Security Information and Event Management Series Part 4: Selecting a SIEM vendor

In this last part of our series on SIEM, we will try to provide recommendations on selecting a SIEM vendor. In the first part of this four-part series, we covered the need for SIEM solutions and explained the fundamentals. Then, in the second part, we covered different types of SIEM solutions out there.

In the third part, we discussed the main SIEM capabilities to consider. To recap, these were the most important:

  • Log collection and processing
  • Searching and reporting
  • Real-time monitoring and threat identification
  • End-to-end incident management
  • Threat intelligence
  • User and Entity Behavior Analytics (UEBA)

Selecting a SIEM vendor: Questions to Consider

Our experts recommend that you should ask the following questions before selecting a SIEM solution:

  • How does your SIEM solution provide contextual information about security events?
  • Does it support UEBA? If yes, what is the accuracy of inbuilt algorithms?
  • What are the log sources supported by your SIEM solution?
  • Where does your SIEM solution store log data? Does it provide data compression and encryption for archival?
  • Does your SIEM solution detect gaps in line with the MITRE ATT&CK framework or any other similar framework?
  • Does your SIEM solution’s detection capability evolve with time?
  • Is your SIEM solution capable of detecting emerging and zero-day threats?
  • What is the investigation procedure in your SIEM solution after it flags a security event?
  • Does your SIEM solution support any threat intelligence methodology?
  • Can we contact your support team for assistance at any point in time? If yes, what is the availability of your support team?
  • What pricing model do you offer?

Ending notes

Choosing a SIEM solution is an important decision for an organization’s security posture. An organization should not select a SIEM solution merely because it requires some of its capabilities; the goal should be maximum utilization of the SIEM solution’s capabilities. Organizations should also note that the accuracy of a SIEM solution evolves over time. Initially, SIEM became popular for reporting and fulfilling compliance requirements, but vendors have continued to improve the detection capabilities of their SIEM solutions. Considering that a SIEM solution provides a single-pane view of an organization’s security posture, it is reasonable to expect that it will play a pivotal role in your security operations.