Are you considering purchasing a SIEM? Here are the top questions to ask to help you the make the best decision for your organization.
What is a SIEM (Security Information and Event Management)?
A SIEM provides an overall look at an organization’s security posture and helps correlate security events to discover threats.
A SIEM centrally collects data from multiple devices on your network, including your existing security appliances. Through an advanced correlation engine, it is able to proactively identify security events not otherwise detected by standalone security technology.
A SIEM centralizes logging capabilities on security events for enterprises and is principally used to analyze and/or report on the log entries received. The analysis capabilities of SIEM systems can detect attacks not discovered through other means and can direct the reconfiguration of other enterprise security controls to plug holes in enterprise security. Some of the top SIEM products — assuming an attack is still in progress — can even stop detected security breaches.
Read more: https://cybriant.com/managed-siem-faqs/
Questions to Ask Before Purchasing a SIEM
The first set of questions is for your internal purposes. A SIEM is not only a financial committment, but it is also a commitment in time and resources. Whether you are replacing a SIEM or investing in SIEM technology for the first time, these questions will help set you on the path to success.
- It’s important to understand why you need a SIEM. Is it just for compliance or do you need to have a better idea of the events coming in from your servers, databases, applications, and desktops?
- Will you be monitoring users internally or are your users mobile and working over VPN or internet?
- Which operating systems need to be covered?
- Do you need to collect information from firewalls, routers, switches, wireless APS, etc?
- Do you have compliance regulations that need to be met? For example, PCI DSS, ISO 270001, HIPAA, etc.
- What reports are required from your organization?
- Do you have the internal expertise to manage a SIEM 24/7? Will you provide ongoing training? Who will react to incoming threats? What alerting thresholds does your organization require?
- What is the cost of the license of the SIEM? What storage retention requirements do you have and what is the cost for those?
- What integrations are needed?
- What steps will you take when a threat is realized?
When you are selecting the SIEM that is right for your organization, it’s important to do your homework.
- Is the SIEM an on-premise tool, in the cloud, or hybrid?
- Which integrations are available?
- What threat intelligence is available?
- What does the console or dashboard look like?
- Does it identify Zero-Day attacks?
- What steps will you take when a threat is realized?
- What forensic capabilities are offered?
- Will they support outsourcing?
Consider a Managed SIEM
A SIEM is a complex tool that requires expertise to implement and maintain. To be effective, a SIEM must be constantly updated and customized because external threats and internal environments are constantly changing. It requires experienced security engineering to tune the SIEM to minimize false positive alerts and maximize the efficient detection of real breaches or malicious behavior.
Let’s look at circumstances that make security monitoring vital for an organization.
#1. Lack of internal expertise
Your organization can’t just throw people at security monitoring; you need the right people there. The right people are those with expertise in triaging alert, closing complex problems and understanding when they should alarm the incident response team. So if your organization has no sufficient internal expertise, you need a managed security monitoring
#2. Compliance Requirements
Virtually every regulatory mandate requires some form of log management to maintain an audit trail of activity. Ticketing and alerting capabilities also satisfy routine log data review requirements. Simply having a SIEM doesn’t mean it is effective, which is the point of the compliance requirement. Many companies prefer to outsource the management of the SIEM so it is used effectively.
#3. Advanced persistent threats
New attack vectors and vulnerabilities are discovered every day. Your organization likely has firewalls, IDS/IPS, and AV solutions installed that look for malicious activity at various points within the IT infrastructure, from the perimeter to endpoints. However, many of these solutions are not equipped to detect zero-day attacks and advanced persistent threats
#4. Around the clock monitoring
If you want 24/7 security monitoring, you will need more staffing to carry out the job, but managed services already have employees monitoring their security monitoring platform 24/7. That is why managed service is the better option when it comes to round the clock monitoring. Check out our document Insource vs. Outsource, a cost comparison for building a 24/7 security operations center.
Use cases where managed security monitoring is commonly used
- Advanced detection
- Device monitoring/alerting
- Compliance reporting
- And much more
No matter the size of your organization, you need to protect your data. And failure to protect your data puts the company at the risk of financial issue, loss of goodwill and legal liability.
Should You Consider Managed SIEM?
Utilizing and managing a SIEM in-house is typically reserved for large organizations that have the budget for developing a large, specialized team.
Deploying a fully managed SIEM also means that your team consists of security analysts that oversee your system around the clock and calendar. This is their one and only dedicated job, and not an additional task for an already overworked engineer.
One thing that most people in the industry can agree on – SIEM implementations are tough, invasive, and time-consuming. Each device must be touched, configured, and coordinated – this is a painstaking step that can’t be avoided. Then, the data starts flowing and you must have the expertise to use it.
Along with volumes of data come alerts, which in improperly tuned environments are often false alarms. When you work with Cybriant, our security engineers will tune the environment to squelch the noise created by false alarms, then on an ongoing basis, our analysts will determine which alarms are critical alerts.
Our team will look at any suspicious activity and determine which level of alert this activity falls under. When we identify a critical alert, we will open a ticket and follow a pre-defined escalation path informing the appropriate people in your organization with the information they need to take effective action.
When you are purchasing a SIEM, consider outsourcing the management of that SIEM to Cybriant. Our team will help guide your effort in choosing the best SIEM for your organization.