Does anyone use an SIEM?


(Jonathon Huff) #1

Does anyone use a SIEM? If so, is it useful? We have a network security engineer at a large enterprise who attends our church and has suggested we implement one. But, we cannot afford the SIEM they use. Does anyone have a good recommendation for a church?


(Isaac Johnson) #2

We do use tools that we cobble together to handle HIDS/NIDS/SIEM and some other alerts and whatnot to do very basic correlation of events, but we are managing more than one church/nonprofit/business so we have some scale behind us and there is no way you can do all that and have it be worthwhile without serious scale (remember, that network security engineer is from a “large enterprise” and he is dealing with major scale as well, very likely way bigger than we are and probably with a whole lot of servers he’s rightly afraid of having compromised during East-West movement).

I would not actually tell a church that they should get a SIEM before doing something like re-engineering their network to be zero trust. Doing zero trust somewhat mitigates the ability for things to travel about the network and the need to do major correlation work. Basically, your endpoints should not be inside your perimeter, your perimeter should be very small and only proxy services through the perimeter when endpoints and users are positively identified and authenticated. With Azure/O365 donations it’s pretty cheap to do stuff like that.


(Optimus Prime) #3

I totally agree with @Isaac. I’m not looking to implement Splunk ES at my church. We keep tight control of admin privileges, carefully assign and control the minimum privileges required for tasks, and run very few services locally anyway. I don’t know what SIEM your friend is recommending, but unless managing one is your full time job already, I can’t see how you or your church would benefit from this.

I don’t go around recommending Nagios to everyone just because I know some kind of network monitoring is valuable. I knew how to set it up, and saw the benefit of deploying a free network monitoring tool that I could incorporate alerting into. Even as a free tool, I very rarely point people to it, because the learning curve is too great for someone to “just start using it” at any single site. An effective SIEM deployment is going to cost way more than just the licensing fees; you’ll have to learn it, or, if you want it set up right, you’ll likely have to partner with someone to have them come in and set it up for you.


(Nick Miller) #4

One "free" one to at least get into it is OSSIM by AlienVault. If you’re looking for a stash style Staten Splunk is good, but not cheap if you go above their data limit. An excellent alternative is Graylog.


(Travis Phipps) #5

NOTE: Partner/vendor here…

In general, I agree with Isaac and the others that there are probably other things to focus time and money on that would provide more direct improvements to your overall security posture.

But if you determine that a SIEM is definitely something you want or need, there are solutions available from vendors (like us and others) that can include SIEM services with dedicated security operations center (SOC) staff who tune, evaluate, and assess the data and alerts from the SIEM solution. These services normally then bubble up alerts to you in a human-readable form with some level of recommended action you should take for further investigation or remediation of the discovered issues. In other words, you’re not just getting SIEM software and automation, you’re actually engaging with a contracted SOC service with skilled labor dedicated to helping you get real value and improvement from what the SIEM discovers.

These solutions don’t have to break the bank either. The solution we recommend actually lets you target whatever devices in your network that you deem appropriate and you only pay for the devices you choose to monitor. In general they recommend at a minimum that you monitor all firewalls and domain controllers as that will capture your ingress/egress traffic as well as all network authentications within the environment. You can of course add whatever other networking, server, and endpoint devices that you’d like into the scope of the solution.

If you decide this is something you’d be interested in, feel free to ping me and I’ll be more than happy to get you more information.


(Optimus Prime) #6

If we’re making recommendations, Splunk is licensed by ingested data. It’s free to use up to 500 MB per day. I don’t think you can get ES for free though.

https://docs.splunk.com/Documentation/Splunk/7.2.4/Admin/MoreaboutSplunkFree

Again, I really think your time would be better spent elsewhere.


(Nick Miller) #7

You are correct that Splunk Free does do up to 500 MB per day. Graylog had no limitation. That being said I feel you are definitely correct that time would be better spent elsewhere. These solutions can collect, store, and alert on logs, but you will spend an enormous amount of time getting them set up and tweaked just right.

The bigger question you must answer is why would this solution be needed? Do you accept credit cards and therefore must be PCI compliant? Then yes, using a SIEM system or dominant is required based on your PCI level. If not, then these solutions are good ideas to help solve/prevent problems.

If you always remember that your goal is security over compliance, then let that lead your decisions as to which policies and solutions you use.
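Isaac (#2) mentions doing "very basic correlation of events", Travis (#5) notes that firewall and domain-controller logs together capture ingress/egress and authentications, and Nick (#7) points out that the real cost is in setup and tuning rather than in collecting logs. The script below is an added example, not code from any poster or from any SIEM product, showing what the smallest useful correlation rule looks like in plain Python: it parses a handful of constructed syslog-style lines from a firewall and a domain controller, tracks failed logons (Windows EventID 4625) per user and source address, and raises an alert when a burst of failures is followed by a successful logon (EventID 4624) from the same pair, attaching a count of earlier firewall denies from that source as context. The log line format, host names, addresses and thresholds are all assumptions made up for the example.

```python
"""Minimal two-source log correlation: failed-logon burst followed by success.

Added example for illustration only. The log lines below are constructed;
only the Windows logon event IDs (4624 success, 4625 failure) are real.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: "<ISO timestamp> <host> <tokens>").
SAMPLE_LOGS = """\
2024-03-01T09:00:01 fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389
2024-03-01T09:00:05 dc01 EventID=4625 user=jdoe src=203.0.113.7 status=failed
2024-03-01T09:00:09 dc01 EventID=4625 user=jdoe src=203.0.113.7 status=failed
2024-03-01T09:00:14 dc01 EventID=4625 user=jdoe src=203.0.113.7 status=failed
2024-03-01T09:00:20 dc01 EventID=4625 user=jdoe src=203.0.113.7 status=failed
2024-03-01T09:00:31 dc01 EventID=4624 user=jdoe src=203.0.113.7 status=success
2024-03-01T09:05:00 dc01 EventID=4624 user=asmith src=192.0.2.55 status=success
2024-03-01T09:06:00 dc01 EventID=4625 user=asmith src=192.0.2.55 status=failed
2024-03-01T09:07:00 dc01 EventID=4624 user=asmith src=192.0.2.55 status=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<rest>.*)$")

# Tuning knobs (assumed values): how many failures in the window count as a burst.
FAIL_THRESHOLD = 4
WINDOW = timedelta(minutes=2)


def parse_line(line):
    """Turn one line into a dict; key=value tokens become fields, bare tokens become 'action'."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped rather than crashing the pipeline
    event = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"]}
    for tok in m["rest"].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            event[key] = value
        else:
            event["action"] = tok
    return event


def parse_logs(text):
    """Parse all lines and return events in timestamp order (required by the rule below)."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def correlate(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Alert when >= fail_threshold failed logons for (user, src) inside `window`
    are followed by a successful logon from the same pair."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent 4625 events
    denies = defaultdict(list)    # src -> timestamps of firewall DENY events
    for e in events:
        if e.get("action") == "DENY":
            denies[e["src"]].append(e["ts"])
        elif e.get("EventID") == "4625":
            key = (e["user"], e["src"])
            # Keep only failures still inside the sliding window, then add this one.
            failures[key] = [t for t in failures[key] if e["ts"] - t <= window] + [e["ts"]]
        elif e.get("EventID") == "4624":
            key = (e["user"], e["src"])
            recent = [t for t in failures.get(key, []) if e["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append({
                    "rule": "failed-logon burst followed by success",
                    "user": e["user"],
                    "src": e["src"],
                    "failed_attempts": len(recent),
                    "first_failure": recent[0].isoformat(),
                    "success_at": e["ts"].isoformat(),
                    # Cross-source context: earlier firewall denies from the same address.
                    "fw_denies": len(denies.get(e["src"], [])),
                })
                failures[key] = []  # reset so one burst produces one alert
    return alerts


def run_sample():
    """Run the rule over the constructed sample; returns the list of alerts."""
    return correlate(parse_logs(SAMPLE_LOGS))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data this fires once, for jdoe from 203.0.113.7 (four failures inside two minutes, then a success, with one prior firewall deny from that address), and stays quiet for asmith, whose single typo-then-success is normal. The point Nick makes shows up even here: the rule itself is a dozen lines, but the threshold, window, reset behaviour and which fields to key on are exactly the tuning decisions that take the time in a real deployment.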


(Jared Brees) #8

As many others have said, there are lots of things I’d do before even considering an SIEM. If you haven’t done everything else, spending time/money with SIEM will only be catching symptoms, not causes.

Things to do first include:

  • mandatory 2FA everywhere, and none of it SMS-based, preferably using something like U2F/Yubikey where available
  • 802.1x
  • cert-based Wi-Fi
  • VLANs to separate/isolate traffic
  • disabling all unused ports on network equipment
  • cameras and locks on all infrastructure rooms, with limited access, etc.
  • random sweeps for sticky notes with passwords, unlocked computers, etc.
  • user training for not clicking Bad Things
  • all software patches for all products deployed, including switch/firewall firmware
  • identity verification for all password resets
  • nobody running as local administrator (should have to escalate up via separate account)

If you look at this list and say “oh yeah, we’ve had all that for a while now”, then maybe it’s time to consider an SIEM. If you look at it and say “that’s a lot of work/impossible”, then work on those bullet points. :)