Source

SIEM Technology

Hi Medium, here we are again with a new article, today we will talk about SIEM technology and it’s importance in any environment:

+ What is SIEM?
+ Why is SIEM Important?
+ The Essential SIEM Tools
+ 8 Best SIEM Tools
+ 4 Best Open Source SIEM
+ Conclusion

+ What is SIEM?

SIEM is a security event/log management, SIEM basic capabilities are log collection, normalization, notifications and alerts, security Incident Detection, and Threat response workflow.

SIEM records data from users’ internal networks (network, devices, servers, and firewalls) and identifies potential issues of attacks.

All those collected information passed to a management console where it can be analyzed to ensure that vulnerabilities between cybersecurity tools can be monitored and addressed.

Once that information reaches the management console, it is then viewed by a data analyst who can provide feedback on the overall process, those feedback will be automatically educated by the SIEM systems in order to increase its familiarity with the surrounding environment.

Once the system identifies a threat it communicates with other security systems to stop the unwanted activity.

+ Why is SIEM Important?

SIEM become a core security component of modern organizations. The main reason that the SIEM system not only provides that an attack has happened, but allows you to see how and why it happened as well because of everything user or tracker leaves behind in logged and that help to generate insight into past attack and events.
SIEM system has the ability to distinguish between legitimate use and a malicious attack.
SIEM provides transparency over logs in order to generate clear insights and improvements.

+ The Essential SIEM Tools :

Not all SIEM systems are built the same. As a result, there is no one-size-fits-all solution, in this part, we will indicate the core features needed for a SIEM system.
+ Log Data Management is a core of any SIEM system, once data is normalized and compared against previously recorded data, SIEM can then recognize patterns of malicious behavior and raise notifications to alert the user to take action. This data can be searched by an analyst who can define new criteria for future alerts. This helps to enhance the system’s defenses against new threats.
+ Reporting when you are attacked the SIEM creates a report that details how it happened so you may make the changes needed in your topology to make sure that it doesn’t happen again.
+ Fine Tuning Alert Conditions designed to add new alerts stops you from getting left behind, also we may find a platform that can limit the number of alerts received.
+ Dashboard makes it much easier to identify threats with a simple user interface, and it will be better if your SIEM is configured to show specific event data.

+ 8 Best SIEM Tools :

  1. SolarWinds Log & Event Manager
  2. HP ArcSight
  3. Splunk Enterprise Security
  4. LogRhythm Security Intelligence Platform
  5. AlienVault Unified Security Management
  6. rsa NetWitness
  7. IBM qradar
  8. McAfee Enterprise Security Manager

Before choosing the SIEM solution, it’s important to evaluate your goals. Either if you need a SIEM to meet regulatory requirements or to use a SIEM to stay protected against emerging attacks; so u need one with high functioning normalization and extensive user-defined notification facilities

SolarWinds Log & Event Manager

SolarWinds equipped with extensive log management features and reporting.
The best things are that the LED well detailed and provides an intuitive dashboard that simplifies the identification of anomaly, as well the company offers 24/7 support so you can contact them for advice.
SolarWinds lower-cost SIEM option that processes up to 250 million events per day and allows for the automated incident response.

OS Windows

Source

HP ArcSight

ArcSight is one of the most popular tools on market, this ETRM (Energy Threat and Risk Management) platform provides all the needed future with the ability to compile log data and conduct extensive data analysis, you can have a real-time analysis from the system’s enterprise security manager.
This tool gives the ability to search to log and identify and track unwanted users on your network, it can ingest data from more than 350 sources and process up to 75,000 security events per second.

OS Windows

Source

Splunk Enterprise Security

What sets Splunk apart from the competition is that it has incorporated analytics into the heart of its SIEM.
Network and Machine data can be monitored on a real-time basis as the system look for potential vulnerabilities.
The user interface is incredibly simple that makes responding to security threats easier that help to have an overview before clicking through to in-depth annotations on past events, flagging malicious actions, and preventing future damage.

OS Windows and Linux

Source

LogRhythm Security Intelligence Platform

LogRhythm is compatible with a massive range of devices and log types, the user interface has a learning curve, but the extensive instruction manual helps, the best part here is that the instruction manual actually provides hyperlinks to various futures in order to aid you in your journey.
This tool can scale from mid-sized businesses up to large enterprises thanks to its decentralized architecture.

