Is a commercial SIEM total overkill for an 11-FTE company? Help me satisfy auditors.
Hi
I'm the sysadmin in a full Linux environment at a small company (~11 FTE) which develops and provides services, software and devices for medical research, and thus must be compliant with many regulations. We are ISO 27001 certified, and in the midst of obtaining ISO 13485 certification so that our products can also be warranted for medical use.
Now, one area of improvement is active log monitoring; this also comes from feedback from audits and risk assessments performed by partners and clients (think big pharma, national health institutes). Their CISOs and security advisors always steer us toward fully fledged commercial SIEM solutions. My boss and I agree, but given our company size, budget and time constraints, such solutions seem quite overkill and expensive.
How do you guys perform preemptive log monitoring for security events and anomalies? Preferably something free / open-source / on-prem that works easily out of the box and integrates well with logs from common Linux services (LDAP, SSSD, SSHD, Kea / Bind9, NFS, etc.).
We already have a dedicated machine acting as an rsyslog collector for all our workstations and servers, which performs some basic custom pattern matching and alerting (not ideal; implemented by my predecessor).
I've been experimenting lightly with OSSEC, Wazuh and OpenObserve over the past weeks. They are great tools, but they require a lot of attention and time to get meaningful use out of them, and now I'm reading up on Graylog.
Thanks in advance for any feedback and suggestions,
G
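As an added illustration of the kind of "basic pattern matching and alerting" the post describes running on an rsyslog collector, here is a small stateful detector over sshd syslog lines (example code, not from the poster or any of the tools named). It assumes the default syslog line format, a constructed sample log with made-up hosts and IPs, and arbitrary threshold/window values; it flags a burst of failed logins from one source, a successful login from a source that just failed repeatedly, and a root password login.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5   # failures from one source IP ...
WINDOW = 60     # ... within this many seconds raise a brute-force alert

# Constructed sample lines in the default syslog format (hostnames, users and
# addresses are made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
Mar 14 09:01:02 ws01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Mar 14 09:01:04 ws01 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 40123 ssh2
Mar 14 09:01:05 ws01 sshd[2205]: Failed password for root from 203.0.113.9 port 40124 ssh2
Mar 14 09:01:07 ws01 sshd[2207]: Failed password for root from 203.0.113.9 port 40125 ssh2
Mar 14 09:01:09 ws01 sshd[2209]: Failed password for root from 203.0.113.9 port 40126 ssh2
Mar 14 09:01:30 ws01 sshd[2211]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2: ED25519 SHA256:abc
Mar 14 09:01:50 ws01 sshd[2213]: Accepted password for root from 203.0.113.9 port 40130 ssh2
"""

_TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
FAILED = re.compile(_TS + r" (\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(_TS + r" (\S+) sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")

def _seconds(ts):
    # Syslog timestamps carry no year; only differences between them matter here.
    return (datetime.strptime(ts, "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()

def detect(log_text):
    """Return a list of (kind, host, user, ip) alerts for the given sshd lines."""
    failures = defaultdict(deque)   # source ip -> timestamps of recent failures
    flagged = set()                 # ips already reported as brute force
    alerts = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts, host, user, ip = m.groups()
            t = _seconds(ts)
            q = failures[ip]
            q.append(t)
            while q and t - q[0] > WINDOW:   # drop failures outside the sliding window
                q.popleft()
            if len(q) >= THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", host, user, ip))
            continue
        m = ACCEPTED.match(line)
        if m:
            ts, host, method, user, ip = m.groups()
            t = _seconds(ts)
            if any(t - f <= WINDOW for f in failures[ip]):   # login right after a failure burst
                alerts.append(("success_after_failures", host, user, ip))
            if user == "root" and method == "password":
                alerts.append(("root_password_login", host, user, ip))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", *alert)
```

The same loop can be fed from the collector's live file (e.g. via a pipe from `tail -F`) to replace ad-hoc grep rules with windowed, per-source state.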