Tips To Buy And Implement SIEM Solution

Use the following checklist to make sure you are on the right track when choosing your first or next SIEM solution. The whole process takes one to four weeks depending on your dedication and vendor availability. Remember, the worst thing you can do is rush the first few steps:

  • Write a plan

Write down all the steps you anticipate, and maintain documentation and progress notes throughout every stage. Put rough deadlines on the steps and start communicating with stakeholders.

  • Justify the need

This will help you understand the criteria better later, but generally I would recommend it for any type of information security project. This step ensures you are not getting a SIEM just because it is out there, or because you have spare money and other resources to spend.

Ask yourself, your IT team, and even the manager who assigned you the task: why do we need a SIEM? What problem is it going to solve? What will our world look like after SIEM? Is it for compliance, customer expectation, market pressure, or to enhance the visibility of your environment?

  • Scope

Scoping gives you a better understanding of the environment. With a concept like SIEM in particular, the moment you start thinking about scope you realize how far behind you might be in preparing your environment. At minimum, list the log sources in scope, their expected volume (events per second or GB per day) and the retention you need, since these drive sizing and licensing later.

  • Budget based on Risk

Budgeting based on the size of your pocket is like overeating on purpose when you know it is bad for you. Budgeting without considering risk neutralizes all the other steps. I consider this step so fundamental that ignoring it shows there is no understanding of the whole subject of information security within the organization.

A simple risk assessment can give you the right budget, but unfortunately that assessment usually does not exist, so you have to create something from scratch just to support SIEM budgeting. Assess the risk of not having enough visibility and detection in certain areas of IT operation and evaluate the risk factors. Once you start this process you will realize how naive and narrowly designed most SIEM solutions on the market are right now.

  • Define criteria

During the previous steps you should have been able to compile a criteria list. The more precise the criteria, the easier the initial vendor shortlist. Without criteria there is no point even browsing a vendor website. With criteria in hand, you can simply check them off in the next step.

The list should cover things like the primary objective (compliance, risk or threat management); architecture (managed or self-operated, on-premises or cloud); interface and performance; types of log and data collection; integration considerations; correlation capabilities; intelligence feeds; remediation and response; and so on.

  • Identify targeted platforms

First you need to list SIEM vendors; there are plenty of them. Do not assume a good SIEM is a matter of how long a company has been doing this or how well known the brand is. Vendor reputation can be part of your criteria, since it is a big factor, but do not confuse reputation with brand: not all known brands are necessarily better. Research and learn from vendors, and read all the white papers they provide. If they are not willing to share them on their website it is not a good sign, but don't be discouraged; go for a meeting instead. Here is a starting list of vendors/solutions:

AlienVault, Cygilant, EventTracker, HP, IBM, LogRhythm, McAfee, NetIQ, Proficio, Rapid7, RSA, Solarwinds, Stratozen, Splunk…

…remember, all are good and all are bad; it depends on your criteria.

  • Meetup with vendor

Nothing beats a short call; if you get a good signal, go for a video presentation and have them demo. Never direct the vendor: let them manage the meeting and content, listen to their questions, and start your evaluation from the first call. Most vendors do not reveal anything alarming in email or regular phone calls, so insist on a demo and on meeting their technical team. Ask about your criteria, but in the meantime listen to what they reveal and how. Depending on your situation you may be more focused on how they execute, or on how they help you set up and run on-premises.

  • Launch trials

Trials are the best time and tool for evaluation, and they are also a sign of how comfortable and confident a vendor is. I personally would not even consider a solution if the vendor is not willing to let me try it. Trials are not just for finding glitches; they are mainly there to refine your criteria and turn expectations into real-world scenarios. Always let a vendor know if you go with a different one; you never know when you will need to call them next, so be professional and respect marketing manners.

  • Evaluate

Now it is time to evaluate the materials, meetings and trials; most of the time you get the answer within the first three or four days of a trial. Justify any compromise on predefined criteria, and never hesitate to redefine and refine them, but never skip the justification. Sometimes you have to reassess a risk when you revise your criteria.

  • Prepare environment

Jumping into implementation without preparing your environment is not a good idea. Now it is time to go through all the details and technical requirements you should have planned for during scoping: prepare VMs and cloud applications, and the small things such as SNMP and Windows Event Forwarding. Check that clocks are synchronized across sources and that every in-scope source actually delivers logs to the collector before go-live, since correlation depends on both. This is the time for your technical team to show off. You should not have any problem if scoping was rational, but most companies hit multiple issues at this stage because of a lack of scoping early on.

  • Implement

Meet the deadline and kick off; this will be a big milestone for your IT security operation.

  • Tune

Noise is the nature of SIEM, so plan tuning based on the size of the company and/or the scope of the system. This should be part of your baselining process anyway (if you have one); without proper baselines your team will be confused and stressed for longer.
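As an added illustration of what "tuning based on baselines" means in practice (this is example code written for this page, not from the original post or any vendor), the block below contrasts an untuned static rule with a per-host baseline. The host names, the fourteen days of failed-logon counts and the "today" counts are all constructed data; the `k` multiplier and the alert floor are assumed tuning knobs you would set per environment.

```python
"""Per-host baselining as a SIEM tuning step (added example, not from the original post).

Constructed data: fourteen days of daily failed-logon counts per host.
An untuned static rule ("alert above 25 failures a day") pages on the
build server every day; a per-host baseline suppresses that known noise
and still catches an unusual jump on a normally quiet workstation.
"""
from statistics import mean, pstdev

STATIC_THRESHOLD = 25  # the untuned, one-size-fits-all rule

# Constructed 14-day training window (failed logons per day). Host names are made up.
HISTORY = {
    "build01": [180, 210, 195, 220, 205, 190, 215, 200, 198, 208, 212, 190, 201, 207],  # CI box: noisy by design
    "dc01":    [30, 28, 35, 31, 29, 33, 27, 32, 30, 34, 29, 31, 30, 33],
    "hr-ws07": [1, 0, 2, 1, 0, 1, 3, 0, 1, 2, 1, 0, 1, 2],                             # quiet workstation
}

# Constructed counts for the day being evaluated.
TODAY = {"build01": 225, "dc01": 31, "hr-ws07": 40}


def build_baseline(history, min_days=7):
    """Mean and population standard deviation per host; hosts with too little history get none."""
    return {host: (mean(c), pstdev(c)) for host, c in history.items() if len(c) >= min_days}


def static_alerts(today):
    """What the untuned rule would raise."""
    return sorted(host for host, count in today.items() if count > STATIC_THRESHOLD)


def tuned_alerts(baseline, today, k=3.0, floor=10):
    """Raise only when today's count exceeds max(floor, mean + k*stddev) for that host.

    `floor` stops a host whose baseline is near zero from alerting on a
    handful of failures; hosts without a baseline fall back to the static
    rule rather than going silent.
    """
    alerts = []
    for host, count in sorted(today.items()):
        if host not in baseline:
            if count > STATIC_THRESHOLD:
                alerts.append((host, count, "no-baseline"))
            continue
        mu, sigma = baseline[host]
        threshold = max(floor, mu + k * sigma)
        if count > threshold:
            alerts.append((host, count, round(threshold, 1)))
    return alerts


if __name__ == "__main__":
    print("static rule :", static_alerts(TODAY))
    print("tuned rule  :", tuned_alerts(build_baseline(HISTORY), TODAY))
```

With this data the static rule fires on all three hosts every day, while the baseline rule fires only on `hr-ws07`, whose 40 failures are far outside its history; `build01` at 225 sits inside its own normal range. The fallback for hosts without history matters during rollout, when most sources are new and a silent rule would hide exactly the hosts you know least about.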

  • Leverage

What happens next is what you should have anticipated during the planning phase. Whether your team will take on other tasks by adding SIEM, or it will be run independently, or something else, depends on your plan. Never accept something from a solution or vendor as a 'want' or nice-to-have unless there is an actual 'need' for it.

Stay tuned for an explanation of a fully native, free SIEM (security information and event management system), a solution for 80% of environments!

Five Reasons to Start Your SIEM Initiative Today

Regardless of how SIEM is driven mainly by compliance in today's cybersecurity marketing campaigns, which solution is best, and whether it should be managed or on-premises, Security Information and Event Management is conceptually accepted among security professionals. So here are my top reasons to consider SIEM implementation as one of your cybersecurity initiatives:

  1. Another tool for management
    Seems obvious, but not many realize that SIEM is first and foremost a management tool. It does not have, and does not need to have, active or proactive capabilities. All it has to be capable of is delivering the right security information from the right security events to management, and not necessarily security management.
  2. It is all about visibility
    Remember that SIEM itself does not provide visibility; it is a technique to take visibility to a different level. So if you already have visibility over your network and systems, SIEM is an interface that enhances the way you see events, not something that reveals new facts about the security of your systems.
  3. Correlation is the heart of the matter
    The main purpose behind a functional SIEM is the ability to correlate events; otherwise that purpose has been ignored, either by the solution designer or by you. Anyone running a security program knows that in the real world an individual security event means nothing unless it is correlated and overlapped with other events, and SIEM is where you should be able to harmonize your flow of security information. Needless to say, it is the job of the SIEM solution provider to make sure the system is capable of directing you there.
  4. Combining older systems
    Not all SIEM users genuinely want this management system for its native features. One of the main drivers for upgrading to SIEM has been the presence of older SIM and SEM systems. So whether you are forced to or simply want to combine two management systems, SIEM is the most popular way of integrating SIM and SEM.
  5. Intrusion comprehension
    This is entirely different from intrusion detection, response or correlation capability; it is about the origin of an incident, the level of intelligence behind root causes, and the indirect role of systems in shaping the final tangible incident. This is absolutely one of the hidden benefits of a well-designed SIEM within a well-managed security operation.
    There are other benefits such as auditing, policy enforcement validation, security certification and more, which could potentially be addressed depending on how you execute your SIEM. But remember that the essence of your SIEM is in the details of operation, and none of these benefits come out of the box with any solution on the market.
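To make the correlation point in reason 3 concrete, here is an added example (written for this page, not taken from the original post or from any SIEM product) of a rule that only fires when two kinds of events line up: a burst of failed logons from one source followed, within a short window, by a successful logon from that same source. The log lines are constructed in an assumed `timestamp key=value` format; a real SIEM would first normalize vendor logs into fields like these. The five-failure threshold and five-minute window are assumed rule parameters.

```python
"""Event correlation in a SIEM (added example, not from the original post).

Constructed log lines, not real data, in a simple 'timestamp key=value'
format. The rule: a successful logon from a source that produced at least
`fail_threshold` failed logons in the preceding `window` is flagged; a
failure burst with no success, a success with only a couple of typos
before it, or a success long after the burst, is not.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (RFC 5737 documentation addresses, made-up users/hosts).
LOG = """\
2024-03-01T09:00:01Z result=fail user=jdoe src=203.0.113.7 host=vpn01
2024-03-01T09:00:09Z result=fail user=jdoe src=203.0.113.7 host=vpn01
2024-03-01T09:00:17Z result=fail user=jdoe src=203.0.113.7 host=vpn01
2024-03-01T09:00:24Z result=fail user=jdoe src=203.0.113.7 host=vpn01
2024-03-01T09:00:33Z result=fail user=jdoe src=203.0.113.7 host=vpn01
2024-03-01T09:00:41Z result=fail user=jdoe src=203.0.113.7 host=vpn01
2024-03-01T09:02:10Z result=success user=jdoe src=203.0.113.7 host=vpn01
2024-03-01T09:05:00Z result=fail user=asmith src=198.51.100.9 host=vpn01
2024-03-01T09:05:20Z result=fail user=asmith src=198.51.100.9 host=vpn01
2024-03-01T09:05:45Z result=success user=asmith src=198.51.100.9 host=vpn01
2024-03-01T10:00:00Z result=fail user=svc_backup src=192.0.2.50 host=db01
2024-03-01T10:00:10Z result=fail user=administrator src=192.0.2.50 host=db01
2024-03-01T10:00:20Z result=fail user=root src=192.0.2.50 host=db01
2024-03-01T10:00:30Z result=fail user=svc_backup src=192.0.2.50 host=db01
2024-03-01T10:00:40Z result=fail user=administrator src=192.0.2.50 host=db01
2024-03-01T10:00:50Z result=fail user=root src=192.0.2.50 host=db01
2024-03-01T10:30:00Z result=fail user=bwong src=198.51.100.77 host=vpn01
2024-03-01T10:30:10Z result=fail user=bwong src=198.51.100.77 host=vpn01
2024-03-01T10:30:20Z result=fail user=bwong src=198.51.100.77 host=vpn01
2024-03-01T10:30:30Z result=fail user=bwong src=198.51.100.77 host=vpn01
2024-03-01T10:30:40Z result=fail user=bwong src=198.51.100.77 host=vpn01
2024-03-01T10:30:50Z result=fail user=bwong src=198.51.100.77 host=vpn01
2024-03-01T10:50:00Z result=success user=bwong src=198.51.100.77 host=vpn01
"""


def parse(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def correlate(events, fail_threshold=5, window=timedelta(minutes=5)):
    """Flag a source whose successful logon follows >= fail_threshold failures within `window`."""
    recent_fails = defaultdict(deque)  # src -> deque of (ts, user) for failed logons
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_fails[ev["src"]]
        # Slide the window: forget failures older than `window` before this event.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if ev["result"] == "fail":
            q.append((ev["ts"], ev["user"]))
        elif ev["result"] == "success" and len(q) >= fail_threshold:
            findings.append({
                "src": ev["src"],
                "user": ev["user"],            # account that finally got in
                "host": ev["host"],
                "failures": len(q),
                "targeted_users": sorted({u for _, u in q}),
                "first_fail": q[0][0],
                "success": ev["ts"],
            })
            q.clear()  # one finding per burst; do not re-alert on the same failures
    return findings


def run():
    return correlate(parse(line) for line in LOG.splitlines() if line.strip())


if __name__ == "__main__":
    for f in run():
        print(f"{f['src']} -> {f['user']}@{f['host']}: {f['failures']} failures "
              f"between {f['first_fail']:%H:%M:%S} and success at {f['success']:%H:%M:%S}")
```

Run on the sample, only `203.0.113.7` produces a finding. The two typos before `asmith` logs in are below the threshold, the spray against `db01` never succeeds (that burst is a job for a simpler threshold rule, not this one), and `bwong`'s success comes twenty minutes after the burst, outside the window. Keying the state on the source address rather than the account is what lets the same rule catch a spray across several accounts, which is the kind of overlap across events the individual log lines cannot show on their own.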