Above is a great tweet by @varcharr asking a very simple question, but engaging quite a few people. The answers to this tweet astonished me; I truly didn’t know there were so many options to choose from. People said things like elasticsearch, splunk, qradar, rapid7, ELK, AlienVault, Security Onion, LogRhythm, Solarwinds, Elastic SIEM, NetWitness, Azure Sentinel, Helix and GreyLog, just to name a few. Now, I question some of these picks because, well, I’ve literally never heard of some of them. One thing is for sure about the answers to this tweet: there are a lot of products out there, and there are many opinions about which SIEM is best for incident response.
I see this type of question often, not just in technology but in other industries. Whenever a person starts looking into a task or project, they ask this question: “What’s good for x, y, and z?” What are the best golf clubs to buy? What paintbrushes and paint do I need to be the next Bob Ross?
I’ve had conversations with people who say there’s no better product out there for manipulating photos than Adobe Photoshop. I see these same people take class after class to learn the ins and outs of Photoshop, but my dad, who uses a program that came with his scanner and never took a class on it, can run circles around these Photoshop users. I believe that when we start a new project, we want to ensure success, and the best way to guarantee that is to ask questions and mimic people who share this interest. This ensures we’re starting on the right foot.
I ask: is this the question we should be asking? In particular, the question above about what your SIEM of choice is? From my point of view, it doesn’t matter. Now, I know it might be better to stay away from one SIEM for one reason or another, but as an analyst, or as somebody who is going to respond to an incident, I really don’t care. There are a few things around the SIEM that I feel are extremely important, more so than the product itself, and that’s the people building and maintaining the SIEM.
The people involved in building and maintaining the SIEM are the ones who determine whether it’s a good SIEM. A good engineer will ensure the stability of the product by scaling it appropriately and keeping up to date with new developments in the product. This engineer will make sure logs are fed into the SIEM when systems are deployed and ensure that the data is parsed. This engineer will work with the analysts to create detections and even help with automation. I believe a good engineer can take any one of the systems mentioned above and make it useful for an investigation.
I also believe an engineer can make any one of those products the worst an investigator has ever experienced. Just like with Bob Ross: I’m sure there’s paint and brushes he preferred, but I also believe he could make a beautiful painting out of any products he was given. So instead of asking what’s a good product, ask: do I have the right people to build and maintain this system? If not, then how do I get there?
Editor: Emily Domedion