Security Information Event Management (SIEM)

IRJ

https://www.elastic.co/subscriptions

https://www.elastic.co/blog/security-for-elasticsearch-is-now-free

JaredBusch

@IRJ said in Security Information Event Management (SIEM):

@JaredBusch said in Security Information Event Management (SIEM):

@IRJ said in Security Information Event Management (SIEM):

I'm surprised nobody has mentioned elastic yet.

There's an open source version and a free version (more features).

I did not mention it intentionally.

Because it is too complex to use as a SEIM unless you already know a lot about it.

Elastic basic (free) is pretty simple. Open Source version requires a bit more knowledge and integration

Setting up Elastic to ingest some basic logs? Simple. Setting up a SEIM with Elastic? Not so much.

JasGot

@JaredBusch said in Security Information Event Management (SIEM):

This is not because Elastic is bad, it is because it is complex. Which is why it is a poor solution for people like @JasGot
Unless a person has the time to really learn elastic and how to do things well, it jsut turns into a mess.

Yea, I'm not in the mood to learn something that complex for a one off.

scottalanmiller

@JaredBusch said in Security Information Event Management (SIEM):

@IRJ said in Security Information Event Management (SIEM):

@JaredBusch said in Security Information Event Management (SIEM):

@IRJ said in Security Information Event Management (SIEM):

I'm surprised nobody has mentioned elastic yet.

There's an open source version and a free version (more features).

I did not mention it intentionally.

Because it is too complex to use as a SEIM unless you already know a lot about it.

Elastic basic (free) is pretty simple. Open Source version requires a bit more knowledge and integration

Setting up Elastic to ingest some basic logs? Simple. Setting up a SEIM with Elastic? Not so much.

This. As straight log management, it's some effort, but like, half a day tops. SEIM with it, though, is an undertaking on top of that.

hobbit666

@JaredBusch said in Security Information Event Management (SIEM):

This is not because Elastic is bad, it is because it is complex.

Agreed, it's a beast of a system.
The SIEM part requires a "Basic" license, but seems to be around $200 / year.

hobbit666

What pricing are we looking at for other solution like
Arctic Wolf?
Rapid 7?
Azure Sential?

(Hate companies that don't show pricing, as if they are in £££££ range, the demo wont be install or tried.)

1337

@hobbit666 said in Security Information Event Management (SIEM):

Hate companies that don't show pricing, as if they are in £££££ range, the demo wont be install or tried.

They don't understand that they are losing business. They think they are getting leads into their sales funnel by not giving the price and forcing people to contact them. In reality some of their leads are actually dropping out, because they wont state their price.

A simple "from $xyz per month" would suffice.

Dashrender

@Pete-S said in Security Information Event Management (SIEM):

@hobbit666 said in Security Information Event Management (SIEM):

Hate companies that don't show pricing, as if they are in £££££ range, the demo wont be install or tried.

They don't understand that they are losing business. They think they are getting leads into their sales funnel by not giving the price and forcing people to contact them. In reality some of their leads are actually dropping out just, because they wont state their price.

A simple "from $xyz per month" would suffice.

Agreed - I'm sure they lose more leads than they gain this way...

dbeato

@hobbit666 ArticWolf is around 30k per site.

hobbit666

@dbeato said in Security Information Event Management (SIEM):

@hobbit666 ArticWolf is around 30k per site.

I'll Learn Elastic instead

nadnerB

SIEM is expensive. So if you go paid, prepare a seriously good business case.

JasGot

@nadnerB said in Security Information Event Management (SIEM):

SIEM is expensive. So if you go paid, prepare a seriously good business case.

That's the easy part. Corporate Mandate.

hobbit666

Everything we do here as a good business case. Just the board don't see the same lol

Obsolesce

You can also do a 31 day trial of Azure Sentinel to get a feel for how much data it may consume. You can also try Azure Monitor to get a feel for the data needs. Choosing the pay as you go option for both.

How much data per day do you imagine?

You need to account for both Sentinel and Azure Monitor.

hobbit666

@Obsolesce said in Security Information Event Management (SIEM):

How much data per day do you imagine?

For me no idea.

larsen161

A previous colleague of mine just joined https://www.claroty.com/ which I just started to check out. I have not used it though