
Six tips to take advantage of your investment in SIEM

Security Information and Event Management (SIEM) is one of the most well-established categories of security software, having been first introduced about 20 years ago. However, very little has been written about evaluating and managing SIEM providers.

There are six basic and key tips on purchasing and implementing a SIEM solution to get maximum performance.

Evaluation and purchase of a SIEM solution

Measure spending

SIEM software solutions are priced in different ways: by the number of employees in the customer's organization, by the rate of events per second (EPS), or by the volume of logs ingested. It is important to settle this as early as possible so that you have a rough idea of what will be paid over time. At the same time, identify the representative data sources that the Security Operations Center (SOC) will feed into the SIEM.

Purchasing a SIEM is a huge commitment: you and the organization will have to live with your decision for years to come.

If you already have a SIEM deployed, give the vendor your current use cases and consumption figures; they should be able to replicate them. A good starting point is to estimate the volume of logs that will be sent to the SIEM. Measure the actual daily volume from each source by reviewing the logs stored locally on a "normal" day and counting the results.
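The sizing exercise described above is easy to automate. The following script is an added example, not code from the original article: given a day or two of locally stored logs, it computes per source the figures that SIEM vendors price on (daily event count, daily bytes, average EPS and peak EPS) and projects the raw storage a given retention period would need. The log line format, the source names and the sample lines are constructed for the example; adapt `parse_line` to your own log format.

```python
"""Size a SIEM purchase from a sample of locally stored logs.

Added example, not code from the original article. It estimates, per log
source, the daily event count, daily bytes, average events per second (EPS)
and peak EPS, which are the numbers SIEM vendors price on. The log format,
the source names and the sample lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample in "<ISO-8601 timestamp> <source> <message>" form,
# covering two "normal" days for three authentication sources.
SAMPLE_LOGS = [
    "2024-03-04T08:00:00 ad-dc01 4624 success user=alice",
    "2024-03-04T08:00:00 ad-dc01 4625 failure user=carol",
    "2024-03-04T17:30:12 ad-dc01 4624 success user=bobby",
    "2024-03-05T08:01:45 ad-dc01 4624 success user=alice",
    "2024-03-04T09:15:00 okta-sso login user=alice mfa=ok",
    "2024-03-05T09:20:30 okta-sso login user=bobby mfa=ok",
    "2024-03-04T10:00:00 salesforce login user=carol ip=203.0.113.7",
]

SECONDS_PER_DAY = 86_400


def parse_line(line):
    """Return (timestamp, source) for one log line; the message text is ignored."""
    ts_str, source, _message = line.split(" ", 2)
    return datetime.fromisoformat(ts_str), source


def summarize(lines):
    """Per-source sizing figures over the whole sample window.

    The window is the set of calendar days seen in *any* source, so a source
    that is quiet on some days is averaged down rather than inflated.
    """
    events = defaultdict(int)
    nbytes = defaultdict(int)
    per_second = defaultdict(lambda: defaultdict(int))
    days_seen = set()
    for line in lines:
        ts, source = parse_line(line)
        days_seen.add(ts.date())
        events[source] += 1
        nbytes[source] += len(line.encode("utf-8")) + 1  # +1 for the newline on disk
        per_second[source][ts.replace(microsecond=0)] += 1
    days = len(days_seen)
    summary = {}
    for source in events:
        summary[source] = {
            "events_per_day": events[source] / days,
            "bytes_per_day": nbytes[source] / days,
            "avg_eps": events[source] / (days * SECONDS_PER_DAY),
            "peak_eps": max(per_second[source].values()),
        }
    return summary


def totals(summary):
    """Aggregate the per-source figures into the numbers a quote is based on."""
    return {
        "events_per_day": sum(s["events_per_day"] for s in summary.values()),
        "bytes_per_day": sum(s["bytes_per_day"] for s in summary.values()),
        "avg_eps": sum(s["avg_eps"] for s in summary.values()),
        # Summing per-source peaks is a conservative upper bound: the bursts
        # need not coincide, but the licence must cover them if they do.
        "peak_eps": sum(s["peak_eps"] for s in summary.values()),
    }


def retention_gb(summary, retention_days=365, headroom=1.25):
    """Raw storage for *retention_days* of logs, with *headroom* for growth
    and for the volume a short sample tends to under-count."""
    daily = totals(summary)["bytes_per_day"]
    return daily * retention_days * headroom / 1e9


if __name__ == "__main__":
    report = summarize(SAMPLE_LOGS)
    for source, s in sorted(report.items()):
        print(f"{source:12} {s['events_per_day']:8.1f} ev/day "
              f"{s['bytes_per_day']:8.1f} B/day "
              f"avg {s['avg_eps']:.6f} EPS  peak {s['peak_eps']} EPS")
    t = totals(report)
    print(f"{'TOTAL':12} {t['events_per_day']:8.1f} ev/day {t['bytes_per_day']:8.1f} B/day")
    print(f"365-day retention with 25% headroom: {retention_gb(report):.9f} GB")
```

Run it against a real day of exported logs (one line per event, one file per source) and you get the two inputs a vendor needs for a volume- or EPS-based quote, plus the figure to compare against any per-employee price the vendor proposes. The averaging over the whole window matters: a source sampled on a quiet day still consumes licence on busy ones, so take the sample from a genuinely representative day.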

If the SIEM provider charges by the number of employees in your organization, be cautious. This is usually a way to charge more for the SIEM by counting employees who generate no relevant data at all.

Evaluate your provider's practices

The next step is to perform a proof of concept (POC); this should be a starting point for eventual implementation, not a stand-alone canned exercise. During this process, the supplier must demonstrate a level of service that they will want to maintain after the sale. Here are some key questions to consider during this process:

  • Who will manage the account? Ideally, a vendor will commit qualified technical staff to execute their initial assessment and perform an implementation.
  • Who on the team will take technical lead in the evaluation and who will ultimately implement it? Ideally, it will be the same person or a small group of people.
  • After purchasing a SIEM, what's next on the roadmap? Security Orchestration, Automation and Response (SOAR)? Cloud Security Posture Management (CSPM)? You have to ensure that the provider can integrate with a wide range of technologies.
  • It is critical to fully understand the vendor's front-end and back-end software architecture. Some providers that call themselves “true SaaS” or “cloud native” are not. Don't lock yourself into a 12-month contract when you don't know how the new vehicle's engine works.

Don't be fooled: know the total implementation cost

When discussing the total price, make sure you know the total cost of implementation. Be on the lookout for possible surprises, for example:

  • Many vendors will wait until the time of purchase to add an additional 15% to 20% in installation costs for professional services.
  • Some SIEM providers, especially traditional players, charge tens of thousands of dollars to leave the platform.
  • If a provider wants to charge for an evaluation or POC, they should be avoided. (You wouldn't buy a car that they charge you to test drive!)

Implementing a SIEM to get maximum value

Prioritize data sources

Develop a multi-year implementation plan to work with data sources in order of return on investment (ROI) priority to ensure the project adds iterative value over time.

  1. Prioritizing low-volume, easy-to-parse logs will let you generate immediate value without much effort. Start with authentication logs for your high-value data sources [e.g. Active Directory, single sign-on (SSO)] and then move on to authentication for high-profile cloud applications (e.g. Salesforce.com, Google Workspace).
  2. Once that is in place, start thinking about the more complicated sources, such as endpoint protection tools and system-level logging. Parsing, filtering and visualizing them takes more finesse.
  3. Save application logs for last. Your SOC team will need help from the organization's developers to parse these logs and interpret the results.

Know the long-term considerations

As the technical implementation progresses, ensure that a set of processes is created to sustain the SIEM in the long term. Here manuals (runbooks), the set of standardized written procedures for completing repetitive information technology (IT) processes within the company, are the main support. They give the team a coherent set of standards to follow. The format doesn't really matter; the important thing is to focus on invoking the right processes and providing basic guidance on how to follow them.

The long term: working with the supplier after the sale

Supplier management is an art once the deal is closed. The most important practice is to conduct quarterly business review meetings to evaluate all aspects of the supplier-customer collaboration. First, provide feedback to the supplier about the product, service or business commitment. The supplier then shares the roadmap and receives feedback. Then together you discuss enterprise-level collaborations, such as joint marketing (case studies, for example) or partnerships (getting the SIEM vendor to work well with other security vendors).

Summary

To get the most out of your SIEM investment, these six tips may be useful, adapted to the reality of your organization:

  • Prepare carefully for the evaluation with a comprehensive sizing exercise.
  • Conduct an assessment that executes all aspects of the vendor's SIEM practice.
  • Obtain all implementation costs.
  • Prioritize data sources and prepare a one- to two-year plan for data ingestion.
  • Thoroughly document SIEM workflows and manuals.
  • Establish quarterly meetings with the supplier's executive team to address outstanding issues and align with strategy.