I’d be the first to admit that SIEMs (Security Information and Event Management systems) made my career what it is. The first centralized logging platform for continuous monitoring I had the fortune to build was Intel Security McAfee SIEM. The server was under the minimum requirements, and I had to rebuild it every 8 hours.
Since then I’ve trained up to the Splunk Architect level and have had a hand in engineering some of the largest enterprise SIEMs for SOCs (Security Operations Centers).
Even so, I still hate SIEMs. Not the technology or the processes that keep the system running, but the marketing for the hundreds of SIEM options that now plague the market. Please do something else now.
With all that in mind, I did my research regarding current SIEM tools:
You have many more options if you have the engineering skills and time. Graylog, Blumira, and Log.io are good options for those of you who don’t mind building and troubleshooting.
Some of you have deep pockets and can afford a Splunk or CyberArk build. Let’s be honest, plenty of budgets have suffered under the contracts of the industry leaders. The money goes toward providing better tools. Also, a $28 billion acquisition (Cisco’s purchase of Splunk) requires a flexible business tool with more than one revenue vertical, right?
Keeping this startup-friendly (aka financially challenged for the time being), let’s use a SaaS cloud deployment of the ELK stack (Elasticsearch, Logstash, and Kibana, a trio of software used to build an open data analytics tool). This way we get cloud resiliency with the double-edged sword of a pay-as-you-go subscription. This would be a good project to demonstrate good log discipline: deciding what gets shipped, what gets dropped before it is indexed, and how long it stays searchable. Without log discipline my Elastic SaaS cost will balloon, and because I am partial to Azure, that means I am also partial to being slapped with bills.
In this case, the data ingest is far easier to control than in a large enterprise. That means my bill is far easier to control as well. Keeping scalability in mind, as my infrastructure grows so will the bill, since the subscription is priced on what I ingest and retain. Keeping a small project online should be cheap. I’ll keep you posted either way.
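To make "log discipline" concrete, here is an added example of the kind of Logstash pipeline I have in mind; it is not configuration from the original post or from Elastic, and it assumes Elastic Common Schema field names coming out of Filebeat, a load balancer that probes `/healthz` with an `ELB-HealthChecker` user agent, and the cloud ID and credentials supplied through the `ELASTIC_CLOUD_ID` and `ELASTIC_CLOUD_AUTH` environment variables. Everything that would never be searched is dropped or stripped before it reaches the paid cluster:

```conf
input {
  beats { port => 5044 }
}

filter {
  # 1. Health-check noise never earns its keep. Drop it before it is indexed.
  #    (Assumed path and user-agent prefix; adjust to your load balancer.)
  if [url][path] == "/healthz" and [user_agent][original] =~ /^ELB-HealthChecker/ {
    drop { }
  }

  # 2. Application DEBUG/TRACE stays on the box. Only INFO and above is shipped.
  if [log][level] in ["DEBUG", "TRACE"] {
    drop { }
  }

  # 3. Strip bulky fields nobody queries: the raw event copy that duplicates
  #    every parsed field, plus agent and host metadata that never changes.
  mutate {
    remove_field => ["[event][original]", "[agent][ephemeral_id]", "[host][mac]"]
  }
}

output {
  elasticsearch {
    # Elastic Cloud connection details come from the environment, not the file.
    cloud_id   => "${ELASTIC_CLOUD_ID}"
    cloud_auth => "${ELASTIC_CLOUD_AUTH}"

    # Write to a data stream (logs-app-prod) so an index lifecycle policy
    # can roll over and delete old data on a schedule instead of letting
    # it accumulate against the bill.
    data_stream           => "true"
    data_stream_type      => "logs"
    data_stream_dataset   => "app"
    data_stream_namespace => "prod"
  }
}
```

The two `drop` rules are where most of the savings come from, and they are also the part to be careful with: drop by a precise condition (this path, this user agent, these levels), never by source alone, or you will quietly discard the one failed login you needed during an incident. Routing to a data stream is what makes retention a policy rather than a manual cleanup job; the lifecycle policy itself is set on the Elastic side and is not shown here.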
Sometimes simple is the best way.