Firewall, Active Directory, File Server, Auditing, Alerting, Reporting and log management. SIEM or other tools?

After some advice.

I have a requirement for Log Management, Reporting and Alerting on the following:
Active Directory - changes, password resets, lockouts, logins etc.
File Server - changes, access, specific files/folders
Exchange - access, changes, statistics if possible
Firewalls
Proxies
Oracle Databases - performance, transaction issues etc.
SQL Databases

Reporting is key.
Threat analysis is good to have.

I have looked at Splunk, AlienVault, Varonis and some other tools. Nothing does everything, so the question is: what is the best thing to do?
Do I go for, say, AlienVault to take care of the log management, threat analysis, firewall side of things etc., and then use a product like Varonis (ideally something cheap that does the job) to take care of the AD, File and Exchange side of things, obviously having that tie into the SIEM solution? Or should I just look at separate products?
Yusaf (Joe) Sneddon, 3rd Line Support Engineer, asked:
systechadmin, Consultant, commented:
AlienVault is a good one.
0
btan, Exec Consultant, commented:
ArcSight? But the SIEMs listed are only able to grab the log events configured to be sent over, and they have to correlate them. Splunk has specific Apps and, as mentioned, there is no all-in-one tool. SIEM is very much security-centric, and I see you also need SNMP traps sent over (to something like SolarWinds etc.) for the health status. The Windows logs should not be an issue for ArcSight, or even RSA enVision (now called Security Analytics) and IBM QRadar. Or Nessus Security Center.

But if you are into user activity and privileged accounts, it is best to have the PIM (CyberArk, Xceedium) as a device source: collate from its central management system and also send its logs over to the SIEM, and the latter's rules have to work through the log format, such as syslog or CEF, for the event correlation to produce the output you want. The device source event is critical to ensure such intelligence is fed into the SIEM.

General logging requirements: https://www.owasp.org/index.php/Logging_Cheat_Sheet#Event_data_sources

Overall, the use case you are looking at widely covers inventory discovery (not typically part of SIEMs), log monitoring (part of SIEM) and analysis, stats and reporting (part of SIEMs). SIEMs have most of it, but the specific drill-down really depends on a customised ruleset if the default does not fit, and on the reports/dashboards needed. But the reporting and health via SIEM can be a misfit or lacking, hence the other consideration is the need for the SNMP part as well (for health stats) and a GRC type of solution (for compliance reporting and case management).
0
Yusaf (Joe) Sneddon, 3rd Line Support Engineer, Author, commented:
For the health side of things we can use SCOM and have that feeding into the SIEM product.

If we do go for a SIEM solution, I suppose the question is what's the best product for AD, File Server and Exchange auditing to use in parallel to complement the SIEM product and cover all our requirements.
0

btan, Exec Consultant, commented:
Each device source will then need an agent to pipe the log to the SIEM; that is the practice for feeding the SIEM with intelligence, after which all the other solutions for reporting and display for any GRC can be deliberated and customised as desired. That is how the SOC does it, as compared to just the NOC... of course there is the analytic portion of it too. The agent can be SNARE, syslog-ng etc., but I tend to find NXLog the piping agent that covers most widely: http://nxlog-ce.sourceforge.net/enterprise-edition
0
Gareth Tomlinson CISSP, Network and Security Manager, commented:
Manageengine.com
Try their EventLog Analyzer. It will take logs from all your devices, run audits on them, present reports, and alert you for specific incidents.
It can also run distributed, with an agent on a server to send logs to a remote host.
Excellent piece of software, and tech support is very good indeed.
0
btan, Exec Consultant, commented:
Suggestion:
- target those device sources in your list to send logs to the SIEM,
- have the agent installed if a device cannot natively be configured to pipe to an external log server, or if doing so would impact its concurrent production tasks,
- log events should ideally be inclusive of those actions mentioned.

SIEM is focused on analysis of security information, typically generated from security event logs. The data received is then analysed looking for patterns to perform meaningful correlations. One advantage of having the SIEM as the overall dashboard or oversight is that it can normalise multiple event streams so that data formats and time stamps conform to a standardised format before being stored in a database.

SCOM has Audit Collection Services (ACS) (https://technet.microsoft.com/en-us/library/bb381373.aspx), which provides some of the functionality of a log manager and some of the functionality of a SIEM. ACS can be the "SIEM" but limited to Windows Security event logs, hence the data normalisation requirements are minimal. But ACS may be a good fit if you are already actively using SCOM (and are used to it, for a shorter learning curve). However, you just have to be aware of some limitations, such as support for non-Windows devices. ACS also does not collect data from network infrastructure devices, and it does not include pattern-matching algorithms that identify threats like malware infestation or a widespread network-based attack.
0
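The normalisation and correlation step described in the comment above, as an added example that is not part of the thread or of any product mentioned in it: three constructed event streams (a Windows Security event as a forwarding agent might emit it, a firewall syslog line, and a CEF line from a PIM) are mapped onto one schema with UTC timestamps, then two of the requirements from the question are run as rules over the merged stream: a lockout preceded by repeated logon failures, and password resets performed by someone other than the account owner. The host names, users, IPs, the local time zone of the Windows agent and the assumption that the CEF `rt` field is already UTC are all invented for the example.

```python
"""Added example, not from the original thread: normalise heterogeneous
security events into one schema and correlate across sources.
All sample data below is constructed; every host, user and IP is invented."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumptions for the constructed data: the Windows agent and the firewall
# stamp events in local time (UTC+1); syslog lines carry no year.
LOCAL_TZ = timezone(timedelta(hours=1))
SYSLOG_YEAR = 2023
EVENT_ID_NAMES = {4625: "logon_failure", 4740: "account_lockout", 4724: "password_reset"}

WINDOWS_EVENTS = [  # constructed; shape of a JSON record a forwarding agent might send
    {"EventTime": "2023-05-02 09:14:03", "EventID": 4625, "TargetUserName": "jsmith", "IpAddress": "10.1.2.3", "Hostname": "DC01"},
    {"EventTime": "2023-05-02 09:14:11", "EventID": 4625, "TargetUserName": "jsmith", "IpAddress": "10.1.2.3", "Hostname": "DC01"},
    {"EventTime": "2023-05-02 09:14:20", "EventID": 4625, "TargetUserName": "jsmith", "IpAddress": "10.1.2.3", "Hostname": "DC01"},
    {"EventTime": "2023-05-02 09:14:25", "EventID": 4740, "TargetUserName": "jsmith", "IpAddress": "10.1.2.3", "Hostname": "DC01"},
    {"EventTime": "2023-05-02 10:02:41", "EventID": 4724, "TargetUserName": "bjones", "SubjectUserName": "helpdesk1", "Hostname": "DC01"},
]
SYSLOG_LINES = [  # constructed BSD-syslog firewall line
    "<134>May  2 09:14:05 fw01 kernel: DROP IN=eth0 SRC=10.1.2.3 DST=10.0.0.5 PROTO=TCP DPT=445",
]
CEF_LINES = [  # constructed CEF line from a hypothetical privileged-access product
    "CEF:0|Vendor|PIM|1.0|100|Privileged session start|5|rt=May 02 2023 09:20:00 suser=admin1 duser=Administrator dhost=FS01",
]

def normalise_windows(ev):
    ts = datetime.strptime(ev["EventTime"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
    return {"ts": ts.astimezone(timezone.utc), "source": "windows", "host": ev["Hostname"],
            "action": EVENT_ID_NAMES.get(ev["EventID"], "eventid_%d" % ev["EventID"]),
            "user": ev.get("TargetUserName"), "actor": ev.get("SubjectUserName"),
            "src_ip": ev.get("IpAddress")}

SYSLOG_RE = re.compile(r"^<\d+>(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) \S+: (\w+) (.*)$")

def normalise_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised syslog line: %r" % line)
    stamp, host, action, rest = m.groups()
    ts = datetime.strptime("%d %s" % (SYSLOG_YEAR, stamp), "%Y %b %d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
    kv = dict(p.split("=", 1) for p in rest.split() if "=" in p)  # iptables-style KEY=VALUE pairs
    return {"ts": ts.astimezone(timezone.utc), "source": "firewall", "host": host,
            "action": action.lower(), "user": None, "actor": None, "src_ip": kv.get("SRC")}

# CEF extension values may contain spaces, so split on "key=" boundaries, not on whitespace.
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def normalise_cef(line):
    parts = line.split("|", 7)  # 7 header fields, the rest is the extension
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    _vendor, product, _version, _sig_id, name, _severity = parts[1:7]
    ext = dict(CEF_EXT_RE.findall(parts[7]))
    ts = datetime.strptime(ext["rt"], "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)  # rt assumed UTC
    return {"ts": ts, "source": product.lower(), "host": ext.get("dhost"), "action": name.lower(),
            "user": ext.get("duser"), "actor": ext.get("suser"), "src_ip": ext.get("src")}

def normalise_all():
    """Merge every stream into one time-ordered list in the common schema."""
    events = [normalise_windows(e) for e in WINDOWS_EVENTS]
    events += [normalise_syslog(l) for l in SYSLOG_LINES]
    events += [normalise_cef(l) for l in CEF_LINES]
    return sorted(events, key=lambda e: e["ts"])

def lockouts_after_failures(events, window_s=120, threshold=3):
    """Rule 1: an account lockout preceded by >= threshold logon failures within window_s."""
    alerts = []
    for ev in events:
        if ev["action"] != "account_lockout":
            continue
        start = ev["ts"] - timedelta(seconds=window_s)
        fails = [f for f in events if f["action"] == "logon_failure"
                 and f["user"] == ev["user"] and start <= f["ts"] <= ev["ts"]]
        if len(fails) >= threshold:
            alerts.append({"user": ev["user"], "failures": len(fails), "at": ev["ts"].isoformat(),
                           "src_ips": sorted({f["src_ip"] for f in fails if f["src_ip"]})})
    return alerts

def password_resets_by_others(events):
    """Rule 2: password resets where the acting account is not the target account."""
    return [(e["actor"], e["user"]) for e in events
            if e["action"] == "password_reset" and e["actor"] and e["actor"] != e["user"]]

def cross_source_ips(events):
    """Report: source IPs seen by more than one source type (only possible after normalisation)."""
    seen = defaultdict(set)
    for ev in events:
        if ev["src_ip"]:
            seen[ev["src_ip"]].add(ev["source"])
    return {ip: sorted(s) for ip, s in seen.items() if len(s) > 1}

def summary(events):
    """Report: event counts per (source, action) pair."""
    counts = defaultdict(int)
    for ev in events:
        counts[(ev["source"], ev["action"])] += 1
    return dict(counts)

if __name__ == "__main__":
    evs = normalise_all()
    print("alerts:", lockouts_after_failures(evs))
    print("resets by others:", password_resets_by_others(evs))
    print("ips in several sources:", cross_source_ips(evs))
    print("summary:", summary(evs))
```

The point of the common `ts`/`source`/`user`/`src_ip` fields is that the rules never look at the original formats: the lockout rule and the cross-source IP report work the same whether the failure came from a Windows event, a syslog line or a CEF record. In a real deployment the time-zone and year assumptions above are exactly the details the agent configuration (or the SIEM's parser) has to get right, otherwise the 120-second window silently stops matching.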
Naomi Goldberg commented:
You might find real user reviews for all the major SIEM solutions on IT Central Station to be helpful: https://www.itcentralstation.com/categories/security-information-and-event-management-siem.

On the threat analysis and log management side of things, LogRhythm has had very positive feedback from users on our community. This user writes, "We have made this the foundation of our security intelligence within our organization. It has allowed us to detect and remediate Advanced Persistent Threats." You can read the full user review here: https://www.itcentralstation.com/product_reviews/logrhythm-review-34255-by-srmgrnwkops481
0
btan, Exec Consultant, commented:
I suggest the query has been answered with the options and approach, especially noting from the post that reporting is key. SIEM is the recommended means for aggregated oversight and situational-awareness reporting of the organisation's security posture. For consideration, see:
ID: 40824275
ID: 40824592
ID: 40825796
ID: 40826261
ID: 41464378
0
btan, Exec Consultant, commented:
Please consider the feedback as per ID: 41770199
0
btan, Exec Consultant, commented:
As advised in ID: 41770199
0