Security information and event management software was once synonymous with event log management, but it has become far more capable and feature-rich. This benefits organizations looking for new functions and software options.
With open source SIEM tools, organizations can test out certain capabilities and reduce cost barriers before expanding their product investments. Depending on what functions you're interested in, there is a variety of software to choose from.
One popular option is ELK Stack. It is made up of three separate open source SIEM tools that collectively provide functionality: Elasticsearch, Logstash and Kibana.
Elasticsearch is ELK Stack's core layer, and it functions as a search and analytics engine. It can run on a modestly equipped PC or a 300-node cluster and indexes hundreds of petabytes of data. Elasticsearch is also designed to help spot trends within incident and alert data.
Logstash is the ELK Stack component that parses log data, pulls data from a variety of sources -- such as logs spread across multiple servers -- and sends the data to Elasticsearch for indexing.
Kibana is a business intelligence engine. It enables you to create dashboards that use a variety of visualizations to display data. Besides making it easy to visualize your data, Kibana also uses machine learning to spot anomalies. Because of these capabilities, ELK Stack can be used for business analytics as well as for security monitoring and enhancement.
Another choice for open source SIEM tools is Apache Metron. ELK Stack is a general purpose log and data parsing tool; Apache Metron focuses squarely on security.
Apache Metron provides four main capabilities. First, it offers long-term, cost-effective storage of telemetry data through its security data lake feature. Second, it features an extensible framework that collects data from a variety of sources and supports any future endpoints. Third, Metron performs normal SIEM tasks, such as data ingest and threat alerts. The fourth capability is threat intelligence driven by machine learning-based anomaly detection.
The OSSEC Project
Like Apache Metron, the OSSEC Project is designed to function as a security tool. Although the OSSEC Project does perform log file analytics, it primarily acts as an intrusion detection system. Log file analytics contribute to the tool's overall ability to detect attempted security breaches.
Other capabilities of this open source offering include file integrity checking, rootkit detection and policy monitoring. In the case of an attempted security breach, the software alerts you in real time.
The OSSEC Project's architecture is designed to be scalable, and it offers multi-platform support. OSSEC is host-based, which enables you to simultaneously monitor multiple systems. Furthermore, the OSSEC Project provides intrusion detection capabilities for Linux, OpenBSD, macOS, Solaris and Windows operating systems.
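To make the file integrity checking and log file analytics described above concrete, here is an added example in Python (not OSSEC's own code): a constructed baseline of file hashes is compared against current file contents, and a constructed auth log is run through an OSSEC-style rule that raises a higher-level alert once one source crosses a failure threshold. The paths, file contents, log lines, rule levels and threshold are all assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: an integrity baseline (path -> sha256) recorded earlier,
# plus the current contents of those files. OSSEC keeps the baseline in its
# syscheck database; both are embedded here so the example runs offline.
BASELINE = {
    "/etc/passwd": hashlib.sha256(b"root:x:0:0:root:/root:/bin/bash\n").hexdigest(),
    "/etc/hosts": hashlib.sha256(b"127.0.0.1 localhost\n").hexdigest(),
}
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nevil:x:0:0::/:/bin/sh\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
}

def check_integrity(baseline, current):
    """Return the paths whose current hash no longer matches the baseline."""
    return sorted(path for path, data in current.items()
                  if hashlib.sha256(data).hexdigest() != baseline.get(path))

# Constructed auth-log lines in syslog format (hosts and addresses are made up).
AUTH_LOG = """\
Mar  1 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  1 10:00:03 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar  1 10:00:05 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar  1 10:00:09 web1 sshd[2205]: Accepted password for alice from 198.51.100.4 port 40200 ssh2
"""

FAILED = re.compile(r"Failed password for .* from (?P<src>\S+)")

def analyze_log(text, threshold=3):
    """OSSEC-style rules: a level-5 alert for each failed login, and a
    composite level-10 alert when one source reaches `threshold` failures."""
    alerts, per_source = [], defaultdict(int)
    for line in text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue
        src = match.group("src")
        per_source[src] += 1
        alerts.append((5, f"sshd: failed login attempt from {src}"))
        if per_source[src] == threshold:
            alerts.append((10, f"sshd: {threshold} failed logins from {src}"))
    return alerts

if __name__ == "__main__":
    for path in check_integrity(BASELINE, CURRENT_FILES):
        print(f"[level 7] integrity checksum changed for '{path}'")
    for level, msg in analyze_log(AUTH_LOG):
        print(f"[level {level}] {msg}")
```

In a real deployment the alert stream would be forwarded to the SIEM for correlation with events from other hosts.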
Open Source SIEM (OSSIM) is best described as a light version of AlienVault's Unified Security Management tools. AlienVault's USM Anywhere software is cloud-based and is billed annually. In contrast, OSSIM is open source and designed for on-premises installation.
OSSIM performs many of the same functions as AlienVault's paid offering, but it is only available on one server. These open source SIEM tools perform asset discovery and inventory, vulnerability assessment, intrusion detection, behavioral monitoring, and SIEM event correlation.
Organizations that require more advanced log management will need to upgrade to the cloud-based version. This version supports capabilities that expand on open source SIEM tools -- such as security monitoring for AWS, Azure and cloud apps -- and that can integrate with third-party ticketing software.