Cyber Defense: AlienVault OSSIM, the most widely used open source SIEM in the world

(by Alessandro Rugolo)
19/04/17

At least, that is what AlienVault says: an American software development company headquartered in San Mateo, California, in Silicon Valley, with offices in many countries around the world.

But, first of all, what is a SIEM?

SIEM is the acronym of Security Information and Event Management, that is, the management of security information and security events.
OSSIM is therefore an open source SIEM, as its own acronym says: Open Source Security Information and Event Management... system.

Leaving the acronyms aside and speaking plainly, a SIEM is nothing more than an information system that lets you perform security analysis and manage events by collecting information about security events, normalizing the collected data and correlating it.
To achieve the purpose for which OSSIM was created, the software relies on a number of functions; the main ones are:
- asset discovery, that is, the automatic search for an organization's IT resources;
- vulnerability assessment, that is, checking the information system for vulnerabilities;
- intrusion detection, that is, the search for any malicious activity by unauthorized users or software;
- behavioral monitoring, that is, monitoring the behavior of the users of a system;
- SIEM, the actual security event management feature.
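To make the collection, normalization and correlation steps described above concrete, here is a small added example (not code from the original article or from OSSIM). It parses constructed sample log lines from two different sources (an sshd authentication log and a firewall log, formats assumed for illustration) into one common event schema, then runs a single correlation rule: three or more authentication failures from the same source address within five minutes produce one alert. The rule names, thresholds and field names are assumptions, not OSSIM's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real captures): two sources, two formats.
RAW_LOGS = [
    "2017-04-19T10:00:01 sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2",
    "2017-04-19T10:00:03 sshd[1201]: Failed password for admin from 203.0.113.5 port 51023 ssh2",
    "2017-04-19T10:00:04 fw01 DENY src=203.0.113.5 dst=10.0.0.8 dport=22",
    "2017-04-19T10:00:06 sshd[1201]: Failed password for root from 203.0.113.5 port 51024 ssh2",
    "2017-04-19T10:00:07 sshd[1201]: Accepted password for alice from 198.51.100.7 port 40000 ssh2",
    "2017-04-19T10:00:09 sshd[1201]: Failed password for root from 203.0.113.5 port 51025 ssh2",
    "2017-04-19T10:30:00 sshd[1201]: Failed password for root from 198.51.100.7 port 40001 ssh2",
]

# Assumed line formats for the two constructed sources.
SSH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DENY|ALLOW) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def normalize(line):
    """Map one raw line onto a common event schema (the normalization step).

    Returns None for lines in an unknown format; a real SIEM would count
    those as parse failures rather than silently dropping them.
    """
    m = SSH_RE.match(line)
    if m:
        return {
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "user": m["user"],
            "category": "auth_failure" if m["result"] == "Failed" else "auth_success",
            "source": "sshd",
        }
    m = FW_RE.match(line)
    if m:
        return {
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "user": None,
            "category": "fw_deny" if m["action"] == "DENY" else "fw_allow",
            "source": m["host"],
        }
    return None


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window rule: `threshold` auth failures from one source address
    inside `window` raise one alert (the correlation step)."""
    failures = defaultdict(list)  # src address -> timestamps still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] != "auth_failure":
            continue
        bucket = failures[ev["src"]]
        bucket.append(ev["ts"])
        # Expire failures older than the window relative to the newest one.
        while bucket and ev["ts"] - bucket[0] > window:
            bucket.pop(0)
        if len(bucket) >= threshold:
            alerts.append({"src": ev["src"], "count": len(bucket),
                           "first": bucket[0], "last": ev["ts"]})
            bucket.clear()  # one burst yields one alert, not one per extra failure
    return alerts


def run(lines=RAW_LOGS):
    """Collect -> normalize -> correlate; returns (normalized events, alerts)."""
    events = [e for e in map(normalize, lines) if e]
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = run()
    print(f"{len(events)} events normalized, {len(alerts)} alert(s)")
    for a in alerts:
        print(f"ALERT: {a['count']} auth failures from {a['src']} between {a['first']} and {a['last']}")
```

On the sample above, the four failures from 203.0.113.5 trigger one alert at the third failure, while the single failure from 198.51.100.7 half an hour later stays below the threshold. The firewall deny line is normalized into the same schema but ignored by this particular rule; a second rule could join it with the authentication failures by the shared `src` field, which is exactly what normalizing into one schema buys you.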

Of course, as the market takes care to remind us, free things are not always up to the level of what is paid for... but is that really true?
It is a fact that there are many vendors in the SIEM market, including IBM, CorreLog, RSA, Splunk and Symantec, to name a few. Of course, to hear each of them tell it, every one always has something more or better than its competitors: some are better at log analysis, some are more experienced in collecting information, some claim to be the best at correlating data, and so on.
All these products, whether Open Source or provided under a paid license, rely on an organization capable of providing and gathering information, adapting the software to business needs, or providing paid security services; ultimately what really counts are the people behind it and their ability to analyze and to build a "network".
You realize this when you try to configure any kind of system yourself. Often it requires engineering knowledge that no single person can bring together alone. So we turn to communities and support groups, which often contribute free of charge, out of passion.
However, it is not always wise to turn to a community; in particular it is not always appropriate in the field of security, and even less so when information about an organization's structure is at stake.

So how should we behave?
Spend a lot of money on licenses and support, or save by using Open Source products?

Personally, I think there is a middle ground.
Open source products can be used, provided that the organization employing them invests in internal staff who are able to understand how the software works and how to use it, possibly by taking part directly in the development community.
So what really makes the difference in Cyber Defense is not the software, but the ability of engineers to configure it for the different situations and the ability of analysts to "read" the information hidden behind the huge amounts of data collected, thanks to their experience and their knowledge of the organization they work for.
It is still they who make the difference today: people with their knowledge, their skills and their inventiveness.

Sources:
- https://www.alienvault.com/products/ossim
- http://searchsecurity.techtarget.com/essentialguide/The-top-SIEM-product...
- https://www.splunk.com/en_us/resource/video.ltc2VpbzpiffiI6q6mOCggCf7sYA...
- http://www.securityweek.com/keyw-corporation-acquire-siem-vendor-sensage...
- https://www.gartner.com/doc/1679814/magic-quadrant-security-information-...