Security information and event management tools are capable of much more than just collecting and storing a network’s log, alert and event information. SIEM products can also deliver high-level insights by keeping track of trends and pinpointing the proverbial needle in the haystack.
But SIEM has a reputation for high cost and complexity. What’s reality and what’s fiction? Here’s a look beneath the surface.
Fallacy: SIEM Is Expensive
That once was true of SIEM, but no longer.
SIEM products became popular in the early 2000s after a wave of compliance regulations swept through the United States and Europe. Organizations quickly discovered that their intrusion prevention systems could not give them the information they needed to manage security threats effectively, given heightened detection, measurement and mitigation demands. SIEM vendors quickly responded to that need.
During the past decade, the market has matured. Alternatives that are more than log managers, but less than high-end SIEM systems, are now reasonably priced. Some SIEM makers also offer to combine their products with open-source log management tools, further leveraging resources and helping stretch budget dollars.
Fact: SIEMs Must Be Customized and Configured Up Front
A SIEM product cannot be installed and run without customization and configuration, but the process is not arduous now. Though providers automate as much as possible — for example, including automatic detection of some security devices — during a SIEM deployment there is no escape from building in business intelligence and knowledge of both network topology and all of the existing security tools.
During early SIEM installs, experts would tightly customize the SIEM tool to the existing network. Today’s budget-minded IT managers can take a different approach by starting with a small degree of customization and building in additional rules and data sources as the IT team grows more comfortable with the SIEM product.
The basic customization of the product should happen early, but the next steps in the process — for example, building reporting and automated alerts — can wait until there is a particular need for them.
Fact: Adding Data Sources Has Become Easier
As log, alert and event sources are added to the SIEM configuration, the absolute minimum requirement is parsing and normalization. If the SIEM tool cannot parse security messages well enough to distinguish, for instance, source IP addresses from destination IP addresses, or TCP/IP port numbers from event counts, then it isn’t delivering value.
Fortunately, SIEM vendors ship their products with parsing and normalization logic for common network and security devices. If automatic detection fails, then all an IT manager needs to do is match devices (usually by IP address) that have been added to the SIEM tool with basic inventory information: device type or model, vendor and firmware version.
There will always be exceptions to the rule, such as unusual devices or specific custom applications, but generally speaking, SIEM parsing and normalization features no longer pose a difficult challenge, nor do they require any esoteric knowledge or experience.
Fallacy: SIEM Is Useful Only in Security Operations Centers
SOCs may need SIEM, but a SIEM product’s utility isn’t limited to SOCs. Organizations can benefit from SIEM investments in many ways without using every SIEM feature available to them every day.
SIEM can help improve a company’s security posture and reduce its exposure to risk. For example, a SIEM system may generate alerts on specific security conditions, such as intensive probing of a public web server from the internet or a high number of viruses being blocked by anti-malware tools.
In a perfect world, a business might want to examine each of these alerts and take action. But generally, there’s not enough time to investigate every internet attacker that comes to the virtual door.
That doesn’t mean other SIEM alerts, such as excessive password failures inside the network, should be routinely ignored. Choosing what is important is part of configuring a SIEM product, and letting some alerts go unanswered is a reasonable strategy when managing resources.
Similarly, SIEM features such as report generation (summarizing particular types of events over time) and intelligent event searching might remain unused until there’s a security incident to be investigated. When an intrusion is detected — or even suspected — the time spent properly configuring a SIEM up front will more than pay for itself. IT teams will be able to quickly figure out what happened, contain and remediate problems faster and return the organization to business as usual in less time.
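The two points above, parsing and normalization of heterogeneous sources and a correlation rule for excessive password failures, can be illustrated with a small example. This is added code, not part of the original article or of any SIEM product; the log formats, host names and addresses are constructed for illustration, and the window and threshold values are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines from two hypothetical sources: a firewall and an SSH server.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=198.51.100.5 dport=443 proto=tcp count=12",
    "2024-03-01T10:00:05Z srv02 sshd[1201]: Failed password for admin from 10.0.0.42 port 51002 ssh2",
    "2024-03-01T10:00:06Z srv02 sshd[1201]: Failed password for root from 10.0.0.42 port 51003 ssh2",
    "2024-03-01T10:00:08Z srv02 sshd[1201]: Failed password for admin from 10.0.0.42 port 51004 ssh2",
    "2024-03-01T10:00:09Z srv02 sshd[1201]: Accepted password for admin from 10.0.0.42 port 51005 ssh2",
    "2024-03-01T10:00:10Z odd-appliance status=weird",  # no parser for it: the 'exception to the rule'
]

# One regex per source type; named groups map device-specific fields onto a common schema.
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\w+) src=(?P<src_ip>\S+) "
                   r"dst=(?P<dst_ip>\S+) dport=(?P<dst_port>\d+) proto=\w+ count=(?P<count>\d+)$")
SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
                    r"for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)")

def normalize(line):
    """Return a normalized event dict, or None when no parser matches (an unparsed line delivers no value)."""
    m = FW_RE.match(line)
    if m:
        return {"ts": m["ts"], "host": m["host"], "category": "firewall." + m["action"].lower(),
                "src_ip": m["src_ip"], "dst_ip": m["dst_ip"],
                "dst_port": int(m["dst_port"]), "count": int(m["count"])}
    m = SSH_RE.match(line)
    if m:
        category = "auth.failure" if m["result"] == "Failed" else "auth.success"
        return {"ts": m["ts"], "host": m["host"], "category": category, "user": m["user"],
                "src_ip": m["src_ip"], "src_port": int(m["src_port"]), "count": 1}
    return None

def excessive_auth_failures(events, threshold=3, window_s=60):
    """Correlation rule: source IPs with >= threshold auth failures inside any window_s-second span."""
    by_src = {}
    for e in events:
        if e["category"] == "auth.failure":
            by_src.setdefault(e["src_ip"], []).append(datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    alerts = {}
    for ip, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted failure timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), end - start + 1)
    return alerts
```

Lines that match no parser are dropped rather than guessed at, which is the case an IT manager must resolve by adding a parser or inventory mapping for that device.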