Showing results for 
Search instead for 
Did you mean: 
Create Post

Top Three Challenges SMBs Face With Security Information & Event Management Solutions (SIEM)

Product Manager

Over the last decade, cybercriminals have gained the necessary resources to make it easier and more lucrative for them to attack small-to-medium-sized businesses. The 2019 Cost of a Data Breach Report not only shows the odds of experiencing a data breach have gone up by a third in less than a decade, but the cost of these data breaches is also on the rise. Additionally, small businesses face disproportionately larger costs than their enterprise counterparts when an attack is successful. This report highlights the importance of SMBs being prepared, now more than ever, to quickly identify and respond to potential cyberattacks.

One common way businesses increase their security posture is by implementing, and using, a Security Information and Event Management tool—SIEM for short. A SIEM solution at its core, aggregates and normalizes log and event data from across an entire network making it easier to identify and respond to attacks, compromised data, and security threats.

However, many SMBs feel a SIEM solution is out of reach for their organizations for three main reasons:

  1. Complexity
    The complexity starts right away with most traditional SIEM vendors. Connecting different log sources often requires building parsers or writing (and possibly learning) RegEx to ingest and normalize log data. Once the data has been consolidated, recalling the data adds another layer of complexity. For example, wanting to see logins from a particular user can require writing a query in language created specifically for their SIEM. Additionally, feature bloat often makes it difficult to know how to find answers to simple questions.

  2. Expertise Requirements
    A SIEM is only as effective as the rules put in place to identify, alert on, and respond to potential threats. Without a deep understanding of the types of activities captured by logs, and the behaviors indicating malicious or risky behaviors, setting up the rules can be daunting. Especially if the SIEM doesn’t come with any pre-built rules. With limited time, and a scarcity of available security professionals, setting up a SIEM can seem like too big of a project to take on

  3. Expense
    Aggregating all log and event data in one place is ideal. However, the licensing models of many SIEM solutions can quickly price out SMBs. Many of the most common SIEM solutions on the market are SaaS products. The price changes based on log volume being sent to the product. This leads to two main problems, pricing being unpredictable and/or IT pros needing to cherry pick which logs they will collect and store…hope you pick the right ones.

At SolarWinds we understand how important it is for IT pros at SMBs to gain valuable time back and automate as much as possible—including threat detection and response. That’s why we built Security Event Manager (SEM). It’s a SIEM solution built for resource-constrained IT pros needing to advance their organization’s security beyond patching, backups, and firewall configurations. SEM is designed to provide the most essential functions of a SIEM to help improve security posture, more easily meet compliance requirements, and reduce the time and complexity of an audit.

How Does SolarWinds Security Event Manager Differ From Other SIEM Products?

  1. Easy to Deploy and Use
    Deployment is flexible via virtual appliance potentially located on-premises or in the public cloud (such as Azure or AWS). Many users report SEM is up and running within fifteen minutes, no professional services required. Log collection and normalization is done by either enabling one or more of the hundreds of pre-built connectors and sending logs to SEM or by deploying the SEM agent.

    It has a simple and clean UI, focused on the features SMBs find most important. Such as the dashboard to help visualize important trends and patterns in log and event data:
    As well as a quick and easy keyword search providing faster log recall without the need to learn specialized query languages:

  2. Provides Expertise and Value Out of the Box
    Finding value with the tool will not be an issue. An integrated threat intelligence feed and hundreds of pre-defined filters, rules, and responses, not only make it faster and easier for users to identify threats, but also automate notifications or corrective actions.
    Beyond identifying and responding to threats, the pre-built reports make demonstrating compliance a breeze.
    The best part is users aren’t confined to out-of-the-box content. As their organizations needs change and grow, or as they become even better acquainted with the tool, the pre-defined content, visualizations, and reports are flexible.

  3. Priced With SMBs in Mind
    SolarWinds® Security Event Manager has a simple licensing model. SEM is licensed by the number of log-emitting sources sent to the tool. No need to pick and choose which logs to send, and no need to worry about a large influx of logs breaking your budget. Users get all the features of SEM and industry leading support for a single price. The pricing model is built to scale with the user’s environment, the price per node dropping at higher tiers. For those looking to monitor workstations, infrastructure, and applications, special discounted pricing is available. Same deal, one price for all features, for each workstation.

If you’re an IT pro at an SMB looking to get a better handle on cyber security or compliance reporting, give SEM a shot. You can download a free, 30-day trial here.


