1. Scalability — Ensure the solution has the capability to accommodate the current and the projected growth

2. Log compatibility — Ensure that the solution is compatible with your logs

3. Correlation engine — Does the solution have the ability to search across multiple devices and logs

4. Forensic capabilities — Does the solution offer forensic analysis capabilities from the event source

5. Dashboards — The solution must provide the ability to easily create dashboards and reports

6. Threat intelligence — Find out if the solution has the ability to integrate with internal/external intelligence sources

7. Compliance Reporting

8. Incident response

9. Machine Learning. Can the system improve its own accuracy through machine learning and deep learning?

10. Performance

Scalability

SureLog can scale into any organization — big or small, locally based or operating globally [1]. ANET SureLog “Hierarchical Master-Slave Model” manage events in a distributed manner for offloading the processing requirements of the log management system for tasks such as collecting, filtering, normalization, aggregation. This model also is solution for security related issues and incremental approach. The main advantage of “Hierarchical Master-Slave Model” is easily extendable and scalable by adding regional SIEM implementations. [2,3]

This article may interest you

SQL Streaming Based Thread Detection in SureLog SIEM

Log compatibility

SIEM functions based not just on its correlation rules but on the data you feed it. Feeding your SIEM security-related data results in more accurate alerts.

Currently, most of the SIEM products support hundreds of log formats. If there is a log format that is not supported, there is an API for custom log parser. SureLog has nearly 500+ supported device.

Correlation engine

SIEM use cases or rules are the %80 of the value of the product. Check the predefined rule list for the product and also check are there any restrictions. A Next-Gen SIEM correlation engine will be very helpful to analysts indeed. Not all SIEM correlation rules, use cases are created equal and it is hard to find a SIEM that supports both core, advanced and intelligent use cases at an affordable price. [4,5,6,7,8,18].

All the SIEM products have correlation but not all SIEM solutions are created equal. Detailed analysis required to understand the difference of correlation capabilities. For example, most of the SIEM solutions have watchlist or list management feature, but only some them and SureLog has multidimensional list management capability in correlation [33,34]. Some solutions like SureLog update multiple lists, sets at the same time [34] while others have not.

Correlation and detection methods and correlation features diversity are important like detecting what never seen before and many others. SureLog can play a huge role in making analysts’ jobs easier with many modern detection and correlation features like never seen before type of rules [18].

Advanced features like

· Never seen type of rules

· Trend rules

· UBA rules

· Anomaly detection rules

· Change comparison rules

· List management

· Taxonomy rules

are the key features for a successful detection. They are all supported by SureLog. Sample distinguishing use cases supported by SureLog:

• Returns days where a user accessed more than his 95th percentile number of assets

• Look for a user whose HTTP to DNS protocol ratio is %300 more than %95 of the other users for the last four-week ratio for 4th day of week

• If a user number of failed authentication ratio to number of successful authentication is %10, alert

• Data loss detection by monitoring all endpoints for an abnormal volume of data egress

• Measures the similarity between well-known process names with the running ones using Levenshtein distance in real-time and detect process masquerade

• DGA detection

• Failed logon to an asset that a user has previously never logged on to

• First time user is performing an activity from a country

• First VPN connection from a device for a user

• First connection from a source IP

• First access to a device for a user

• First access to database MSSQL for peer group HR

• First access to database MSSQL for user

• First mail to/from a domain for the organization

• First access to this web domain which has been identified as risky by a reputation feed

• First execution of a process on a host

• First access to object fdghsdydhas

• First access from a host to a database for a user

• First access from source zone Atlanta office to a database for a user

• Suspicious temporary account activity

• Abnormal account administration

• Unusual account privilege escalation

• Unusual file modifications

• Abnormal password activity

Forensic capabilities

Almost every company needs a solution for protecting its sensitive data and detecting suspicious activity in real time. Besides, when an incident occurs, companies want to be able to provide digital evidence in the courtroom. Integrity also critical. This is usually achieved by using integrity mechanisms, such as running hash checks on blocks of stored log data. Historical log data must be secured either with a checksum in the form of a popular hash — MD5, SHA1, SHA2, etc. — or with a digital signature.

Easily aggregate and search logs within a single platform is critical.

The latest study by the Ponemon Institute on behalf of IBM found that the average time required to identify a data breach is currently 197 days [35]. So having logs under hands at least 197 days is a good plus and makes everything easy for detection and forensic analysis. It is achieved by live search capability. Disk usage for live search is the most critical parameter. Every SIEM solution has its technology with advantages and disadvantages for live search. Some examples:

IBM Qradar:

How much space is used per day in bytes can be calculated with the following formula: [eps rate] * ([AveragePayloadSize in bytes] + [AverageRecordsSize in bytes]) * 86400 [9]

Splunk:

You can estimate how much index disk space you will need for a given amount of incoming data. Typically, the compressed rawdata file is 10% the size of the incoming, pre-indexed raw data. The associated index files range in size from approximately 10% to 110% of the rawdata file. The number of unique terms in the data affect this value [10].

