
SIEM checklist: Questions for SIEM vendors

What can I do if I don’t have all the external security technologies in place that can feed the SIEM (e.g. asset inventories, IDS, vulnerability scans, etc.)?

Ask during the initial review phase: Any SIEM vendor who assumes you have these tools already in place likely doesn’t have the breadth of functionality you’ll need for fast answers. Eliminate from consideration; it’s not worth your time. Why is this important? It takes a lot of time, staff, and resources to purchase, install, and configure the essential security controls to feed your SIEM. You can accelerate this with a SIEM platform that includes these capabilities.


What is the anticipated mix of licensing costs to consulting and implementing fees?

Ask during the initial review phase: Find out what the ratio is. If implementation costs 30-50% of the overall cost of the investment, walk away. Fast. Why is this important? This question gets to the heart of how challenging the deployment process will be. It will also expose if their claims of “out-of-the-box” functionality are truly solid.

How many staff members or outside consultants will I need for responding to SIEM alerts and managing the system overall?

Ask during the initial review phase: The answer to this could inform whether or not you’ll need to outsource SIEM management to an MSSP, or explore some degree of MSSP support. Why is this important? If your team can’t realistically respond to alerts in a timely fashion, it may be time to consider an MSSP to manage your SIEM platform.

How long will it take to go from software install to security insight?

During the trial/proof of concept (POC) phase: Ask them, and then make them prove it. Document how long it takes to install the software, detect data sources (is discovery automated?), pull and analyze log data from at least three data sources, and start issuing alerts and running reports. Why is this important? Speed of detection is the single biggest factor in limiting the damage of a breach: the longer an intrusion goes unnoticed, the more an attacker can do with it.

How many staff members or outside consultants will I need for the integration work?

During the trial/POC phase: Include at least 1-2 external data sources to pull data from. Document how many people the work takes and how long it takes (and multiply that by all the other sources you'll need). Why is this important? Fast integration with your entire ecosystem is a critical factor in providing a complete security picture.

Do alerts and alarms provide step-by-step instructions for investigating and mitigating the issue?

During the trial/POC phase: Recreate an event that you would expect to trigger an alert, and evaluate how much information the alert provides toward fixing the issue. Why is this important? Cryptic alerts that leave no indication of what to do slow down incident response and increase risk.
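The two POC tests above (time from install to alert, and how much context an alert carries) are easier to run fairly if you script them. The following is an added example, not part of the original checklist and not tied to any vendor's product: it generates a constructed burst of failed SSH logins as syslog lines (a scenario every SIEM should catch), keeps its own ground-truth detection, can ship the lines to a collector while recording the send time, and grades whatever alert the SIEM produces against the fields a responder needs. The threshold, the TEST-NET address, the host name, the collector address and the alert field names are all assumptions; map them to the product under test.

```python
"""Constructed SIEM POC harness: emit a known-bad event burst, keep ground
truth, and grade the resulting alert.  Added example, not from the article."""
import json
import socket
import time
from collections import Counter
from datetime import datetime, timezone

# Assumed detection scenario: >= THRESHOLD failed SSH logins from one source
# within WINDOW seconds.  Values and host names are constructed for the test.
THRESHOLD = 5
WINDOW = 60
ATTACKER_IP = "203.0.113.7"        # TEST-NET-3 address, constructed
TARGET_HOST = "poc-host-01"        # constructed host name

def build_burst(count, start=None, user="root"):
    """Return (sent_ts, lines): an RFC 3164-style syslog burst of `count`
    failed SSH logins from ATTACKER_IP, stamped with the time of generation."""
    start = start or datetime.now(timezone.utc)
    ts = start.strftime("%b %d %H:%M:%S")
    lines = []
    for i in range(count):
        lines.append(
            f"<38>{ts} {TARGET_HOST} sshd[{1000 + i}]: Failed password for {user} "
            f"from {ATTACKER_IP} port {40000 + i} ssh2"
        )
    return start.timestamp(), lines

def reference_detect(lines, threshold=THRESHOLD):
    """Ground-truth rule: count failed logins per source IP and return the IPs
    that cross the threshold.  The SIEM under test should alert on the same."""
    hits = Counter()
    for line in lines:
        if "Failed password" in line and " from " in line:
            ip = line.split(" from ")[1].split()[0]
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def send_udp(lines, host, port=514):
    """Ship the burst to a syslog collector and return the wall-clock send
    time, so time-to-alert can be measured against the alert's timestamp."""
    sent_at = time.time()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode(), (host, port))
    return sent_at

# Fields a responder needs in the alert (assumed names); a missing one is a
# POC finding to raise with the vendor.
REQUIRED_ALERT_FIELDS = ("source_ip", "target_host", "account", "event_count",
                         "window_seconds", "rule_name", "response_steps")

def grade_alert(alert, sent_at=None):
    """Check an alert (dict, e.g. parsed from the SIEM's JSON export) for the
    context a responder needs, and compute time-to-alert when both the send
    time and the alert's own epoch timestamp are available."""
    missing = [f for f in REQUIRED_ALERT_FIELDS if not alert.get(f)]
    steps = alert.get("response_steps") or []
    findings = {
        "missing_fields": missing,
        "has_response_steps": len(steps) > 0,
        "points_at_attacker": alert.get("source_ip") == ATTACKER_IP,
    }
    if sent_at is not None and alert.get("alert_time") is not None:
        findings["seconds_to_alert"] = round(alert["alert_time"] - sent_at, 1)
    return findings

if __name__ == "__main__":
    sent_at, burst = build_burst(8)
    print("ground truth:", reference_detect(burst))
    # Uncomment during the POC to ship to the real collector (assumed address):
    # sent_at = send_udp(burst, "siem-collector.example.internal")
    # Constructed stand-in for the SIEM's alert export, missing several fields:
    sample_alert = {"rule_name": "ssh_bruteforce", "source_ip": ATTACKER_IP,
                    "target_host": TARGET_HOST, "event_count": 8,
                    "alert_time": sent_at + 42.0}
    print(json.dumps(grade_alert(sample_alert, sent_at), indent=2))
```

Run the generator once per data source you onboard and keep the output: the seconds-to-alert figure feeds the "install to insight" question, and the list of missing fields is concrete evidence for the "step-by-step instructions" question rather than an impression formed from a demo.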

Bottom line: After thorough evaluation, your final SIEM selection decision will likely be based on a combination of objective and subjective criteria such as perceived value, trust and credibility in the vendor, as well as how easy it is to get started and manage over time. Good luck and good threat hunting!
