
Each person in the company has a unique username/password, and nobody but that person should log in with it.

I want a program that would inspect the log that includes a list of all the people who came to work today, and inspect the list of logged-in users (from AD or wherever it is), to find whether there is someone in the login log who shouldn't be there (since he isn't in the first log). If the program finds that kind of inconsistency it should report immediately to the people in charge of the system.

The above manifest is what my boss wants, and he thinks that a SIEM system could give us that ability. That is just one example of log file cross-referencing that he wants us to have the ability to do.

Right now we have many systems (from many vendors), and each one inspects a different aspect of the company (for example, a system that gives us reports from the file servers on which files were changed and by whom, how many files, and any abnormality it found; a system that checks for USB insertion on PCs; and so on). I would like to find a system that I can feed all of the reports into so that I can generate a cross-reference report.

As far as I understand from the Wikipedia pages on SIEM (SIM, SEM), this kind of system should give us that ability.

My question is, since I need to select one of the 86 different SIEM systems that are out there, and finally implement it in the organisation, I would like your advice on which system would fit my needs above. It should also be as easy to work with as possible, since at the end of the day someone will have to work with that system, and if it doesn't have a meaningful interface and meaningful reports, for example, I wouldn't get the results I want.

In addition to the above, I would like to know what components I should be prepared for (client agents on the computers, server agents and so on).

bstpierre
Hanan N.
    Nobody logs in remotely? You're comparing the physical access control system to the logical access control system and expecting them to match? That's great if you're running a 19th-century company. – MCW Dec 22 '15 at 12:17

5 Answers


Solely from the information in your question, narrowing down that list of 86 is not going to be easy - I had a quick flick through, as I know a fair few of the top names. Some points:

  • SIEM solutions should all be able to run log correlation type activities
  • Most include device insertion logging and Tripwire-type checks (or can incorporate Tripwire or any other syslog logs)
  • Most of them have reasonable user interfaces
  • Most have scriptable command line interfaces

What you should do is list out the things you do want/need it to have and select on those items. If you can get it down to under ten you have a much better chance of being able to run comparison tests.

Rory Alsop
    Also, having a general price point is going to help a lot. I've had some experience with the NitroSecurity SIEM and it worked well for our company. However, if you are on a tighter budget, you may want to use some sort of combination of the free version of Splunk, OSSEC, OSSIM, etc. Software such as OSSEC has a built-in HIDS, can send logs to a central location, and also does integrity checking. If you get the logs in a central location, the possibilities are limitless, as Rory explained, with scripting and some command line kung fu. – Eric Dec 12 '11 at 16:41
  • Nice list. What you would like to have are some kind of freely definable agents that can alert you: if this kind of alert occurs > 5 times in an X-second timeframe -> send me a mail/text message. Or: tell me whenever sudo is used on any of my servers. Splunk does this. – that guy from over there Sep 12 '13 at 11:44
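The two rule shapes named in the comment above (an alert that fires when something occurs more than N times within X seconds, and "tell me whenever sudo is used"), written out as an added Python example run over a constructed auth.log excerpt. This is not Splunk's alerting, nor code from any answer here; the rule classes, host names, user names and addresses are all assumptions made for the illustration.

```python
"""Two correlation rules over syslog lines: a sliding-window threshold rule
(more than N matching events from the same source within W seconds) and a
match rule that alerts on every sudo use. Added example; the log excerpt,
hosts, users and addresses below are constructed, not real data."""
import re
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed auth.log excerpt (BSD syslog format, which carries no year).
AUTH_LOG = """\
Sep 12 11:40:01 web01 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Sep 12 11:40:03 web01 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 50130 ssh2
Sep 12 11:40:05 web01 sshd[2205]: Failed password for root from 198.51.100.7 port 50131 ssh2
Sep 12 11:40:06 web01 sshd[2207]: Failed password for root from 198.51.100.7 port 50133 ssh2
Sep 12 11:40:08 web01 sshd[2209]: Failed password for root from 198.51.100.7 port 50140 ssh2
Sep 12 11:40:09 web01 sshd[2211]: Failed password for root from 198.51.100.7 port 50141 ssh2
Sep 12 11:41:30 web01 sudo:     alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Sep 12 11:45:00 web01 sshd[2250]: Failed password for bob from 10.0.1.5 port 41000 ssh2
Sep 12 11:46:10 web01 sshd[2252]: Failed password for bob from 10.0.1.5 port 41002 ssh2
Sep 12 11:47:00 db01 sudo:     carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")


@dataclass
class Alert:
    rule: str
    key: str        # grouping value the rule fired on: source IP, user name, ...
    when: datetime
    count: int
    detail: str


def parse_syslog(line, year):
    """Split a syslog line into (timestamp, host, message); None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # Syslog omits the year, so the caller supplies it.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ts, m["host"], m["msg"]


class ThresholdRule:
    """Alert when more than `threshold` matches share a key within `window_seconds`."""

    def __init__(self, name, pattern, key_group, threshold, window_seconds):
        self.name, self.pattern, self.key_group = name, pattern, key_group
        self.threshold, self.window = threshold, timedelta(seconds=window_seconds)
        self.seen = {}  # key -> deque of timestamps still inside the window

    def feed(self, ts, host, msg):
        m = self.pattern.search(msg)
        if not m:
            return None
        key = m[self.key_group]
        q = self.seen.setdefault(key, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop events that fell out of the window
            q.popleft()
        if len(q) > self.threshold:
            count = len(q)
            q.clear()  # one burst -> one alert, not one per further event
            return Alert(self.name, key, ts, count,
                         f"{count} matches within {self.window.seconds}s on {host}")
        return None


class MatchRule:
    """Alert on every event the pattern matches (e.g. any sudo use)."""

    def __init__(self, name, pattern, key_group, detail_group):
        self.name, self.pattern = name, pattern
        self.key_group, self.detail_group = key_group, detail_group

    def feed(self, ts, host, msg):
        m = self.pattern.search(msg)
        if not m:
            return None
        return Alert(self.name, m[self.key_group], ts, 1, f"{host}: {m[self.detail_group]}")


def default_rules():
    """Fresh (stateful) rule objects: 6+ SSH failures per source IP in 60 s, and any sudo."""
    return [
        ThresholdRule("ssh-bruteforce", FAILED_RE, "ip", threshold=5, window_seconds=60),
        MatchRule("sudo-used", SUDO_RE, "user", "cmd"),
    ]


def run_rules(log_text, rules, year):
    """Feed every parseable line to every rule, in log order; return the alerts raised."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_syslog(line, year)
        if parsed is None:
            continue
        for rule in rules:
            alert = rule.feed(*parsed)
            if alert is not None:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_rules(AUTH_LOG, default_rules(), year=2013):
        print(f"[{a.rule}] {a.when:%Y-%m-%d %H:%M:%S} key={a.key} {a.detail}")
```

On the constructed excerpt this raises three alerts: one for the six failures from 198.51.100.7 inside eight seconds (bob's two failures stay under the threshold) and one for each sudo line. The "send me a mail/text message" half of the comment is the consumer of the returned `Alert` list; the window is cleared after each firing so that a sustained brute force produces one alert per burst rather than one per packet.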

I personally use Splunk for this very thing. It has robust search/correlation/dashboard functionality. Plus, it can run Python scripts natively, so that you can generate your own data from custom sources.

For example, comparing a list of who is supposed to be working with the list of logged in users would be a trivial search.

Splunk is simply very powerful and helpful for me. It reduced 45 minutes of manual checks of various logs, reports, emails, etc down to an automatically generated email in pdf form.

schroeder
  • 500 MB isn't much if you want to analyze web-based logs. Additionally, if you face some kinds of attacks and go over that limit for more than 5/7 days, your Splunk will stop working COMPLETELY. It does not just throw away events like it does for the first days, it disables your instance completely. I did not expect that. – that guy from over there Sep 12 '13 at 11:48
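The check described in the question (anyone logged in who has no badge entry for the day), which schroeder's answer calls a trivial search, as an added Python example run over a constructed badge-reader export and a constructed export of Windows Security 4624 logon events. This is not code from any answer, from Splunk or from any SIEM; the field layouts, host names, users and addresses are assumptions. It also takes MCW's comment under the question into account: only interactive logons (LogonType 2) are held against the badge log, while remote logons (LogonType 10) are listed for separate review rather than flagged as inconsistent.

```python
"""Cross-reference a physical badge log with interactive AD logons.

Reports any account with an interactive logon (Windows Security event 4624,
LogonType 2) on a day with no badge-in for that user, or with a logon earlier
than the user's first badge-in. Remote logons (LogonType 10, RDP) are listed
separately: the badge log cannot vouch for them either way.
Added example; the log formats, users and hosts below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime

DAY = date(2015, 12, 22)  # the day under review

# Constructed badge-reader export: timestamp,user,door (not real data).
BADGE_LOG = """\
2015-12-22T07:58:10,alice,main-entrance
2015-12-22T08:05:44,bob,main-entrance
2015-12-22T12:30:02,alice,main-entrance
"""

# Constructed, simplified export of forwarded Windows Security events.
# The key=value layout is an assumption of this example, not a real forwarder format.
LOGON_LOG = """\
2015-12-22T07:30:00 DC01 EventID=4624 TargetUserName=bob LogonType=2 IpAddress=10.0.1.33
2015-12-22T08:01:12 DC01 EventID=4624 TargetUserName=alice LogonType=2 IpAddress=10.0.1.21
2015-12-22T08:03:57 DC01 EventID=4624 TargetUserName=carol LogonType=2 IpAddress=10.0.1.40
2015-12-22T08:10:03 DC01 EventID=4624 TargetUserName=bob LogonType=2 IpAddress=10.0.1.33
2015-12-22T09:15:41 DC01 EventID=4624 TargetUserName=dave LogonType=10 IpAddress=203.0.113.9
2015-12-22T09:20:00 DC01 EventID=4672 TargetUserName=alice LogonType=2 IpAddress=10.0.1.21
"""

LOGON_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) LogonType=(?P<ltype>\d+)"
)


@dataclass(frozen=True)
class Finding:
    user: str
    when: datetime
    reason: str


def first_badge_in(badge_text, day):
    """Map user -> earliest badge-in timestamp on `day`."""
    first = {}
    for line in badge_text.splitlines():
        if not line.strip():
            continue
        ts, user, _door = line.split(",")
        t = datetime.fromisoformat(ts)
        if t.date() == day and (user not in first or t < first[user]):
            first[user] = t
    return first


def logons(logon_text, day):
    """Yield (user, timestamp, logon_type) for 4624 events on `day`; other events are ignored."""
    for line in logon_text.splitlines():
        m = LOGON_RE.match(line)
        if not m or m["eid"] != "4624":
            continue
        t = datetime.fromisoformat(m["ts"])
        if t.date() == day:
            yield m["user"], t, int(m["ltype"])


def cross_reference(badge_text, logon_text, day):
    """Return (findings, remote): badge/logon inconsistencies, and remote logons to review separately."""
    first = first_badge_in(badge_text, day)
    findings, remote = [], []
    for user, when, ltype in logons(logon_text, day):
        if ltype != 2:
            # Network/RDP/service logons: a badge log says nothing about them.
            remote.append(Finding(user, when, f"LogonType {ltype}, not badge-correlated"))
        elif user not in first:
            findings.append(Finding(user, when, "interactive logon but no badge-in today"))
        elif when < first[user]:
            findings.append(Finding(user, when,
                                    f"interactive logon before first badge-in at {first[user]:%H:%M:%S}"))
    findings.sort(key=lambda f: f.when)
    return findings, remote


def report(findings, remote):
    """Plain-text body for the notification the question asks for."""
    lines = [f"{f.when:%Y-%m-%d %H:%M:%S} {f.user}: {f.reason}" for f in findings]
    lines += [f"(review) {f.when:%Y-%m-%d %H:%M:%S} {f.user}: {f.reason}" for f in remote]
    return "\n".join(lines) if lines else "no inconsistencies"


if __name__ == "__main__":
    print(report(*cross_reference(BADGE_LOG, LOGON_LOG, DAY)))
```

On the constructed data the report names bob (logged on at 07:30, badged in at 08:05:44) and carol (no badge entry at all), lists dave's RDP logon for review, and ignores the 4672 event because only 4624 counts as a logon. Comparing against the first badge-in time rather than mere presence in the badge log is what catches the shared-credential case the question is really after.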

Splunk has quite an exotic learning curve, with basic searches available in literally minutes; then it took me a day to understand how to build a complex search, and two more days to have a set of charts (timelines, breakdowns, gauges). I then realized that it makes more sense to create saved searches and work from there (you can edit them more easily).

I would also suggest looking at the config files (transforms.conf in particular).

schroeder
WoJ

Since I have been in the SIEM business for 5 years, I will make a few statements that have held up for me so far. In most cases a SIEM is a political decision in a company, because the company has some budget and wants to raise its security awareness. Usually it comes down to buying an expensive product and then, in the end, neglecting it. So what I would look for in a SIEM is options to extend it to fit your own needs, as each company has its own set of rules and security guidelines it must / wants to follow. With that in mind, to get the most out of a SIEM you need:

  • open API

  • option to write your own indexers

  • option to write custom reports

If you have sysadmins that don't want to invest too much time in it you will also need:

  • regular updates for security rules and indexers

Anyway, I don't know if what I am doing is fair, because I am suggesting OTUS SIEM, our own product, on which we have spent 4 years so far; but so far we have gathered a ton of user experience and we know with which expectations they start and what they settle for in the end.

damir

As other answers have covered the features you need to look for while finalizing a SIEM solution for your organization, I would only like to add a few important points about the implementation.

You have mentioned that your boss wants a certain piece of information about the employees, and he is right when he thinks that a SIEM can do the required task. However, before you go ahead with a SIEM implementation you need to consider a lot of other factors. The SIEM implementation cannot be designed around giving your boss the kind of reports he wants. The main job of a SIEM is to detect and report security incidents, and in order to do that in an efficient manner you need to first identify what your key assets are and how much you need to protect them.

I have seen instances where SIEM systems are used to enable policy compliance in organizations, which sometimes defeats the core purpose of having a SIEM - security incident detection. Overloading the SIEM with configurations that allow you to maintain policy compliance while overlooking the security incidents is not something you would want to end up doing.

Shurmajee