Consolidated Logging / Syslog Solution (27001)

Does Graylog come with any ready made parsers, or ready made connectors to get the data in from various sources?

Not really, no. There are a load of marketplace ones you can try and install.

It's on my list of things to look at this weekend if I get a chance.
 
I'd be interested to hear how it goes. I know that with QRadar Community Edition you get all of the parsers and ingestion protocols that the paid-for product has, which can make things easier.
 
I've not used them for a long time, but I'd take it a step further than just logging and go for one of the free versions of SIEMonster/AlienVault ... they both do logging, IIRC.
 
Went along to a little local conference/user group type thing the other week, as one of the sessions was supposed to be on Azure with Sentinel. Sadly it didn't actually show much, which was a shame, as I am very interested to see what it's like and what it can do.

I've not used them for a long time, but I'd take it a step further than just logging and go for one of the free versions of SIEMonster/AlienVault ... they both do logging, IIRC.

Yup, if there's even an inkling that you may want more than just log storage and search in future, it can be good to start with something that does more in the first place, to save having to switch or integrate further products later on.

Not tried the free version of AlienVault out before; I have heard mixed experiences from my customers who have used it. One benefit could be if it lets you migrate to the paid version without having to set it all up again (no idea if it lets you upgrade in this way), as the paid version is at the cheaper end of the market.

*edit* although, looking at the AlienVault site, it looks like the free version doesn't do log management? :(

https://www.alienvault.com/products/ossim/compare

As mentioned above, Splunk and QRadar have free offerings you can try that are only restricted by capacity; not sure if LogRhythm has a free tier as well?
 
Bringing this one back from the dead; going to start looking at using ELK via the Elasticsearch Service if I can get the price right.
 
Yeah try something out and see if it works for you.

Feedback I've had from customers using ELK has been that it requires a fair amount of dev/customisation to get it to do what you want. It's there as a platform, but you then have to develop the content yourself.

Now, this was before ELK came out with the SIEM side of the product, so this may have changed.

They also said that over the period they've had it, it's cost them more than buying a 'commercial' SIEM tool, once they'd bought the required hardware and paid for all the consultancy they needed (that was another gripe they had: availability of skilled resource).

They could make this comparison as they ran both ELK and another commercial SIEM tool within their company so could easily see the differences.

On the flip side, as they had to develop their use cases and content themselves, they actually did things 'right' by properly threat modelling things to create content that was relevant to them, rather than just taking off-the-shelf content and never touching it.

All of that relates to using the products as a SIEM, not just for log collection and searching/reporting.

Still not had a good play with ELK myself yet but keep meaning to :)
 
Thanks Ev0, really helpful. It's that age-old balance, isn't it? From a business perspective, as many do, my place falls into the category of only doing what you 'have to', mainly because of our size, but we all know that goes against a lot of what 27001 is really about.

I like the sound of the threat model, though; I've not really considered approaching it like that before.

My concern is that, on a day-to-day basis, time, as always, is limited. Any time spent here is probably me considering ways I can make my life easier doing the basic 27001 stuff, whilst having the data there to go digging if I need to.

I had a very quick look at the community version of AlienVault but didn't take it much further at the time. I think the attraction of ELK is that I'm hoping I can get it to do the basics easily, and any additional SIEM stuff is an added bonus as they enhance that; I understand it's a pretty new feature for them at the moment?
 
The threat modelling was a good thing for them to do, as I see too many people just plugging the product in and doing little else with it.

Yes, most products will have content out of the box, but it's important to make it relevant to you.

By forcing this customer to develop all the content themselves, it made them think more about what it is they wanted/needed.

But the price for that is time and expertise, which ultimately costs one way or another, so there's definitely a balance there.

Things I'd look at, if you're worried about time to implement and maintain, would be things like how the logs are going to be ingested, whether you need agents everywhere, whether you need to create all the parsers yourself to make use of the data, and what the breadth of support is for ingestion from cloud-based services.

As well as the simple things, like how you just keep the platform up and running.

I don't know much about ELK SIEM yet; I've probably got some documentation on it (I work for another vendor, so will likely have some competitive info somewhere).
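To illustrate the point made in this thread that with a platform like ELK you end up writing both the parsers and the detection content yourself, here is an added example. It is not code from the thread, from Elastic, Graylog, QRadar or any other product mentioned: a small Python normaliser that turns RFC 3164 (BSD) and RFC 5424 syslog lines into one common record, followed by a single constructed rule (repeated SSH password failures from one source) run over the normalised records. The sample lines, host names, addresses and the rule's threshold are all made up for the example.

```python
"""Minimal syslog normaliser plus one detection rule.

Added example, not from the thread or from any vendor's product.
Parses RFC 3164 (BSD) and RFC 5424 syslog lines into a common record,
then applies a constructed rule. All sample data below is made up.
"""
import re
from collections import defaultdict

# RFC 3164: "<PRI>Mmm dd hh:mm:ss host tag[pid]: msg" (day is space-padded)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
# RFC 5424: "<PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG"
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)$"
)
# Severity names indexed by the low three bits of PRI (RFC 5424 table 2).
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(line):
    """Return a normalised dict, or None if the line matches neither format."""
    m = RFC5424.match(line) or RFC3164.match(line)
    if not m:
        return None
    d = m.groupdict()
    pri = int(d["pri"])
    return {
        "facility": pri >> 3,           # PRI = facility * 8 + severity
        "severity": SEVERITY[pri & 7],
        "timestamp": d["ts"],           # left as text; formats differ
        "host": d["host"],
        "app": d.get("app") or d.get("tag"),  # 5424 APP-NAME or 3164 TAG
        "pid": None if d.get("pid") in (None, "-") else d["pid"],
        "msg": d["msg"],
    }


# Constructed rule: OpenSSH-style failed password messages.
FAILED_SSH = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def failed_login_bursts(records, threshold=3):
    """Return {(host, source_ip): count} for sources at or above the threshold.

    The threshold is an assumption for the example; real content would be
    tuned against the environment's own baseline.
    """
    counts = defaultdict(int)
    for r in records:
        if r is None or r["app"] != "sshd":
            continue
        m = FAILED_SSH.search(r["msg"])
        if m:
            counts[(r["host"], m.group("src"))] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


# Constructed sample input: a mix of both syslog formats plus one junk line.
SAMPLE_LINES = [
    "<38>Oct  5 13:00:01 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2",
    "<38>Oct  5 13:00:03 bastion sshd[2201]: Failed password for root from 198.51.100.7 port 51023 ssh2",
    "<38>1 2023-10-05T13:00:05Z bastion sshd 2201 - - Failed password for root from 198.51.100.7 port 51024 ssh2",
    "<86>Oct  5 13:00:07 bastion sshd[2202]: Accepted publickey for deploy from 203.0.113.9 port 40000 ssh2",
    '<30>Oct  5 13:00:09 web01 nginx[410]: 203.0.113.9 - - "GET / HTTP/1.1" 200',
    '<38>1 2023-10-05T13:00:11Z bastion sshd 2203 - [meta seq="1"] Failed password for root from 192.0.2.4 port 5 ssh2',
    "this line is not syslog at all",
]


def analyse(lines):
    """Parse every line and run the rule; returns (records, alerts)."""
    records = [parse_syslog(line) for line in lines]
    return records, failed_login_bursts(records)


if __name__ == "__main__":
    recs, alerts = analyse(SAMPLE_LINES)
    print(f"parsed {sum(r is not None for r in recs)}/{len(recs)} lines")
    for (host, src), n in alerts.items():
        print(f"ALERT {host}: {n} failed SSH logins from {src}")
```

The parser is deliberately the part a product would normally ship for you; the rule is the part the thread argues you should be writing yourself, against your own threat model, even when a product ships one out of the box.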
 
I don't know much about ELK SIEM yet; I've probably got some documentation on it (I work for another vendor, so will likely have some competitive info somewhere).

Preparing myself for the hard sell punchline ;):p

All amazing points, and something I've genuinely seen first hand. Looking at CE+ too, which will inevitably want more of this as well, no doubt.
 
Hah, no hard sell; just try these things out, do your research and pick whichever is the best combination of what you like the most and what offers you the functionality you need :)
 