The right SIEM tool varies based on a business’ security posture, its budget and other factors. However, the top SIEM tools usually offer the following capabilities:
A modern SIEM can scale into any organization — big or small, locally-based or operating globally. [1]
A modern SIEM manages events in a distributed manner for offloading the processing requirements of the log management system for tasks such as collecting, filtering, normalization, aggregation. This model also is the solution for security-related issues and incremental approach [2,3,36].
SIEM functions based not just on its correlation rules but on the data you feed it. Feeding your SIEM security-related data results in more accurate alerts.
Currently, most of the SIEM products support hundreds of log formats. If there is a log format that is not supported, there is an API for a custom log parser.
SIEM use cases or rules are 80% of the value of the product. Check the predefined rule list for the product and also check are there any restrictions. A Next-Gen SIEM correlation engine will be very helpful to analysts indeed. Not all SIEM correlation rules, use cases are created equal and it is hard to find a SIEM that supports both cores, advanced and intelligent use cases at an affordable price. [4,5,6, 7,8,18].
All the SIEM products have correlation but not all SIEM solutions are created equal. A detailed analysis is required to understand the difference in correlation capabilities. For example, most of the SIEM solutions have the watchlist or list management feature, but only some of them and A modern SIEM has multidimensional list management capability in correlation [33,34]. Some SIEM solutions update multiple lists, sets at the same time [34] while others have not.
Some correlation engines have restrictions like
Cross-Correlation can only run on (just) IPS and Vulnerability Scanner logs and the combining on just IP addresses.
Correlation and detection methods and correlation features diversity are important like detecting what never seen before and many others. A modern SIEM can play a huge role in making analysts’ jobs easier with modern detection and correlation features like never seen before type of rules [18].
Advanced features are the key features for successful detection. Sample distinguishing use cases:
Almost every company needs a solution for protecting its sensitive data and detecting suspicious activity in real-time. Besides, when an incident occurs, companies want to be able to provide digital evidence in the courtroom. Integrity is also critical. This is usually achieved by using integrity mechanisms, such as running hash checks on blocks of stored log data. Historical log data must be secured either with a checksum in the form of a popular hash — MD5, SHA1, SHA2, etc. — or with a digital signature.
Easily aggregate and search logs within a single platform is critical.
The latest study by the Ponemon Institute on behalf of IBM found that the average time required to identify a data breach is currently 197 days [35]. So having logs under hands at least 197 days is a good plus and makes everything easy for detection and forensic analysis. It is achieved by live search capability. Disk usage for live search is the most critical parameter. Every SIEM solution has its technology with advantages and disadvantages for live search. Some examples:
IBM Qradar:
How much space is used per day in bytes can be calculated with the following formula: [eps rate] * ([AveragePayloadSize in bytes] + [AverageRecordsSize in bytes]) * 86400 [9]
Splunk:
You can estimate how much index disk space you will need for a given amount of incoming data. Typically, the compressed raw data file is 10% the size of the incoming, pre-indexed raw data. The associated index files range in size from approximately 10% to 110% of the raw data file. The number of unique terms in the data affects this value [10].
McAfee SIEM:
Due to the number of enabled standard indexes on McAfee ESM, you can add only 5 indexes to an accumulator field. If you need more than 5, you can disable up to 42 unused standard indexes (such as sessionid, src/dst mac, src/dst port, src/dst zone, src/dst geolocation).
McAfee ESM uses standard indexes to generate queries, reports, alarms, and views. If you disable an index, McAfee ESM notifies you when it can’t generate a query, report, alarm, or view due to a disabled index, but it does not identify which index is disabled. Due to this limitation, do not disable standard indexes unless needed [11].
ElasticSearch (Lucene Based Solutions)
You can estimate how much index disk space you will need for a given amount of incoming data.
disk space used(original) = 1/3 original for each indexed field + 1 * original for stored + 2 * original per field with term vectors [12].
AlienVault:
Alienvault USM All-in-One has a limit of 200 million events in its database. There are not more than 200 million events in the Alienvault USM All-in-One SIEM database [13,14].
SureLog:
SureLog compresses indexes. Compressing indexes give SureLog the advantage of live search, real-time search capability for years. An example of a SureLog disk capacity requirement of a live search for 5000 EPS for one year is 5 TB. When SureLog disk usage for live search compares to Elasticsearch and Lucene-based systems, the result depicted in the below graph.
Real-time monitoring and dashboards permit visibility at the desired level via security-based, pre-defined and customizable analysis.
In addition, you can create real-time and easy reports by preparing dashboards and widgets which are appropriate for your new ad hoc requirements.
Dashboards deliver monitoring and reporting metrics to track the state of security throughout the network. These are simple to configure and user-friendly, while allowing users to read a summary of existing network infrastructure data using graphs and tables [15,16].
Threats are dynamic and attack vectors change constantly. Respond quickly and minimize damage by using the rich external context enabled by threat intelligence. Immediately know about dangerous IP addresses, files, processes, and other risks in your environment.
