A Security Information and Event Management (SIEM) solution collects and analyzes activity from numerous resources across your IT infrastructure. A SIEM can provide information of critical importance, but how do you find one that fits your organization?
To select an appropriate SIEM solution for your business, you need to think about a variety of factors. We’ve talked to several industry professionals in order to get insight to help you get started.
Jae Lee, Senior Director, Elastic Security
SIEM is a mature product category and continues evolving. However, SIEM needs to enable teams to evolve, as SecOps transforms from “traditional” to “adaptive.”
Let’s start with people — traditional skillsets are based on tools (e.g., vulnerability, firewall, IDS/IPS, etc.), but broader skillsets are needed to help practitioners adapt quickly. Manipulating and analyzing data, performing collaborative research, understanding adversaries/tradecraft — SIEM must help augment and develop these skillsets.
Next is process — with improved skills, alerts no longer rule (unless allowed to), and pre-defined, static SOPs / playbooks alone are not enough. Teams now require real-time analysis to hunt — including performing research, reverse-engineering and simulating threats, and more. Context is everything. Hunting and operationalizing effectively requires full visibility — not in a separate tool, but within the SIEM.
Finally, technology. Full visibility isn’t just broad coverage, but fast insights. Also, detections need to work OOTB. Consider endpoint — there, OOTB detections have high accuracy. The same principle should apply in SIEM, without requiring every analyst to be an expert rule author. SIEM isn’t just “technology” — it needs real-world-validated security content.
As SecOps matures, major investments are often required for the care and feeding of a SIEM. You have to stop threats and justify your investment. Give yourself the runway to be confident that once deployed the SIEM can meet your fast-evolving needs, and ask hard questions around scale and flexibility — from detections to integrations, to deployment options, to pricing metrics.
Christopher Meenan, Director, QRadar Product Management and Strategy, IBM Cloud and Cognitive Software
The first thing to think about is what use cases you need to address. Your requirements will look very different depending on whether you need to secure your organization during a cloud transformation, build a unified IT and OT security operations program, or simply address compliance. Your use cases will drive requirements around integrations, use case content, analytics, and deployment methods.
Ask the vendors how they can help address your requirements. Understand which integrations and use case content are included, versus which require a separate license or custom development. Understand what analytics are available and how those analytics are used to detect known and unknown threats. Ask what frameworks, such as MITRE ATT&CK, are natively supported.
If you’re like most companies, your team is understaffed – which means you need usable products that help shorten the learning curve for new analysts and make your experienced team members more efficient. Ask how each solution measurably increases efficiency during the detection, investigation and response processes. Also ask about SaaS deployments and MSSP partnerships if to reduce on-going management requirements.
Most importantly, don’t be shy. Ask for a proof of concept to make sure the tools you’re considering will work for you.
Stephen Moore, Chief Security Strategist, Exabeam
The most seasoned and well-resourced security teams can be easily overwhelmed by the volume of organizational alerts they receive in a day and that complexity – coupled with the inherent difficulties of detecting credential-based attacks – means many SOC analysts now experience several pains that traditional SIEMs can’t solve, including alert fatigue, a lack of skilled analysts and lengthy investigation times.
Many organizations are now migrating their SIEM to the cloud, which allows analysts to harness greater compute power, sift through, interpret and operationalize SIEM data. Now more of their time is spent finding bad things versus platform and server support. But to choose the right SIEM for ‘the business’ you need to consult with it. You need to align its capabilities to the goals, concerns and expectations of the business – which will undoubtedly have changed over the last few months. Above all else, this requires taking the time to ask the questions.
Then, make choices based on known adversary behavior and breach outcomes – focusing specifically on credentials – ensuring your platform is adversary adaptable and object centered. Ask, will it improve your time to answer (TTA) questions, such as ‘which account or asset is associated with this alert?’ or ‘what happened before, during, and after?’
Finally, any solution needs to help your SOC analysts focus on the right things. Key to this is automation – both in the form of incident timelines that display the full scope, acting as the storyboard of the incident, as well as an automated incident response capability for when action must be taken to return the environment to normal. Providing automation of the necessary investigation steps is the most important thing an incident responder can have so they may take action faster and most importantly minimize the risk of an incomplete response.
Wade Woolwine, Principal Security Researcher, Rapid7
While the term SIEM has “security” as the very first word, event and log management isn’t just for security teams.
When organizations look to invest in a SIEM or replace an existing SIEM, they should consider use cases across security, IT/cloud, engineering, physical security, and any other group who may benefit from a centralized aggregation of logs. Once the stakeholders have been identified, documenting the specific logs, their sources, and any use cases will ensure the organization has a master list of needs against which to evaluate vendors.
Organizations should also recognize that the use cases will change over time and new use cases will be implemented against the SIEM, especially within the security team. For this reason, organizations should also consider the following as hard requirements to support future growth:
- Support for adding and categorizing custom event sources by your own team
- Support for cloud based event sources
- Field searching level with advanced cross-data-type search functionality and regular expression support
- Saved searches with alerting
- Saved searches with dynamic dashboard reporting
- Ability to integrate threat feeds
- Support for automation platform integration
- API support
- Multi-day training included with purchase
Jesper Zerlang, CEO, LogPoint
As the complexity of enterprise infrastructures is increasing, a key component of a Modern SIEM solution is the ability to capture data from everywhere. This includes data on-premises, in the cloud, and from software, including enterprise applications like SAP. In today’s complex threat landscape, a SIEM that fully integrates UEBA and allows enterprises to relevantly enhance security analytics instantly is an absolute necessity.
The efficiency of your SIEM solution is entirely dependent on the data you feed into it. If the license model of a SIEM solution relies on the volume of data ingested or the number of transactions, the cost will be ever-increasing due to the overall growth in data volumes. As a consequence, you may select to skip SIEM coverage for certain parts of your infrastructure to cut costs, and that can prove fatal.
Choose a SIEM with a license model that that support the full digitalization of your business and allows you to fully predict the future cost. This will ensure that your business needs are aligned by your technology choices. And last but not least: Select a SIEM solution that has documented short time-to-value and complete your SIEM project on time. SIEM deployments, whether initial implementation or a replacement, are generally considered complicated and time-consuming. But they certainly don’t have to be.