I could not agree more with the statement : "A SIEM is only as effective as the rules put in place to identify, alert on, and respond to potential threats."

Challenges faced in creating rules -

  • Cryptic log messages
  • In-built rules (within the SIEM tool) difficult to comprehend
  • Mapping rules to the customer environment

The best tool is the one that you will actually use. I've found that there are a lot of very powerful tools out there (In the SIEM world and many others) but you have to be very knowledgeable on the tool, willing to do a lot of custom work or pay someone to maintain it. None of these options are good for the SMB (or any organization really) I will gladly give up some advanced features for a product that the staff actually uses. If you are actually using the product then you are getting value and will find more uses and ways to watch your network. I like the SolarWinds SIEM tool because you get immediate value, the product is easy to use and understand and if the person supporting it leaves, gets promoted, etc. Then the next person coming along can pick up the product and move forward - it doesn't take a long learning curve or retraining a new person.

Level 12

We're just getting up and running, so this comment might be better suited to the product forum, but...

We'd like the ability to filter based on user group memberships. For example, if a call center employee authenticates at 2am, since we don't run 24x7, I'd like that to generate an alert based on the fact that they are a member of "CallCenterStaff".

We've tried to use "UserLogon.DestinationAccount", but this is not correct. I don't see anything for membership.

Perhaps the better question is, is there a comprehensive guide to what all of the Field types are and the data they should contain?

Product Manager
Product Manager

You are on the right track using the UserLogon.DestinationAccount field but you will need to use a group which contains all the CallCenterStaff usernames. You can create a User Defined Group, which allows you to manually input the usernames (or import via .CSV) or alternatively you can use a Directory Service Group if you have an AD Group which contains all the Call Center Staff. There's a predefined rule called 'User Logon After Hours', that'd be a great starting place.

This rule monitors for user logons from Admin Accounts, where a user has used their mouse/keyboard to logon or has unlocked their machine, outside of business hours.

Screenshot 2020-01-06 at 14.12.35.png

Level 12

Appreciate the super prompt reply! Please bear with me, as we are definitely still coming up to speed.

I tried a very simple rule to try and just make sure that it's triggering. My (very new and basic) understanding of the rules is that on any domain admin trying to login with the below, should trigger the rule. It is enabled, and not in test mode. We are not getting the emails desired, nor do I see anything under "Rule Activity" on the events page.

Again, appreciate the help!

EDIT: Apparently I got the group part right, but problem is with detecting interactive. I deleted that and blamo, tons of events. Re-add it, nothing.

2020-01-06 10_30_04-Window.png

Product Manager
Product Manager

Glad to hear you managed to to make some progress with the rule triggers. If your Audit Policy is generating events for sucessful/failed logons, it should be also picking up logon type 2 (interactive logons). If you like, we can set up a quick call to test an interactive logon event to make sure those events are hitting your SEM. I can DM you to schedule something.

Level 8

Thanks for this post

Level 12

We use the product more and more because of the ease of use.

Level 20

Getting ready to upgrade right now to 2019.4... I hope it fixes some weird issues I've had with current old version I'm on.  I've had issue where some tomcat log files sometimes fill up /var for no apparent reason and will blow up my entire datastore.  I always have rolled back after this happened because LEM wouldn't boot with a full datastore.  Thanks God for backups is all I can say... take snapshots and back up your appliance peeps!  I'm a few versions back right now so hopefully this fixes things for good... plus I can't wait for the HTML5 updates I've been watching for a while and finally now can take advantage of!  Node management in HTML5 is big if I can select more than one node at a time.  The UX team has worked hard on this I know!

Product Manager
Product Manager

We've added some under-the-hood improvements with 2019.4 that should prevent that happening. Sorry to hear you ran into some trouble with the tomcat logs!

Level 20

The upgrade to 2019.4 on this information system (which is a bigger one) went well.  I'm monitoring this SEM from Orion over snmpv3 so hopefully if /var get's big again I'll know it.  I'm hoping this will just magically make this tomcat issue just disappear.  I like the new interface and I can imagine doing more things with the dashboard now.  As we've discussed and I brought up at SWUG to a bunch of people we need more flexibility with licensing so we can cover many small information systems.  I have networks with less than 10 nodes that have AD and servers with small number of clients that really need SEM.  One thing is for sure... SEM is much easier to buy and use than splunk.