How to choose a SIEM solution: An overview

IT organizations, faced with an increasing volume of logs from multiple sources are turning to Security Information and Event Management (SIEM) solutions to help manage the flood of information and at the same time, analyze it in order to find evidence of security incidents. Implementing a successful SIEM solution, however, is not an easy project. Here we will examine what to look for in a SIEM product and provide some guidance for a successful implementation.

What is SIEM?

SIEM is the combination of two different types of products, SIM (Security Information Management) that gathers and creates reports from security logs and SEM (Security Event Manager) that uses event correlation and alerting to help with the analysis of security events. On the other hand, traditional log management tools only collect and report on the captured log data.

In order to benefit from the features of a SIEM solution, an organization has to be able to monitor and respond to the events discovered in the security logs. As a minimum, a log review process (like the one described here) should already be in place to ensure that the appropriate resources are committed to a regular review of the security logs and that investigations of anomalous events can be carried out in a timely manner. Ideally, an incident response process should also be in place, with corresponding policies and resources to respond to security incidents.

Another important consideration is that the organization must be willing to commit resources to the maintenance, adjusting and evolution of the tool. Event correlation, one of the defining characteristics of a SIEM product, will not turn raw log data into actionable information by itself. Most tools provide a generic set of default correlation rules, conditions or dashboards that in most cases are not the perfect fit for your organization. Your organization's analysts must customize and continually improve the rules, reports and dashboards and adapt them to the organization's needs. If the resources for the regular "maintenance" tasks of the tool are not available, the value the SIEM tool might bring will be easily lost.

What to look for in a SIEM solution?

Now that we know what a SIEM is and the resource commitments it requires, we can take a look at various features and characteristics that you should pay attention to when choosing a product:

Licensing and scalability: Different SIEM vendors license their products differently. Some of the most common licensing modes are:

• Number of monitored computers/devices
• Number of events per day/hour/minute and log volume size (in MB). If you have a baseline of the logs you wish to monitor, you should already know most (if not all) of this information beforehand.

Be aware that some products may limit functionality (or worse - like stopping event logging) if you exceed your license, particularly those whose license is based on a given number of events or volume.

Make sure you verify that your selected product is able to accommodate future growth, especially in the storage department. You must be able to expand the storage available for both the parsed (or normalized) events as well as the raw logs.

Log compatibility: Since there is no single accepted log standard, not all SIEM products are able to capture events from every log source conceivable. You must ensure that the product is compatible with all of your required logging needs and that they can be parsed and normalized. Since you may need to add logs in the future from new unknown sources, the product must provide you a way to integrate these new logs or you should ask if the vendor can do it for you upon request. The correlation engine: The correlation engine depends mainly on rules the product can use. The ease of their creation for those rules is critical. The search function available for events is also very important, as you will need the ability to search across multiple devices, logs and timeframes. Ideally, the search results will allow some manner of drilldown all the way to the raw log data. Dashboards, reporting and general user interface: The tool must provide the ability to create your own dashboards and reports. Ideally, the dashboards should operate in real-time and provide drilldown capabilities. The ease to create custom reports is also important, as well as their timely performance. Since the SIEM product will be one of the main tools used during the investigation or analysis of any security incidents, its performance and general UI design should be intuitive enough so as to not slow down the operator.

Do you need a SIEM solution?

As described here, a SIEM solution requires resources that not all organizations may be ready to commit. You can always evaluate tools that can perform log management and offer the compliance level you require, but allow you to grow into a full SIEM installation later on.

SIEM is not a silver bullet that will on its own solve all your security issues, but when properly staffed and supported, it can provide an excellent way to quickly identify and act on security threats.