Open source SIEM solutions provide basic functionality that can be great for smaller organizations that are just beginning to log and analyze their security event data. But over time, many IT pros find that open source SIEM software is too labor-intensive to be a viable option as the organization grows.
In short, many organizations simply outgrow their open source solution.
Recent changes in regulations such as PCI-DSS and the European Union's GDPR have made it essential that system and application log events are collected from individual servers or virtual machines and stored securely for analysis and action. This is no longer optional; it is a must-do activity to protect your business.
As technology has advanced, SIEM solutions have mainly consisted of high-end software aimed at enterprises. These solutions have a robust set of features, but the complexities of implementing and maintaining them tend to turn off smaller organizations.
If you're not looking for an enterprise-level SIEM, you might be considering and comparing open source SIEM tools such as Nagios Core or AlienVault's OSSIM. These solutions are great for experimentation: for figuring out what you really need to monitor and track, and for taking action when you identify suspicious behavior.
This comes with a warning, though. Starting a purely open source project can take six to twelve months to establish a baseline for your operational and security alerting needs. Few organizations can spare the headcount for this type of project.
However, if your organization is currently looking at implementing a SIEM solution, you have a few different options to consider.
Upgrade Your Open Source SIEM Tool
Wrap the open source solution in an integrated service. A service provider will fix bugs (essential), provide pre-built integrations (a major time saver), and offer consulting to get you live as quickly as possible.
This is particularly useful if you are chasing a drop-dead compliance date. For example, GroundWork Software wraps Nagios together with other tools into GroundWork Monitor, and AlienVault offers a commercial edition of its solution.
Invest In an Enterprise-Level SIEM
A small number of enterprise-level SIEM solutions now offer cloud-hosted editions that may suit your budget. Keep in mind you may have data privacy issues with moving data to the public cloud. Check with your auditors before you select a vendor. Some major players do not provide cloud editions, but in certain geographies licensed service providers do package a solution for use this way.
Try Out a Mid-Market SIEM
Look at the latest generation of mid-market SIEM solutions, which are advanced yet lightweight. This type of solution is ideal for organizations that don't have the staff or the budget for a full enterprise SIEM. There are a variety of mid-range SIEM solutions on the market that are easy to use and provide better value than some of the heavyweight options, without the complexity.
One option to consider is Event Manager, a SIEM solution that’s easier to implement than an enterprise-level option. Event Manager escalates critical events in real time, separating them from the ones that don’t require attention. Data from different sources is translated into a common format, which accelerates response and resolution time. Event Manager also provides a complete audit trail of security events, investigations, closed cases, and reported incidents.