Thoughts on Darktrace or MS Sentinel?
15h 52m ago by reddthat.com/u/Lemmert in cybersecurity@infosec.pub

Hey everyone,
For a secops class we're expected to do some preliminary evaluation of some SIEM and/or SOAR services. Some cybersecurity firm that gave a guest lecture was raving about both Darktrace and Sentinel, so our group figured we'll look into those at least.
Has anybody had any particular experience with those? Or if you have any other services in mind, that would also be helpful.
I have gone through their sites and I'm scouring forums to get an idea of the sentiment on the current services (which at the moment seems to be that none are exactly ... popular). I'm not trying to get others to do our work; we're basically only after actual user experience, which we can't really get ourselves.
Cheers!
I have used both. We did Sentinel at my organization for traditional SIEM. It was mostly for convenience since we were already ingesting Event Logs into Log Analytics. When I used it, it was mostly just traditional playbooks and rule-based detections. It worked as well as any other SIEM at the time, but required a lot of maintenance to keep up with the latest TI. It was fine.
We ended up moving to Darktrace. It's not really a replacement for a SIEM, although we more or less use it as such. It is more about ML and pattern-based detections, so it requires less maintenance to configure playbooks and for it to take autonomous action. It also has an agent on each endpoint and API integrations so it can respond more holistically to detections and threats.
I would rave about both; they serve similar but distinct purposes. I'm glad to have both. If I could only have one, I would not be able to imagine our network without Darktrace.
Wow, thanks a lot for the insight. That was already more than I expected! We'll definitely take that into account.
What fucking kind of school allows sales pitches in classes? Alignment with corporations is bad enough.
In the real world, companies generally don't use them unless required. I'd recommend starting with open-source products like Wazuh.
Thanks for the recommendation! If it offers some relief, it's one of those "free" (as in easy) courses you have to take at my university if you choose cybersecurity (if you're interested: https://onderwijsaanbod.kuleuven.be/syllabi/e/H04G4AE.htm). It's admittedly a fairly empty course and I didn't feel like I learned much.