Finally, The Time For Security Information Event Management (SIEM)

The Time For SIEM

Security Information Event Management (SIEM) tools have been around for a long time. My first encounter with a SIEM vendor was about twenty years ago, while being courted to resell their product. To this day, I still recall two vivid memories from that meeting: the product was very complex, and it was quite costly to buy and implement.


I will never forget the salesman boastfully telling me the product would be great for driving our service business. He went on to brag that for every dollar of software sold, four dollars of service revenue would be required to implement it. I promptly inquired as to the average deal size. Again, he proudly answered that the software portion was $500,000, to which $2 million in services would be added. As nice as that sounded, red flags began flaring in my head like fireworks: software requiring that level of service to implement was probably far too complex for the typical enterprise to deploy, definitely not manageable on a day-to-day basis, and would most likely end up as shelfware. I never did partner with that vendor and in fact steered clear of all SIEM solutions during that time. My initial assessment was validated as our customers relayed stories of their failed or stalled SIEM projects.

The Time Has Come

Fast forward twenty years and a light at the end of the SIEM tunnel seems to have appeared. The time has come for SIEM implementations to live up to their initial promises and deliver both increased security and a return on investment. The optimism is based on three reasons: maturity of products, availability of cost-effective solutions, and increasing compliance concerns.


After a twenty-year incubation period there are now SIEM products capable of being installed and delivering useful data within a few weeks. This is mainly because these products now ship with an abundance of predefined correlation rules, which dramatically ease setup while reducing the customization required. Though greatly improved, there are still products out there that market themselves as “easy” while requiring a team of coders to create correlation rules – buyer beware. If possible, engage a trusted security partner to help navigate these waters and guide you to the appropriate SIEM. Even with a great SIEM product, an experienced partner will take a few weeks to implement and customize a SIEM to the point where useful data is not cluttered by a plethora of false-positive entries. Even at this point, continued fine tuning will be needed over the next 60-90 days to attain an optimal state.
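The setup-then-tune cycle described above, as an added example that is not part of the original post: a minimal correlation rule of the kind a SIEM ships predefined (repeated failed logins followed by a success from the same source), run over constructed sample log lines, with an allowlist showing the tuning step that keeps a known monitoring host from generating false positives. The log format, host names, addresses and the `svc_monitor` account are all invented for the illustration.

```python
"""Minimal SIEM-style correlation rule with a tuning allowlist (illustrative, not any product's code)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth events in a simple key=value format (not from a real system).
# alice: 5 failures then success from one source -> real finding.
# svc_monitor: same pattern from a monitoring host that probes logins -> expected noise.
# bob: a single typo'd password then success -> below threshold.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 host=web1 event=login_failed user=alice src=203.0.113.9
2024-05-01T10:00:03 host=web1 event=login_failed user=alice src=203.0.113.9
2024-05-01T10:00:05 host=web1 event=login_failed user=alice src=203.0.113.9
2024-05-01T10:00:07 host=web1 event=login_failed user=alice src=203.0.113.9
2024-05-01T10:00:09 host=web1 event=login_failed user=alice src=203.0.113.9
2024-05-01T10:00:12 host=web1 event=login_ok user=alice src=203.0.113.9
2024-05-01T10:05:00 host=web1 event=login_failed user=svc_monitor src=192.0.2.50
2024-05-01T10:05:02 host=web1 event=login_failed user=svc_monitor src=192.0.2.50
2024-05-01T10:05:04 host=web1 event=login_failed user=svc_monitor src=192.0.2.50
2024-05-01T10:05:06 host=web1 event=login_failed user=svc_monitor src=192.0.2.50
2024-05-01T10:05:08 host=web1 event=login_failed user=svc_monitor src=192.0.2.50
2024-05-01T10:05:10 host=web1 event=login_ok user=svc_monitor src=192.0.2.50
this line is malformed and must be skipped by the parser
2024-05-01T11:00:00 host=web1 event=login_failed user=bob src=198.51.100.7
2024-05-01T11:00:02 host=web1 event=login_ok user=bob src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one auth event into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def correlate(log_text, threshold=5, window_seconds=60, allowlist=frozenset()):
    """Rule: >= threshold failures for (user, src) inside the window, then a success, raises an alert.

    `allowlist` holds source addresses whose matches are suppressed; this is the
    tuning knob that turns a noisy out-of-the-box rule into a usable one.
    """
    recent = defaultdict(deque)  # (user, src) -> timestamps of failures still inside the window
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # malformed input is dropped, never allowed to crash the pipeline
        key = (rec["user"], rec["src"])
        failures = recent[key]
        # Age out failures older than the window before evaluating this event.
        while failures and (rec["ts"] - failures[0]).total_seconds() > window_seconds:
            failures.popleft()
        if rec["event"] == "login_failed":
            failures.append(rec["ts"])
        elif rec["event"] == "login_ok":
            if len(failures) >= threshold and rec["src"] not in allowlist:
                alerts.append({
                    "rule": "brute_force_then_success",
                    "user": rec["user"],
                    "src": rec["src"],
                    "failures": len(failures),
                    "at": rec["ts"].isoformat(),
                })
            failures.clear()  # a success resets the counter whether or not it alerted
    return alerts


if __name__ == "__main__":
    print("untuned:", correlate(SAMPLE_LOGS))
    print("tuned:  ", correlate(SAMPLE_LOGS, allowlist=frozenset({"192.0.2.50"})))
```

Run untuned, the rule fires twice; with the monitoring host allowlisted it fires once, for alice only. In a real deployment the allowlist, threshold and window are exactly the values the 60-90 days of tuning settle on, and each suppression should be documented so an auditor can see why a given source is excluded.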

SIEM SaaS Solutions

Two service models greatly reduce the cost and staffing requirements of SIEM: SIEM SaaS (Software as a Service) and Managed SIEM solutions. By leveraging a SIEM SaaS solution, companies can reduce the burden of implementing and maintaining the base SIEM software platform. Typically, with SIEM SaaS, the customer merely installs a SIEM agent on their servers or directs the log files to the SaaS provider. Though the customer is still required to perform policy setup and optimization, which should not be underestimated, at least some of the work is offloaded to the SaaS provider, making for a more palatable undertaking. In the case of a fully managed SIEM solution, the managed service provider assumes responsibility for getting the SIEM implemented and optimized, and in most cases performs the initial incident response and forensic analysis. This path, though more expensive than SIEM SaaS solutions, provides customers with many advantages. Besides implementation and tuning now being one hundred percent handled by the provider, the monitoring and incident response role is also assumed by the provider. This greatly reduces security staffing requirements, and thereby cost, while providing the hard-to-find security skills required on a 24x7 basis. For a mid-sized company, the staffing cost alone on a SIEM implementation can be a deal breaker.

Compliance Requirements

In today’s market, the most common reason for SIEM is to address compliance requirements. Though many of the regulations like HIPAA and PCI have been around for a while, it appears that auditors are now digging deeper into the technology infrastructure side of the IT shop and demanding proof of the required controls. By providing the ability to maintain logs, alert on breaches, and enable incident response and forensic analysis, SIEM has become an integral piece of any compliance plan.

Though my perception of SIEM has changed and I believe it can deliver on the value promised years ago, I do not want to leave you with the perception that SIEM is now a simple solution that provides business value out of the box. Along with the heightened interest in SIEM come vendors trying to jump on the bandwagon and retrofit their security product to be a SIEM. Most of these products do require sophistication and months of work to get implemented and optimized, as they have not undergone the maturation process of the other products. Also, leveraging a partner with experience implementing SIEM can greatly speed up execution of these projects and deliver a solution which provides a high degree of value. In many cases, outsourcing the SIEM solution to a managed service provider can enable a company to improve their security and meet compliance in a cost-effective and efficient manner.

By Marc Malizia
