SIEM for SMB in 2020
Security information and event management (SIEM) software gives security professionals both insight into and a track record of the activities within their IT environment.
SIEMs are for:
- Incident detection
- Regulatory compliance
- Efficient incident management
For SMBs, the deciding factor is price. Modern small and medium businesses (SMBs) operate with limited staff and budgets, and today’s business environment requires them to do more with less, so an SMB looks for a cost-effective solution.
The first option that comes to mind is SaaS SIEM.
SaaS SIEM services are now popular and considered the cheaper solution. There is no software to purchase, no cybersecurity professionals to hire and no additional training needed to bring staff up to speed. But you have to consider log shipping costs, data sensitivity and data sovereignty as potential cons of this approach. One of the biggest problems is “What happens at the end of the agreement?” You have to keep those logs for years to comply with regulations. Some SaaS SIEM solutions offer to send a daily copy of the logs to an AWS S3 bucket that you control, which is a way to keep a copy for specific retention regulations. But this is an additional cost. You also have to manage those raw logs yourself, and you have to find a way to search billions of lines when required.
Disadvantages of SaaS SIEM
- Security and data concerns — Access management and the privacy of sensitive information are a major consideration around cloud and hosted services.
- Difficulty with regulatory compliance — When your business-critical data is stored in the service provider’s data center, it is difficult to comply with the government’s data protection regulations. Your company will need to learn which rules apply to your business, ask the right questions of your service provider, and address any inconsistencies in the process.
- Low performance — A browser-based application running in a remote data center may lack performance when compared to a similar application running on your employee’s desktop. Companies therefore need to invest in a fast and reliable internet connection to negate this factor, and also use application performance management tools to know how their SaaS apps are performing over time.
- Lack of control — An in-house software application gives businesses a higher degree of control than a hosted solution, where control resides with a third party.
- Connectivity requirement — Since the SaaS model is based on web delivery, if your internet service fails, you will lose access to your software or data.
- Data localization — Complicated because, depending on the type of data and the country where it is stored, standards can restrict transfer, govern storage, or expand customer rights.
The second option is open source SIEM products. Open source SIEM products are available but are generally not as feature-rich as commercial offerings, and they require significant human capital and skills to implement and maintain effectively. No one is obligated to help you unless you pay for this service.
The third option is to use a SIEM product that is also suitable for SMBs and hire a service to manage it. This is called managed SIEM. Hiring a provider to manage your current cybersecurity or SIEM solution is a very different scenario from selecting one to deploy the solution for you. Many SIEM solution providers offer managed security for both options, so this should also factor into your considerations. This is in contrast to a full SaaS or “black box” solution, in which security-oriented traffic is shipped off to a service totally owned and operated by the provider. The most important requirements for cost-effective SIEMs are:
Also, enterprise-grade SIEM features offered as an add-on module are a great plus for SMBs.
System requirements matter, so that you do not have to invest more in the hardware/VM environment than necessary [1].
The online search capability is one of the most used features of SIEM solutions. Real-time search is a must: the SIEM allows you to view log data in real time, providing the ability to quickly analyze and solve problems as they occur. The online search period should be more than six months. When you need logs from 9–10 months ago, you should be able to find them immediately. These historical logs allow management to look back at previous activity from any point in time recorded, as if it had occurred just a moment before.
Your selected SIEM should be able to search trillions of logs immediately with modest resources, and there should be no limits; otherwise you will need to buy extra modules [2,3].
Disk usage and disk management for the online and archive tiers are critical. Each product has its own approach and technology for this [4,5,6,7,8,9].
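The vendor sizing guides cited above all reduce to the same arithmetic: ingest rate times event size times retention, adjusted per tier. As an added illustration that is not part of the original post, here is a constructed Python model of that estimate; the ratios, headroom factor and EPS figures are assumptions for a generic SMB, not any vendor's numbers.

```python
"""Added example (not from the original post): a rough SIEM storage-sizing model.
Assumptions (constructed, not vendor figures): an average raw event size, an on-disk
ratio for the searchable online tier (index plus compressed data) and a smaller ratio
for the compressed cold archive. Use the product's own sizing guide for production."""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
BYTES_PER_GB = 1_000_000_000  # decimal GB, as sizing guides usually quote


@dataclass(frozen=True)
class SizingInput:
    eps: float                  # sustained average events per second
    avg_event_bytes: int        # average raw event size
    online_days: int            # searchable (hot) retention in days
    total_days: int             # full retention in days, including cold archive
    online_ratio: float = 0.5   # on-disk bytes per raw byte, online tier (assumed)
    archive_ratio: float = 0.1  # on-disk bytes per raw byte, archive tier (assumed)
    peak_factor: float = 2.0    # burst headroom applied to the online tier (assumed)


def raw_bytes_per_day(inp: SizingInput) -> float:
    return inp.eps * inp.avg_event_bytes * SECONDS_PER_DAY


def events_retained(inp: SizingInput) -> int:
    """Total number of events kept across both tiers over the full retention."""
    return int(inp.eps * SECONDS_PER_DAY * inp.total_days)


def estimate(inp: SizingInput) -> dict:
    """Per-tier disk estimates in GB; archive only holds days beyond the online tier."""
    raw_day = raw_bytes_per_day(inp)
    archive_days = max(inp.total_days - inp.online_days, 0)
    online = raw_day * inp.online_days * inp.online_ratio
    archive = raw_day * archive_days * inp.archive_ratio
    return {
        "raw_gb_per_day": raw_day / BYTES_PER_GB,
        "online_gb": online / BYTES_PER_GB,
        "archive_gb": archive / BYTES_PER_GB,
        "total_gb_with_headroom": (online * inp.peak_factor + archive) / BYTES_PER_GB,
    }


def covers_lookback(inp: SizingInput, months: int) -> bool:
    """True if a lookback of `months` (30-day months) stays in the online tier."""
    return inp.online_days >= months * 30


if __name__ == "__main__":
    # Constructed SMB-scale input: 2,000 EPS, 500-byte events, 12 months online, 3 years total.
    smb = SizingInput(eps=2000, avg_event_bytes=500, online_days=365, total_days=3 * 365)
    for key, value in estimate(smb).items():
        print(f"{key:>24}: {value:,.1f}")
    print("events retained:", f"{events_retained(smb):,}", "| 10-month lookback online:", covers_lookback(smb, 10))
```

Shrinking online_days to 180 makes the 10-month lookback fall into the archive tier, which is exactly the situation the six-month minimum above is meant to avoid.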
SIEM use cases or rules are 80% of the value of the product. Check the product’s predefined rule list, and also check whether there are any restrictions on it.
Sample use cases to be considered:
SIEM may appear complicated and overwhelming to your small business. Yet without it, you leave yourself at risk from hackers.
References
- [1] https://www.slideshare.net/anetertugrul/siem-surelog-arcsight-qradar-logrhythm-alienvault-solarwinds-lem-performance-comparison
- [2] https://cdn5.alienvault.com/docs/data-sheets/usm-appliance.pdf
- [3] https://cybersecurity.att.com/documentation/usm-appliance/events/event-storage-best-practices.htm
- [4] https://www.ibm.com/support/pages/qradar-how-determine-average-event-payload-and-record-size-bytes-updated
- [5] https://docs.splunk.com/Documentation/Splunk/6.6.0/Indexer/Howindexingworks
- [6] https://docs.splunk.com/Documentation/Splunk/8.0.0/Capacity/Estimateyourstoragerequirements
- [7] https://docs.mcafee.com/bundle/enterprise-security-manager-11.0.0-installation-guide-unmanaged/page/GUID-2F189D5A-AC92-4965-80A4-03EE2272F37C.html
- [8] https://lucidworks.com/post/estimating-memory-and-storage-for-lucenesolr
- [9] https://medium.com/@eakbas/surelog-disk-kullan%C4%B1m-avantajlar%C4%B1-5111335b8416
Originally published at https://www.peerlyst.com on February 3, 2020.