The following is an excerpt from Solutions Review’s 2016 SIEM Solutions Buyer’s Guide.
In 2015, SIEM and security analytics are seen as necessary parts of any significant enterprise security effort, but choosing the right SIEM solution for your organization isn’t easy. SIEM has a reputation as a complex and convoluted product, and implementation is a daunting process that can take weeks or even months to complete. Rush that process and you could end up with massive cost overruns or worse, an expensive, failed deployment.
To help you evaluate prospective SIEM solutions, here are five questions you should ask yourself before choosing one. If you find these questions helpful, check out Solutions Review’s free 2016 SIEM Buyer’s Guide, which features five more questions to ask prospective vendors, along with profiles of the top 24 SIEM and Security Analytics solutions.
How will we support our SIEM Solution?
SIEM only works if you work it, and a typical SIEM deployment can require a team of up to eight full-time employees to properly manage it. A SIEM without a dedicated team of security analysts is like an empty castle: it may seem imposing, but it’s not stopping anybody. A SIEM is not a substitute for a security department; it’s a tool, and it needs a good technical expert and ongoing attention to work properly and deliver value. Before considering which SIEM is right for you, make sure your organization is prepared to properly manage one. Do you have the resources and personnel to effectively manage a SIEM? Can you hire and train the staff necessary to support one? If not, you may be better off considering a managed services offering.
What does my organization want to get out of SIEM?
It may seem obvious, but you MUST know your requirements when evaluating SIEM or Security Analytics solutions. You wouldn’t buy a car without knowing what horsepower you need, or how many it needs to seat, and yet, many businesses rush into the buying process without fully considering their own needs. Before beginning the evaluation process you should rank your needs and your business drivers for adopting SIEM. What data sources do you need to log? Do you need real-time collection? Do you need to collect all security data or just a subset? What do you need to archive? For how long? How will you use data once collected? For Forensics? Detecting threats? Auditing and Compliance?
Do we need a full SIEM solution, or is log management sufficient?
SIEM systems are highly capable, but they’re also costly and complex. If your organization is window shopping for complex SIEM solutions without a complex use case, then you may want to reconsider. For example, many regulatory compliance requirements can be met with traditional log management solutions. If you find yourself more concerned with log management than with correlation, SEM, and SIM, this may be the right move for you.
Do we need ‘Security Analytics’ or traditional SIEM?
“Security Analytics” solutions, which leverage big data technologies and new analytic algorithms, are making a major impact on the SIEM market. They are extremely effective solutions, but they are also quite complicated. Organizations with mature, well-funded and dedicated security operations teams should investigate these kinds of solutions, which can recognize security threats better and reduce the workload on the analysts tasked with monitoring your systems. Be wary, though—if your organization is having trouble with its current SIEM deployment, it’s doubtful that you could handle a big data security analytics system. As Gartner Analyst Anton Chuvakin has said, “do not pay for the glamor of big data if there’s a low chance of benefiting from the investment.”
How much are we willing to spend?
For many, this is the first and most important question asked. Basically, how much are you willing to spend to achieve the above?
Traditionally, SIEM costs money. Lots of money. There are the initial license costs, often arranged as a base price plus a per-user or per-node fee; there are database and server costs, the cost of training personnel, and often additional external storage. Then there’s the ongoing cost of the personnel required to operate a SIEM effectively. A full-blown, enterprise-grade SIEM system can cost your business hundreds of thousands of dollars when all is said and done, and while that will give you top-of-the-line capabilities, not all businesses are capable of spending that kind of money. Some SIEM vendors offer a lightweight version that gives basic log management and reporting capabilities without the advanced analytic capabilities and other features that other SIEMs support. These lightweight SIEMs are considerably less expensive to acquire than other SIEMs, and could be a good alternative for businesses looking to save money.
Latest posts by Jeff Edwards