User Activity

3 months ago
As several have said, it depends on quite a few factors. 1. What use cases are you trying to solve? - Search/Threat Hunting is easy and a baseline, Splunk does a great job, as do Sumo, AlertLogic, Devo and a few others in the cloud for even less than Splunk. - Threat…
3 months ago
@Norman Freitag It's not top rated by analyst firms. While it's easy to ingest data, it takes a lot of care and feeding, and licensing gets expensive as the size grows. Good for NOC use cases, much tougher for SOC, and requires expensive add-ons like Caspida for Insider and…
4 months ago
You're describing the use cases for a Web Application Firewall: web-specific IDS, injection, attack detection and mitigation. Cloudflare is one you might look at. Imperva, Whitehat... several vendors and products to choose from. One in the cloud that also does DDoS…
4 months ago
Incident Response playbooks detail how to act when a threat or incident occurs. PICERL - Preparation, Identification, Containment, Eradication, Remediation, Lessons Learned (from SANS). The playbook outlines what to do at each stage. Typical SOAR playbooks automate the…
5 months ago
It would really depend on (1) which logs you need to ingest and (2) what your use cases are. Splunk is easy for ingestion of anything, but they charge per GB/day indexed, and it gets expensive as log volume increases. Splunk is good for operations-style use cases (NOC), but…
5 months ago
SIEM vs UEBA
1. SIEM is designed to store events for extended periods (typically 365 days); UEBA violations/rule triggers add to risk scores but generally function on real-time data and < 30-day-old data.
2. SIEMs are generally Rule-Based - "If X Happens Y Times in Z Time…
5 months ago
@Shibu Babuchandran Splunk gets expensive as your size grows. It's the St. Bernard puppy. ELK, Metron, Graylog are the common entry log collectors if you have a minimal budget. But I would suggest small organizations should look to partner with an MSSP for managed SOC/SIEM…
5 months ago
As a rule, a SIEM correlation should:
1) Reduce events by 99.99% - raw events to correlations
2) Impact system performance by <1%
3) Produce Correlated Threats with >35% true positive rate on investigation - 33% are usually false positives or misconfigurations (not…
5 months ago
Most SIEMs shouldn't require agents. You can generally configure Windows Event Forwarding (WEF) to a Windows Event Collector (WEC), and then forward logs via one agent on the WEC for multiple endpoints. We use NXLOG at Securonix. I would suggest if you need to deploy…
5 months ago
There are 26 base use cases every SIEM should run that find Indicators of Compromise (IOCs) on machines. They follow two basic patterns - Everything Counts in Large Amounts and Do Any Two Things Wrong, Go to the Top of the List. Success After Fail is another common…

Answers

3 months ago
Security Information and Event Management (SIEM)
4 months ago
User Behavior Analytics - UEBA
4 months ago
IT Alerting and Incident Management
5 months ago
Security Information and Event Management (SIEM)
5 months ago
Security Information and Event Management (SIEM)
5 months ago
Security Information and Event Management (SIEM)
5 months ago
Security Information and Event Management (SIEM)