Logging and analysis of parameters, security incidents, risk indicators Windows and Juniper Networks SRX240

I serve a number of peer-to-peer networks with Windows workstations and a variety of firewalls.  
So, the focus of this question is on peer-to-peer networks - as there are many in operation and they represent an important market segment.
And, for now, I want to focus on the Juniper Networks SRX240 firewall - when that makes sense in the discussion.
I need to do things like detect anomalous activities, monitor for unauthorized users and devices, set alerts for infosec incidents, monitor performance as a risk indicator, etc.

I will accept that the capabilities are limited in a peer-to-peer network architecture - but won't give up using that as an excuse.
So please don't use up space and energy lecturing about changing the world (i.e. architectures).  It is what it is.  We work with what we're handed.   :-)

I see that there are a variety of products that will gather, analyze, report and alert.  
I'm wondering which such products are good for a small network with a limited budget?

Some background:
I'm currently using PRTG for network performance monitoring using SNMP for the network devices.  The sites are small enough that the free version is fine.
I like PRTG because it makes setup for performance monitoring easy.  But I'm willing to try other things where they might make sense.
(I tried Spiceworks once upon a time and found it too strange for me.  Maybe I didn't give it enough time.)
Going into this, I see ManageEngine EventLog Analyzer...
etc.

I am the IT staff for each system - so obviously part-time and mostly on call except for monitoring things like this which have to be handled ongoing.  So I generally don't have the luxury to develop capabilities that take a lot of time to get up and running.  There is limited time for "development".

I'm just starting this adventure so any suggestions, pointers, etc. would be appreciated!

Things I can imagine:
SRX logs with things like DOS attacks logged and collected.
Windows local logins logged and collected.
.
.
Fred MarshallPrincipalAsked:
tmoore1962Commented:
Not familiar with Juniper Networks SRX240 firewall but I would bet that it can be configured for a syslog server. So you would want an open source syslog server installed on a device in the peer-peer network and send the firewall logs to that. Splunk or maybe Sawmill comes to mind and should be sufficient for SB peer networks.
Fred MarshallPrincipalAuthor Commented:
I don't know about "open source" as a criterion....
So:
Splunk
Spiceworks
ManageEngine EventLog Analyzer
Sawmill

How to choose?
Fred MarshallPrincipalAuthor Commented:
Independent of the log gathering / analysis tool that's used (which I'd still want to hear opinions on), there is the whole aspect of what to set up at the other end (the sources), particularly Windows workstations.

What's recommended there?
How extensive would it be?
References?
btanExec ConsultantCommented:
I would rather look into the SIEMS, since you somehow already have a sort of NOC with PRTG to monitor the health posture of the assets via SNMP traps and probably WMI calls. SIEMS look into the SOC aspects; for a small setup the AlienVault SIEM or OSSIM will be a good starter and a more cost-effective means to do a trial first rather than a big bang.
https://www.alienvault.com/solutions/siem-log-management

But I do see the SIEMS will add value beyond the health check you have established. The key is being able to set a baseline and alert based on abnormal cases and thresholds set for the perimeter SRX and proxy equivalent.
gheistCommented:
SIEM-s need lots of programming in cryptic languages.
graylog says me too...

To get Windows logs into a syslog server you may use rsyslog or syslog-ng forwarding agents.
btanExec ConsultantCommented:
Agree with gheist. As the saying goes, "garbage in garbage out"; we are not going to have a point solution and flood or inundate ourselves with more "finding the needle in the haystack" effort, as it is going to drain us, esp. if the same team is doing the NOC and SOC part of it. A large part is who handles those security incidents and network operations; ideally these should be separate teams, which is also good for accountability and timely escalation and oversight with domain experts.

I know from experience it will not even get small wins if we know "nut" about monitoring our network infra health - that is the basis of baselining your environment, and then you move on to really have rules to trigger on the attack based (syslog format mostly) events being sent to a central syslog server such as the common Kiwi Syslog Server.

Thereafter, SIEMS kick in with rules that we need to craft and baseline for the SOC folks to triage based on severity and use cases that end users need to be kept informed of and mgmt are concerned with - such as anomalous activities ingested that may hint of mass infection (logs from security proxy, AV server etc.), data leakage (use of remote access, excessive outbound payload traffic into the internet from a file server, use of ext storage if policy states all such media are disabled etc.). SIEMS may have built-in rules but you need to work with the principals to tune them to your environment on those device sources like Windows server policy, perimeter FW, NIPS (network) / HIPS (host) etc.

Indeed not straightforward, and it needs time to learn and tune to run effectively for actionable things to be fulfilled. SANS has some good benchmarking material (pdf - https://www.sans.org/reading-room/whitepapers/analyst/benchmarking-security-information-event-management-siem-34755) for SIEMS which you may be interested in. Storage of such logs can be an area for planning when running a cost-effective SIEMS long term - know the needs and wants use cases.

Pardon me if I digress from what you are expecting as I went more into the SIEMS - assuming your NOC aspect more or less is settled and well understood.
Fred MarshallPrincipalAuthor Commented:
btan and all:  I understand and appreciate the comments.
The challenge here is that there are no "teams".  And, neither the NOC nor SOC activities will be full time - even combined.  So, while some suggest otherwise,  it makes sense for one person to do the whole thing.  If recent history is any measure, the NOC work is quite minimal - no changes and no issues of note.  So, it's boiled down to monitoring of boring, normal stuff.

Yes, it appears that implementing the SOC tools and activities will take some learning up front (and no doubt continuing), a fair bit of development (and evolutionary changes in the first year or two).  Thereafter I'd rather expect it to be like most other things of this nature: fairly uneventful and lacking change requests - except for the world evolving of course.  But I'm well-prepared for a higher pace of activity if that's how it turns out.

Right now I'm evaluating ManageEngine EventLog Analyzer in my lab.  I don't have it working completely yet but it seems very likely I'll get past the current issues quickly.  It seems that the price could be acceptable but I've not been able to get what covering our needs would actually cost on their sliding scale of prices.

I've also talked with Alienware and they mention OSSIM.  Since my time is a cost item, I'm concerned that working to adopt this would be more self-serving than I could stomach - and fraught with challenges as time goes on.  Any comments on OSSIM?  I'm told it has "no logger" so I guess I could use Kiwi for that?  But then how about setting up the sources?  And it's limited to (I think they said) 45 Correlation Directives .. if I care?
It doesn't sound promising.
This discussion reminds me of setting up SNMP.  All kinds of arcane "techie" information and approaches which were wiped off the table by using PRTG.  So I'm wanting to avoid the former and discover something like the latter for SIEM.
So, I doubt that "free" is attractive and perhaps "more expensive" in the end.

Comments?
gheistCommented:
If cow has the milk somebody comes and milks it.
Every paid software forces you to go through learning cryptic ruleset language unique to their product, and worst of all you feel attached to the product because of money paid for nothing.
btanExec ConsultantCommented:
PRTG is good for SNMP so I see that you already cover those as part of your routine checks as mentioned. SOC is a step ahead if you are going for changes and of course devoted to getting the changes in place, which you are doing by asking what and how to change.

No magic about all this but trial and error since we are still leveraging other technology. No one-size-fits-all solution either, and the fit for design in terms of your risk appetite determines how involved it is and the sort of device sources that you need to monitor and triage for response. Check back first whether there is some form of escalation of such security events too - no point delving deep while no one appreciates and closes those up (unless everything is under you and your team - dual hatted).

OSSIM indeed does not have (or need) the logger per se, and a means of having the logs sent over to it is achievable either through the OS rsyslog like for Linux or using snare of kiwisyslog forwarder to send Windows events to OSSIM. In fact OSSIM is supposed to be "free" (the built-in parser to interpret the syslog for the list of devices may not be comprehensive ...) since it is DIY from its birth, so is kiwisyslog as it prime to gather and then forward to the centralised SIEMS - I see it as neater rather than all device sources sending directly to OSSIM... even kiwisyslog has a free and a licensed version
http://www.kiwisyslog.com/help/syslog/index.html?configuringsnaretocapturew.htm
http://www.kiwisyslog.com/help/syslog/index.html?kiwi_syslog_daemon.htm

This blog has a series of OSSIM setup - good as starter
http://santi-bassett.blogspot.sg/search/label/ossim

There are free open log management engines to handle those gathered logs such as Graylog (package for non-Windows only) for a small play as compared to SIEM. GL can forward to SIEMS too, but it also requires some dive in: http://docs.graylog.org/en/1.2/pages/architecture.html
Fred MarshallPrincipalAuthor Commented:
"money paid for nothing"??
gheistCommented:
There is no relative advantage in buying product vs free product.
btanExec ConsultantCommented:
Actually if you are interested to drill into SIEMS (with some budget), it is good to explore some reviews shared - they are not to be relied on solely, as the end user is yourself and I believe you know what best fits your case. The reviews are more to open up further areas not looked into, from the usage and implementation experienced by others in terms of each provider's strengths and weaknesses. (see the reviews) http://www.itcentralstation.com/categories/security-information-and-event-management-siem/reviews

No silver bullet. Importantly, new "shiny devices" introduced into the environment must not conflict with and jeopardise the risk appetite of the end user and mgmt. Value for the budget spent needs to be justified, as ultimately that differentiates why to go beyond the current status quo, which is supposed not to be worse off, vs enhanced situational awareness that can transform into savings (like faster response to prevent or reduce damage etc.).
Fred MarshallPrincipalAuthor Commented:
It appears that none of the leading products are affordable.
I've been evaluating ManageEngine EventLog Analyzer and it appears to do "something" at least.
I mentioned it earlier but have no responses so far.

gheist says "buying product vs. free product" provides no relative advantage.  Did I get that right?  What about our time?
btanExec ConsultantCommented:
I see it from more on how dependent on the vendor support we wanted to get these siems up and running soon compared to the DIY doing using the open sw. Of course there will be still the learning curve steeper for the open ones since we are totally new to those stuff implementations, we need to spend more time on the setup of the open with own doing if that is fine with time to answer back to mgmt.
gheistCommented:
It is about the same complexity to link logs from multiple systems in splunk or graylog.
The "support" does not do that for you.
Fred MarshallPrincipalAuthor Commented:
I'm going to be the "support"..... except for EE and such communities now and then.

I finally looked at Graylog.  Like all the others, pricing is obscured.  What does it cost?

Nothing wrong with it but what's the big deal about open source? Why are they crowing about that?  Lower cost is implied .... so?  

Now and then I used to see products that advertised "written completely in C++" - and I would ask myself: "so what?".  I'm not going to be reprogramming it.
btanExec ConsultantCommented:
Graylog does not require licence purchase for production or non-production setup. But they do have support packages if needed as extended help with SLA. Kinda like Splunk support too.
https://www.graylog.org/support-packages/

It is Java 7 based but it does have some extensive documentation and community to leverage on
http://docs.graylog.org/en/1.1/pages/installation/manual_setup.html
Fred MarshallPrincipalAuthor Commented:
Thanks for the suggestions and information!
My take on Graylog is that I would end up having to "build" (or "prepare") too much stuff.  This coming from an experience base that's limited with Linux and all the things that Graylog requires be tacked on the front and at the end.
Yet, it seems evident that no tools are going to be without a fair investment to get things useful.
So I continue on with ManageEngine EventLog Analyzer.  Yes it costs something but it also seems to offer some out-of-the box capability that just works without messing with a bunch of add-ons that are necessary to just start out.
Or, am I off base?

To add: For me, doing some of these things might be fine for a full-time employee who gets paid whether they are learning or being hands-on productive.  I get that.  It's appropriate.  But I have to decide into what to invest my R&D bandwidth.  If something is going to be rarely used or one-off then it's more likely the customer will pay even if we share the cost.  If that's the case, as it is here, then my time is going to be part of the total cost.  We can't afford to reinvent the wheel.
btanExec ConsultantCommented:
Not surprised that it has built-in ones like reports, parsers for the device sources and probably ready queries to search and create ad hoc stats and reports. This should be expected since cost is involved.

Eventually besides the ROI, as long as we are clear on the outcome and effort maximised to avoid such treatment of our needs - biased vision seeing all problems as the same "nail heads" - which we should avoid the "hammer" syndrome for effective remediation instead. Staying complacent with quick patch work is not doing us good in long run.

Regardless, we are not worse off. Someone must appreciate your KPI.
Fred MarshallPrincipalAuthor Commented:
Yeah, they do.

The key question was, and I realize that the answer has to be subjective or at least based on one's own experience base:

Is doing Graylog more a lifelong project or is it a weekend?
btanExec ConsultantCommented:
The project team may see it as one-off after system commission - doubt it can be a short period since we are new to this creature. I see it as an always ongoing operation to maintain the rules and changes to the environments.
Fred MarshallPrincipalAuthor Commented:
Does anyone have experience with ManageEngine EventLog Analyzer?
btanExec ConsultantCommented:
Some feedback includes
the “Need Help?” tab
You can click that at any time and it slides out a little dialog box where you can type in your question, your email address and phone number.
A quick and straightforward means to contact ManageEngine for support - at least you are not left scrambling for help and hunting around. They also have a Support link with similar stuff to get help, which offers a means to go into a live meeting to interact to troubleshoot and probably make requests for enhancements.

Since it is software based like most SIEM, scalability & performance for huge logs will be challenging unless some hard clustering and HA is done. But I guess it is alright with the right hardware size up. Importantly, it has to also have alert profiles for specific security-related events that you like to track daily or as a regime. For ME, it can set the occurrence rate, i.e., number of occurrences within a specific time frame. This may be handy to tone down the false positives - need to set a baseline threshold first for the environment.

There are predefined reports and means to produce your required custom reports, e.g. generate from the results of a free-form search of the logs, and even trend reports - hourly and weekly, both current and historical.

Collection is mainly agentless and uses WMI/DCOM - so if those scripting bases are disallowed then an agent can be installed on the device source. Overall, I do sense that it focuses a lot on user friendliness and guides the user with points to ask for help and find info much more easily at that moment of time. For the actual wide use, probably not for a huge environment, but a test environment will be good to find out more on its functionality first...
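
The "occurrence rate" alert profile described in the comment above (N occurrences of an event within a time frame, with the threshold tuned against a baseline) can be sketched in a few lines. This is an added example, not part of any participant's post and not ManageEngine's code; the log layout, host names and addresses are constructed assumptions, while 4625 and 4624 are the Windows Security event IDs for failed and successful logons.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines. The layout is an assumed, simplified form of
# Windows Security events after a forwarding agent has turned them into
# syslog text; each real agent uses its own field layout.
SAMPLE = """\
2015-11-02T02:10:00 WS-03 Security: EventID=4625 User=admin Src=192.168.1.99
2015-11-02T02:10:20 WS-03 Security: EventID=4625 User=admin Src=192.168.1.99
2015-11-02T02:10:41 WS-03 Security: EventID=4625 User=administrator Src=192.168.1.99
2015-11-02T02:11:05 WS-03 Security: EventID=4625 User=admin Src=192.168.1.99
2015-11-02T02:11:30 WS-03 Security: EventID=4625 User=guest Src=192.168.1.99
2015-11-02T02:11:50 WS-03 Security: EventID=4624 User=admin Src=192.168.1.99
2015-11-02T03:00:00 srx240 otherdaemon: unrelated message, skipped by the parser
2015-11-02T09:00:01 WS-07 Security: EventID=4624 User=alice Src=192.168.1.21
2015-11-02T09:14:10 WS-12 Security: EventID=4625 User=bob Src=192.168.1.33
2015-11-02T09:40:00 WS-12 Security: EventID=4625 User=bob Src=192.168.1.33
2015-11-02T09:40:30 WS-12 Security: EventID=4624 User=bob Src=192.168.1.33
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) Security: EventID=(?P<eid>\d+) "
    r"User=(?P<user>\S+) Src=(?P<src>\S+)$")

def rate_alerts(lines, event_id="4625", threshold=5,
                window=timedelta(seconds=120)):
    """Return (time, host, source, count) for every burst of `threshold`
    matching events from one source against one host inside `window`.
    Lines are expected in chronological order, as a log collector stores them."""
    recent = defaultdict(deque)          # (host, src) -> recent event times
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["eid"] != event_id:
            continue                     # other event IDs and unparsed lines
        ts = datetime.fromisoformat(m["ts"])
        q = recent[(m["host"], m["src"])]
        q.append(ts)
        while ts - q[0] > window:        # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts.isoformat(), m["host"], m["src"], len(q)))
            q.clear()                    # one alert per burst, not per event
    return alerts

if __name__ == "__main__":
    for alert in rate_alerts(SAMPLE.splitlines()):
        print("ALERT failed-logon burst:", alert)
```

With the default threshold the two mistyped passwords on WS-12 stay silent and only the burst against WS-03 alerts; lowering the threshold or widening the window shows how quickly false positives appear without a baseline.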

Fred MarshallPrincipalAuthor Commented:
OK.  Thanks.
Well this is a very modest-sized network with no more than 50 computers.
So, I imagine that's not a "huge environment", eh?
It sounds promising at least.
btanExec ConsultantCommented:
Should not be an issue but you just have to be savvy and manage the central backend log size and measure up any breaking point when hosts increase beyond the current number.
https://www.manageengine.com/products/eventlog/help/installation/eventlog-system-requirements.html#ram_size