BuzzSec - SIEM Gotchas
I had a customer ask me today if there were any gotchas I'm seeing with SIEMs right now that a prospective buyer should be aware of. It's a great question, and I wanted to share the answer with you all.
The biggest gotchas are these 4 things I'm seeing:
- Can you use it to do threat hunting in your environment? Can you explore each finding well in the SIEM?
- Can you get other threat intelligence feeds, paid and community, and can you put your own rules in with Yara or something similar?
- Does the database support the amount of data you will have in there? Take the volume of logs you generate in a month, multiply by 13 months, and make sure performance isn't going to lag at that size.
- For logs you're going to want VPN, IDS, IPS, firewall in and out, web filtering, switches, Active Directory, data store file systems like SANs, email, databases, and any other high-importance VMs in your enterprise. Also, make sure you can feed the results of your vulnerability scanning, both active and passive, in there.
- If you have cloud resources, you'll want to monitor those as well.
Some vendors that do it for you in the cloud won't support threat hunting. Some vendors only allow their threat intelligence feeds. Some vendors have horrible database performance when there is a lot of data present. Some vendors do not have ANY cloud visibility.
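To make the "your own rules" and "your own intel feeds" points concrete, here is an added example (not code from the original post or from any SIEM vendor) of what custom detection content looks like once a SIEM lets you load it: a tiny Sigma-style rule evaluator that runs field-match rules, a per-user threshold rule, and a lookup against a locally maintained indicator list over constructed sample events from a few of the log sources listed above, plus a pivot helper for exploring a finding. The event field names, the indicator list, and the `EXPECTED_COUNTRIES` allowlist are all assumptions made up for the example.

```python
"""Minimal custom-detection evaluator: Sigma-style rules plus a local
threat-intel indicator list, run over constructed sample SIEM events."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

# Constructed sample events from log sources named in the post (VPN, AD, firewall).
# Field names and values are illustrative assumptions, not any vendor's schema.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"source": "vpn", "user": "alice", "src_ip": "198.51.100.7", "result": "success", "country": "US"},
    {"source": "vpn", "user": "alice", "src_ip": "203.0.113.9", "result": "success", "country": "RO"},
    {"source": "ad", "user": "bob", "event_id": 4625, "src_ip": "10.0.0.5"},
    {"source": "ad", "user": "bob", "event_id": 4625, "src_ip": "10.0.0.5"},
    {"source": "ad", "user": "bob", "event_id": 4625, "src_ip": "10.0.0.5"},
    {"source": "ad", "user": "bob", "event_id": 4625, "src_ip": "10.0.0.5"},
    {"source": "ad", "user": "bob", "event_id": 4625, "src_ip": "10.0.0.5"},
    {"source": "firewall", "src_ip": "10.0.0.22", "dst_ip": "203.0.113.50", "dst_port": 443, "action": "allow"},
    {"source": "firewall", "src_ip": "10.0.0.23", "dst_ip": "192.0.2.80", "dst_port": 443, "action": "allow"},
]

# Constructed custom/community intel feed (documentation-range IPs, not real indicators).
CUSTOM_INTEL = {"203.0.113.50"}
# Assumed allowlist of countries VPN logins are expected from.
EXPECTED_COUNTRIES = {"US", "CA"}


@dataclass
class Rule:
    name: str
    selection: Dict[str, Any]                        # field -> required value (exact match)
    extra: Optional[Callable[[Dict[str, Any]], bool]] = None  # predicate for conditions a flat match can't express
    group_by: Optional[str] = None                   # aggregate on this field ...
    threshold: int = 1                               # ... and alert when the count reaches this


def matches(rule: Rule, event: Dict[str, Any]) -> bool:
    """True when every selection field matches exactly and the extra predicate (if any) passes."""
    for field_name, wanted in rule.selection.items():
        if event.get(field_name) != wanted:
            return False
    return rule.extra(event) if rule.extra else True


def evaluate(rules: List[Rule], events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run every rule over the events; threshold rules emit one alert per group, others one per event."""
    alerts: List[Dict[str, Any]] = []
    for rule in rules:
        hits = [e for e in events if matches(rule, e)]
        if rule.group_by:
            counts: Dict[Any, int] = {}
            for e in hits:
                key = e.get(rule.group_by)
                counts[key] = counts.get(key, 0) + 1
            for key, n in counts.items():
                if n >= rule.threshold:
                    alerts.append({"rule": rule.name, rule.group_by: key, "count": n})
        else:
            for e in hits:
                alerts.append({"rule": rule.name, "event": e})
    return alerts


def pivot(events: List[Dict[str, Any]], field_name: str, value: Any) -> List[Dict[str, Any]]:
    """Hunting helper: pull every event sharing a field value so a finding can be explored in context."""
    return [e for e in events if e.get(field_name) == value]


RULES = [
    # Threshold rule: five or more failed AD logons (event 4625) for one user.
    Rule("AD failed logons >= 5 per user", {"source": "ad", "event_id": 4625},
         group_by="user", threshold=5),
    # Intel-driven rule: allowed egress to an address in the locally maintained feed.
    Rule("Firewall egress to custom intel IP", {"source": "firewall", "action": "allow"},
         extra=lambda e: e.get("dst_ip") in CUSTOM_INTEL),
    # Field rule: successful VPN login from a country outside the allowlist.
    Rule("VPN login outside expected countries", {"source": "vpn", "result": "success"},
         extra=lambda e: e.get("country") not in EXPECTED_COUNTRIES),
]


def run_sample() -> List[Dict[str, Any]]:
    """Evaluate the constructed rule set against the constructed events."""
    return evaluate(RULES, SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
    # Explore the firewall finding: everything the same internal host did.
    print(pivot(SAMPLE_EVENTS, "src_ip", "10.0.0.22"))
```

Whatever SIEM you are evaluating, the check is whether it lets you load rules of all three shapes (plain field match, aggregation over a window, and lookup against a feed you control) and then pivot from an alert to the surrounding events, which is the threat-hunting capability the first bullet above asks about.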