Without good logging it is very hard to troubleshoot anything: if you are not looking for problems, you simply cannot see them. This applies to everything from virtualization to storage to Windows and Active Directory. In particular, it can be hard to know whether you have had a security incident at all, and the current trend towards "threat hunting" leans heavily on using logs intelligently. Our smart logging approach helps you quickly configure logging to a central solution, one where over time the "known good" events stop demanding your attention and you are left only with events that might indicate a problem, plus events that are new (and therefore also likely worth a look). This uses keyword filtering, so there is no machine learning or SIEM magic involved. That said, in almost every case we find things that need fixing as we implement smart logging.
Once in place, you have full logging of all the targeted systems, along with identified alerts.
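As an added illustration (not code from this page or from Coherent Security's own tooling), the Python below shows the shape of a keyword-filter triage pass of the kind described above, run over a handful of constructed syslog-style lines. Explicit alert keywords are checked first so that an over-broad allowlist can never hide a known-bad indicator; an allowlist of known-good patterns then suppresses routine events; and whatever is left is reduced to a signature (timestamp, host and numbers stripped) so that event types never seen before are surfaced as new. The log lines, hostnames, IP addresses and patterns are all made up for the example.

```python
import re

# Constructed sample lines in syslog format (invented for this example, not real captures).
SAMPLE_LOGS = [
    "Mar 10 08:01:12 fw01 sshd[2211]: Accepted publickey for ops from 10.1.1.5 port 50122 ssh2",
    "Mar 10 08:01:13 fw01 systemd[1]: Started Session 42 of user ops.",
    "Mar 10 08:02:40 web01 sshd[3104]: Failed password for root from 203.0.113.9 port 4121 ssh2",
    "Mar 10 08:02:41 web01 sshd[3104]: Failed password for root from 203.0.113.9 port 4122 ssh2",
    "Mar 10 08:03:00 dc01 Microsoft-Windows-Security-Auditing: 4625 An account failed to log on. Account Name: svc_backup",
    "Mar 10 08:05:17 dc01 Microsoft-Windows-Security-Auditing: 4720 A user account was created. Account Name: tmpadmin",
    "Mar 10 08:06:02 web01 kernel: [12345.6] usb 1-1: new high-speed USB device number 4 using xhci_hcd",
]

# Allowlist of "known good" patterns. In practice this list grows as an analyst
# reviews the "new" bucket and decides an event type is routine (assumed content).
KNOWN_GOOD = [
    r"sshd\[\d+\]: Accepted publickey for \w+ from 10\.1\.1\.\d+",
    r"systemd\[\d+\]: Started Session \d+ of user \w+\.",
]

# Keywords that always raise an alert, regardless of the allowlist (assumed content).
ALERT_KEYWORDS = [
    r"Failed password",   # Linux: failed SSH logon
    r"\b4625\b",          # Windows: an account failed to log on
    r"\b4720\b",          # Windows: a user account was created
]


def signature(line: str) -> str:
    """Reduce a syslog line to an event-type signature.

    Drops the leading "Mon DD HH:MM:SS host" prefix and replaces every run of
    digits with N, so PIDs, ports, session numbers and addresses do not make
    the same kind of event look new every time it occurs.
    """
    parts = line.split(None, 4)
    body = parts[4] if len(parts) == 5 else line
    return re.sub(r"\d+", "N", body)


def triage(lines, known_good=KNOWN_GOOD, alert_keywords=ALERT_KEYWORDS, seen=None):
    """Sort lines into alerts, new event types, known-good and repeats.

    `seen` is the set of signatures already observed; pass the same set on
    successive runs so an event type is reported as new only once.
    """
    seen = set() if seen is None else seen
    good = [re.compile(p) for p in known_good]
    bad = [re.compile(p) for p in alert_keywords]
    result = {"alerts": [], "new": [], "known_good": 0, "repeat": 0}

    for line in lines:
        # Alert keywords are tested first: the allowlist cannot override them.
        if any(p.search(line) for p in bad):
            result["alerts"].append(line)
            continue
        if any(p.search(line) for p in good):
            result["known_good"] += 1
            continue
        sig = signature(line)
        if sig in seen:
            result["repeat"] += 1        # unclassified but already seen; candidate for the allowlist
        else:
            seen.add(sig)
            result["new"].append(line)   # never seen before: worth a look
    return result


if __name__ == "__main__":
    observed = set()
    first = triage(SAMPLE_LOGS, seen=observed)
    print("alerts:", len(first["alerts"]), "new:", len(first["new"]),
          "known good:", first["known_good"], "repeat:", first["repeat"])
    for line in first["alerts"]:
        print("  ALERT", line)
    for line in first["new"]:
        print("  NEW  ", signature(line))
    # A second pass with the same `seen` set reports the USB event as a repeat, not as new.
    second = triage(SAMPLE_LOGS, seen=observed)
    print("second pass new:", len(second["new"]), "repeat:", second["repeat"])
```

The `seen` set is what makes the approach settle down over time: on the first pass the USB device event is reported as new, on every later pass it is only a repeat, and once an analyst adds a pattern for it to the allowlist it stops being counted at all. Persisting that set (and the allowlist) between runs is the only state the method needs.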
SIEM solutions take large volumes of logs and other data and promise to collate that data into useful information: information that indicates security or operational problems. While commercial SIEM products often work well, they tend to take a great deal of time to manage, and pricing tends to rise steeply as log volumes grow. Almost without exception, customers find themselves deciding which events should not go to the SIEM, just to keep the budget workable.
At Coherent Security, we approach these issues in a couple of different ways. To manage subscription costs, we use open source solutions for SIEM functions, delivering feature parity at much lower cost. Both on-premises and cloud implementations are available.
We can also help in reducing the time overhead involved in managing a SIEM. In many cases, this is ad-hoc assistance in helping determine "what does this or that event mean, should I be worried?". In other cases, we can help review logs or findings on a periodic basis, simply as a second set of eyes to ensure that events of interest are caught, and dealt with appropriately. Our end goal is normally to ensure that over time your organization becomes more self-sufficient in managing your security events and infrastructure.
Network Management Systems (NMS) have been with us for 20+ years, and we still struggle with basic issues in that space. It seems that the further down the path we go, the more complex our management solutions become. Getting an NMS to give us basic answers can be a real challenge, answers to questions like:
When did that device configuration last change, and who changed it?
Did the change we scheduled in this week's Change Control actually happen within the window?
Where can I find the latest backup for the router/switch/firewall that just failed (or needs to be restored from last week's config)?
Why is that link slow? Who is using all my bandwidth up, and with what application?
Or maybe that link isn't slow, how do I prove that the problem is in the application?
Using a variety of tools, we can nail all of these answers down (along with a long list of others), and make finding those answers simple.