OS Windows and Linux

Source

AlienVault Unified Security Management

One of the more unique aspects of AlienVault’s platform is the Open Threat Exchange (OTX). The OTX is a web portal that allows users to upload “indicators of compromise” (IOC) to help other users flag threats. This is a great resource in terms of general knowledge and threats. The low price of this SIEM system makes it ideal for small to midsize businesses looking to upscale their security infrastructure. It can handle up to 15,000 events per second.

OS Windows and Mac

Source

RSA NetWitness

For larger organizations, this is one of the most extensive tools available on the market. However, if you’re looking for a product that’s easy to use, you might want to look elsewhere.
It’s a complete network solution, it can process 30,000 events per second, ingest up to 10Gbps and support up to 100,000 endpoints per system.

OS Windows

Source

IBM QRadar

The platform offers a suite of log management, analytics, data collection, and intrusion detection features to help keep your network infrastructure up and running.
QRadar boasts more than 400 support modules for ingesting data, which it can do at a rate of millions of events per second and billions of events per day, prioritizing risks into a manageable list.

OS Windows

Source

McAfee Enterprise Security Manager

ESM processes tens of thousands of events per second and can store billions of events and flows. It is particularly popular with the public sector, higher education, and healthcare companies, and McAfee has added specific capabilities to support those markets.

OS Windows and Mac

Source

+ 4 Best Open Source SIEM :

OSSIM :

The open-source version of AlienVault’s Unified Security Management (USM) offering, OSSIM is probably one of the more popular open-source SIEM platforms. OSSIM includes key SIEM components, namely event collection, processing and normalization, and most importantly — event correlation.
OSSIM combines native log storage and correlation capabilities with numerous open source projects in order to build a complete SIEM. The list of open source projects included in OSSIM includes FProbe, Munin, Nagios, NFSen/NFDump, OpenVAS, OSSEC, PRADS, Snort, Suricata, and TCPTrack.

OS Linux

Source

The ELK Stack

The ELK stack, or the Elastic Stack as it is being renamed these days, is arguably the most popular open-source tool used today as a building block in a SIEM system.
The ELK stack consists of the open-source products Elasticsearch, Logstash, Kibana, and the Beats family of log shippers.

OS Windows, Linux, and Mac

Source

OSSEC

OSSEC is a popular open source Host Intrusion Detection System (HIDS) that works with various operating systems, including Linux, Windows, MacOS, Solaris, as well as OpenBSD and FreeBSD.
OSSEC itself is broken into two main components: the manager (or server), responsible for collecting the log data from the different data sources, and the agents — applications that are responsible for collecting and processing the logs and making them easier to analyze.

OS Windows, Linux, Solaris and Mac

Source

Apache Metron

Evolving from Cisco’s OpenSOC platform and first released in 2016, Apache Metron is another example of a security framework that combines multiple open source projects into one platform.

OS Windows and Mac

Source

+ Conclusion :

No matter what SIEM tool you choose to incorporate into your business, it’s important to adopt a SIEM solution slowly. There is no fast track way to implement a SIEM system. The best method to integrate a SIEM platform into your IT environment is to bring it in gradually. This means adopting any solution on a piece-by-piece basis.
Doing so gives you the ability to take stock of your IT environment and to fine-tune the adoption process. Implementing a SIEM system gradually will help you detect whether you’re leaving yourself open to malicious attacks. The most important thing is to make sure that you have a clear view of the goals you’re looking to fulfil when using a SIEM system.
Once you’ve chosen a tool you want to use, commit to updating. A SIEM system is only as good as its updates. If you fail to keep your logs updated and refine your notifications, you’re going to be unprepared when an emerging threat strikes.
I would like to share with you those tables that I personally admire :

Source

References:

https://www.comparitech.com/net-admin/siem-tools/#tool%20list

https://www.esecurityplanet.com/products/top-siem-products.html

https://logz.io/blog/open-source-siem-tools/

Hey, I hope that you enjoyed my article, if you have something to add or to correct please don’t hesitate to write a comment, see you soon ^ ^

Cyber Security Architect