
RSA enVision Questions

Miriam Tover
Content Specialist
IT Central Station

Hi,

We all know it's really hard to get good pricing and cost information.

Please share what you can so you can help your peers.

Julia Frohwein
Content and Social Media Manager
IT Central Station

How do you or your organization use this solution?

Please share with us so that your peers can learn from your experiences.

Thank you!

Julia Frohwein
Content and Social Media Manager
IT Central Station

Hi Everyone,

What do you like most about RSA enVision?

Thanks for sharing your thoughts with the community!

Miriam Tover
Content Specialist
IT Central Station

Please share with the community what you think needs improvement with RSA enVision.

What are its weaknesses? What would you like to see changed in a future version?

Julia Frohwein
Content and Social Media Manager
IT Central Station

If you were talking to someone whose organization is considering RSA enVision, what would you say?

How would you rate it and why? Any other tips or advice?

Security Information and Event Management (SIEM) Questions
Evgeny Belenky
IT Central Station
Nov 24 2021

Hi,

When would you suggest using an internal SOC and when SOC-as-a-Service? What are the pros and cons of each?

Shibu Babuchandran: Hello, Below there are views on the pros and cons of Internal SOC and… more »
Manuel Gellida: Evgeny, I think SOC on-premise means a huge investment (=monthly payment)… more »
reviewer935298: This is a truly good and difficult question. If we could have MSSP that is… more »
Giusel
IT Engineer at UTMStack
Nov 24 2021

Hi community,

I'm working on a document about the Security Operation Center best practices, and I would like to get your inputs about it.

Thanks

Robert Cheruiyot: Hi Giusel, From my little experience, it's always good to have a good working… more »
Shibu Babuchandran: Hi @Giusel, Some of the best practices that I feel are as below. 1. The SOC… more »
Steffen Hornung: Sadly, I can't contribute due to lack of experience in that field. But I would… more »
Bravo Zilenn
User at Insight Alpha
Sep 25 2021

Hi,

Have you tried Google Chronicle? What's your opinion about it?

Thanks,

Chiheb Chebbi
Defender with 501-1,000 employees
Oct 05 2021

Hi community, 

What are your methods to automate Azure Sentinel content deployment? 

Are you adopting a Detection-As-Code approach? What main challenges have you faced? 

Thank you in advance!

Shibu Babuchandran: Hi @Chiheb Chebbi, Please find some of the automated deployment for Azure… more »
Ertugrul Akbas
Manager at a computer software company with 11-50 employees
Sep 13 2021

Hot data is necessary for live security monitoring. 

Archive data (cold data) is not available quickly. It takes days to make archive data live if the archive data time frame is more than 30 days (in most of the SIEM solutions).

As an example, SolarWinds said the attackers first compromised its development environment on Sept. 4, 2019. So, to investigate the SolarWinds case, we have to go back to Sept. 4, 2019, from now on (July 13, 2021). In this case, we need at least 18 months of live data.

Image: SolarWinds

The second example of why hot data is critical is from the IBM data breach report. The average time to identify and contain a breach is 280 days, according to this report.

Hot data gives defenders the quick access they need for real-time threat hunting, but hot data is more expensive than the archive option in current SIEM solutions. 

Keeping data hot for SIEM use is inevitably one of the most expensive data storage options.

What are your thoughts about it, dear professionals?

reviewer1469436: We changed our model to be able to cover such critical long-term cases. We… more »
Chiheb Chebbi
Defender with 501-1,000 employees
Aug 27 2021

Hi community, 

What is the best way to deploy agents/sensors (such as a SIEM agent) in large-scale Windows environments? 

Any hands-on tips or recommendations?

Thank you. 

David Swift: Most SIEMs shouldn't require agents. You can generally configure Windows Event… more »
Jairo Willian Pereira: Some products permit generating a native .MSI package. Sometimes, you can use… more »
Chiheb Chebbi
Defender with 501-1,000 employees
Sep 03 2021

Hi community, 

When one writes detection rules for SIEM solutions, what are the criteria of a good detection rule? 

Can you share any examples?

Thanks.

Shibu Babuchandran: @Chiheb Chebbi, I hope the below test cases are helpful. Test 1 - Recon:… more »
Chiheb Chebbi
Defender with 501-1,000 employees
Aug 24 2021

Hi community,

Once a SIEM is deployed successfully, what are the top use cases you'd recommend to implement for the Microsoft environment? 

Thank you in advance!

Shibu Babuchandran: Some of the use cases that are important and a good start would be: -… more »
Shibu Babuchandran: Some of the Top use cases for SIEM: 1. Authentication activities Security… more »
John Rendy: That's excellent, @Chiheb Chebbi. Now you would want to see if all your… more »
Felicia Jonelle
User
Aug 10 2021

Hi community,

Which SIEM for small/medium-sized companies do you consider the most economical?

