Chris Crowley, Summit Chair, SANS Institute
Craig L. Bowser, Sr. Security Engineer, Dept. of Energy
Justin Henderson, Instructor & Course Author, SANS Institute
Dave Herrald, Staff Security Strategist, Splunk
SIEMs have been a central tool of SOCs for at least a decade. There are currently a significant number of vendors in this space, each of whom offer different strengths that appeal to different organizations. While there are many measures that can be used to compare each vendor (i.e. Gartner magic quadrant, Proof of Concepts, or personal experiences), we want to focus on what they all do: help SOCs monitor and find “bad.” This will show that even if your SIEM doesn’t look like someone else’s SIEM, you can monitor and detect the bad guys just as well as anyone else. To demonstrate this fact, we will take several SMEs, knowledgeable on different SIEM vendors, and give them two use cases each. They will demonstrate how each SIEM can be configured to monitor for an alert on that specific activity in an enterprise. This will include information about the level of effort needed, the data sources required, and a list of steps that you can use for implementation in your environment. The goal of this is not to bash competitors, but to encourage SOCs not to view their tool as a handicap, but to be inspired to find creative solutions.