When putting together a SIEM, one of the first things you need to decide on is the distributed architecture you are going to use. That means analyzing the resources available to you as well as the needs of your SOC.

  • Are you monitoring 100, 1000, or 10000 hosts?
  • Do you have budget for commercial tools?
  • How heterogeneous is your infrastructure?
  • Are you just looking for security alerts, or do you also need persistent event logging for auditing purposes?
  • What type of granularity are you looking to achieve?
  • What response time do you wish to achieve? Do you need real-time notifications?
  • Do you have time to improve/tune your solution or do you need something working 100% ASAP?

These are some of the questions you need to ask yourself. In our particular case, we needed to set up a SIEM for a network of about 20K hosts. We didn’t have a budget for commercial tools or licenses. We needed persistent logging for auditing purposes, which included logging every command executed in our infrastructure while monitoring for malicious ones. We also wanted low-level granularity in order to write custom rules. Basically, we wanted a top-level SOC without spending money. But this is not possible.
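To make the "log every command, monitor for malicious ones" requirement concrete, here is an added example (not code from the original post, and not how the author's setup works) that reconstructs executed commands from Linux auditd `execve` records and runs a few custom rules over them. The audit lines, the rule ids (`CMD-001` to `CMD-003`) and the watched paths are all constructed for illustration; a real deployment would ship the resulting per-command trail to the SIEM and tune the rules there.

```python
"""Reconstruct executed commands from auditd execve records and apply custom
detection rules. Added example; not code from the original post."""
import re
from collections import OrderedDict

# Constructed sample records in auditd's native format (not real data):
# each execve produces a SYSCALL record and an EXECVE record sharing a msg id.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4201): arch=c000003e syscall=59 success=yes exit=0 ppid=3120 pid=3155 auid=1001 uid=1001 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1700000000.101:4201): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1700000000.202:4202): arch=c000003e syscall=59 success=yes exit=0 ppid=3120 pid=3160 auid=1001 uid=0 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1700000000.202:4202): argc=3 a0="sh" a1="-c" a2="cat /etc/shadow"
type=SYSCALL msg=audit(1700000000.303:4203): arch=c000003e syscall=59 success=yes exit=0 ppid=3120 pid=3170 auid=1001 uid=1001 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700000000.303:4203): argc=2 a0="bash" a1="/tmp/update.sh"
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

# Assumed example rule inputs (not from the post): paths worth a second look.
WATCH_DIRS = ("/tmp/", "/dev/shm/")
SENSITIVE_FILES = ("/etc/shadow",)
AUID_UNSET = "4294967295"  # auditd's value for "no login session"


def _fields(line):
    """Split one audit record into key/value pairs, stripping quotes.
    Values auditd hex-encodes (unquoted hex for odd bytes) are left as-is."""
    out = {}
    for key, val in FIELD_RE.findall(line):
        out[key] = val[1:-1] if val.startswith('"') else val
    return out


def parse_audit_log(text):
    """Group SYSCALL and EXECVE records by audit event id and return one event
    per execve with auid, uid, exe and the reconstructed argv/cmdline."""
    events = OrderedDict()
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ts, eid = m.groups()
        ev = events.setdefault(eid, {"id": eid, "ts": float(ts), "argv": {}})
        f = _fields(line)
        if f.get("type") == "SYSCALL":
            ev.update(auid=f.get("auid"), uid=f.get("uid"), exe=f.get("exe"))
        elif f.get("type") == "EXECVE":
            # Arguments are a0, a1, ...; a long command may continue in a
            # second EXECVE record, so collect by index and sort at the end.
            for k, v in f.items():
                if re.fullmatch(r"a\d+", k):
                    ev["argv"][int(k[1:])] = v
    result = []
    for ev in events.values():
        ev["argv"] = [ev["argv"][i] for i in sorted(ev["argv"])]
        ev["cmdline"] = " ".join(ev["argv"])
        result.append(ev)
    return result


def evaluate(ev):
    """Return the ids of the custom rules this command matches."""
    hits = []
    # Command ran as root inside a session that was logged in as a normal user.
    if ev.get("uid") == "0" and ev.get("auid") not in (None, "0", AUID_UNSET):
        hits.append("CMD-001 root command from a non-root login session")
    if any(arg.startswith(WATCH_DIRS) for arg in ev["argv"]):
        hits.append("CMD-002 command references a file under a temporary directory")
    if any(path in ev["cmdline"] for path in SENSITIVE_FILES):
        hits.append("CMD-003 command references a credential file")
    return hits


def audit_trail(text):
    """One persistent record per executed command plus any rule hits: this is
    what would be shipped to the SIEM for both auditing and alerting."""
    return [(ev["id"], ev["auid"], ev["uid"], ev["cmdline"], evaluate(ev))
            for ev in parse_audit_log(text)]


if __name__ == "__main__":
    for eid, auid, uid, cmd, hits in audit_trail(SAMPLE_AUDIT_LOG):
        print(f"{eid} auid={auid} uid={uid} cmd={cmd!r} hits={hits}")
```

Every command is recorded whether or not a rule fires, which is what separates an audit trail from a pure alerting setup; the rules only decorate the record, so they can be added and tuned later without losing history.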

#blue-team #infosec #soc #siem #security

Building a SIEM: combining ELK, Wazuh HIDS