SIEM Infrastructure design

lokmanopt · September 29, 2019, 10:47am

Dear Concern,
I want to implement SIEM solution for production. I need to ELK expert's help Please share Design for production environment.
I have more then 300 system and 300 router as well as 6 Cisco firewall.
So please give me appropriate solution for production scenario.

Regard's
Lokman Hakim

Mike_Paquette · September 30, 2019, 10:35am

Thank you for the post. The ELK stack is currently used successfully in many SIEM implementations. However, the right solution for you is going to depend on several factors that are specific to your requirements, such as these:

What is your motivation for implementing SIEM? Regulatory Compliance? Threat Detection? Incident Response? All of the above?
Are you willing and able to host the SIEM systems in your own data center? Or would you rather use cloud-hosted service for your SIEM?
Do you have staff that is trained at implementing and operating a SIEM? Do you have an existing security operations center (SOC)? Do you have a security incident response team in place?
Are you able to install and maintain agents on your 300 systems? Is there already a security agent (EPP or EDR) installed? Are these systems connected to your local network? Or available only over the Internet?
300 routers seems like a large number. Are these tied 1:1 to your 300 systems? Is there a third-party managing these routers? Do you have the ability to get logs and/or telemetry from these routers?

These are just a few of the very basic questions needed to make a SIEM recommendation. In the end, you may need some custom consulting to help you pick the right solution architecture for your SIEM.

After you've decided upon your approach to SIEM, you might find some of these blogs helpful to inform you about Elastic's SIEM solution:

Best Regards,
Mike P.

system · October 28, 2019, 10:35am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.