEMs are essential for GDPR compliance because they:

      • Enable companies to process personal data securely by what the law calls “appropriate technical and organizational measures.”
      • Provide a key element of “confidentiality, integrity and availability” of systems and services that process personal information.
      • Help data custodians restore access and availability to personal data in a timely manner if there is a security incident.

      Health Insurance Portability and Accountability Act (HIPAA)

      HIPAA protects private, individually identifiable health information, known as protected health information (PHI). With a SIEM, an entity needing to comply with HIPAA can:

      • Identify and defend against threats to the PHI.
      • Secure systems that ensure the confidentiality, integrity and availability of PHI.
      • Monitor systems to mitigate the risk of impermissible uses or disclosures of PHI.

      Conclusion

      SIEMs are integral to compliance. Without a SIEM, it would be difficult in the extreme to meet the criteria set down by the dominant standards such as NIST CSF. It’s an ever-evolving situation, in any event. As networks and infrastructure grow more complex, SIEMs will be even more useful in enabling companies to keep up with compliance audits.

      Matthew Shoffner
      IT Central Station

      A Security Information and Event Management (SIEM) solution typically represents a significant investment, even for a large enterprise. With prices ranging from a minimum of $20,000 to upwards of $1M, and an average of $50,000, SIEM solutions carry a hefty price tag. However, the value of the top SIEM tools, for general security health and compliance, probably makes the technology worth the cost, but it’s a big check to write.

      The benefits of SIEM are obvious, and it is a crucial part of a security strategy, helping SOCs organize and respond to security threats. The benefits of mitigating threats, staying in line with compliance and audit standards, and avoiding costly data loss and business delays can easily outweigh SIEM TCO.

      Additionally, you could add a Security Orchestration, Automation, and Response (SOAR) tool to accompany your SIEM solution, which would be an additional cost that enables you to handle security issues more efficiently. Commonly confused with one another, there are differences between SOAR and SIEM.

      SIEM cost summary

      | Item | Cost Range | Explanation |
      |---|---|---|
      | SIEM software cost | $20,000 - $1M | Average cost is $50,000 |
      | Deployment consulting support | $50,000 | One-time fee. Varies based on complexity of implementation, but can easily reach six figures for large enterprises or highly integrated, customized solutions. |
      | Training | $0 - $10,000 | Some training can be included with the product. Cost of additional training not included varies by requirements and number of people to be trained. |
      | Database administrator (DBA) | $74,000 | DBA average US salary |
      | Admin personnel | $74,000 to $500,000 | Varies by staffing needs. Three admins can cover a full 24-hour shift. Includes additional product tuning that will be necessary. |
      | Hardware | $25,000 - $75,000 | Varies by size of configuration, but will generally cost more than plain off-the-shelf hardware due to performance requirements. |
      | Intelligence Feeds | $1,500 to $10,000 | Some feeds are free, but others need to be purchased and vary by quantity and level of feeds. |
      | Infrastructure | $10,000 | Includes servers, storage, and switches. |


      SIEM Cost Breakdown

      One helpful way to think about SIEM costs is to take a basic enterprise technology project and add on a couple of extras. In particular:

      • Consulting support for the deployment process. SIEM implementation, traditionally, is not as simple as standing up a typical enterprise solution. It has to connect with a wide variety of other systems and must be configured to handle a high volume of data. This tends to mean hiring external consultants, since not all departments have the skills in-house to do the work (although with recent advancements, some SIEMs can now be set up with little, if any, consultation). Consultants can provide customizations, which include threat identification, alerting, and remediation rules, to fine tune your SIEM product to handle the threats you’re facing.
      • Hiring a database administrator (DBA). This may not be a full time hire, but setting up a SIEM involves some pretty complicated data architecture and integration processes. In addition, most SIEMs lack self-managing databases. Someone has to take care of all this. A DBA gets paid $74,000 per year on average.
      • Hardware that can handle the load. SIEMs ingest and process enormous amounts of data, with huge real-time insertion and retrieval rates. As a result, the SIEM cannot run on any old piece of hardware. Someone, usually an external consultant, needs to spec out the hardware based on the SIEM’s connectivity and expected data loads.
      • Personnel. SIEMs need to be staffed, often around the clock. Labor costs vary, of course, but in North America and Europe, hiring experienced SIEM admins for three shifts will cost something in the neighborhood of $500,000 a year.
      • Intelligence feeds. The threat intel feeds going into the SIEM can come with their own price tags. Some are free, but many cost between $1,500 and $10,000 per year.
      • Training. SIEMs are a distinct technology that almost always requires specialized training for the people who operate them. Initial training, along with recurring annual retraining, should be part of the SIEM budget.
      • Ongoing tuning. SIEMs tend to be a bit fussy, creating a lot of distracting “noise” that can defeat their entire purpose if not corrected. As a result, SIEMs usually need ongoing tuning, which may require external consultants.

      Considering these cost elements, it’s easy to see how a SIEM can cost a million dollars to acquire and launch in its first year. It could then require a budget of half a million dollars to keep it up and running. Plus, some SIEMs price on a per-second or per-event basis. It’s essential to understand exactly what the costs will be based on expected usage patterns.


      Tips For Keeping SIEM Costs Low

      It’s possible to keep SIEM costs relatively low.

      • Buy a solution that fits your needs today. One approach is to limit the scope of the solution at launch. This keeps hardware and DBA costs down and speeds the deployment process, which in turn cuts down on consultant costs. The trick here is to design for scaling up later on, if that’s required.
      • Outsource SIEM monitoring. Another option is to outsource SIEM monitoring and event management. This may not work for everyone, but a Managed Security Service Provider (MSSP) can take over some of the more difficult SIEM operations. This will likely cost less than staffing people around the clock.
      • Use a log collection strategy. Use your SIEM software to log only critical items while leaving non-critical events to be handled by a log management server. You can then more easily discard lower value events at shorter retention periods to reduce storage and maintenance costs.

      SIEMs tend to be expensive and time-consuming solutions to run, even as they deliver much-needed security incident and event detection and response capabilities. The investment is probably worth it, but it’s a pretty big investment, especially for a smaller company or government agency.

      Rony_Sklar
      IT Central Station


      Members of the IT Central Station community are always happy to take a few minutes to help other users by answering questions posted on our site. In this Q&A round-up, we’re focusing on our users’ answers about SIEM, Identity and Access Management, and the Differences between Hyper-converged Infrastructure vs Converged Infrastructure.

      Which is the best SIEM tool for a mid-sized enterprise financial services firm: Arcsight or Securonix?

      One of our users was looking for SIEM recommendations, and was specifically looking at ArcSight and Securonix. As always users were very helpful, and suggested possible tools based on their own experience.

      ArcSight appeared to be the popular recommendation between the two tools. One user, Himanshu Shah, suggested that Securonix may be better suited for a mid-sized business, as ArcSight “works on EPS (Events per second) costing”, which can become costly. Users also suggested looking at other options, such as QRadar, Splunk, and LogRhythm.

      However, Consulta85d2 responded, “Neither, or both. Having done literally thousands of SIEM deployments, I can tell you from experience that the technology choice isn’t the most important choice. The critical choice is in the resources and commitment to manage and use the system.”

      Aji Joseph held similar sentiments and highlighted the key role that the SOC team plays: “The success of SIEM solutions depends a lot on the expertise of the SOC team that will be managing the alerts generated by SIEM solutions.” He also suggested evaluating the forensics capabilities of the various solutions before buying.

      What are some tips for effective identity and access management to prevent insider data breaches?

      Insider breaches can be a real issue in businesses. Users gave advice on how to effectively implement Identity and Access Management to tackle this issue.

      Mark Adams, a Senior Manager, IT Security and Compliance / CISO at a large construction company, gave great advice for implementing a solution, noting that it’s important to “make the implementation a formal project and involve all key stakeholders, including those from the business, not just IT folks.” He gave practical tips, including identifying and classifying all information assets and creating rules for access to those assets. He also highlighted the importance of reviewing access periodically. He stated, “Data owners should be involved in the review since they are usually in a better position to determine if individuals’ access is still legitimate.”

      What are the key differences between converged and hyper-converged solutions?

      Users helped to clarify key differences between hyper-converged (HCI) and converged infrastructure. Based on the users’ answers, the key differences revolve around ease of use, flexibility, and price.

      HCI solutions are typically more expensive, but have significant advantages. Steffen Hornung pointed to the scale-out nature of HCI, noting that you “add more nodes to the system to support new workloads without losing performance because you add all types at once (compute, storage and networking).”

      Dan Reynolds summarised the appeal of HCI really well, pointing out that it’s a complete solution: “Hyper-converged is typically an “all in one box/rack” solution. It consists of compute, storage & network resources all tied together physically (and through software)….You don’t have to architect it. All you have to know is how much “power” you need (what you want to do with it).” In contrast, he noted that “with converged infrastructure (which can still be ‘software defined’) you have to match and configure the components to work together.”

      Thanks, as always, to all the users who are taking the time to ask and answer questions on IT Central Station!



      Matthew Shoffner
      IT Central Station

      Security Information and Event Management (SIEM) has been widely adopted and used to manage cybersecurity events, as the benefits of SIEM are apparent. As a result, the SIEM market is expected to grow by approximately 25% over the next 5 years as the need for cybersecurity automation increases. Even though the market is expanding, the cost of SIEM has remained relatively flat.

      All of the top SIEM tools ingest and analyze mass amounts of security event data from a wide range of other systems, like firewall software, network routers, and intrusion detection and prevention software to name a few. It’s effectively impossible for a human being to keep track of multiple security device logs, so SIEM organizes, analyzes, and creates alerts for security operations to follow up on. The overarching advantage of SIEM is its ability to perform quick, accurate detection and identification of security events.

      SIEM can be combined with Security Orchestration Automation and Response (SOAR) for additional benefits. Many think that SOAR and SIEM are one and the same, but there is a difference between SOAR and SIEM which you should understand before moving forward with purchasing either.

      The Advantages of SIEM

      SIEMs help the Security Operations Center (SOC) function effectively. In particular, they enable:

      1. Faster, more efficient SecOps. With a SIEM sifting through millions of data points, SOC analysts can quickly get a handle on what’s happening, using analysis templates to analyze log and threat intelligence data. This saves time in responding to a security threat and reduces the adverse impact of a cyberattack. Without a SIEM, security analysts would have to interpret multiple security device logs and data sources, such as threat intel feeds, by hand. In addition to burning people out—which is itself a big problem—it slows the incident response process down significantly. You can configure your SIEM tool to respond to incidents in real-time, potentially saving your company from data loss or worse.
      2. More Accurate Threat Detection and Security Alerting. SIEM tools can leverage their extensive data sets to detect and identify threats more accurately than would be possible using individual security data streams. They also have the ability to enrich security event data and offer critical context to incident alerts. For example, a SIEM can correlate a threat signature detected in one device log with a threat found on another log.
      3. Improved Security Data. SIEMs aggregate security data, improving the potential for it to be analyzed and used in incident response workflows. This can also result in better visibility over the entire security landscape in the enterprise. The SIEM also typically normalizes security data. In its raw form, the multiple data streams feeding into the SIEM have different schemas and fields; the data is not normalized. For example, data about users originating from network logs, email servers, databases and mobile devices might all take different forms. This creates a problem for data analysis and event correlation. The SIEM is able to reformat the data, making it consistent for incident analysis and response processes. Data storage is a related benefit. The SIEM can store normalized security data for extended analytics and reporting. This may also help with compliance.
      4. Better Network Visibility. SIEM log management and aggregation make it easier to get an overview of the network. Indeed, given the complexity and diversity of modern networks, a network can easily have “dark spaces.” This means that as the network scales, network managers and security teams lose visibility into what’s actually happening with databases, servers, devices and third parties. Hackers look for dark spaces on networks. It gives them a place to hide persistent threats and move laterally across digital assets without being detected. SIEM mitigates this risk by collecting security event data from everywhere in the network. It then stores and analyzes it in a central place. SIEM log analysis can shine a light on these dark spaces, so to speak.
      5. Improved Compliance. Regulations and compliance frameworks such as HIPAA invariably require logging of security data as a key control. SIEMs fulfill this role, easing the attestation process with pre-set compliance reporting templates that streamline the compliance process.
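      To make the normalization and cross-source correlation described in points 2 and 3 concrete (and the log aggregation behind the audit reports discussed in the compliance post above), here is an added Python example; it is not code from IT Central Station or from any SIEM product. It parses two constructed log formats into one common event schema, runs a correlation rule that only fires when a firewall signal and an authentication signal line up, and produces the per-source counts a report would be built from. The log lines, hostnames, addresses, regexes and thresholds are all assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in two different source formats (not real data).
FIREWALL_LOG = """\
2021-09-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
2021-09-01T10:00:05Z fw01 ALLOW src=198.51.100.2 dst=10.0.0.8 dport=443 proto=tcp
2021-09-01T10:00:09Z fw01 DENY src=203.0.113.7 dst=10.0.0.6 dport=3389 proto=tcp
"""
AUTH_LOG = """\
Sep  1 10:00:12 web01 sshd[4321]: Failed password for admin from 203.0.113.7 port 51000 ssh2
Sep  1 10:00:15 web01 sshd[4321]: Failed password for root from 203.0.113.7 port 51001 ssh2
Sep  1 10:01:30 web01 sshd[4400]: Accepted password for deploy from 198.51.100.2 port 52000 ssh2
"""
# Source-specific parsers; both formats are assumptions of this example.
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
AUTH_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")

def normalize_firewall(line):
    """Map one firewall line onto the common event schema (None if it does not parse)."""
    m = FW_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "source": "firewall",
            "host": m["host"], "src_ip": m["src"], "detail": f"dst={m['dst']} dport={m['dport']}",
            "outcome": "deny" if m["action"] == "DENY" else "allow"}

def normalize_auth(line, year=2021):
    """Map one sshd line onto the same schema; syslog omits the year, so it is supplied."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = " ".join(m["ts"].split())  # collapse the space-padded day field
    return {"ts": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"), "source": "auth",
            "host": m["host"], "src_ip": m["src"], "detail": f"user={m['user']}",
            "outcome": "failure" if m["result"] == "Failed" else "success"}

def ingest():
    # Normalize both raw feeds into one time-ordered event list, dropping unparsable lines.
    events = [normalize_firewall(l) for l in FIREWALL_LOG.splitlines()]
    events += [normalize_auth(l) for l in AUTH_LOG.splitlines()]
    return sorted((e for e in events if e), key=lambda e: e["ts"])

def correlate(events, window=timedelta(minutes=5), min_failures=2):
    """Cross-source rule: a source IP denied at the firewall that then fails logins on a
    different host within the window is flagged. Either signal on its own stays silent."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        denies = [e for e in evs if e["source"] == "firewall" and e["outcome"] == "deny"]
        failures = [e for e in evs if e["source"] == "auth" and e["outcome"] == "failure"]
        for d in denies:
            near = [f for f in failures
                    if timedelta(0) <= f["ts"] - d["ts"] <= window and f["host"] != d["host"]]
            if len(near) >= min_failures:
                alerts.append({"src_ip": ip, "first_seen": d["ts"], "failed_logins": len(near),
                               "hosts": sorted({e["host"] for e in [d] + near})})
                break  # one alert per IP keeps the analyst queue readable
    return alerts

def summarize(events):
    """Per-source outcome counts: the aggregate an audit report is built from."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e["source"]][e["outcome"]] += 1
    return {src: dict(c) for src, c in counts.items()}

if __name__ == "__main__":
    evs = ingest()
    print(summarize(evs))
    for a in correlate(evs):
        print("ALERT", a)
```

      The allowed connection and the single successful login from the second address never produce an alert, which is the point of correlating across sources rather than alerting on each log in isolation.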

      Disadvantages of SIEM

      SIEM software is not without its flaws. Organizations that adopt SIEM generally have difficulty with a few things.

      1. Cost. SIEM systems can be rather expensive. We’ve broken down SIEM costs to provide a full total cost of ownership. Although the cost can be high, the benefits can outweigh the cost to provide a positive ROI.
      2. Effort to configure. They also almost always need costly external resources to install and configure. That process can take a long time, too. The time to value can lag, causing organizational and budget challenges.
      3. Dedicated security resources to monitor. Then, once up and running, they need dedicated staff for operations and continuous tuning. Without constant updating, a SIEM can become “noisy,” generating excessive alerts to the point where it may even be ignored by the SOC.

      Conclusion

      SIEMs are potentially highly valuable additions to a SOC. They correlate security data feeds, enabling them to detect serious security incidents in time to take action. They then facilitate an effective, fast response by the SOC team. At the same time, SIEM software can take significant time to set up and to adjust the alerts and responses. Embarking on a SIEM project represents a serious commitment of time and resources on the part of the security team. It should be undertaken with rigorous planning and realistic budgeting in order to ensure long term success.
