When I see a project of this complexity advertise itself as "open source" these days my first thought is the rug pull. Will this STAY free, or turn into an eventual cash grab once it's insinuated itself so deeply into your environment that it would be hard to replace?
This is built upon OSSEC [1]. While it works ok, with Elastic underneath it's far too much maintenance for my 30 servers.
[1] - https://www.ossec.net/
There is a hosted offering https://wazuh.com/cloud
I run an in-house deployment using the Docker conf they supply. It requires a couple of hours per month and mainly a lot of disparate skills.
The real thing that takes time is the installation and configuration of the rules and agents. That’s something that you have to do for any SIEM really, irrespective of open source / paid: you have to understand your nominal feed and that takes time.
Sadly OSSEC is largely abandoned. Back in the day it was very good for a lightweight and effective security system for those that didn't want to install full-blown antivirus on everything. I wish they would donate the project to Linux Foundation or CNCF, but it seems destined for decline.
Spoiler alert: agent based. Ran it before, was a maint burden of the first order.
It's not exactly the surprise of the century that running your own services, let alone a security platform, requires maintenance.
What was it specifically that made it a "maint burden of the first order?"
I have first-hand experience with this product for over 2 years. It is a PITA from an SRE/DevOps security point of view. Things constantly break: the indexes, emailing reports, just general bit rot. The source code is at best a good first attempt, but sorely lacking.
I have built from the ground up 2 SIEMs.
I know of no similar package that isn't agent based, at least when it comes to endpoints. I'd be happy to hear an alternative, though.
There is an agentless option that just requires ssh access. Not something I’d prefer from a security point of view, but it’s possible.
Agent-based is not really a big burden; most monitoring systems work like this (Prometheus). Companies use Ansible etc.
Why was it a burden?
Did you think it was set and forget? There is a reason companies have entire SOC teams only looking at EDR and SIEM.
What SIEM did you move to that was less of a burden?
It is mind-blowing that such a good SIEM (Security information and event management) software can be free.
I'd like to give you a virtual cookie, for being the only person in the comments so far to spell out what SIEM stands for.
I appreciate you.
Seriously, this is getting out of hand in the cybersecurity space. SAST, DAST, SBOM, WAF, SOAR, TPRM, NGFW, MSSP...
I noticed that in ’22 there was a solid shift from three letter acronyms to four. Madness.
I am not familiar with the term.
"Universal agent" is some form of antivirus, ransomware software like ESET, or McAfee?
Or does the universal agent listen to "endpoint security", somebody else's antivirus that reports what it finds up the chain?
And the next step is that the data gets to the server, is parsed, stored etc and presented on a nice GUI?
"Someone probed computer3 with a known exploit at (somedatetime)"?
They're implying that you have a single agent which does the EDR (antivirus) and SIEM (logging) functionality instead of two separate agents. This is becoming more commonplace throughout the security industry as multiple agents can be burdensome from both a security and maintenance perspective.
As far as I know it's just a node exporter, similar to Prometheus node-exporter.
What is the good alternative to this? McAfee? AVAST? Kaspersky?
Can some folks in the cybersecurity arena recommend some good email newsletters, websites, blogs, accounts, etc to follow to keep up in the space?
I have slowly been aggregating various blogs in the cybersec realm at https://securityblogs.xyz/
I add new blogs as I run into them on twitter/reddit/HN/etc
Do you have an OPML feed for that?
I do not, but I can add that later today.
That would be great :)
https://tldrsec.com/
I'm not in cyber but "Risky Business" ( https://risky.biz/ ) is a good podcast to keep up to date.
They always have a lot of outgoing links in their show-notes that should get you started with the rest.
This blog is nice https://blog.badsectorlabs.com/
You have different areas of security. Sadly our space is full of grifters and wanna be security "experts". For a very technical security podcast I recommend Critical Thinking Bug Bounty [1].
[1] https://www.criticalthinkingpodcast.io/
Building on top of Elastic was an easy win. However, SCAs need a lot more love. Some of them are wrong/outdated, while many are missing.
What net benefits does a full blown "SIEM" add over a simple log database w/ alerting support?
> Unified XDR and SIEM protection for endpoints and cloud workloads
Guess IDC ABT this. Jokes aside, read the page, still don't know if I care about this or need it...
TIL that SIEM, SCA, XDR (and more?) exist. Now to go and find out what they actually mean (and please don't point out that SIEM is already explained on their page).
Clearly parent could have phrased it more explicitly that he knows nothing about this field. But I also see downvoting him as a form of gatekeeping.