Basic SEM for Windows?


  1. That Random Guy
    Posts : 47
    Windows 10 Pro x64 ( v. 2004)
       New #1

    Basic SEM for Windows?


    Hi,

    I'm in the need of a cheap (preferably free), low management overhead SIEM solution that can easily plug into a Windows environment. I don't really need it to be the full fledged Splunk, but it needs to have these three things:


    • Real-time log analysis
    • Alerting
    • Lightweight


    It's not like I haven't done my due diligence. I'm fully aware of the FOSS and non-free open-source alternatives out there.

    I've been on the very, very odd position where I've been the one chasing Splunk trying to get a quote for my small company (without luck).

    The whole point is to make sure this goes as smooth as possible just for the fact that we're heavily understaffed and I myself and constantly doing other tasks aside from sysadmin. In all respects, I am a glorified helpdesk that shares some basic rudimentary sysadmin tasks. This, on top of the fact I've been put on a contract and have things to do there as well.

    FOSS options would work under different circumstances if it weren't for the fact that leadership wants to make sure we're at very little risk for being left in the dark. In other words, there has to be some level of support being offered by the vendor where we aren't relying upon a community-base. This is for rational reasons as for (example) when I'm long gone, my replacement likely won't have a clue how to manage the shit I've done unless I've documented to the extreme.

    TL;DR:
    I was going to consider Splunk Cloud as the name suggests it would be simple. However, also knowing it is Splunk, my guess is that it would be expensive.

    What option do you recommend for a small company with around 10-15 servers on-premises?

    P.S. - Found this neat little PowerShell script that does scans for one thing that a SIEM would normally look at but if there's anything kind of like this, this would also suffice. If I can just take some scripts and put them into Task Scheduler, my job is done. As long as something is scanning the logs and triggering emails, that's all that needs to happen.
    Last edited by That Random Guy; 28 Mar 2020 at 12:50. Reason: lines
      My Computer
    Quote Quote

  3. kelv1n
    Posts : 1
    AmigaOS
       New #2

    Do you want this just for log-ingestion, light-investigations and some pretty dashboards? Or are you expecting a full-on security monitor with correlation, threat analytics and threat intelligence?

    For the former, something like Splunk will work great. Also if you have a specific use case, for example, predominantly Windows servers or desktops, then I would also recommend taking a look at the not-quite SIEM tools, such as LogEventAnalyzer and Firewall Analyzer from ManageEngine, or EventSentry etc. As whilst they're not quite as flexible, they are 1000x easier to setup and just work out of the box.

    But if its the later, do not under-estimate the overhead of deploying and managing a SIEM (even Splunk). It is not set and forget, it's usually a full time job (often requiring a dedicated team) and previous experience to write the parsers and correlation rules. There are very few small-businesses that have an IT team big-enough to do this successfully, and the SIEM becomes a wasted investment and waste of time - I speak from experience, having done this myself (and seen many others).

    The best advise I can give is this - SIEM is not a panacea, you get out what you put in. In fact, its the final-piece of the security stack, and should only be added once you've got all other-bases covered, for example properly tuned Nextgen Firewalls (Multi-zone network and Application Filtering), Endpoint security, Email Security, MFA, VPN, MDM, WAF etc. Also, if you have bespoke or in-house developed software, make sure this has proper logging in place (i.e. failed logins etc, pages viewed, downloaded data.. In my experience, developers rarely take this into account).

    If you're at that point, then reach out to some local MSSP's and see how they can help and get some pricing. There are many benefits to this model - Most offer a multi-tenant system (you don't need to buy a SIEM), you just send the logs - they then build the log parsers, they bring the threat-intelligence and deal with correlation, they have analysts monitoring and analysing the logs 24/7..

    Either way... Don't use a SIEM as a dumping ground, consuming logs cost money, only ingest what you need when you need it. Be tactical, identifying threats takes time and you cannot effectively monitor everything from day 1, so work out:

    • A few use-cases, what are the biggest targets (i.e. where are the company's "crown jewels", high-value data etc)
    • Are there any compliance requirements that require certain data or system to be managed
    • Consider what devices need to be monitored to detect attacks or threats on the above
    • Work out the volume of logs those devices generate per-day

    You can then use this, to get pricing from the SIEM providers or MSSP's.

    - - - Updated - - -

    Sorry looks like I skipped where you mentioned the support bit.. you 100% need to speak with an MSSP (Managed Security Service Provider).
    Last edited by kelv1n; 30 Mar 2020 at 12:01.
      My Computer
    Quote Quote

 

  Related Discussions
Hello forum users I recently upgraded to windows 10 to experience the new OS from windows 7 (updates ended Jan 14). I quickly realized that not only are the transparent aero themes are gone, the basic style is also gone, and I used this style. I...
Hello Recently I installed an old application that only ran well in 16 bit color for some reason and when I set it to the XP compatibility mode and 16 colors the windows aero basic theme was used (the theme from windows 7 with the light blue title...
For nearly the past 3 decades I have been working on Web Sites that honour WW2, in various aspects, local history of both where I grew up and where I now live, I have travelled hundreds of miles taking images as well as collecting images sent to me...
Well, after installing VB 5.0 in Win 10 all works well except the 'help' does not work. That occurred after installing it in Win 7 but I just copied the help dll files into the main VB folder and it worked fine. I like Win 10 okay and it works...
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

 © Designer Media Ltd
All times are GMT -5. The time now is 23:31.
Find Us




Windows 10 Forums