SIEM: 14 questions to ask before you buy

Demand for security information and event management (SIEM) technology is high, but that doesn’t mean businesses are running these products and services smoothly.

According to a report from Gartner, large companies are reevaluating SIEM vendors due to partial, marginal or failed deployments. While the core technology has changed little in the last decade, its use cases and the pace at which businesses have adopted it have prompted a transformation, experts say.

“SIEM was a complex technology for the most entrenched, smartest companies, but today we see it adopted by less-mature organizations,” says Anton Chuvakin, research VP at Gartner. “That’s caused the evolution in the tech that we’ve witnessed recently. It’s getting more brain power.”

That brain power — largely in the form of big data capabilities — has pushed SIEM past its days as a long-term event archival system that businesses deployed to meet basic compliance standards. Now, the need to thwart enterprise threats is driving adoption.

“Today it’s used as a compliance tool, for security detection, for security analytics, forensics and as a big data platform,” says Joseph Blankenship, senior analyst at Forrester. “We’ve had this promise that SIEMs can now do a lot of things, but companies are experiencing a lot of pain getting them there — they just haven’t seen its full promise. That’s why we see this failure and the partial deployments.”

The root of problem, Chuvakin says, is shared between vendors and organizations. While some legacy SIEM products have struggled to scale and prove efficient, some businesses just aren’t equipped to properly manage the system. “SIEMs are not something you just install it and wait for great things to happen,” he says.

If your SIEM isn’t meeting your standards, start by examining your environment, needs and capabilities first — then choose the appropriate solution that will deliver. Here’s a look at 14 questions you need to ask both yourself and your vendor before you buy.

1. Is your current SIEM the problem? While some solutions are better than others, bad SIEMs are rare, Gartner’s Chuvakin says. If you’re not getting value from it consider why: Are you dedicating the appropriate resources? Do you have bandwidth to run it?

“A SIEM can work properly if trained, dedicated personnel are involved with tuning and running it,” he says. “If you don’t have a good team to run the SIEM, replacing it with something else won’t solve the problem.”

2. Can you afford it? Take a close look at your security operations to determine whether you can actually afford to operate a SIEM, Chuvakin says. Do you need to contract a managed services provider for monitoring? Or are you well-equipped to run it?

“This stems from the problem of a ‘bad SIEM’ not actually being bad — it’s just that you just can’t run it,” he says. “If you don’t have anyone who can watch the signals, it won’t achieve its potential.”

3. What do I want to monitor? Before you compare SIEM products, you need to understand the problem you want them to solve, Chuvakin says. “Don’t ask the vendor what you should want, you need to know for yourself,” he says. “Start with what you want to monitor and why.”

If you determine that a new SIEM is your best course of action, use the following questions to choose your vendor.

4. What’s your commitment to SIEM? Big SIEM vendors are relatively stable and have good financial backing, Forrester’s Blankenship says, but if you’re considering a smaller vendor — or a vendor whose sole focus isn’t SIEM — you need to know how it fits into the company’s big picture. “How much rigor has been put into the platform? Is SIEM an important or unimportant part of the company? Look for stability,” Blankenship says.

5. How will I be charged? Some SIEM licenses charge users based on the amount of log data they process using the SIEM. Adding devices that produce more logs and alerts can drive up the price, Blankenship says.

6. Where does security analytics fit in your roadmap? Because choosing a new SIEM vendor likely results in a long relationship — since SIEM isn’t something you want to rip and replace every few years — you need to understand where the vendor stands on security analytics today, and where it fits into their future roadmap, Blankenship says. “You want to find out how they are evolving from the very strict rules-based SIEM into the security analytics platform of the future,” he says.

7. How do you support cloud environments? If your business, like most, is moving more data and infrastructure to cloud providers, you want to have visibility into the cloud environment just as you would if it was in your own infrastructure, Blankenship says.

8. How will you enable automation in the future? Though security professionals may not like the disruption to their traditional roles, Blankenship says it’s essential to keep an eye to the future and embrace automation.

“Vendors are now looking at how to automate some of the processes. That’s part of the next wave as we get more and more comfortable with it,” he says. “Ask the vendor how you can embrace more automation. How are you setting me up so we can introduce automation into our workflows?”

9. Who are your partners? The vendor’s partners are an indicator of how easy or difficult it will be to integrate, Blankenship says. Ask, too, about the APIs that exist to tie in other technologies and features becoming available.

10. How will you advance the SIEM? Just as important as the vendor’s dedication to SIEM are the boundaries it’s pushing, Chuvakin says. “SIEM vendors are adding in more brain power, more analytics and algorithms to become an actual brain — not just an extension of a well-trained human brain,” he says.

11. I want to control the SIEM on-premise. What help is available? Security professionals have two mentalities in managing the SIEM, Blankenship says: Either you want to own and control it because you know security better than others, or you want to outsource it. If you’re the former, though, there’s still a case for asking for support, he says.

“There’s a use case for outside management to work with SIEMs to write protocol and provide training to make sure everyone is current,” he says. “There are ways to bring in support without the management being quite so significant.”

12. I want to outsource this. How will you support me? “When we talk about the failed and partial deployments, we see folks who say they can no longer support the SIEM on-premise,” Blankenship says. “If this is the case with you, you need to know if you can outsource the management of the SIEM.” This includes asking about consulting services that are available to you and whether you can make it part of your contract, he advises.

13. What training is available for my team? Ask about any in-person or online training resources that are available to get the security team proficient with the SIEM, and to train new employees as they join, Blankenship says. Is there a user community where people can ask questions?

14. Can you solve my specific use case? Whether a vendor can solve a problem like yours and how they solved a problem like yours will elicit different answers. Hone in on the proof the vendor has that problems could be — and have been — solved in environments similar to yours, Chuvakin says. “Ask the vendor for proof that they can serve the needs that you have. Take them up on the opportunity to call other customers to ask them about their experiences,” he says.

More on SIEM:

• What is SIEM software? How it works and how to choose the right tool
• ArcSight vs. Splunk? Why you might want both
• Evaluation criteria for SIEM
• SIEM: 14 questions to ask before you buy
• Log management basics
• SIEMs-as-a-service addresses needs of small, midsize enterprises