Is a commercial SIEM total overkill for an 11-FTE company? Help me satisfy auditors.
Posted by Cultural_Eye_4460@reddit | sysadmin | 28 comments
Hi
I'm the sysadmin in a full Linux environment at a small company (~11 FTE) which develops and provides services, software and devices for medical research, and thus must be compliant with many regulations. We are ISO 27001 certified and in the midst of obtaining ISO 13485 certification so that our products can also be warranted for medical use.
Now, one area of improvement is active log monitoring; this also comes from feedback of audits and risk assessments performed by partners and clients (think of big pharma, national health institutes). Their CISOs and security advisors always steer toward fully fledged commercial SIEM solutions. My boss and I agree, but given our company size, budget and time constraints such solutions seem quite overkill and expensive.
How do you guys perform preemptive log monitoring for security events and anomalies? Preferably free / open source / on-prem, something that works easily out of the box and integrates well with logs from common Linux services (LDAP, SSSD, SSHD, Kea / BIND9, NFS, etc.).
We already have a dedicated machine as an rsyslog collector for all our workstations and servers, which performs some basic custom pattern matching and alerting (not ideal, implemented by my predecessor).
I've been experimenting lightly with OSSEC, Wazuh and OpenObserve over the past weeks. Great tools, but they require a lot of attention and time to obtain meaningful use from them, and now I'm reading up on Graylog.
Thanks in advance for any feedback and suggestions,
G
RepulsiveDuck331@reddit
Wazuh is honestly fine for your size if you commit to tuning it. We deployed it for a 20-person biotech last year, single all-in-one node, agents on every Linux box, feeding from rsyslog where agents weren't practical (network gear, BIND, Kea). Took maybe two weeks to get the noise down to actionable.
What saved us was being ruthless with the default rulesets. Disabled half of them, kept SSH auth, sudo, LDAP/SSSD failures, file integrity on /etc and binaries, and audit rules for the medical data paths. Auditors loved the built-in PCI/HIPAA/GDPR compliance dashboards even though none applied directly, just showed intent.
Graylog on top if you want better search ergonomics, but Wazuh alone covered our 27001 surveillance audit no problem.
pizzacake15@reddit
Find a managed service for this. Some EDR solutions offer MDR (Managed Detection and Response) services that will handle at least L1 triage.
cwk9@reddit
If you're an Azure/365 shop you might want to check out Azure Sentinel. It can scale down well for smaller orgs, with lots of 365 stuff ready to go out of the box. Another option is an MSSP: you ship your logs and have them deal with the SIEM and monitoring in their SOC. Open source stuff is great, but with a small number of people you risk it being a big distraction from all the other stuff you need to get done.
alphaxion@reddit
You can easily run your own Elastic stack in-house and use that for your SIEM for free. An enterprise license is needed for more advanced features and for support, but you would have full control of your solution by self-hosting.
hoinurd@reddit
One more upvote for Huntress. You may have problems with getting only 11 licenses though. Every company has minimum numbers.
screampuff@reddit
Buy it from a MSP.
Head_Personality_431@reddit
Hey G, for ISO 27001 your auditors mainly want to see that you have a documented log monitoring process and evidence that you're actually reviewing alerts, the specific tool matters less than you'd think. Wazuh is honestly a solid choice for your situation and I've seen smaller orgs get through audits with it just fine, the key is tuning it to reduce noise so your team can actually act on alerts. For 13485 you'll also want to make sure whatever you pick supports your audit trail requirements around medical device software, so keep that in mind when evaluating. Happy to chat more about what auditors typically look for if that helps.
screampuff@reddit
Is a SIEM overkill? No
Is trying to manage it yourself the wrong way to approach it? Yes.
networkn@reddit
Find a partner who uses Huntress or Blumira. Sleep well knowing people who do this for a living have your back.
Arudinne@reddit
We just got something like this set up. It would definitely cost several times as much to make sure we had 24/7 coverage, especially since we aren't a 24/7 company and I imagine it would be extremely boring for the night shift.
networkn@reddit
I mean it's really unthinkable at under 500 people IMO.
gangaskan@reddit
Taking this on on your own is massive.
I agree, pay a 3rd party to do it, in the long run, it's 100000% worth the investment
Kamikaze_Wombat@reddit
I haven't used Huntress' SIEM product but I like all their other products and their support team, and their SIEM product looks to have inexpensive pricing.
networkn@reddit
It's a pretty easy decision if you know their other products.
pkvmsp123@reddit
Another vote here. Outsource, and sleep well. Plenty of established providers who do a great job. Blumira is great. Huntress is a fantastic option as well. You can also consider BlackpointCyber.
Craig__D@reddit
I second the Blumira suggestion
signamax@reddit
So my thoughts are mixed, and depends on what you are looking for.
If you need real active monitoring of the data and help managing the tool, your best option may be to find a quality MSSP you can contract with to outsource the entire issue.
If however you are looking for something you can do yourself on-prem and have available, I'd lean towards Gravwell. Gravwell handles unstructured data, which makes it very easy to get information into the tool. Structure is done on read (like Splunk) and the query language is pretty easy to learn (pipe modules together like a Linux command line, and among the tools are fully compatible versions of grep and awk, which really lowers the entry bar for people already familiar with traditional Linux tools). Their licensing is also very generous for a commercial tool, so your company size probably falls under the free Community Edition (advanced?) limits. Self-hosting is pretty easy with basic config files, and the components are available via Docker, .deb, or .rpm packages.
Ultimately the real cost with any SIEM is the care and feeding. It's the tuning of alerts and actually looking at the data you ingest which is the real hidden cost in resources and time. That's one reason outsourcing may be the best option for many people.
lynniegreco@reddit
From an HR lens, outsourced SIEM makes sense here. Auditors care about accountability, not just tech. Paying a vendor shifts liability and gives you a throat to choke. Worth the cost.
discosoc@reddit
Logging basically has nothing to do with the size of your company head count, for what it’s worth. Factor costs against potential revenue.
unix_heretic@reddit
The reality is a bit in-between.
Your current solution isn't necessarily sufficient, in the sense that it's going to take a lot more evidence for your solution to satisfy auditors, and from your post, the current solution isn't cutting it at all.
On the flipside, it is unreasonable to expect you to spin up and babysit a full Splunk estate.
There is a middle-ground: there are smaller SaaS offerings for SIEM and similar solutions. The SaaS provider will sign off on any sort of BAA (if you're in the US) or the equivalent in your compliance jurisdiction. You might maintain some centralization, but you basically end up shipping the logs to the provider - they can handle retention, security of the logs, aggregation, alerting, etc.
soul_stumbler@reddit
The two free SIEMs I've used in the past are Graylog and Gravwell. Both have their own pros and cons.
Graylog has been around forever and has a paid model if you end up needing to go that route, albeit not cheap. It is a traditional SIEM for structured, defined data, but there are a lot of good resources for AD log dashboards, major firewall providers, etc. I've used it to satisfy multiple audit and legal requests in the past with the free version.
Gravwell is much newer but has a much different approach to data. It will accept anything and everything you throw at it, from install. Now there are some performance hits, and you can tune it to expect JSON, CSV, XML etc., but from an administrative standpoint for a SIEM it's super convenient and easy to use. The support is incredible and I currently use it in my 9-5. I was a long-time Graylog fan and at this point, with a small team, I would recommend Gravwell.
Again, both are good and solve different issues but both are very viable options.
For log forwarding we use NXLog, which also has a free version.
phunky54@reddit
There are log aggregation tools like Graylog that have open source versions. You can tune it to alert on any specific log entries that you are looking for. Keep in mind, this will take a while to set up and tune to your needs, but it might be cheaper than buying a bigger product.
CantPullOutRightNow@reddit
It is not overkill. You are high risk because of the industry the company is in. If you do not have a SOC provider, start evaluating them.
OkEmployment4437@reddit
Nah, a full SIEM for 11 people is probably solving the wrong problem. Auditors usually don't care that much about the logo on the tool, they care that logs are retained, somebody reviews meaningful alerts, there's an escalation path, and you can prove it happened.
If your rsyslog setup already centralizes the right events, I'd narrow the scope hard: auth events, privilege changes, endpoint alerts, admin actions on critical systems, then document who checks what and how fast. If you can't staff that consistently, buying monitoring as a service makes more sense than buying a giant platform you won't tune. The failure mode isn't "open source", it's "nobody owns it."
LeaveMickeyOutOfThis@reddit
Any SIEM is going to take time to tune in, regardless of whether it’s commercial or open source. Sure there are some pros and cons with each, but ultimately you need to put in the work, especially when it comes to regulatory compliance for your specific environment.
The question becomes twofold. First, do you need third-party support and contractual accountability? Second, how much care and feeding are you willing to invest initially and long term? Answering both of these in the context of your business will help narrow down the options.
Low-Branch1423@reddit
Open source sounds like an easy option for a Linux house?
You just need bulk cheap storage, filters for wheel access alarms and config changes, and a retention policy.
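The narrow scope that OkEmployment4437 (auth events, privilege changes, admin actions) and Low-Branch1423 (wheel access alarms, config changes) describe can be checked in a few lines over the output of the rsyslog collector the OP already runs, before any SIEM is in the picture. The script below is an added example written for this page, not code from any poster, from Wazuh, Graylog or Gravwell. The log lines are constructed in the classic Linux auth.log layout (sshd, sudo and shadow-utils' usermod messages) and are not captured data; the admin allowlist, failure threshold, time window and the set of privileged group names are assumptions to tune per site.

```python
"""
Narrow-scope security triage over centralized syslog lines (added example).

Three checks that map to the scope recommended in the thread:
  1. sshd authentication-failure bursts per source IP (brute force / spraying)
  2. sudo use by accounts outside an expected admin allowlist
  3. group membership changes that grant wheel/sudo-style privilege

Lines are expected in chronological order, as a collector writes them.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input for this example (not real data).
SAMPLE_LOG = """\
Mar 10 08:01:02 lab01 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51012 ssh2
Mar 10 08:01:03 lab01 sshd[2211]: Failed password for root from 203.0.113.5 port 51013 ssh2
Mar 10 08:01:05 lab01 sshd[2212]: Failed password for invalid user test from 203.0.113.5 port 51014 ssh2
Mar 10 08:01:06 lab01 sshd[2213]: Failed password for invalid user oracle from 203.0.113.5 port 51015 ssh2
Mar 10 08:01:08 lab01 sshd[2214]: Failed password for root from 203.0.113.5 port 51016 ssh2
Mar 10 08:02:40 lab01 sshd[2220]: Accepted publickey for alice from 192.0.2.10 port 40222 ssh2: ED25519 SHA256:abc
Mar 10 08:03:11 lab01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sssd
Mar 10 08:09:30 lab01 sshd[2240]: Failed password for bob from 198.51.100.7 port 33001 ssh2
Mar 10 08:09:50 lab01 sshd[2241]: Accepted password for bob from 198.51.100.7 port 33002 ssh2
Mar 10 08:15:00 lab01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/usermod -aG wheel bob
Mar 10 08:15:00 lab01 usermod[2300]: add 'bob' to group 'wheel'
Mar 10 08:15:01 lab01 usermod[2300]: add 'bob' to shadow group 'wheel'
"""

# Message patterns (auth.log style). The usermod pattern covers shadow-utils'
# "add '<user>' to [shadow ]group '<group>'" message only; gpasswd logs differently.
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
SUDO = re.compile(r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
GROUP_ADD = re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to (?:shadow )?group '(?P<group>[^']+)'")

# Assumed set of groups whose membership grants admin rights; adjust per distro/site.
PRIV_GROUPS = {"wheel", "sudo", "admin", "root"}


def parse_ts(line: str) -> datetime:
    """Parse the year-less syslog timestamp ('Mar 10 08:01:02') at the line start."""
    return datetime.strptime(" ".join(line.split()[:3]), "%b %d %H:%M:%S")


def detect(lines, admin_allowlist, fail_threshold=5, window_s=60):
    """Return a list of (kind, subject, detail) alerts for the given log lines."""
    alerts = []
    fails = defaultdict(list)   # source ip -> timestamps of failures inside the window
    fired = set()               # ips already alerted on, so one burst yields one alert
    seen_groups = set()         # (user, group) pairs already reported (dedupes shadow group line)

    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        ts = parse_ts(line)

        m = SSH_FAIL.search(line)
        if m:
            ip = m.group("ip")
            fails[ip].append(ts)
            # keep only failures inside the sliding window ending at this event
            fails[ip] = [t for t in fails[ip] if (ts - t).total_seconds() <= window_s]
            if len(fails[ip]) >= fail_threshold and ip not in fired:
                fired.add(ip)
                alerts.append(("ssh_bruteforce", ip, f"{len(fails[ip])} failed logins in {window_s}s"))
            continue

        m = SUDO.search(line)
        if m:
            if m.group("user") not in admin_allowlist:
                alerts.append(("sudo_unexpected_user", m.group("user"), m.group("cmd")))
            continue

        m = GROUP_ADD.search(line)
        if m:
            key = (m.group("user"), m.group("group"))
            if key[1] in PRIV_GROUPS and key not in seen_groups:
                seen_groups.add(key)
                alerts.append(("priv_group_added", key[0], f"added to group {key[1]}"))

    return alerts


if __name__ == "__main__":
    # 'alice' as the only expected sudo user is an assumption for the sample.
    for kind, subject, detail in detect(SAMPLE_LOG.splitlines(), {"alice"}):
        print(f"{kind:22} {subject:14} {detail}")
```

Run against the sample it reports one burst from 203.0.113.5, bob's unexpected sudo, and bob's addition to wheel; alice's allowlisted sudo and bob's single failed login stay quiet. The allowlist and group set are what you would keep in a reviewed file next to the process document an auditor asks for, and every alert carries the subject so the "who checks what and how fast" step can be evidenced.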
freethought-60@reddit
You probably won't like the answer, but the point is that you may find yourself in a position to invest (and swallow the bitter pill) in a commercial product with the precise intent of satisfying your customers' requests first, who in turn have to satisfy someone else. The reason why it is not at all uncommon to be forced to implement a commercial product is that behind a commercial product there is someone who can be held accountable.
Anthropic_Principles@reddit
Probably necessary given your business, and given your size probably something that should be outsourced.