Modern IT infrastructure generates a wealth of data. A large or mid-size enterprise can generate petabytes and, in some cases, even exabytes of log and metadata. Hackers know this and intentionally target organizations that are sitting on data gold mines. And, depending on how the attacker plays their cards they can tap into this data with all types of social engineering tactics.
Security Information and Event Management (SIEM) solutions take all this device data and make sense of it with actionable insights. A SIEM solution helps an organization aggregate, monitor, and correlate the massive volume of logs generated from multiple security devices.
Evaluating SIEM solutions can be daunting though. There are over 20+ vendors in the SIEM market and each has its own unique features and capabilities. As you evaluate these vendors, it’s important to know what critical features to look for in a SIEM.
Here are some of the important questions and answers you’ll need to find the right SIEM solution for your organization.
What’s the end goal of our SIEM deployment?
Your security team needs to set proper expectations of what the outcome of your SIEM deployment will look like. Make sure to discuss what types of data will be collected and monitored, if the SIEM is used to detect threats, if your security team needs to detect threats in real-time, and if it will be used for regulatory compliance. These are all questions you’ll want to explore with how your organization will leverage the SIEM technology.
Who will support and manage the SIEM solution?
You need to pair resources who will manage, monitor, and optimize the tool. A SIEM should be well-supported in an established Security Operations Center with plenty of dedicated internal security personnel. You may require a team of analysts and a security manager dedicated to supporting it. Don’t forget to include training and development time to successfully deploy a SIEM solution.
Do we need a third-party for managed SIEM?
If your organization is short on security resources, you may need a managed security services provider to manage the SIEM solution for you. This enables you to offload the tedious work of setting up your SIEM properly and curtails the short-term need to hire, train, and develop internal resources. It also eliminates the need to configure the SIEM tool for the right security alerts. The MSSP’s highly skilled experts can help your organization avoid “alert fatigue” which is often created when a SIEM is first deployed out-of-the-box or improperly configured. The MSSP will manage setting up event correlation rules so that the organization is focused on meaningful alerts.
How do we simplify our SIEM deployment? How easy is it to deploy?
Often SIEM solutions are deployed hastily without regard to how much planning and preparation goes into a successful deployment. You’ll want to ask the SIEM solution vendor how the appliance or application will be deployed within your network. You may need new on-premise servers and storage to support an appliance. Or, you may need to configure your cloud environment to communicate with the SIEM as well as any data center equipment.
How do we make sure the SIEM is fined-tuned and generates the right alerts?
The organization wants to quickly find out answers within their security operations using SIEM. And, the team wants to find out which threats require immediate attention, what’s happening inside the network, if data is passed outside the network, and more. So, it’s important to find out how the event correlation rules and monitoring are setup from the start and how they can be customized for your organization.
Does the SIEM solution interface well with your cloud applications?
Many organizations are adopting the public cloud for a variety of computer and storage applications. As a result, your compute, storage, and data assets may reside either in Amazon, Azure, Google or another IaaS platform. These assets require security monitoring and management. Why? Because, these public cloud providers place the responsibility of architecting security in the hands of the customer.
It’s worth noting that some SIEM solutions are built in the cloud while others are deployed as an appliance with on-premise infrastructure. You’ll want to find out if in either scenario the SIEM tool can access data in the cloud and on-premise infrastructure. Bottom line – the SIEM solution should monitor and correlate data across any platform where you keep your data.
What level of investment should we commit to a SIEM purchase?
SIEM pricing can be a bit difficult to navigate. You might see pricing as a base price for the appliance plus a per user or node charge. You might also have costs for onboarding and additional on-premise server or storage equipment if deploying a SIEM appliance.
On the other hand, some SIEM solutions are offered as cloud-based subscriptions. These plans offer a more affordable solution for a small to mid-size organization looking to save money. The pricing on SIEM solutions typically comes down to what your business needs and the features necessary that will align with your long-term objectives using a SIEM tool.
Looking for More Answers on SIEM Solutions?
CIPHER, a global managed security services provider and security consultancy, can help you evaluate which SIEM solution is right for your organization. Our team has more than 18 years of experience managing over 2,000 different security environments. Let our security experts at CIPHER help you optimize your SIEM solution and improve the maturity of your security operations.