SIEMonster

What is SIEMonster?

SIEMonster is a turnkey, open source, enterprise-grade Security Information and Event Management (SIEM) system, built on scalable, non-licensed components, fully documented and developed by Kustodian.

Kustodian has developed it for all companies as a viable alternative to commercial SIEM solutions. The product is free and fully documented, and there are no data or node limitations. Kustodian will continue to develop SIEMonster for its existing clients and support SIEMonster with the community.

What’s a SIEM?

As a security professional, protecting your company’s assets from cyber-attacks is a never-ending, complex task. It is crucial that you have visibility across your entire environment. It is like a house alarm: there is no point having motion sensors in some rooms and not in others.

All systems have the ability to emit an event or alert that something is going on, but is anyone listening to these cries for help? When you picture your environment, with internal and external servers, workstations, network appliances, printers, SCADA and other equipment, they all produce events and alerts, but is anyone looking? On top of this, all your applications are sending out alerts, including web servers, Active Directory, applications, anti-virus and endpoint protection.

By using a Security Information & Event Management system (SIEM) we can capture all of these events and cries for help, separate the “cry wolf” noise from the real threats, and alert the operator that an attack may be underway. Security operators can be alerted via a dashboard, SMS, SLACK channel or email to any suspect activity for investigation, whether it is an administrator creating a privileged account or an executive using email from a destination that differs from their current location. The rules and alerts to suit your business are limitless.
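The two rules named above (a privileged account change, and an executive reading email from somewhere other than their current location), plus the “cry wolf” suppression, as an added illustration that is not part of SIEMonster or Kustodian’s code. The event records, the privileged group names and the per-user current-location table are all constructed assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real SIEMonster output): two directory group
# changes and a run of webmail logins for a single executive.
SAMPLE_EVENTS = [
    {"ts": "2016-05-01T09:00:00Z", "type": "group_member_added",
     "actor": "admin.jane", "target": "svc-backup", "group": "Domain Admins"},
    {"ts": "2016-05-01T09:02:00Z", "type": "group_member_added",
     "actor": "admin.jane", "target": "svc-backup", "group": "Staff"},
    {"ts": "2016-05-01T09:05:00Z", "type": "email_login", "user": "ceo", "country": "AU"},
    {"ts": "2016-05-01T09:20:00Z", "type": "email_login", "user": "ceo", "country": "RU"},
    {"ts": "2016-05-01T09:21:00Z", "type": "email_login", "user": "ceo", "country": "RU"},
    {"ts": "2016-05-01T09:40:00Z", "type": "email_login", "user": "ceo", "country": "RU"},
]
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
# Hypothetical per-user current location; a real deployment feeds this from travel/HR data.
CURRENT_LOCATION = {"ceo": "AU"}

def rule_privileged_group_change(ev):
    """Fire when anyone is added to a privileged directory group."""
    if ev["type"] == "group_member_added" and ev["group"] in PRIVILEGED_GROUPS:
        return ev["actor"], f"{ev['actor']} added {ev['target']} to {ev['group']}"
    return None

def rule_email_unexpected_location(ev):
    """Fire when a tracked user reads email from a country other than their current one."""
    expected = CURRENT_LOCATION.get(ev.get("user"))
    if ev["type"] == "email_login" and expected and ev["country"] != expected:
        return ev["user"], f"{ev['user']} email login from {ev['country']}, expected {expected}"
    return None

RULES = (rule_privileged_group_change, rule_email_unexpected_location)

def run_rules(events, rules=RULES, suppress=timedelta(minutes=15)):
    """Apply every rule to every event in time order. A repeat of the same (rule,
    subject) inside the suppression window is dropped: the 'cry wolf' filtering."""
    alerts, last_fired = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for rule in rules:
            hit = rule(ev)
            if hit is None:
                continue
            subject, message = hit
            key = (rule.__name__, subject)
            if key in last_fired and ts - last_fired[key] < suppress:
                continue  # already raised recently; the first alert is still on the dashboard
            last_fired[key] = ts
            alerts.append({"ts": ev["ts"], "rule": rule.__name__, "message": message})
    return alerts
```

Running `run_rules(SAMPLE_EVENTS)` yields three alerts: the Domain Admins change, the first RU login, and the RU login 20 minutes later; the login one minute after the first is suppressed.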

What are my Options?

There are a myriad of great commercial products out there, such as HP ArcSight and SPLUNK, but these solutions come with node/GB limitations and can be quite expensive as ongoing annual costs stack up.

You can always go the open source route and use an Elastic Stack (Logstash and Kibana) system or the Cisco OpenStack – Apache Metron framework, but speaking from experience, by the time you have built the plugins, dashboards and parsers needed for a functioning SIEM, you are looking at a year’s worth of highly skilled, documented development.

So WE BUILT One

Kustodian have done the development for you and built a SIEM using open source modules built on Elastic, without the added price tag of Shield or Marvel. SIEMonster is a free, open source, unlimited-use version that comes with all the dashboards, plugins and incident response tools, including ticketing systems, to make a functioning SIEM and Security Operation Centre (SOC). SIEMonster is a commercial-grade enterprise SIEM with dashboard development and a suite of ISMS documentation (Standard Operating Procedures, Detailed Designs, DR failover, backups, installation guides etc.).

After the successful development and roll-out of an open source SOC into a multi-region, stock-listed company with over 20,000 seats, it made sense to allow companies to use our system for their own environments.

The solution can be either onsite in a data centre or in the cloud, such as AWS. It makes it simple for businesses to use open source SIEM technologies without the development headaches, and provides integrated documentation and unlimited use, completely free, which neither commercial nor other open source SIEM products provide.

SIEMonster Architecture with AWS integration

SIEMonster High Level Components

This SIEM solution includes the following high level open source components, built in a virtualized or physical server environment. The SIEM is built to provide 24×7 security event collection, correlation and incident response, risk identification, threat intelligence via OSINT and Palo Alto Networks MineMeld, visual alerting, analysis, and secondary SLACK/email/SMS alerts to the operator. Included is a dashboard for your existing vulnerability scanning tool, incorporated into a world-view dashboard revealing hot spots in your network, and an incident response ticketing system. You can use these or your existing vendor solution. Dashboards provide a visual representation of configured alerts and risks in the environment. Also included is the OSSEC Wazuh fork with PCI rulesets and alerting.

SIEMonster Open Source Modules

The solution had to be completely scalable, open source and completely free without exception, and the open source modules below were chosen for that reason. Each module on its own does not make a SIEM, but by combining and developing them we have built one. Use SIEMonster with community support and you have a free SIEM with as many nodes/clusters as you need.

SIEMonster: Sample of what it can monitor and alert on

TurnKey – Kustodian have done the development for you and built a SIEM using only open source, built on Elastic without the price tag of the security modules Shield or Marvel. The free open source version is called SIEMonster. SIEMonster is a free, open source, unlimited-use version that comes with all the dashboards, plugins and incident response tools, including ticketing systems, to make a functioning SIEM and Security Operation Centre (SOC). SIEMonster is a commercial-grade enterprise SIEM with dashboard development and a suite of documentation (Standard Operating Procedures, Detailed Designs, DR failover, backups, installation guides etc.).

Free – The solution is completely free and has security researchers and analysts involved in the community support for further development. Kustodian have built commercial SIEMs and SOCs for enterprise clients that cost anywhere from 1 million dollars to 7 million dollars. This time we have built one for free using open source. The solution is yours; there is no licensing limitation. We chose these open source key players deliberately. The solution had to be completely scalable, open source and completely free without exception. Of course we could have chosen Shield or Marvel from Elastic, but that would incur license costs and limitations on node sizing. So we built our own solution. SIEMonster is free to use with as many nodes/clusters as you need. Just download and get started.

Documented – Unlike most products, this solution and build is completely documented. You have a choice: you can install SIEMonster from scratch on a Linux box, or you can use the images provided. Either way we have included build guides, maintenance guides, a full ISMS suite of documentation including High Level Designs, Detailed Designs, Build Guides, Maintenance and SOP (Standard Operating Procedures), and DIY dashboard and search guides.

Visual Security Risks – Dashboards to alert security analysts to risks in the network. The security dashboards can alert your security operators to Active Directory activity, virus outbreaks, attempted website hacks or failed logon attempts, all displayed in a customizable dashboard.

Vulnerability Scanning – If your company uses Nessus, McAfee or any other scanner, these can also be configured into a viewable dashboard. Why look at hundreds of pages of vulnerabilities when you can see only the Critical or High Risk issues on an interactive map? If your company does not currently scan, you can download and use the free OpenVAS to find vulnerabilities, with risks populated in the dashboard. The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. The actual security scanner is accompanied by a daily updated feed of Network Vulnerability Tests (NVTs). All OpenVAS products are Free Software. OpenVAS is used to determine risks in a company’s network.

Incident Ticketing System – Record incident response information across a 24/7 shift roster change. FIR is a tracking system used for incident response, help desk ticketing, customer service, workflow processes, change management and network operations. FIR has been included in SIEMonster to record, report and escalate incident responses to other security analysts, for example from Level 1 support to Level 2 support. It also allows for stock answers, FAQs and best practice article storage.

Alerts – Alerts can go to the dashboard, or to an email or SMS when you’re not in front of a computer. We have even included SLACK integration so alerts can go to your private SLACK channel for all security staff. Our customers wanted not only a dashboard view but also email and SMS alerting, so we included this as well. This is great for when you outsource your security monitoring to a 3rd party but want to keep tabs as items come in.

Scalable SIEM – The SIEM is completely scalable. We recommend a dual-cluster front and back end system to easily support any enterprise need. However, if you need to grow, clusters can be scaled out to 4/8 nodes, built with Apache Hadoop and AWS scaling in mind, with unlimited growth.

Support Options for Enterprise – Need support? Kustodian will help you with your SIEM configuration, dashboards and updates. We realize that organisations need different levels of support for their SIEM, some are more than happy to use the community forums, others need custom modules written and Enterprise clients need 2nd and 3rd level product support and customized development. Choose the model that suits your organization.

Available on Amazon AWS – Use the preconfigured Amazon AWS AMI instances and roll out immediately. A lot of clients are now using Amazon AWS services, so we have set up instant AMI images of SIEMonster to get you using a SIEM in your organisation. We have also included archival scripts using Amazon S3 for when you want to archive and back up data, as well as Amazon Glacier long-term archival and backup scripts.

Built on Elastic / Apache Hadoop – the most common open source log analytics platforms, trusted by Netflix, Facebook, LinkedIn, Cisco and Microsoft.

Threat Intelligence – SIEMonster provides OSINT (Open-Source Intelligence) threat intelligence gathering from the Dark Web and Palo Alto Networks MineMeld, and support for Tardis, Bro and SNORT. OSINT data is sent to the SIEM and is used by security analysts for event context, attack prediction, and preventive and detective controls, with real-time visualization and alerting.