If you have been in this business for a while, you will have seen a full range of support tools designed to make log and threat analysis easier emerge over the past two decades. Everything from IDS/IPS tools like Snort to the latest Next-Gen SIEMs has been, and continues to be, used to help maintain network security. In the beginning, the only widespread users of the emerging commercial SIEM tools were the Big-Iron shops in the Fortune 500; the cost of these tools was prohibitive for most SMB shops. The big companies fueled the development and metamorphosis of this emerging toolset, and as SIEM technology became more reasonably priced, smaller companies began to purchase these applications.
Over time the number of vendors providing these tools grew, as did their capabilities. For the big shops a SIEM was an enhancement to the collection of other security tools in their arsenal, but for small to medium sized businesses the SIEM became a vital part of their security monitoring efforts. With server logs at a typical SMB reaching into the millions of entries each day, it became necessary to field one of these tools. As security teams became accustomed to the advanced collection, categorization, prioritization, and analysis of logs collected across the enterprise, they were able to mount credible mitigation efforts and minimize overall risk to their organizations. It quickly became obvious that the return on investment for a properly fielded SIEM application was huge in terms of breach detection, prevention, and threat mitigation.
In my own experience, I have used various SIEM tools over the years. Some were highly reliant on hardware that shipped with the SIEM software, while others have been largely hardware agnostic. I believe today that a VM-based SIEM offers the most growth potential as the number of servers and workstations within an enterprise expands over time. With VM offerings you are not tied to any given hardware implementation, and resources such as storage and CPU processing power can be allocated dynamically. Additionally, restoring a damaged SIEM environment homed within a VM is as quick as a “VM Snap” restoration, which takes considerably less time than restoring a physical server from backup media. Thankfully, many of the top SIEM vendors now offer their toolsets in VM formats.
Some other aspects of SIEM selection are:
Does the SIEM come pre-configured with a baseline of recommended settings? These can be modified and enhanced later, but it is important to reduce field deployment time to minimize installation costs. Beware of vendors that charge excessive fees for basic installation assistance. The purchase or licensing price might be fairly low, but what will the full installation and setup cost be? Look for a good baseline setup out of the box rather than one that ultimately carries a large setup penalty and cost.
If a managed SIEM is a consideration, look for vendors that offer 24x7 support. Just getting a few weekly or monthly assessment reports is pretty much useless in a rapidly changing threatscape. Many vendors now offer this service in cloud-based formats.
Also, look for a SIEM that offers automated mitigation as an option. This is a fairly new option among SIEMs, but many businesses that don’t have a 24x7 Security Operations Center might want this feature. It follows a logical set of directives: if something happens that meets the criteria you have chosen, the SIEM performs a selected mitigation step autonomously via an installed agent. The step might be something as simple as a technician alert, a full antivirus scan, or even a system shutdown. It might seem a bit trivial, but if you have this type of automated tool available, you will rest much easier at night when you don’t have any techs on site or on the job. EventTracker is one of the vendors that has successfully implemented this feature, and it has been honed over multiple upgrade cycles.
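To make the "criteria, then mitigation step" directive concrete, here is an added example that is not code from the post or from any SIEM vendor: a small rule engine that counts events per host inside a time window and hands the matching action (alert, AV scan, or host shutdown) to a simulated agent. The event tuples, rule names, thresholds, and action names are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events, not real logs: (timestamp in seconds, host, event type, detail)
SAMPLE_EVENTS = (
    [(t, "ws-01", "auth_failure", "10.0.0.5") for t in range(0, 50, 10)]     # 5 failures in 40 s
    + [(t, "ws-03", "auth_failure", "10.0.0.9") for t in (0, 300, 600)]      # 3 failures, spread out
    + [(120, "ws-02", "av_detection", "constructed-signature")]
    + [(200 + t, "srv-01", "mass_file_rename", "svc") for t in range(20)]    # 20 renames in 20 s
)

@dataclass
class Rule:
    name: str        # rule identifier
    event_type: str  # event type the criteria apply to
    threshold: int   # number of matching events needed...
    window: int      # ...within this many seconds on one host (0 = a single event is enough)
    action: str      # mitigation step the agent performs when the rule fires

# Hypothetical rule set: escalating responses from a technician alert up to a host shutdown
RULES = [
    Rule("brute_force", "auth_failure", 5, 60, "alert_technician"),
    Rule("malware_detected", "av_detection", 1, 0, "full_av_scan"),
    Rule("ransomware_activity", "mass_file_rename", 20, 30, "shutdown_host"),
]

def evaluate(events, rules):
    """Return (rule name, host, action) for every rule whose criteria a host meets."""
    triggered = []
    for rule in rules:
        per_host = defaultdict(list)
        for ts, host, etype, _detail in events:
            if etype == rule.event_type:
                per_host[host].append(ts)
        for host, times in per_host.items():
            times.sort()
            start = 0
            for end in range(len(times)):
                # slide the window start forward until every counted event fits in rule.window
                while times[end] - times[start] > rule.window:
                    start += 1
                if end - start + 1 >= rule.threshold:
                    triggered.append((rule.name, host, rule.action))
                    break  # one response per host per rule
    return triggered

def dispatch(triggered, dry_run=True):
    """Simulated agent: returns the actions it would take; nothing is executed here."""
    prefix = "[dry-run] " if dry_run else ""
    return [f"{prefix}{host}: {action} (rule {name})" for name, host, action in triggered]
```

Running with `dry_run=True` and reviewing the returned action list before wiring a real agent to it is the sensible way to tune thresholds, since a shutdown rule that fires on benign activity is itself an outage.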
Consider that all modern SIEMs will analyze logs and process them in some manner for display and alerts. Focus on the quality of security-event analysis, as this is the feature that sets some SIEMs far ahead of the pack. The top players in the market, such as IBM, McAfee, and RSA, all provide this, but they also tend to be the most expensive of the available vendors. Excellent products from smaller vendors such as EventTracker, LogRhythm, and NetIQ will fit much better into SMB budgetary constraints.
To wrap up this perspective, the SIEM has morphed rapidly over time in capability and usability. The SIEM is not “dead” as some have proclaimed; when properly utilized it can be an indispensable tool for your network security efforts today, and well into the future.