Hey folks! I'm trying to find the sweet spot with managing public-facing Linux server environments. Right now, I'm torn between sending all logs to a central SIEM for thorough analysis and relying more on an Endpoint Protection Platform (EPP) to quietly manage threats at the edge. We've shifted towards EPP to prevent frequent alerts that disrupt our SOC at odd hours, but I'm concerned that this 'silent kill' strategy might leave us blind to larger, coordinated attacks that a SIEM could detect if we fed it all our logs. For those managing exposed nodes, are you pushing everything to a SIEM despite the costs and alert tuning, or are you letting EPP handle the exec layer with fewer alerts? How do you cope with the anxiety of not knowing what your edge agents are blocking?
1 Answer
I really can't imagine running public-facing servers without integrating them with a SIEM. While I understand security and can build our infrastructure securely, I don’t think I can match what a SIEM does in terms of potential issue analysis and alerting. Sure, it costs money, but thinking I could handle that part of the job too is unrealistic.

Agreed! It's crucial to distinguish between configuring your systems and monitoring them properly. I've seen too many people treat their SIEM as a 'set it and forget it' system, only to ignore vital alerts later on because the noise was overwhelming. We're trying to let the EPP manage the obvious threats to keep the alerts in check for our SIEM. Do you get a lot of actionable insights from your CDN logs?