A modern SIEM combines multiple threat intelligence feeds and generates alerts for the benefit of the security team. A modern SIEM uses this data to reduce false positives, detect hidden threats, and prioritize your most concerning alarms.
Regulatory compliance is necessary. SIEM will help to save time and ensure compliance with predefined reports. Creating a productive SIEM environment requires plenty of predefined reports you need on a daily, weekly or monthly basis and also easy to create reporting infrastructure [16].
A modern SIEM has more than hundreds of predefined reports and a very easy & fast reporting infrastructure [16,17,18,19].
Incident response is an action that SIEM takes in response to suspicious activity or an attack. Active response actions include the Block IP active response, the Disable Networking active response, the Logoff User active response, the Kill Process active response, and so on [20,21].
Machine learning in SIEM takes cybersecurity rules and data to help facilitate security analytics. As a result, it can reduce the effort or time spent on rote tasks or even more sophisticated duties. With the right configurations, machine learning can actually make decisions based on the data it receives and change its behavior accordingly. A modern SIEM has has many ML models [22,23,24,25,26,27,28,37]. Example of the ML models:
The performance analyses of SIEM products are very important in terms of evaluation.
The running performance of SIEM products, the resources which they require (CPU, RAM, DISK), and how they will show performance in the EPS value needed are very important. There are two kinds of evaluation criteria:
Many SIEM products documented limits and recommendations like:
AlienVault:
AlienVault USM Appliance All-in-One has 1000 EPS data collection and 1000 EPS correlation recommendations.
Solarwinds LEM
A properly configured LEM can handle up to 200 million events per day, or 2,500 EPS (events per second). Conversely, limiting the ‘reservations’ (appropriate CPU and RAM) will result in poor performance and instability. While the maximum EPS limit is 2500 EPS the requirement for 2500 EPS is 48–256GB Ram 16-CPU @2Ghz [30].
McAfee
Maximum Ingestion Events Per Second (iEPS) describes peak advertised EPS for this appliance. iEPS is based on out-of-box settings with no adjustments to default event or flow aggregation and very Stilted overall SIEM user activity (Users, Alarms, Reports, IoCs, etc.). Any customization in the configuration or increase in user activity may result in reduced observed EPS rates [31]. Maximum Ingestion Events Per Second (iEPS) is 1500 for the VM version of McAfee SIEM [31].
All of the SIEM tools has system requirements like:
Arcsight
System requirements for Arcsight [32]
SureLog
System requirements for SureLog All-in-One is 16 core, 32 GB Ram for max 2500 EPS with 100 correlation rules activated.
This is a very common question. Sometimes, businesses run multiple security solutions which are not integrated. They are not able to get the full picture of their risk exposure. This can cause serious problems, especially since cyber-attacks are not just limited to security anymore. The best way to know your risk exposure is to use a single solution. ACE-Managed SIEM is a single solution with a full set of features. You can use it to monitor your network traffic, log files, and other data. Also, it helps you to be compliant with regulations, such as PCI DSS, HIPAA, SOX, and more.
As a network security administrator, it is crucial to pick the best SIEM solution as it will save you time and money and will help you better comply with industry regulations such as PCI and SOX. ‘SIEM’ stands for Security Information and Event Management. However, these acronyms may represent different things for different companies. The main function of a SIEM is to gather and analyze event logs from firewalls, routers, IDS/IPS, syslog servers, etc., but some SIEMs can also provide forensics and compliance. It is important to select the right SIEM solution for your company as it will have a direct impact on your network security.
There are multiple aspects to consider when selecting a SIEM.
So, what to look for in a SIEM provider?
1) Deployment- make sure that they offer cloud-based deployments as well as on-premises options.
2) Cost- make sure that they have reasonable pricing packages that meet your budget needs.
3) Security expertise- make sure that they have a deep understanding of using the tool as well as expertise in deploying and integrating it with your infrastructure.
4) Integration - make sure that the solution integrates easily into your environment, so you don't need to do any extra work once it's set up.
The following article will guide you through the process of choosing the right SIEM for your enterprise. A Guide to SIEM(Security Information and Event Management) Security (acecloudhosting.com)
Having the SIEM as a central feeder is a traditional solution architecture. The question can be asked , do I have the right security platform ?. As the interconnections to this traditional centralized solution will always need maintaining. In the case of a Security platform this effort is removed.
@Mike Kehoe There is no technical solution that does not require maintenance. You can outsource it or use a cloud-based solution. If you use a cloud-based solution, you have to check issues like compliance, regulations and ownership of the logs.
A good Security Platform includes SIEM, UEBA, NTA, and SOAR! on a single pane of glass, but I agree all security platforms require constant maintenance to remain viable as a part of the security posture!
@John Stanford, you are right. A good Security Platform includes SIEM, UEBA, NTA, and SOAR. But most of the time, you have a limited budget, and you should select the best solution according to your budget. Especially for small businesses, budget is critical. If there is no budget for more than 5000-25000 USD for a security platform, you need to select your solution according to this budget.