SIEM Projects Require Enterprises Understand Security Needs

Security analysts weigh in on the process of selecting a security information and event management tool and staying above the vendor hype.

Security information and event management (SIEM) tools are on the spending lists of many companies concerned about security and compliance.

But getting down to the business of choosing and deploying a tool can be fraught with complications ranging from dealing with hype from vendors to expectations about what the technology will do.

"Internally, managing expectations about what the tool will do and when is absolutely critical and also brutally difficult," said Mike Rothman, an analyst with Securosis. "Everyone wants information important to them, but that creates a situation where you've got to boil the ocean. ...Externally, wading through all the vendor propaganda, hyperbole and competitive positioning is very difficult. In a reasonably mature market, all of the vendors say they do everything and the competition stinks. If you indulge the vendors and let them drive the process, your head may explode."

Organizations need to be clear on what their requirements for SIEM systems are-and that begins with bringing the right people to the table early on, several people told eWEEK. There are many potential stakeholders for the technology, from the security team to network administrators to the business side of the house.

"There is too much of what I would consider 'magical thinking' among organizations about SIEM," opined Scott Crawford, an analyst with Enterprise Management Associates. "The roots of the technology are in taming the huge volumes of data generated by security and other point products in order to determine the threat needles in many haystacks. Unfortunately, this has led too many organizations to assume that SIEM will therefore automate security event analysis in ways that only human analysts can.

"Almost every aspect will require tuning for a specific organization-from the point tools with which SIEM is integrated to the specific aspects of correlation and drill down desired," he added. "And correlation is no magic bullet-you're basically talking about a system for recognizing what is known, even though some attacks specifically target what is difficult to see or determine without human analysis."

According to Chris Poulin of Q1 Labs, customers sometimes purchase log management or SIEM to solve tactical needs such as regulatory compliance, but implement it without regard to enterprise need. Then sometime down the line, an executive demands to know what value the solution is providing and stirs things up, he added.

"Once they get the solution in place, they have to get buy-in from the owners of log sources and network activity to solve the compliance problem, not to mention get incremental value out of the solution once the compliance checkbox is filled," said Poulin, chief security officer at the company.

Organizations should establish a procurement committee to choose a tool and take a "phased implementation approach" so the vendor understands what needs to be done and how the tool will be used strategically over time, Rothman advised.

"Wading through the vendor crap requires discipline and a few trusted parties-[such as] resellers, analysts, peer networking groups-to keep everything honest," he said. "Don't trust the vendor references ... and ultimately pick a short list and then test each of the products in your environment. That's really the only way to know if the product can really work for you."