How to select a SIEM solution

'SIEM' and 'SIM' are terms I first came across close to nine years ago when I was looking at setting up my company, earthwave - an MSSP (Managed Security Service Provider) that focuses on delivering real-time threat analysis and incident response services. Back then, the technology was in its infancy and there were no vendors with any local presence, so I was forced to spend three months in the U.S. evaluating products before investing my life savings into this technology.

At the time we were certainly an early adopter of what would have been version one of almost all of the six products we evaluated, of which only two remain 'pure play' vendors in that space, while others have been acquired by larger vendors.

Growth in SIEM solutions in recent years has been almost meteoric, with some vendors experiencing growth rates of 30 to 60 per cent over the past three years. In the meantime, Australian companies are pouring millions of dollars into these SIEM projects without the return that they anticipated.

The aim of this piece is to use my experience in the SIEM space to provide potential SIEM buyers with a guide for defining requirements, evaluating SIEM solutions, the technology options available, and deployment considerations, together with real world examples. 

Before I start it is important to make a clear distinction of the terminology as it relates to functionality and respective products in the market. The products I cover here are those that I have had either project or lab experience with as a result of earthwave's Australian customer deployments. 

Security Information Management (SIM) - These products provide reporting and analysis of data to support regulatory compliance initiatives (such as privileged user and access monitoring and compliance reporting), internal threat management, and security policy compliance management.

They provide strong log management capabilities and have the capacity to store multi-terabyte logs over very long periods of time. The reason for this is that they either use a flat file system for storing the logs and as a result they generally can compress logs on a 10:1 ratio. Searching through the logs and reporting is also super fast when compared to SEM platforms, again as a result of storing logs on a flat file system and using indexes.

Most tier-1 MSSPs have developed their platforms internally based on this architecture but with more 'fancy' portal interfaces, and as a result they do not have any advanced correlation, threat analysis or visualisation capabilities.

I consider the following products to be in the SIM category: Splunk, ArcSight Logger, Log Logic, RSA envision, NetIQ Security Manager, IBM TCIM and the eIQnetworks range.

SEM - Security Event Management - These products provide strong event management, real-time threat analysis, visualisation, ticketing, incident response, and security operations. They are typically based on enterprise SQL databases such as Oracle.

SEM products are ideal for running security operations such as an MSSP. Unlike SIM products, SEM-based products are not ideal for log management and long-term storage of excessive amounts of logs as they are poor at log compression. They are slow when producing reports and rely on a massive index to allow for database queries.

I consider the following products to be in the SEM category: ArcSight ESM, netForensics, Novell Sentinel, Intelitactics, Cisco MARS and IBM TSOM.

SIEM - Security Information & Event Management - These products combine SIM and SEM capabilities, however, they generally excel in only one of these categories. SIM products are simple to deploy and operate while SEM products are more complex. It's a bit like comparing financial applications MYOB to SAP.

The following list of best practices will assist organisations in making the right SIEM choice for their environment.

Take Project Ownership
A significant number of SIEM deployments fail due to a lack of project involvement and ownership from the organisation. Too many organisations throw money at the problem thinking that it will provide the solution.