SIEM, what are you? We were getting along just fine

Hello! On duty, I found myself having to implement a SIEM system. I'm simply sharing my own experience of which SIEMs I have implemented and, roughly, what you get for their price. Consider it a mini review of the solutions on the market. If you have experience with one system or another, join me under the cut; I'll be happy to discuss the topic. I think it will be quite useful reading for anyone facing this choice.



So, the first SIEM I encountered, during an implementation at N-bank, is ArcSight.



That was quite a long time ago, 5-6 years back. Yes, I understand that it has been updated since, some goodies have been added, and so on. BUT keep in mind that all the other solutions have evolved too.



So, what we liked and what we didn't.



Liked.



  1. Good collectors for devices
  2. It can collect events from many sources, and log parsing out of the box is good
  3. Quite a functional console
  4. A simple programming language for creating custom rules
  5. There is an add-on store


That is probably everything I liked. The system works like clockwork, but for analytics you need to immerse yourself in it and training is required; don't expect to pick up this tool without effort. It is a tool at the level of a good, competent SOC.



Did not like.



  1. If you licensed too little EPS initially, then after 30 days the system will not let you exceed what you have: correlation will stop working.
  2. The interface is frankly so-so, and the separate management console also raises questions
  3. The web interface is generally something halfway between dashboards and config pages
  4. – , . – .
  5. java,
  6. = ))) ,
  7. , .


I am describing a purely personal opinion drawn from experience, so please don't throw too many tomatoes.



The next patient in line is IBM QRadar.



I didn't have time to get to know it very closely, so I'll just describe what I saw: imagine an armored train, everything in order on the rails. But if you put a second armored train on the same rails, both of them derail. It's the same with this system: for some reason, when a large number of people work with the same queries, everything falls over. Someone may shout that we are all ham-fisted and don't know what we're doing, but the fact remains. And while it happens, it doesn't alert anywhere and doesn't log anything.

It just crashes, and that's it. Then you have to wait a long time until it all comes back up. And by the way, this armored train eats an awful lot of fuel (read: resources). No matter how much fuel you add, it is never enough for it, and it doesn't go any faster. I'm still wondering why that is; if anyone knows, write in.



Soooooo, now we move on to the next system - McAfee ESM.



Since I was lucky enough to tinker with it, I can share what I liked and what I did not. The SIEM itself comes either all-in-one or in parts, with each module taken separately.



Liked.



  1. Dashboards and rules out of the box
  2. Easy collector setup
  3. Correlation and aggregation out of the box
  4. Vulnerability scanners connect without jumping through hoops
  5. Does not shut off when EPS is exceeded
  6. Easy installation (unlike ArcSight, for example)
  7. Works very quickly thanks to Elastic


Did not like.



  1. Connecting to separate storage is implemented rather poorly
  2. It does not always say what exactly is wrong with the collector, so you end up digging through the manual
  3. The collector on a Windows machine says everything is fine, but you have to check in the SIEM itself whether that is actually so.
  4. When connecting some sources, such as MISP, there is no troubleshooting panel; you have to look elsewhere.
  5. Individual modules drop off and recover in strange ways.
  6. It tells you there is a problem, but you have to look in the config; it does not state the actual problem in the alert right away.


Overall, the system is quite simple. It is built on the vendor's own Linux variant, with the familiar set of Linux administration commands available, and it is flexible and convenient; it does not restrict the administrator from doing things the way they find convenient. For analysts there is also plenty of data, and it is presented more conveniently.



That's a brief overview of what I managed to see and what my impressions were. If you are interested in learning more about any particular system, write to me and I will try to put together a more interesting and technical article.



Thank you very much for your time and for reading. I would be extremely interested to hear your opinion: which is the better choice now in terms of price/quality?


