Security information and event management (SIEM) is one of the most well-established categories of security software, having first been introduced about 20 years ago. Nevertheless, very little has been written about SIEM vendor evaluation and management.
To fill that gap, here are six top-line tips on procuring and implementing a SIEM solution for maximum value.
Evaluating and purchasing a SIEM solution
Size your spend
SIEM software solutions are priced differently: either by the number of employees in the customer organization, by the rate of events per second, or based on the log volume ingested. It’s important to figure this out early to get a rough idea of what you will pay over time. You’ll also identify the various data sources meaningful to your Security Operations Center (SOC).
If you already have a SIEM in place, give the vendor your current use cases and consumption, and they should be able to replicate it. If you don’t, you’ll need to do a little leg work. A good starting point is assessing the volume of logs you’ll send to the SIEM. Measure actual daily log volume from each source by checking out the locally stored logs for a “normal” day and tallying the results.
If the SIEM vendor charges by your number of employees, be wary. This is usually a way to charge more for the SIEM by counting employees who don’t generate any relevant data.
Evaluate your vendor’s practices
The next step is to conduct a proof-of-concept (POC); this should be a starting point for an eventual implementation, not a standalone, canned exercise. During this process, your vendor should demonstrate a service level that you’ll want to maintain post-sale. Here are some key questions to consider during this process:Who will staff your account? Ideally, a vendor will commit skilled technical staff to both execute your initial evaluation and conduct an implementation. Who from your team will take the technical lead on the evaluation, and who’ll ultimately implement it? Ideally this will be the same person or small group of people. After you buy a SIEM, what’s next on your roadmap? SOAR? CSPM? Make sure your vendor can integrate with a broad range of technologies. It’s critical to fully understand the vendor’s front- and backend software architecture. Some vendors calling themselves “true SaaS” or “cloud-native” are not. Don’t lock yourself into a 12-month contract when you don’t know what’s going on under the hood.