Splunk, Security Onion, UTMStack, other? What do you like about it vs other ones?

Shibu Babuchandran: Personally, the way I have analyzed is depending on the requirement of the… more »
Jairo Willian Pereira: ELK, graylog, OSSIM and Apache Metron (or another Hadoop-like open… more »
Navin Rehnius
Security Engineer at a tech services company with 201-500 employees
Aug 12 2021

Hello,

Is Rapid7 InsightIDR an efficient solution (to be used in SOC as an analysis tool) in comparison with other SIEM products, such as IBM QRadar, Splunk, and LogRhythm NextGen SIEM?

John Rendy: No, Navin. The use of SIEM products will focus a lot broader on managing all… more »
Evgeny Belenky
IT Central Station
Aug 27 2021

Hi community members,

Let's discuss what are the main differences between UEBA (User and Entity Behavior Analytics) and SIEM (Security Information and Event Management) solutions.

Tjeerd Saijoen: Many SIEM solutions like QRadar are using UEBA in a SIEM solution. User and… more »
Navin Rehnius: SIEM is the platform where we can see all of the security events. Here we can… more »
David Swift: SIEM vs UEBA 1. SIEM is designed to store events for extended periods… more »
Evgeny Belenky
IT Central Station
Sep 08 2021
Trends in Security Operations Center (SOC)

Hi community,

We would like to hear your insights on the latest trends in SOC. What are you seeing in the field or forecasting? 

Please share your opinion on how these trends are going to influence the future of the relevant solutions, tools, etc. used in SOC.

Looking forward to hearing your insights,

Thanks!

John Rendy: Evgeny, My personal experience tells me that SOC will be driven by… more »
William Milton
User at VAE-MARMARA8

Hi, I'm looking for a technical comparison between Splunk Phantom SOAR and FireEye SOAR solutions.

Can anyone help with insights?

Electronics Engineering Lab Technician (R&D) at an engineering company with 11-50 employees
Aug 09 2021

I have slowly switched our entire network over to Fortinet products over the past few years and been pleased with the products overall. 

I would like to utilize FortiSIEM for more robust monitoring and response, but the cost is extremely prohibitive for my company (<25 employees). Suggestions?

Rony_Sklar
IT Central Station
Jun 28 2021

There are many cybersecurity tools available, but some aren't doing the job that they should be doing. 

What are some of the threats that may be associated with using 'fake' cybersecurity tools?

What can people do to ensure that they're using a tool that actually does what it says it does?

SimonClark: Dan Doggendorf gave sound advice. Whilst some of the free or cheap… more »
Dan Doggendorf: The biggest threat is risks you think you have managed are not managed at all so… more »
Javier Medina: You should build a lab, try the tools and analyze the traffic and behavior with… more »
Rony_Sklar
IT Central Station
Aug 09 2021

How do log management and SIEM differ? Is it necessary to have separate tools for each function or can these functions be rolled into one solution?

Which products are best for SIEM, and which are better for log management? Do you have recommendations of products that effectively combine both log management and SIEM?

Lindsay Mieth: Rony, Daniel's answer is right on the money. There are many solutions for each… more »
Daniel Sichel: Log Management is just that, it looks at logs from devices and attempts to make… more »
David Rivas Huete: In short, Log Management refers to the collection, storage, and organizing of… more »
Rony_Sklar
IT Central Station

Do you have recommendations for the best SIEM tool to invest in for a large financial services provider? What particular features of your recommended tool make it the best choice?

Abhishek RVRK Sharma: Hello, First off, look for a SIEM that offers customized content for financial… more »
Daniel Sichel: I would take a long hard look at IBM QRadar. The user behavior analytics will… more »
Dan Feraru
Owner at Infodava

I'm the owner of a small tech services company. 

I'm looking for help with a template for a SIEM PoC (high-level, generic document). Can anyone help? 

Thank you, Dan

Abhishek RVRK Sharma: Hello Dan, Most SIEM vendors have a PoC script that they will run you… more »
Rony_Sklar
IT Central Station
Sep 07 2021

Hello community, 

What are the differences between how NDR and SIEM work? 

What are the pros and cons of each? Is it necessary to have both types of tools?

DK Shrivastava: NDR is just analysis of network behaviour and forms a part of SIEM strategy. It… more »
Jairo Willian Pereira: SIEM aggregates data from multiple systems (like an EDR solution, IDS/IPS etc.)… more »
Lindsay Mieth: Your SIEM should receive and process traffic generated by your NDR as well as… more »
Sanguan Treejareonwiwat
President at Chunbok Company Limited

Can anyone advise on which SIEM will work best with Palo Alto Cortex XDR?

Thanks!

