Arguments for Open-Source SIEM

Author: Andrew Mikhaliuk, CEO of CoreWin

In the beginning was SIEM. And SIEM was bad.

When SIEM first appeared on the scene in the mid-2000s, it helped organizations deal with numerous intrusion alerts by optimizing tasks that were previously performed by two separate technologies:

  • The Security Information Management System (SIM), which collected, stored, and analyzed log data.
  • The Security Event Management (SEM) system, which provided real-time monitoring, event correlation, and alerts.

However, the old SIEMs were expensive, difficult to set up and manage, and undoubtedly caused fatigue for analysts and response teams. But over the years, these systems have evolved. SIEMs are now based on big data infrastructure, allowing them to comb through huge data sets and provide users with a broad overview of everything that’s happening on their network. They combine all security-focused log sources: from firewall and proxy logs to domain controller and threat detection logs, into a single, centralized location. Finally, they use correlation and behavioral detection rules to show patterns and extract meaningful information needed for compliance reporting and threat alerts.

The cost, however, is still a problem for many.

Currently, the community is divided into 2 camps:

  1. Against Open-Source: The large-scale next-generation SIEM vendors that offer all these flashy new features like SOAR (Security Orchestration, Automation, and Response, which allows the SIEM to automatically respond to threats) and UEBA (User and Entity Behavior Analytics, a tool that uses machine learning to detect suspicious behavior patterns) often criticize open-source technology. They argue that open-source SIEMs do not offer adequate data storage and lack standardized capabilities. These large-scale SIEMs still come at a high price, which of course makes them difficult for small and medium-sized businesses to afford.
  2. On the other hand, talented cybersecurity engineers have explored the open-source technology landscape. Their goal was to save costs while providing flexibility and customization. They have implemented superior and much more affordable technology solutions in their SIEMs. These solutions significantly enhance visibility and improve incident response capabilities.

Pros

When it comes to open-source SIEM technology and software, the pros far outweigh the cons:

  • It’s becoming the norm. Amazon, IBM, Google. These companies and many more are using open-source technology software for their online businesses. In fact, open-source code currently powers approximately 90% of the Internet.
  • Community. Together, talented experts and hobbyists scrutinize, edit, and improve software and other resources developed by their peers.
  • Customizability. Open-source software is usually of high quality and well-designed. When you use open-source software, the source code is available for viewing and editing, which gives you more freedom and allows you to effectively eliminate “perceived flaws” in open-source.
  • Reliability. Support for open-source solutions is typically much more affordable. Often, the solution to a problem can be easily found in online communities. They are filled with people who have had similar experiences to yours and are willing to help you with any issue you may face.

Cons

A few disadvantages include:

  • Using open-source SIEM software can be labor-intensive. It’s true, but: If you take the time to implement open-source technology, your SIEM will be everything you want it to be. And by designing and implementing according to your unique needs, you’ll not only maximize your investment in staff, but also save on capital expenditures.
  • Open-source SIEM solutions lack some features of paid solutions. It’s true, but: you can integrate your open-source solutions without any license concerns, complementing the SIEM functionality. For example, you can integrate Wazuh’s SIEM and XDR system with a MISP’s incident investigation system.
  • Open-source SIEMs require a high level of knowledge and time to deploy. That’s true. But off-the-shelf solutions also require time and expertise to deploy. As even these types of solutions are not, and cannot be, plug’n’play.
  • Open-source SIEMs do not provide or manage storage. That’s true, but it’s not true for all solutions. You can install an enterprise-level solution in your company, but you are still responsible for managing your storage. Even if storage is “included” in the SIEM, you still pay for it. The cost may simply be included in the total price. And if you combine an open-source SIEM with a cloud-based storage solution (e.g., Amazon S3), you don’t manage the storage, it’s managed for a fee by the cloud provider.

Conclusion

Ultimately, if you decide to try an open-source SIEM solution, consider using a trusted partner, such as an authorized or certified integrator who is competent in your specific Open-Source SIEM. This way, you don’t have to worry about any of these “downsides”. Your system will be implemented and configured to provide the full scope of its capabilities that your business needs.

That’s what it really comes down to: A SIEM system is only as good as the people who implement and maintain it. Because whether you use an open-source SIEM or a paid solution from a well-known software vendor, your SIEM still needs people to implement and monitor it, and respond to alerts.

Subscribe to news