User Activity
Over 2 years ago
Answered a question: Looking for SIEM use cases and triggers
You may also want to consider the MITRE ATT&CK framework.
https://attack.mitre.org/
Over 2 years ago
Answered a question: Looking for SIEM use cases and triggers
Best Practice Papers
Additional detail is available in several public papers vetted by SANS that have become industry best practices.
A Process for Continuous Security Improvement Using Log Analysis
https://www.sans.org/white-pap...
#33824
Successful SIEM and Log…
Over 2 years ago
Answered a question: Which reliable and cost-effective SIEM product would you recommend in 2022?
It's best to start your search based on the use cases/problems you need to solve.
Each product has strengths and weaknesses. I'd suggest you may want to consider UEBA and SOAR in the decision.
Our SOC teams just don't have enough people, and SIEM rules turn out high…
Almost 3 years ago
Answered a question: What are the main differences between XDR and SIEM?
SIEM focuses on correlation - detection, both known (and with UEBA), unknown/0 Day anomalies
XDR focuses on blocking - usually of only known patterns - If on Threat Intel List, block - much like implementing AV at a firewall/network level, not entirely dissimilar to IPS.…
About 3 years ago
Answered a question: Which is the best SIEM solution for a government organization?
As several have said, it depends on quite a few factors.
1. What use cases are you trying to solve?
- Search/Threat Hunting is easy and a baseline, Splunk does a great job, as do Sumo, AlertLogic, Devo and a few others in the cloud for even less than Splunk.
- Threat…
About 3 years ago
Replied to Norman Freitag Which is the best SIEM solution for a government organization?
@Norman Freitag It's not top rated by analyst firms. While it's easy to ingest data, it takes a lot of care and feeding, and licensing gets expensive as the size grows. Good for NOC use cases, much tougher for SOC, and requires expensive add-ons like Caspida for Insider and…
About 3 years ago
Answered a question: Monitoring Web Hosted Servers for unwanted guests
You're describing the use cases for a Web Application Firewall. Web-specific IDS, injection, attack detection and mitigation.
Cloudflare is one you might look at. Imperva, Whitehat... several vendors and products to choose from. One in the cloud that also does DDoS…
About 3 years ago
Answered a question: What is an incident response playbook and how is it used in SOAR?
Incident Response playbooks detail how to act when a threat or incident occurs. PICERL - Preparation, Identification, Containment, Eradication, Remediation, Lessons Learned (from SANS). The playbook outlines what to do at each stage.
Typical SOAR playbooks automate the…
Over 3 years ago
Answered a question: What is a better choice, Splunk or Azure Sentinel?
It would really depend on (1) which logs you need to ingest and (2) what your use cases are.
Splunk is easy for ingestion of anything, but it charges per GB/day indexed, and it gets expensive as log volume increases. Splunk is good for operations style use cases (NOC), but…
Over 3 years ago
Answered a question: What are the main differences between UEBA and SIEM solutions?
SIEM vs UEBA
1. SIEM is designed to store events for extended periods (typically 365 days), UEBA violations/rule triggers add to risk scores but generally function on real-time data and < 30-day old data
2. SIEMs are generally Rule-Based - "If X Happens Y Times in Z Time…
Over 3 years ago
Replied to Shibu Babuchandran Which SIEM for small and medium-sized companies do you consider the most economical?
@Shibu Babuchandran Splunk gets expensive as your size grows. It's the St. Bernard puppy.
ELK, Metron, Graylog are the common entry log collectors if you have a minimal budget. But I would suggest small organizations should look to partner with an MSSP for managed SOC/SIEM…
Over 3 years ago
Answered a question: How to evaluate SIEM detection rules?
As a rule, a SIEM correlation should:
1) Reduce events by 99.99% - raw events to correlations
2) Impact system performance by <1%
3) Produce Correlated Threats with >35% true positive rate on investigation
- 33% are usually false positives or misconfigurations (not real…
Over 3 years ago
Answered a question: How to deploy SIEM agents in large scale Windows environments?
Most SIEMs shouldn't require agents. You can generally configure Windows Event Forwarding (WEF) to a Windows Event Collector (WEC), and then forward logs via one agent on the WEC for multiple endpoints.
We use NXLOG at Securonix.
I would suggest if you need to deploy…
Over 3 years ago
Answered a question: What are the top use cases to implement after deploying a SIEM?
There are 26 base use cases every SIEM should run that find Indicators of Compromise (IOCs) on machines.
They follow two basic patterns - Everything Counts in Large Amounts and Do Any Two Things Wrong, Go to the Top of the List.
Success After Fail is another common…
Projects
Over 3 years ago
GSEC, GSNA, GCIH, GCIA, CISSP, MCSE, MCNE, ACTP, CCNA...