Basic SEM for Windows?

  1. Posts: 47
    Windows 10 Pro x64 (v. 2004)

    I'm in the need of a cheap (preferably free), low management overhead SIEM solution that can easily plug into a Windows environment. I don't really need it to be the full fledged Splunk, but it needs to have these three things:

    • Real-time log analysis
    • Alerting
    • Lightweight

    It's not like I haven't done my due diligence. I'm fully aware of the FOSS and non-free open-source alternatives out there.

    I've been in the very, very odd position where I've been the one chasing Splunk trying to get a quote for my small company (without luck).

    The whole point is to make sure this goes as smoothly as possible, just for the fact that we're heavily understaffed and I myself am constantly doing other tasks aside from sysadmin. In all respects, I am a glorified helpdesk that shares some basic rudimentary sysadmin tasks. This, on top of the fact I've been put on a contract and have things to do there as well.

    FOSS options would work under different circumstances if it weren't for the fact that leadership wants to make sure we're at very little risk of being left in the dark. In other words, there has to be some level of support offered by the vendor where we aren't relying upon a community base. This is for rational reasons, as (for example) when I'm long gone, my replacement likely won't have a clue how to manage the shit I've done unless I've documented to the extreme.

    I was going to consider Splunk Cloud as the name suggests it would be simple. However, also knowing it is Splunk, my guess is that it would be expensive.

    What option do you recommend for a small company with around 10-15 servers on-premises?

    P.S. - Found this neat little PowerShell script that scans for one thing that a SIEM would normally look at, but if there's anything kind of like this, this would also suffice. If I can just take some scripts and put them into Task Scheduler, my job is done. As long as something is scanning the logs and triggering emails, that's all that needs to happen.
    Last edited by That Random Guy; 28 Mar 2020 at 12:50. Reason: lines
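An added example of the kind of scheduled check the P.S. describes (this is not the script the poster found; the 15-minute window, the threshold of 10 and the mail addresses are assumptions): it counts failed logon events in the Security log, groups them by account and source, and emails a summary when the count crosses the threshold. The trailing comment shows the Task Scheduler registration.

```powershell
# Added example, not the script from the thread. Run under an account that can
# read the Security log. Threshold, window and addresses below are placeholders.
param(
    [int]    $Minutes    = 15,
    [int]    $Threshold  = 10,
    [string] $SmtpServer = 'smtp.example.invalid',      # placeholder relay
    [string] $From       = 'logcheck@example.invalid',  # placeholder sender
    [string] $To         = 'itops@example.invalid'      # placeholder recipient
)

$since = (Get-Date).AddMinutes(-$Minutes)

# Event ID 4625 = "An account failed to log on". SilentlyContinue stops
# Get-WinEvent from throwing when nothing matched in the window.
$failed = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $failed) { return }

$total = @($failed).Count
if ($total -lt $Threshold) { return }

# In the 4625 schema Properties[5] is TargetUserName and Properties[19] is the
# source IpAddress; grouping on both shows which accounts are being hit from where.
$summary = $failed |
    ForEach-Object {
        [pscustomobject]@{
            Account = $_.Properties[5].Value
            Source  = $_.Properties[19].Value
        }
    } |
    Group-Object Account, Source |
    Sort-Object Count -Descending

$body = "$total failed logons (event 4625) on $env:COMPUTERNAME since $since`n`n" +
        ($summary | Format-Table Count, Name -AutoSize | Out-String)

Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
    -Subject "[ALERT] $total failed logons on $env:COMPUTERNAME" -Body $body

# One-time registration (elevated prompt) so Task Scheduler runs this every 15 minutes:
#   $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
#                -Argument '-NoProfile -File C:\Scripts\Check-FailedLogons.ps1'
#   $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
#                -RepetitionInterval (New-TimeSpan -Minutes 15)
#   Register-ScheduledTask -TaskName 'Check-FailedLogons' -Action $action `
#                -Trigger $trigger -User 'NT AUTHORITY\SYSTEM' -RunLevel Highest
```

Send-MailMessage needs a relay that accepts mail from the host; pass -Credential and -UseSsl if yours requires authentication.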

  2. Posts: 1

    Do you want this just for log-ingestion, light-investigations and some pretty dashboards? Or are you expecting a full-on security monitor with correlation, threat analytics and threat intelligence?

    For the former, something like Splunk will work great. Also if you have a specific use case, for example, predominantly Windows servers or desktops, then I would also recommend taking a look at the not-quite SIEM tools, such as LogEventAnalyzer and Firewall Analyzer from ManageEngine, or EventSentry etc. As whilst they're not quite as flexible, they are 1000x easier to setup and just work out of the box.

    But if it's the latter, do not underestimate the overhead of deploying and managing a SIEM (even Splunk). It is not set and forget; it's usually a full-time job (often requiring a dedicated team) and previous experience to write the parsers and correlation rules. There are very few small businesses that have an IT team big enough to do this successfully, and the SIEM becomes a wasted investment and waste of time - I speak from experience, having done this myself (and seen many others).

    The best advice I can give is this - SIEM is not a panacea; you get out what you put in. In fact, it's the final piece of the security stack, and should only be added once you've got all other bases covered, for example properly tuned Nextgen Firewalls (multi-zone network and application filtering), endpoint security, email security, MFA, VPN, MDM, WAF etc. Also, if you have bespoke or in-house developed software, make sure this has proper logging in place (i.e. failed logins etc., pages viewed, downloaded data. In my experience, developers rarely take this into account).

    If you're at that point, then reach out to some local MSSPs and see how they can help, and get some pricing. There are many benefits to this model - most offer a multi-tenant system (you don't need to buy a SIEM), you just send the logs - they then build the log parsers, they bring the threat intelligence and deal with correlation, they have analysts monitoring and analysing the logs 24/7.

    Either way... Don't use a SIEM as a dumping ground, consuming logs cost money, only ingest what you need when you need it. Be tactical, identifying threats takes time and you cannot effectively monitor everything from day 1, so work out:

    • A few use-cases, what are the biggest targets (i.e. where are the company's "crown jewels", high-value data etc)
    • Are there any compliance requirements that require certain data or system to be managed
    • Consider what devices need to be monitored to detect attacks or threats on the above
    • Work out the volume of logs those devices generate per-day

    You can then use this to get pricing from the SIEM providers or MSSPs.

    - - - Updated - - -

    Sorry looks like I skipped where you mentioned the support bit.. you 100% need to speak with an MSSP (Managed Security Service Provider).
    Last edited by kelv1n; 30 Mar 2020 at 12:01.

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.