McAfee SIEM:

Due to the number of enabled standard indexes on McAfee ESM, you can add only 5 indexes to an accumulator field. If you need more than 5, you can disable up to 42 unused standard indexes (such as sessionid, src/dst mac, src/dst port, src/dst zone, src/dst geolocation).

McAfee ESM uses standard indexes to generate queries, reports, alarms, and views. If you disable an index, McAfee ESM notifies you when it can’t generate a query, report, alarm, or view due to a disabled index, but it does not identify which index is disabled. Due to this limitation, do not disable standard indexes unless needed [11].

ElasticSearch (Lucene Based Solutions)

You can estimate how much index disk space you will need for a given amount of incoming data.

disk space used(original) = 1/3 original for each indexed field + 1 * original for stored + 2 * original per field with term vectors [12].

AlienVault:

Alienvault USM All-in-One has a limit of 200 million events in its database. There are not more than 200 million events in the Alienvault USM All-in-One SIEM database [13,14].

SureLog:

SureLog compresses indexes. Compressing indexes give SureLog the advantage of live search, real-time search capability for years. An example of a SureLog disk capacity requirement of a live search for 5000 EPS for one year is 5 GB. SureLog live search disk usage performance is the best among competitors. When SureLog disk usage for live search compares to Elasticsearch and Lucene based systems, the result depicted in the below graph. It is shown that SureLog compress much more than Elasticsearch and Lucene.

Dashboards

Real-Time monitoring and dashboards permits visibility at the desired level via security-based, pre-defined and customizable analysis.

In addition, you can create real time and easy reports by preparing dashboards and widgets which are appropriate for your new ad hoc requirements.

The SureLog application features dashboards on various security topics. Dashboards deliver monitoring and reporting metrics to track the state of security throughout the network. These are simple to configure and user friendly, while allowing users to read a summary of existing network infrastructure data using graphs and tables [15,16].

Threat intelligence

Threats are dynamic and attack vectors change constantly. Respond quickly and minimize damage by using the rich external context enabled by threat intelligence. Immediately know about dangerous IP addresses, files, processes, and other risks in your environment.

SureLog combines multiple threat intelligence feeds and generates alerts for the benefit of the security team. SureLog uses this data to reduce false-positives, detect hidden threats, and prioritize your most concerning alarms.

Compliance Reporting

Regulatory compliance is necessary. SIEM will help to save time and ensure compliance with predefined reports. Creating a productive SIEM environment requires plenty of predefined reports you need on a daily, weekly or monthly basis and also easy to create reporting infrastructure [16].

SureLog has more than 1400 predefined reports and very easy &fast reporting infrastructure [16,17,18,19].

Incident response

Incident response is an action that SIEM takes in response to suspicious activity or an attack. Active response actions include the Block IP active response, the Disable Networking active response, the Log off User active response, the Kill Process active response and so on. SureLog also supports to execute any executable file as a response with parameters from detection rules [20,21]

Machine Learning

Machine learning in SIEM takes cybersecurity rules and data to help facilitate security analytics. As a result, it can reduce the effort or time spent on rote tasks or even more sophisticated duties. With the right configurations, machine learning can actually make decisions based on the data it receives and change its behavior accordingly. SureLog has many ML models [22,23,24,25,26,27,28]. Some of the ML models used by SureLog

· Detecting tools used by cyber criminals

· Hunting critical process masquerade

· Hunting malware and viruses by detecting random strings

· Domain generation algorithm (DGA) detection

· Profiling user and entity behaviour

Performance

The performance analyses of SIEM products are very important in terms of evaluation.

The running performance of SIEM products, the resources which they require (CPU, RAM, DISK) and how they will show performance in the EPS value needed is very important. There are two kind of evaluation parameters:

· Limits and recommendations

· Requirements

Many SIEM products documented limits and recommendations like:

AlienVault:

AlienVault USM Appliance All-in-One has 1000 EPS data collection and 1000 EPS correlation limits or restrictions [13,14]

Solarwinds LEM

A properly configured LEM can handle up to 200 million events per day, or 2,500 EPS (events per second). Conversely, limiting the ‘reservations’ (appropriate CPU and RAM) will result in poor performance and instability. While the maximum EPS limit is 2500 EPS the requirement for 2500 EPS is 96–128GB Ram 16-CPU @2Ghz [30].

McAfee

Maximum Ingestion Events Per Second (iEPS) describes peak advertised EPS for this appliance. iEPS is based on out-of-box settings with no adjustments to default event or flow aggregation and very Stilted overall SIEM user activity (Users, Alarms, Reports, loCs, etc.). Any customization in the configuration or increase in user activity may result in reduced observed EPS rates [31]. Maximum Ingestion Events Per Second (iEPS) is 1500 for VM version of McAfee SIEM [31].