ottoe57 t1_iuxnnzj wrote
Thank you for doing this AMA.
What are your thoughts on SIEM technologies? There doesn't seem to be a single security professional that loves their SIEM. They are noisy. They are overly complicated. They are expensive. They require more care and feeding than a newborn. Are they only a necessary evil? Or do they really provide value?
Offsec_Community OP t1_iuxpin2 wrote
Great question. Some SIEMs are the worst and some are great. I like Splunk a lot because it is easy to use. I think it is something that is needed in an enterprise network. They are as good as you set them up to be. A lot of places just sent logs to their SIEM and thats it. They do not tune their logs or anything. You have to spend time making it work correctly. You have to spend the time making worth while alerts and dashboards. When we would deploy to a network the first thing we would do would be is fine tune our SIEM. Making sure the correct logs are going in and not just all the logs.
long answer short is they are as good as you let them work. Spend the time to tune them and make them work well for your organization.
Viewing a single comment thread. View all comments