SIEM Selection Guidance
April 17, 2012
Whether the need for a Security Information and Event Management (SIEM) is based on requirements for centralized repository and reporting or compliance-driven, clear steps and a strategy can help identify a solution best fit for an organization’s needs.
Requirements Discovery and Definition
- Identify business requirements: Often this is regulatory compliance-driven. For example, PCI requires organizations to track and report on all access to network resources and cardholder data.
- Technical requirements and examples: Technical requirements generally vary for every organization. Some key technical requirements include:
- Specific log source support
- Ease of integration
- Depending on size of an organization, a distributed solution with centralized management may be key
- Retention requirements
- Reporting and alerting requirements
Requirements Mapping to SIEM Technology Functionality
Once the requirements have been identified, ask specifically how each vendor satisfies these requirements. Failing to meet a critical requirement can help narrow the field. Example: Identify each type of log source and how the SIEM vendor supports the logs from each source. Native support is nearly always better than custom device support. Custom device support can result in additional cost in implementation and in future maintenance.
Proof of Concept Strategy
Enterprise Integration/Architecture and Device Support
Native Log Source Support
Consideration: Some solutions will support one technology better than others. For instance, some technologies are excellent for Windows environments, while others are better suited to support network-based events. Approach: Have the vendor explain how they can natively support all the technologies in play at your organization. Analysis: If the vendor discusses generic adapters or custom code, this might be a sign that the solution will have difficulty being successful at some organizations.
Consideration: SIEM solutions can require moderate to significant FTE involvement. Approach: Have the vendor explain FTE requirements to manage the entire solution. Especially consider requirements related to adding devices, reporting and maintenance. Analysis: Most likely, the initial involvement will need to be followed by additional FTE involvement. Consider needs based on post-deployment FTE involvement for more accurate FTE requirements.
Compliance and Reporting
Log Retention Consideration: Some solutions integrate storage with the solution provided, while others require storage to be provided or purchased. Approach: Have the vendor explain:
- How logs will be retained for the period required
- Archival methods
- Ease of archival reporting or restoration
- Estimated storage requirements
- Compression or normalization
Analysis: Consider storage costs for solutions that do not provide storage. Ensure that backup and archiving can be performed with relative ease for solutions providing storage.
Most solutions support a vast array of reporting capabilities. Some canned reports may be sufficient, but in most cases custom reporting is required. Approach: Have the vendor discuss canned reports and the ease of custom reporting capabilities. Analysis: Ensure that custom reporting does not require professional services or that it can be accomplished by existing staff members.
Security and Correlation
Many solutions integrate with Active Directory and/or include native authentication. Approach: Have the vendor demonstrate authentication and accounting within the system. Analysis: Ensure the system maintains a level of accountability and granularity for user activities.
Encryption can be applied at various levels within a solution. Approach: Have the vendor discuss encryption:
- From collection points to central logging
- From client to management console
- At rest, if applicable
Analysis: Ensure that at a minimum encryption is incorporated from client to console and from collection points to central logging. Also, ensure logs are tamper-proof once collected. Correlation Consideration: Most solutions should allow for correlation of events between devices. Approach: Have the vendor discuss correlation techniques, configuration and trending capabilities. Analysis: Ensure that correlation is not a highly complex configuration step. Trending within correlation should be flexible to meet needs.
Total Cost of Ownership
Consider all costs associated with the solution. There will be an initial cost to purchase hardware and possibly software, licenses and, perhaps, professional services. Identify maintenance costs for each year. Sometimes solutions have very high recurring maintenance costs. In some instances, this could be a "you get what you pay for" scenario. Other considerations include training and future expansion or upgrades.
A Security Information and Event Management system is an integral portion of an organization's security infrastructure. Through careful selection and proper integration, you can ensure the project is a success.