E-SPIN offers some practical tips on choosing a Security Information and Event Management (SIEM) system solution and addresses the question of whether you need one or an alternative solution.
Enterprises, particularly large enterprises, have requirements for log management, archiving, correlation, consolidation, and forwarding of security incidents for further security investigation or proactive action.
Before we go further on the subject, let us define some key terms here first.
Security Information and Event Management (SIEM) is a term for software products and services combining security information management (SIM) and security event management (SEM). In general, a solution needs to possess certain key capabilities before it can be classified as a SIEM system solution. The solution must have components or subsystems that provide the capabilities or functionality listed below:
Data Aggregation: Log management aggregates data from many sources, including network devices, security devices, servers, databases and applications, consolidating the monitored data so that crucial events are not missed.
Correlation: Looks for common attributes and links events together into meaningful bundles. This technology provides the ability to perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information. Correlation is typically a function of the Security Event Management portion of a full SIEM solution.
Alerting: The automated analysis of correlated events and production of alerts, to notify recipients of immediate issues. Alerts can be shown on a dashboard or sent via third-party channels such as email.
Dashboards: Tools can take event data and turn it into informational charts to assist in seeing patterns, or in identifying activity that does not follow a standard pattern.
Compliance: Applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes.
Retention: Employing long-term storage of historical data to facilitate correlation of data over time, and to provide the retention necessary for compliance requirements. Long-term log data retention is critical in forensic investigations, as it is unlikely that a network breach will be discovered at the time it occurs.
Forensic Analysis: The ability to search across logs on different nodes and time periods based on specific criteria. This removes the need to correlate log information by hand or to search through thousands and thousands of log entries.
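The following script is an added illustration of how the capabilities listed above fit together in practice; it is not code from E-SPIN or from any SIEM product. It parses a handful of constructed log lines from two different sources (a made-up firewall format and sshd-style syslog), normalizes them into one event schema (aggregation), links repeated authentication failures to a later success from the same source IP (correlation and alerting), trims events outside a retention window (retention), and filters events by host, source, time range and text (forensic analysis). The log formats, thresholds and retention period are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines as (source host, raw line). Both formats are
# made up for this example; they only resemble a firewall and sshd syslog.
SAMPLE_LOGS = [
    ("fw01",  "2024-05-01T10:00:01Z SRC=203.0.113.5 DST=10.0.0.7 DPT=22 ACTION=ACCEPT"),
    ("web01", "2024-05-01T10:00:05Z sshd: Failed password for admin from 203.0.113.5"),
    ("web01", "2024-05-01T10:00:09Z sshd: Failed password for admin from 203.0.113.5"),
    ("web01", "2024-05-01T10:00:14Z sshd: Failed password for root from 203.0.113.5"),
    ("web01", "2024-05-01T10:00:20Z sshd: Accepted password for admin from 203.0.113.5"),
    ("db01",  "2024-05-01T10:02:00Z sshd: Failed password for dba from 198.51.100.9"),
    ("db01",  "2024-04-01T09:00:00Z sshd: Accepted password for dba from 10.0.0.50"),
]

FW_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+) ACTION=(?P<action>\w+)$")
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(host, line):
    """Data aggregation: map heterogeneous log formats onto one event schema."""
    m = SSHD_RE.match(line)
    if m:
        event = "auth_fail" if m["result"] == "Failed" else "auth_success"
        return {"ts": parse_ts(m["ts"]), "host": host, "src": m["src"],
                "user": m["user"], "event": event, "raw": line}
    m = FW_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "host": host, "src": m["src"],
                "user": None, "event": "fw_" + m["action"].lower(), "raw": line}
    return None  # unknown format; a real pipeline would count or quarantine it


def aggregate(logs):
    """Collect events from all sources into one time-ordered list."""
    events = [e for e in (normalize(h, l) for h, l in logs) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation and alerting: `threshold` authentication failures from one
    source IP inside a sliding `window`, followed by a success from that same
    IP, are linked into a single high-severity alert."""
    failures = defaultdict(deque)  # src IP -> timestamps of recent failures
    alerts = []
    for e in events:
        q = failures[e["src"]]
        while q and e["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if e["event"] == "auth_fail":
            q.append(e["ts"])
        elif e["event"] == "auth_success" and len(q) >= threshold:
            alerts.append({"rule": "auth_success_after_bruteforce", "severity": "high",
                           "ts": e["ts"], "host": e["host"], "src": e["src"],
                           "user": e["user"], "failures": len(q)})
            q.clear()  # one alert per burst, not one per later success
    return alerts


def apply_retention(events, now, keep=timedelta(days=14)):
    """Retention: drop events older than the retention period."""
    return [e for e in events if now - e["ts"] <= keep]


def search(events, host=None, src=None, since=None, until=None, text=None):
    """Forensic analysis: filter events across nodes and time by criteria."""
    hits = []
    for e in events:
        if host is not None and e["host"] != host:
            continue
        if src is not None and e["src"] != src:
            continue
        if since is not None and e["ts"] < since:
            continue
        if until is not None and e["ts"] > until:
            continue
        if text is not None and text not in e["raw"]:
            continue
        hits.append(e)
    return hits


if __name__ == "__main__":
    events = aggregate(SAMPLE_LOGS)
    for a in correlate(events):
        print("ALERT", a)
    print(len(search(events, host="web01", text="Failed")), "failed logins on web01")
```

Run as-is and it prints one alert for 203.0.113.5 (three failures followed by a success on web01) and reports three failed logins on web01. The point of the sliding window in `correlate` is that the same source appearing in the firewall log and the sshd log is tied together by a common attribute (the source IP), which is the "linking events into meaningful bundles" that the Correlation item describes; a product would add many more rules, persistent storage and a dashboard on top of the same pipeline.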
In general, every vendor's packaged solution is good at one particular capability and weak at another. Not every scenario requires a full-scale, full-suite packaged solution. In some scenarios you may pick only the components you need, or a lower-cost event log management (ELM) solution, to fulfil the operational or regulatory requirement. In other scenarios it may make sense to subscribe to SIEM-as-a-service rather than own it.
Do you need a SIEM solution?
Not every enterprise or organization requires a full-scale solution; the operational and regulatory requirements of your industry and context provide guidance on what is really needed and what is merely nice to have.
If you are not sure what you really need and want to discuss it with a solution vendor, please feel free to contact our solution consultants about your requirements.