
10 questions for a conscious choice of SIEM system
- Translation

Translator Note: The original 2017 document also provides a brief overview of 24 SIEM solutions and related technologies. Additionally, I recommend the Gartner report for 2014, 2015 and 2016.
Security Information and Event Management (SIEM) is a complex and expensive solution for collecting, normalizing, analyzing and correlating information from the log files of all IT systems; when used properly, however, the results it delivers are outstanding. The Solutions Review portal has prepared a list of 5 questions to ask yourself and 5 questions to ask a potential supplier; collecting the answers lets you choose the right SIEM system for your organization more consciously.
5 questions for your own team before choosing a SIEM
Question number 1. How will we configure and use our SIEM?
A SIEM works fully only in the hands of professionals and, when installed in a large organization, may require a team of 8 dedicated employees. Such a complex system without attendants is like an uninhabited fortress: seemingly impregnable, but it does nothing to stop an attacker. A SIEM does not replace the information security department; it is a tool that requires highly qualified specialists to achieve significant results.
Make sure your organization is capable of using a SIEM. Are the necessary resources and staff available? Can you hire and train new employees? If “no”, then perhaps the best solution for you would be to consider services from third-party service organizations (integrators and/or MSSPs).
Question number 2. What does my organization expect from SIEM?
This seems obvious, but you should know your requirements when choosing a SIEM or security analytics system. Prioritize the requirements of the business and the security department before starting the process of testing and evaluating systems. Which systems will be the log sources? Is real-time event collection required? Do all logs need to be collected, or only those from critical subsystems? What needs to be archived, and for how long? How will the collected data be used: for investigations? for vulnerability searches? for audits and compliance checks?
Question number 3. Do we need a complete solution, or is a log processing system enough?
The capabilities of SIEM solutions are impressive, but they are an expensive pleasure for the business and, moreover, difficult to maintain. If you are looking at the “coolest” system but have not yet thought about how to write or obtain “cool” use cases for it [scripts, rules, visualizations], you should reconsider your approach.
For example, many requirements of security standards can easily be met by a “simple” log management system (collection, storage, analysis and search capability). Therefore, if your main task is to process logs rather than correlate security events, do not buy more solution than you need.
Question number 4. Do we need a traditional SIEM or Big Data security analytics?
Systems for processing large amounts of data and searching for hidden patterns are winning their place in the sun in the SIEM market. These are very effective systems, but even more complex ones. Therefore, only companies with sufficient funding and a mature, fully staffed information security department can handle them; in such conditions they are able to show all their strengths.
Be careful: if there is a risk that your company will not cope with a SIEM, there is even less chance that Big Data security analytics will work well. Gartner analyst Anton Chuvakin advises “not to pay for the glamor of Big Data if there is little chance to justify the investment.”
Question number 5. How much money can I spend on buying and configuring the system?
A serious SIEM requires serious money. This includes the cost of the product license itself (and possibly integration and configuration services), the cost of the related IT infrastructure (databases, storage systems, etc.), and the cost of staff training. The total cost can easily reach hundreds of thousands of dollars, depending on these parameters.
As a way to save, you can consider cut-down versions of SIEM from well-known manufacturers, or full-fledged but inexpensive ones from niche players. You will not get the advanced functionality, but you will still be able to solve most of the SIEM tasks facing the information security department.
5 questions about the capabilities of the chosen SIEM and its supplier
Question number 6. How does their product cover the requirements of information security standards and audits?
Meeting the requirements of various information security standards is one of the most common reasons for acquiring a SIEM. Therefore, most solutions come out of the box with support for auditing and reporting according to the most popular standards, such as HIPAA, PCI DSS and SOX. The company will save significant time and resources using such automatic reporting from the SIEM, but first make sure that the report you need is included and suits you. What other pre-configured reports come out of the box? What are the options for adjusting them yourself?
Question number 7. What is the vendor’s expertise in deployment and configuration? In staff training?
The risk of failing to implement a system as complex as a SIEM is rather high. In a 2014 report, Gartner analyst Oliver Rochford said that between 20% and 30% of customers are dissatisfied with their implementation results. And once successfully deployed, the SIEM system will require qualified security personnel to work with it daily. Ask your provider what support they can provide during implementation of the solution and, if necessary, in training your employees.
Question number 8. Does this SIEM support cloud and Big Data platforms? That is, will the solution purchased today work with the systems purchased tomorrow?
Cloud (Software-, Platform-, Infrastructure-as-a-Service) products and Big Data processing platforms are either already used in your organization or will be used literally tomorrow. If you spend a serious amount on buying a SIEM today, you certainly want to be sure it can be integrated with new systems tomorrow.
Question number 9. How many log sources does the SIEM already support? How hard is it to connect a new, little-known one?
A SIEM will be of little use if it cannot accept logs from an important event source in your organization. Make sure that most of your systems can be connected to the SIEM by standard means, and that the complexity of connecting specific equipment (or an in-house application) will not be high.
The main log sources will be information security systems (such as firewalls, IPS/IDS, VPN, mail servers, anti-virus protection, etc.), as well as client and server operating systems.
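What "connecting a new source" actually costs is easiest to see in code: each log format needs a parser and a mapping into the SIEM's common event schema, and lines no parser recognises must be surfaced rather than silently dropped. The following is an added example, not code from the article or from any SIEM product. The sample lines, the in-house "billing-app" format, the event schema and the assumed year for the BSD syslog timestamp are all constructed for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines: a BSD-style syslog line from sshd, a firewall line
# in key=value form, a line from a hypothetical in-house "billing-app", and a
# line in a format the normalizer does not know (to show how gaps surface).
SAMPLE_LINES = [
    "Mar 12 10:15:01 host1 sshd[4242]: Failed password for invalid user admin "
    "from 198.51.100.7 port 51234 ssh2",
    "ts=2024-03-12T10:15:03Z src=198.51.100.7 dst=10.0.0.5 action=deny proto=tcp dport=22",
    "2024-03-12 10:15:05 | billing-app | WARN | login_failed | user=j.doe ip=198.51.100.7",
    "heartbeat ok 12345",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<app>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
APP_RE = re.compile(  # hypothetical in-house format: "ts | app | level | event | k=v ..."
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<app>[\w-]+) \| "
    r"(?P<level>\w+) \| (?P<event>\w+) \| (?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _event(**fields):
    """Common schema every parser maps into; fields a source lacks stay None."""
    base = {"timestamp": None, "source_type": None, "host": None, "src_ip": None,
            "user": None, "action": None, "outcome": None, "raw": None}
    base.update(fields)
    return base


def parse_syslog(line, assumed_year):
    """BSD syslog carries no year, so the caller supplies one (an assumption)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(
        year=assumed_year, tzinfo=timezone.utc)
    msg = m["msg"]
    ip = IPV4_RE.search(msg)
    user = re.search(r"for (?:invalid user )?(\S+) from", msg)
    outcome = ("failure" if msg.startswith("Failed")
               else "success" if msg.startswith("Accepted") else None)
    return _event(timestamp=ts.isoformat(), source_type="syslog:" + m["app"],
                  host=m["host"], src_ip=ip.group(0) if ip else None,
                  user=user.group(1) if user else None,
                  action="authentication", outcome=outcome, raw=line)


def parse_billing_app(line, assumed_year):
    """Parser for the hypothetical in-house application format."""
    m = APP_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m["rest"]))
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    outcome = {"login_failed": "failure", "login_ok": "success"}.get(m["event"])
    return _event(timestamp=ts.isoformat(), source_type="app:" + m["app"],
                  src_ip=fields.get("ip"), user=fields.get("user"),
                  action=m["event"], outcome=outcome, raw=line)


def parse_firewall_kv(line, assumed_year):
    """key=value firewall line; needs ts= and action= to be recognised."""
    fields = dict(KV_RE.findall(line))
    if "ts" not in fields or "action" not in fields:
        return None
    return _event(timestamp=fields["ts"].replace("Z", "+00:00"),
                  source_type="firewall", src_ip=fields.get("src"),
                  action=fields["action"],
                  outcome="blocked" if fields["action"] == "deny" else "allowed",
                  raw=line)


PARSERS = (parse_syslog, parse_billing_app, parse_firewall_kv)


def normalize(lines, assumed_year=2024):
    """Return (normalized events, lines no parser recognised).

    Unparsed lines are returned, not discarded: silently dropping them is how
    a SIEM ends up blind to a source everyone believes is connected.
    """
    events, unparsed = [], []
    for line in lines:
        for parser in PARSERS:
            ev = parser(line, assumed_year)
            if ev is not None:
                events.append(ev)
                break
        else:
            unparsed.append(line)
    return events, unparsed


def coverage(lines, assumed_year=2024):
    """Fraction of lines some parser handled; anything below 1.0 is a gap."""
    events, _ = normalize(lines, assumed_year)
    return len(events) / len(lines) if lines else 1.0


if __name__ == "__main__":
    evs, gaps = normalize(SAMPLE_LINES)
    for ev in evs:
        print(ev["timestamp"], ev["source_type"], ev["src_ip"], ev["user"], ev["outcome"])
    print("unparsed:", gaps, "coverage:", coverage(SAMPLE_LINES))
```

When evaluating a SIEM, the question to put to the vendor is which of these parsers ship out of the box and how the equivalent of `parse_billing_app` is written for your own applications; the `coverage` figure is what you track after go-live to make sure sources believed to be connected are actually being parsed.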
Question number 10. What are the capabilities of the data analysis system?
In addition to the basic alerting and reporting functions, a SIEM should provide the operator (an information security analyst) with tools for viewing and analyzing events in the logs in order to investigate an incident and develop a response to it. Even the smartest and best-tuned SIEM system is worse than the smartest analyst. After all, the system will not fire if there is no corresponding rule, and it cannot suspect that something is wrong without the context of what is happening. Therefore, manual analysis is still in demand, and the system should provide the analyst with convenient tools. Advanced search and visualization capabilities clearly contribute to the success of an incident investigation.
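Two points above are easier to see in working code: the distinction in question 3 between a log management system (collect, store, search) and a SIEM (correlate), and the point in question 10 that a rule fires only for the pattern it encodes, so the analyst still needs a search tool. The following is an added example, not code from the article or from any SIEM product: a minimal search function beside a sliding-window correlation rule that raises an alert when a burst of authentication failures from one source address is followed by a success from the same address. The events, field names, threshold and window are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, already-normalized authentication events of the kind a SIEM's
# collectors produce from sshd, VPN or application logs (not real data).
EVENTS = [
    {"timestamp": "2024-03-12T10:15:01+00:00", "src_ip": "198.51.100.7", "user": "admin",   "outcome": "failure"},
    {"timestamp": "2024-03-12T10:15:03+00:00", "src_ip": "198.51.100.7", "user": "root",    "outcome": "failure"},
    {"timestamp": "2024-03-12T10:15:05+00:00", "src_ip": "198.51.100.7", "user": "j.doe",   "outcome": "failure"},
    {"timestamp": "2024-03-12T10:15:06+00:00", "src_ip": "203.0.113.9",  "user": "a.smith", "outcome": "failure"},
    {"timestamp": "2024-03-12T10:15:08+00:00", "src_ip": "198.51.100.7", "user": "j.doe",   "outcome": "failure"},
    {"timestamp": "2024-03-12T10:15:12+00:00", "src_ip": "198.51.100.7", "user": "j.doe",   "outcome": "success"},
    {"timestamp": "2024-03-12T10:20:00+00:00", "src_ip": "203.0.113.9",  "user": "a.smith", "outcome": "success"},
]


def search(events, **criteria):
    """Log-management style lookup: events whose fields equal every criterion.

    This is what a plain log management system offers and what the analyst
    falls back on for anything no correlation rule covers.
    """
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def correlate_failed_then_success(events, threshold=3, window_seconds=60):
    """Correlation rule: at least `threshold` failures from one source IP
    within `window_seconds`, followed by a success from that IP, raise one
    alert. Any pattern this rule does not encode produces nothing, which is
    the article's point: without a matching rule the SIEM stays silent.
    """
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(deque)   # src_ip -> failure timestamps in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        ts = datetime.fromisoformat(ev["timestamp"])
        q = recent_failures[ev["src_ip"]]
        while q and ts - q[0] > window:    # evict failures that left the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(ts)
        elif ev["outcome"] == "success" and len(q) >= threshold:
            alerts.append({"rule": "auth_failures_then_success",
                           "src_ip": ev["src_ip"], "user": ev["user"],
                           "failures_in_window": len(q), "at": ev["timestamp"]})
            q.clear()                       # one alert per burst, not per success
    return alerts


if __name__ == "__main__":
    for alert in correlate_failed_then_success(EVENTS):
        print("ALERT", alert)
    # What the analyst does next: pull every event behind the alert for context.
    for ev in search(EVENTS, src_ip="198.51.100.7"):
        print(ev["timestamp"], ev["user"], ev["outcome"])
```

Note what the rule does not do: the single failure from 203.0.113.9 and its later success fall outside the window and never produce an alert, and with a higher threshold the first burst does not either. Whether that is the right behaviour is exactly the "use case" work from question 3 that the buyer, not the vendor, has to do.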