Translator's note: The original document of 2017 also provides a brief overview of 24 SIEM solutions and related technologies. Additionally, I recommend the Gartner reports for 2014, 2015 and 2016.
Security Information and Event Management (SIEM) is a complex and expensive solution for collecting, normalizing, analyzing and correlating information from the log files of all IT systems; with proper operation, however, the results of its work are outstanding.
The Solutions Review portal prepared a list of 5 questions to ask yourself and 5 questions to ask a potential supplier; with the answers collected, you can make a more informed choice of a suitable SIEM system for implementation in your organization.
5 questions to your own team before choosing SIEM
Question number 1. How will we customize and use our SIEM?
A SIEM works properly only in the hands of professionals and, when deployed in a large organization, may require a team of 8 dedicated employees. Such a complex system without maintenance staff is like an uninhabited fortress: it looks impregnable, but does nothing to stop the attacker. A SIEM does not replace the Information Security department; it is a tool that requires highly qualified specialists to achieve meaningful results.
Make sure your organization is able to use a SIEM. Are the necessary resources and staff available? Can you hire and train new employees? If "no", then perhaps the best solution for you would be to consider services from third-party service organizations (integrators and/or MSSPs).
Question number 2. What does my organization expect to gain from implementing SIEM?
This seems obvious, but you need to know your requirements before choosing a SIEM or security analytics system. Prioritize the requirements of the business and the security department before starting the process of testing and evaluating systems. Which systems will be the sources of logs? Is real-time event collection required? Do all logs need to be collected, or only those from critical subsystems? What must be archived, and for how long? How will the collected data be used: for investigations? for searching for vulnerabilities? for audits and compliance checks?
Question number 3. Do we need a complete solution, or is a log management system sufficient?
The capabilities of SIEM solutions are impressive, but they are not a cheap pleasure for the business and, moreover, are difficult to maintain. If you are looking at the "coolest" system but have not even thought about how you will write or obtain "cool" use cases for it [scripts, rules, visualizations], you should reconsider your approach.
For example, many compliance requirements of security standards can easily be met by a "simple" log management system (collection, storage, analysis and search). Therefore, if your main task is handling logs, and not correlating security events, do not buy a redundant solution.
Question number 4. Do we need a traditional SIEM or security analytics on Big Data?
Systems for processing large data sets and searching for hidden patterns are winning their place in the sun on the SIEM market. These are very effective systems, but even more complex. Therefore they are within reach only for companies with sufficient funding and a mature, fully staffed Information Security department; only under such conditions can they show all their strengths.
Be careful: if your company risks not being able to handle a SIEM, there is even less chance that Big Data security analytics will work well. Gartner analyst Anton Chuvakin advises "not to pay for Big Data glamor if there is little chance of justifying the investment."
Question number 5. How much money can we spend on purchasing and setting up the system?
A serious SIEM requires serious money. This includes the cost of the license for the product itself (and possibly integration and configuration services), the cost of the associated IT infrastructure (databases, storage systems, etc.), and the cost of staff training. The total cost can easily reach hundreds of thousands of dollars, depending on the parameters above.
As an economy option, you can consider trimmed-down versions of SIEM from well-known manufacturers, or full-featured but inexpensive products from niche players. You will not get some advanced functionality, but you will still be able to solve most of the SIEM tasks facing the information security department.
5 questions about the SIEM under consideration and the vendor's capabilities
Question number 6. How will their product meet the requirements of IS standards and audits?
Complying with the requirements of various IS standards is one of the most frequent reasons for acquiring a SIEM. Therefore, most solutions already have out-of-the-box support for auditing and reporting on the most popular standards, such as HIPAA, PCI DSS and SOX. The company will save a lot of time and resources using such automated SIEM reporting, but first make sure that the report you need is included in the delivery and is right for you. What other pre-configured reports are available out of the box? What are the options for customizing them yourself?
Question number 7. What is the supplier's expertise in deployment and configuration? In staff training?
The risk of failing to implement a system as complex as a SIEM is quite large. In a 2014 report, Gartner analyst Oliver Rochford said that between 20% and 30% of customers are dissatisfied with the results of the implementation. And once successfully deployed, the SIEM system will require qualified security personnel to work with it daily. Ask the supplier what support they can provide during implementation and, if necessary, in training your employees.
Question number 8. Does this SIEM support working with cloud and Big Data platforms? In other words, will the solution purchased today work with the systems purchased tomorrow?
Cloud (Software-, Platform-, Infrastructure-as-a-Service) products and Big Data processing platforms are either already used in your organization or will be used literally tomorrow. If you spend a serious amount on purchasing a SIEM today, you clearly want to be sure it can be integrated with new systems tomorrow.
Question number 9. How many log sources does the SIEM already support? How difficult is it to connect a new, little-known one?
A SIEM will be deficient if it cannot receive logs from an important event source in your organization. Make sure that most of your systems can be connected to the SIEM with standard tools, and that the complexity of connecting specific equipment (or an in-house application) will not be high.
The main sources of logs will be information security systems (such as firewalls, IPS/IDS, VPN, mail servers, anti-virus systems, etc.), as well as client and server operating systems.
Question number 10. What are the data analysis capabilities of the system?
In addition to the basic functions of alerting and reporting, a SIEM should provide the operator (an analyst in the information security department) with tools for viewing and analyzing events in the logs in order to investigate an incident and develop a response to it. Even the smartest and best-tuned SIEM system is worse than the smartest analyst. After all, the system will not fire if there is no corresponding rule, and it cannot suspect that something is wrong without the context of what is happening. Therefore manual analysis is still in demand, and the system should provide the analyst with convenient tools. Advanced search and data visualization contribute directly to the success of an incident investigation.
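As an added example that is not part of the original article, the sketch below shows the two mechanisms behind Questions 9 and 10 at their smallest: a per-source connector that normalizes raw log lines into one schema, and a single correlation rule that fires on repeated logon failures followed by a success. The log formats, hosts, users and addresses are all constructed for illustration; no real product's connector or rule syntax is implied.

```python
import re
from collections import defaultdict

# Constructed sample events (not real logs) from two sources: a VPN gateway in
# syslog style and a Windows logon export in key=value style, in time order.
VPN_LOGS = [
    "Jan 10 08:00:01 vpn1 sslvpn: user=alice src=203.0.113.5 result=FAILED",
    "Jan 10 08:00:07 vpn1 sslvpn: user=alice src=203.0.113.5 result=FAILED",
    "Jan 10 08:00:12 vpn1 sslvpn: user=alice src=203.0.113.5 result=FAILED",
    "Jan 10 08:00:20 vpn1 sslvpn: user=alice src=203.0.113.5 result=SUCCESS",
]
WIN_LOGS = [
    "EventID=4625 Account=carol Source=10.0.0.7 Status=0xC000006D",
    "EventID=4624 Account=carol Source=10.0.0.7 LogonType=10",
]

CONNECTORS = {  # per source: a regex plus a predicate telling success from failure
    "vpn": (re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)"),
            lambda m: m["result"] == "SUCCESS"),
    "windows": (re.compile(r"EventID=(?P<id>\d+) Account=(?P<user>\S+) Source=(?P<src>\S+)"),
                lambda m: m["id"] == "4624"),
}

def normalize(line, source):
    """Map one raw line onto the common schema; None if the line does not parse."""
    if source not in CONNECTORS:
        raise ValueError(f"no connector for source {source!r}")
    regex, is_success = CONNECTORS[source]
    m = regex.search(line)
    if m is None:
        return None
    outcome = "success" if is_success(m) else "failure"
    return {"source": source, "user": m["user"], "src": m["src"], "outcome": outcome}

def brute_force_then_success(events, threshold=3):
    """Rule: >= threshold failures for one (user, src) pair, then a success."""
    failures, alerts = defaultdict(int), []
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["outcome"] == "failure":
            failures[key] += 1
            continue
        if failures[key] >= threshold:
            alerts.append({"user": ev["user"], "src": ev["src"], "failures": failures[key]})
        failures[key] = 0  # any success resets the counter
    return alerts

def run():
    events = [normalize(l, "vpn") for l in VPN_LOGS]
    events += [normalize(l, "windows") for l in WIN_LOGS]
    return brute_force_then_success([e for e in events if e is not None])
```

Only alice trips the rule; carol's single failure before a success stays silent, which is exactly the case where an analyst with context, not the rule, decides whether it matters.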