Jairo Willian Pereira: I think most of them understand "de-facto standards" very well (including Palo… more »
Michael Dean: I would advise not using LogRhythm. They do not have a log parser for the… more »
reviewer1406157: Palo Alto Networks and IBM have partnered to deliver logging extensions for… more »
Malola Varadhan
User at First Abu Dhabi Bank P.j.s.c
Nov 16 2021

I work at a mid-sized enterprise bank. I am researching SIEM solutions. Which is the best tool for security information and event management: Arcsight or Securonix?

Abhishek RVRK Sharma: That is kind of like asking: I want a car, what would you recommend? Your… more »
Consulta85d2: Neither, or both. Having done literally thousands of SIEM deployments, I can… more »
Himanshu Shah: Arcsight is a legacy SIEM, a robust log management tool; however, it works on EPS (… more »
Rony_Sklar
IT Central Station
Aug 31 2021

SIEM and SOAR have a lot of components in common. How do they differ in the role they play in Cyber Security?

If you've been working in cybersecurity, you've likely come across SOAR and SIEM technologies. There are differences between their capabilities, although they have a fair amount of commonalities. They both collect data, but the quantity of data, type of data, and type of response is where they differ. As threats have advanced, security professionals may be in need of both.

That's where SOAR and SIEM come to the rescue, although there has been some confusion as to the difference between the two. The two technologies have different competencies, but can be combined to increase a security team's or SOC's effectiveness.

We've evaluated the differences of the best SIEM tools and top SOAR tools to clear up the differences between each.

SIEM vs SOAR

In short, SIEM aggregates and correlates data from multiple security systems to generate alerts while SOAR acts as the remediation and response engine to those alerts.

SIEM is the collection and aggregation of security data sourced from integrated platforms logging event-related data - firewalls, network appliances, intrusion detection and prevention systems, etc. - then correlates data across devices, categorizes, and analyzes incidents before issuing alerts. The alerts are identified by using sophisticated analytical techniques and machine learning, which require fine tuning. This leaves a lot of alerts for a security team or SOC to prioritize and remediate; a difficult, time-consuming process.

SOAR, on the other hand, is designed to help security teams automate the response process by gathering alerts, managing cases, and responding to the endless alerts generated by SIEM. With SOAR, security teams can integrate with security alerts and create adaptive, automated incident response workflows. This gives SecOps the ability to prioritize threats and deliver faster results.

reviewer1510752: SIEM involves in collection, correlation and aggregation of security logs and… more »
Marcus Gaither: What is SIEM? Firewalls, network appliances, and intrusion detection systems… more »
Hasan Zuberi (HZ): It's not easy to understand the key differences when looking at SOAR vs. SIEM… more »
Rony_Sklar
IT Central Station

Are event correlation and aggregation both needed for effective event monitoring and SIEM? 

David Collier: Both are techniques aimed at reducing the number of active alerts an operator… more »
Ertugrul Akbas: They are not the same. For event monitoring (log management), aggregation is enough… more »
Willa Ou: Yes, both of them are needed. Since their concepts have been well discussed… more »
Dr. Thulaganyo Rabogadi
Director, Technical at a government with 201-500 employees
Oct 29 2021

I am the technical director of a science and technology division for the government. 

Which SIEM solution would deliver the best ability to identify, protect, detect, respond and recover from a cyber attack?

Thanks! I appreciate your help. 

Gabriel Crespo: I think you are missing the point here. Many SIEM solutions will give you… more »
Gregg Woodcock: I am admittedly biased but there are very good reasons that Splunk is the leader… more »
AdrianMache: Depending on your goals in designing and implementing this resource, whatever… more »
Miriam Tover
Content Specialist
IT Central Station
Jul 26 2021

Hi dear community members, 

There's a lot of SIEM solutions. SIEMs are not something you just install and wait for great things to happen, right?

What questions should someone ask before purchasing a SIEM?

Help your peers ask the right questions so that they'll make the best decision.

Thanks

reviewer1057374: Some areas and questions for evaluating a SIEM solution. These are some common… more »
Rainier Varilla: Discovery questions you should ask any SIEM vendor: -Would you like more… more »
Simo Sim: That is correct, you don't just install it and that is it. There is quite some… more »
Nurit Sherman
Content Specialist
IT Central Station
Nov 01 2021

There are so many SIEM solutions out there and so much vendor hype in the market. Conducting an effective trial is really important!

A number of community members are currently evaluating solutions.

Do you have any advice for them about the best way to conduct a trial or POC? 

How do you conduct a trial effectively? 

Are there any mistakes to avoid?

it_user844146: 1. Understand your environment: Segments, microsegments etc. Know where… more »
Siddhant Mishra: Hi Rhea, When it comes to evaluating a SIEM solution, there is a bit of… more »
Mohamed OTHMAN: When speaking of SIEM, it should be (probably) one of the last solutions that with… more »