Selecting SIEM Tools - Questions to Consider
So, you’ve done your homework, you’ve clearly defined business requirements, and you’ve decided to implement a SIEM solution in your organization. However, before you set out on this adventure, there are quite a few questions to consider.
Does my company really need a SIEM tool?
SIEMs are not plug-and-play solutions, and they are neither cheap nor simple. Yet so many companies implement them. Why? Because they are necessary. In a world of constant security breaches and attempts at breaking into sealed networks, having a quality SIEM tool at your disposal is the right thing to do. Apart from that, there are several other reasons why you should consider implementing this solution:
- Log management
- Monitoring and incident response
- Ticketing systems
- Policy violations and enforcement validation
- Compliance obligations (for example, HIPAA, PII, COBIT 5)
- Certifications (ISO standards)
Will the SIEM tool implementation be tricky?
SIEM implementations can be complex, which is why a lot of companies opt for bringing in either a vendor-supplied professional or an outside consultant to help them with their setup. If, on the other hand, you decide to implement it yourself, here are the basic steps:
- Determine the system architecture. Note dashboard and reporting systems, storage and indexing systems, and finally, log collection systems.
- Choose appropriate hardware. Take into consideration the number of log sources and a projected volume (events per second).
- Determine storage requirements and pick a suitable storage network infrastructure.
- Proceed with a server, software, and appliance installation.
- Configure the system. In this final stage you’ll need to make tweaks to set up dashboards, configure correlation rules, schedule reports, and enable alerts.
Will I need to hire more people?
According to the Ponemon Institute survey, approximately 2 out of 3 companies needed to bring in additional people to maximize the value of the newly implemented SIEM solution. Not only is there an implementation cost, but it’s highly likely you’ll either have to bring someone in or reassign one of your existing employees to fill a SIEM-exclusive role in your organization.
There is another option though, which might interest you especially if you run a smaller company: you can opt to employ a managed security service provider (MSSP), essentially outsourcing the role. The provider monitors your system and acts on alerts by putting proactive and reactive safety measures in place.
Is a SIEM tool enough on its own?
SIEM tools are an excellent way to protect your network, but they are hardly sufficient on their own; they should always be “backed up” by other tools as well. You should always consider how well the solution integrates with the rest of your stack. Think about vulnerability scanners and ticketing services, as well as patch management software: all of this is needed for your defenses to hold.
For example, combining SIEM with log management solutions allows you to conduct further and deeper analysis and investigations of potential threats. These solutions capture all types of log data in a single hub and provide you with granular search capabilities as well as actionable steps for remediation.
What does a SIEM solution cost?
Great question! There are quite a few alternatives out there, some of them costing an arm and a leg, while others are not as expensive; some of these come as open source alternatives as well. And while the cost of the tool itself is not as scary as one might think, there are several additional costs you should be aware of:
- Implementation cost – We already mentioned that a vast majority of companies opt for bringing in an external advisor to set up the system. Even if you opt to deploy it internally, there will be expenses in time, manpower, and additional training if it is required.
- Training cost – Keep in mind that after implementation your staff will need training, and then retraining if there is ever a change to the workforce.
- Additional staffing cost – Managing and monitoring a SIEM tool is often a full-time job, and whether done by an internal or external expert, both will cost.
- Recurring costs – These costs include ongoing tuning, licensing, upgrade, and bandwidth fees.
Will SIEM software work with my current system?
Usually, you’ll introduce a SIEM solution into an already established IT environment, with devices and applications up and running. Apart from that, you must take into consideration the way the environment is built.
Find out about the collection methods: do they require installing agents, or can collection be done remotely? Take note of the ports and the connections needed within and outside of your network. Also, keep in mind that for most companies a solution that supports both on-premises and cloud infrastructure is the way to go.
Which features should I be looking for?
Apart from forensic capabilities, reporting, security events correlation, alarms, grouping, and storage (all of which we mentioned in our SIEM Simplified post), there are some other features that would be (very) nice for your SIEM solution to have:
- User and Entity Behavior Analytics (UEBA)
In 81% of cases, network breaches are attempted using already compromised user authentication credentials, obtained through stolen or weak passwords. For example, an individual who usually logs on to the system between 9am and 5pm on workdays trying to log in on a Saturday at 2am is a giveaway that something is amiss. In this case, a SIEM’s user and entity behavior analytics would warn you that unusual or anomalous behavior has been noted on your network.
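To make the “9 to 5 on workdays, then Saturday at 2am” scenario concrete, here is an added example of the simplest form of the baseline-and-deviation logic a UEBA feature performs. It is not code from the original post or from any SIEM product: the login record format, the sample users, the IP addresses and the one-hour tolerance are all constructed assumptions, and a real UEBA engine would build its profile from weeks of history with statistical models rather than from a handful of records. The example learns each user's usual weekdays, hours and source addresses from successful logins, then reports every way a new event (successful or failed) departs from that profile.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login records (not from a real system).
# Format: timestamp,user,source_ip,outcome
HISTORY = """\
2024-03-04T09:05:00,alice,10.0.0.12,success
2024-03-05T08:58:00,alice,10.0.0.12,success
2024-03-06T09:12:00,alice,10.0.0.12,success
2024-03-07T13:30:00,alice,10.0.0.12,success
2024-03-08T16:45:00,alice,10.0.0.12,success
2024-03-04T22:10:00,bob,10.0.0.40,success
2024-03-05T23:02:00,bob,10.0.0.40,success
2024-03-06T21:55:00,bob,10.0.0.40,success
"""

# Constructed events from the following week, to be scored against the baseline.
NEW_EVENTS = """\
2024-03-11T09:02:00,alice,10.0.0.12,success
2024-03-16T02:07:00,alice,203.0.113.9,success
2024-03-12T22:30:00,bob,10.0.0.40,success
2024-03-13T03:15:00,bob,10.0.0.40,failure
2024-03-13T10:00:00,carol,10.0.0.77,success
"""


def parse(text):
    """Turn the CSV-style records into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "outcome": outcome})
    return events


def build_baseline(events):
    """Per user, record the weekdays, hours and source IPs seen on successful logins."""
    baseline = defaultdict(lambda: {"days": set(), "hours": set(), "ips": set()})
    for e in events:
        if e["outcome"] != "success":
            continue  # only established behaviour feeds the profile
        profile = baseline[e["user"]]
        profile["days"].add(e["ts"].weekday())
        profile["hours"].add(e["ts"].hour)
        profile["ips"].add(e["ip"])
    return baseline


def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def score(event, baseline, hour_slack=1):
    """Return the list of reasons the event deviates from the user's profile (empty if none)."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if event["ts"].weekday() not in profile["days"]:
        reasons.append("unusual weekday")
    hour = event["ts"].hour
    if all(hour_distance(hour, h) > hour_slack for h in profile["hours"]):
        reasons.append("unusual hour")
    if event["ip"] not in profile["ips"]:
        reasons.append("new source ip")
    return reasons


def flag_anomalies(history_text, events_text):
    """Build the baseline from history and return (user, timestamp, reasons) for each deviating event."""
    baseline = build_baseline(parse(history_text))
    flagged = []
    for e in parse(events_text):
        reasons = score(e, baseline)
        if reasons:
            flagged.append((e["user"], e["ts"].isoformat(), reasons))
    return flagged


if __name__ == "__main__":
    for user, ts, reasons in flag_anomalies(HISTORY, NEW_EVENTS):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

Run as a script, it prints one line per flagged event: alice's Saturday 2am login from an unfamiliar address trips all three checks, bob's 3am failed attempt trips only the hour check, and carol is flagged simply because there is no history to compare against. That last case is worth keeping in mind when evaluating a product: a UEBA feature is only as good as the baseline it has had time to build, so expect a noisy period right after deployment.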
- Security Orchestration Automation and Response (SOAR)
With SOAR, the system recognizes suspicious activity or threats and acts accordingly by automatically mitigating the threat. For example, if the risk analysis and vulnerability scan system determines that one of the servers is a potential “breach risk,” SOAR automatically applies a third-party patch or activates an adequate tool to mitigate the danger.
- AI in Big Data Analysis
Both UEBA and SOAR are results of integrating AI or machine learning into a SIEM: automatic rule generation, advanced statistical analysis, and anomalous-behavior detection are all designed to increase efficiency and lower the rate of false-positive threats.
Still, AI in the SIEM context is in its early days. There have been attempts at making it replace the existing methods, but no evidence has been produced that would substantiate such a move. Until then, a combination of machine learning and existing methods is the way to go.