Advice From The Community

Rony_Sklar
Are event correlation and aggregation both needed for effective event monitoring and SIEM? 
David Collier
User

Both are techniques aimed at reducing the number of active alerts an operator receives from the monitoring tool.

I don't fully agree with the previous descriptions of correlation and aggregation, welcome though they are.

Let's take a typical scenario. Assume a network interface on a large switch fails, resulting in many systems experiencing a failure. In the 'raw' state, i.e. with no correlation or aggregation, the monitoring system would receive potentially thousands of events - possibly multiple SNMP traps from other network devices or servers, event log records from Windows servers, Syslog entries from Linux, errors from the database management system, errors from web servers relying on that database and probably lots of incidents raised by users on the help desk. Good correlation algorithms will be able to distinguish between "cause" alarms and "symptom" alarms. In this scenario, the "cause" is the failing network switch port and the symptoms are the database failures and log file entries. Simplistically, fixing the cause will also address the symptoms.

Typically, aggregation is used to "combine" events into a single alarm. Again there are multiple methods to do this. A simple one would be - as previously described - duplicate reduction. In a poorly configured monitoring environment every check that breaches threshold results in an alarm. If monitoring is granular, say every 30 seconds the CPU utilization is measured and an alarm raised if it exceeds 80% then very quickly the operator would be overwhelmed by many meaningless alarms - especially if the CPU is doing some work where high CPU usage is expected. In this case, handling 'duplicates' is helpful when helping operators identify real issues. In this case, it may be enough to update the original alarm with the duration of the threshold breach.

There are many techniques for aggregation and correlation beyond identifying cause and symptom events or ignoring duplicates. For instance, time-based event handling. Consider a scenario where an event is only considered relevant if another event hasn't happened in a given timeframe before or after the focus event. Or a scenario where event aggregation occurs based on reset thresholds rather than alarm thresholds.

There are also some solutions that purport to intelligently correlate events using AI. Although, speaking personally, this seems more marketing speak than a one-click feature. In reality, these advanced (i.e. $$$$$$) solutions need to maintain a dynamic infrastructure topology in near-real-time and map events to service components in order to assess root cause correlation. In the days of rapidly flexing and shrinking infrastructures, cloud services, and containerization, it is extremely difficult to maintain an accurate, near-real-time view of an entire IT infrastructure from users through to lines of application code. A degree of machine learning has helped, but the cost-benefit simply isn't there yet for these topology-based event correlation features.

Randall Hinds
Real User

Agree on all the answers posted here, and I especially like Dave's explanation on the more advanced solutions available on the market. Excellent call-outs on the need for deep and well-maintained relationship mapping to enable an AI's algorithm to connect the dots between aggregated alerts firing from multiple separate source tools. Having a mature ITSM implementation with CI discovery, automated dependency mapping, and full integration between your correlation engine and CMDB will help too.

Daniel Sichel
Real User

Other answers pretty much sum this up, but there is one important point to make. In some technologies it's important to take into account the number of events that are aggregated, and for your SIEM device to be able to treat them as individual events for the purpose of correlation.

James Meeks
User

As previously mentioned, correlation is the comparing of the same type of events. In my experience, alerts are created to notify when a series of these occurs and reaches the prescribed threshold.

Aggregation, based on my experience, is the means of clumping/combining objects of similar nature together and providing a record of the "collection"; of deriving group and subgroup data by analysis of a set of individual data entries. Alerts for this are usually created for prognostication and forecasting. Often the "grouping" is not detailed information so there is a requirement for digging into the substantiating data to determine how this data was summarized.

Alerts/Alarms can be set for both, but usually only for the former and not the latter.

Information security at a financial services firm with 1-10 employees
Real User

You cannot process and generate advanced correlated alerts without aggregation: limiting your correlation to one set of sources will leave your SIEM blind and unaware of global context.
So yes, to get 'EFFECTIVE' event monitoring with the goal of correlating events, you need to aggregate many different sources.

Andreas Rühl
User

"Aggregation is a mechanism that allows two or more events that are raised to be merged into one for more efficient processing" from https://www.ibm.com/support/knowledgecenter/SSRH32_3.2.0/fxhdesigntutorevtaggreg.html
"Event correlation takes data from either application logs or host logs and then analyzes the data to identify relationships. " from https://digitalguardian.com/blog/what-event-correlation-examples-benefits-and-more

So yes, you need both for a SIEM. For simple monitoring you don't. There's a big difference between what a SIEM does and what simple event monitoring does.

Rishan-Ahmed
Reseller

Simply: correlation is the process of tracking relations between events based on defined conditions. Aggregation is nothing but aggregating similar events. Both are required for effective monitoring.

Lior Golshani
User

Aggregation is taking several events and turning them into one single event, while Correlation enables you to find relationships between seemingly unrelated events in data from multiple sources and to understand which events are most relevant.

Both Aggregation and Correlation are needed for effective event monitoring and SIEM. In Enterprise Security (ES), correlation searches can search many types of data sources, including events from any security domain (access, identity, endpoint, network), asset lists, identity lists, threat intelligence, and other data in the Splunk platform. The searches then aggregate the results of an initial search with functions in SPL and take action in response to events that match the search conditions with an adaptive response action.

Aggregation example - Splunk Stream lets you apply aggregation to network data at capture-time on the collection endpoint before data is sent to indexers. You can use aggregation to enhance your data with a variety of statistics that provide additional insight into activities on your network. When you apply aggregation to a Stream, only the aggregated data is sent to indexers. Using aggregation can help you decrease both storage requirements and license usage. Splunk Stream supports a subset of the aggregate functions provided by the SPL (Splunk Processing Language) stats command to calculate statistics based on fields in your network event data. You can apply aggregate functions to your data when you configure a stream in the Configure Streams UI.

Correlation example - Identify a pattern of high numbers of authentication failures on a single host, followed by a successful authentication by correlating a list of identities and attempts to authenticate into a host or device. Then, apply a threshold in the search to count the number of authentication attempts.
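The two techniques discussed in this thread, as an added example in Python that is not code from the original discussion and not any SIEM product's rule syntax: the duplicate suppression of a repeated CPU-threshold alarm from David Collier's answer (one alarm carrying a count and the breach duration, closed when the condition goes quiet), and the "many authentication failures followed by a success on one host" pattern with a threshold from the correlation example above. The event field names, hostnames, users, thresholds and the sample events are all constructed assumptions.

```python
"""Aggregation (duplicate suppression) and correlation (threshold sequence)
over constructed sample events. Added example; not any product's rule syntax."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, host, kind, user=None):
    """Build one constructed event record (timestamp given as an ISO string)."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "user": user}


# Constructed sample events (assumption: hosts, users and event kinds are invented).
SAMPLE_EVENTS = [
    # db01 breaches the 80% CPU threshold on six consecutive 30-second checks
    _ev("2024-01-01T10:00:00", "db01", "cpu_over_80"),
    _ev("2024-01-01T10:00:30", "db01", "cpu_over_80"),
    _ev("2024-01-01T10:01:00", "db01", "cpu_over_80"),
    _ev("2024-01-01T10:01:30", "db01", "cpu_over_80"),
    _ev("2024-01-01T10:02:00", "db01", "cpu_over_80"),
    _ev("2024-01-01T10:02:30", "db01", "cpu_over_80"),
    # web01: five failed logins for alice, then a success within a minute
    _ev("2024-01-01T10:03:00", "web01", "auth_failure", "alice"),
    _ev("2024-01-01T10:03:10", "web01", "auth_failure", "alice"),
    _ev("2024-01-01T10:03:20", "web01", "auth_failure", "alice"),
    _ev("2024-01-01T10:03:30", "web01", "auth_failure", "alice"),
    _ev("2024-01-01T10:03:40", "web01", "auth_failure", "alice"),
    _ev("2024-01-01T10:04:00", "web01", "auth_success", "alice"),
    # web02: one mistyped password then a success; normal behaviour, must not alert
    _ev("2024-01-01T10:05:00", "web02", "auth_failure", "bob"),
    _ev("2024-01-01T10:05:30", "web02", "auth_success", "bob"),
]


def aggregate_duplicates(events, kind, gap=timedelta(seconds=60)):
    """Collapse repeated events of one kind per host into a single alarm.

    Successive events no more than `gap` apart extend the open alarm (count and
    last_seen are updated); a quiet period longer than `gap` closes it, so the
    next event opens a new alarm. Each alarm records the breach duration.
    """
    alarms = []
    open_alarm = {}  # (host, kind) -> the alarm currently being extended
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] != kind:
            continue
        key = (ev["host"], ev["kind"])
        cur = open_alarm.get(key)
        if cur is not None and ev["ts"] - cur["last_seen"] <= gap:
            cur["last_seen"] = ev["ts"]
            cur["count"] += 1
        else:
            cur = {"host": ev["host"], "kind": kind, "first_seen": ev["ts"],
                   "last_seen": ev["ts"], "count": 1}
            open_alarm[key] = cur
            alarms.append(cur)
    for a in alarms:
        a["duration_s"] = (a["last_seen"] - a["first_seen"]).total_seconds()
    return alarms


def correlate_auth_failures(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a (host, user) pair when at least `threshold` authentication failures
    are followed by a success for the same pair within `window`.

    A success always clears the failure history for that pair, so a single typo
    followed by a correct login never accumulates towards a later finding.
    """
    findings = []
    failures = defaultdict(list)  # (host, user) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["user"])
        if ev["kind"] == "auth_failure":
            failures[key].append(ev["ts"])
        elif ev["kind"] == "auth_success":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "failures": len(recent), "success_at": ev["ts"]})
            failures[key].clear()
    return findings


if __name__ == "__main__":
    raw = sum(1 for e in SAMPLE_EVENTS if e["kind"] == "cpu_over_80")
    alarms = aggregate_duplicates(SAMPLE_EVENTS, "cpu_over_80")
    print(f"{raw} raw CPU events -> {len(alarms)} alarm(s): {alarms}")
    print("correlated findings:", correlate_auth_failures(SAMPLE_EVENTS))
```

Run as a script it shows six raw CPU events collapsing into one alarm with a 150-second breach duration, and a single correlated finding for alice on web01; bob's one failure on web02 produces nothing. The `gap` parameter plays the role of the reset threshold mentioned earlier in the thread: tune it to how long a condition may stay quiet before a recurrence is treated as a new incident rather than the same one.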

Dr. Thulaganyo Rabogadi
I am the technical director of a science and technology division for the government.  Which SIEM solution would deliver the best ability to identify, protect, detect, respond and recover from a cyber attack? Thanks! I appreciate your help. 
Brian Fortington
User

In response to your question, I can say I have worked with quite a few SIEMs, ranging from ArcSight to Splunk. The ability to meet both compliance and regulation requirements for reporting is a must, as is how easy it is to get the compliance reporting out of the SIEM once running, and their effectiveness in managing the large amounts of data that they collect and catalogue to produce the SIEM outcome reporting and analysis that feed a SOC. The need to also address your NIST compliance can be addressed through this reporting as well.
I suggest you give some consideration to the Fortinet product called Forti-SIEM. It is very scalable and will feed the CMDB for better control of the assets in operation.

Ruan Van Staden
Real User

We have been asking the same question for a while now and did a POC with a few freeware options. The best one currently on our list is AlienVault's OSSIM appliance, which did give us the best feature set. The only issue we have picked up lately is that the risk database for OSSIM seems to be falling behind on updates. We are investigating why this is happening, but this has made us start looking at other alternatives. To date, we have not decided on a final option, but we have started looking at two other options, namely OpenVAS and OSSEC, though this is only in the preliminary investigation stage. We still have our OSSIM appliance active and it has helped us a lot with visibility.

Anthony Mack
User

SIEM tools offer critical insight for federal agencies into both current security posture and potential cyberthreats. Effectively deploying these tools at scale, however, demands adoption and integration best practices that both account for existing resource environments and prioritize value-driven compliance outcomes.

As a result, agencies must find SIEM solutions that best match their current IT posture. I recommend an evaluation of what your existing teams have experience with and what integrates best, followed by a live-production evaluation of best-of-breed solutions.

To ensure federal SIEM deployments are effectively integrated into your IT environment and meet evolving policy guidelines, implementation efforts must address critical areas:
-Support: Infrastructure support and operational planning are essential to making the most of SIEM deployments. Knowing your environment in terms of scale and size to determine what kind of solution you need is very important. Just pointing all network logs at SIEM will create more noise and cost more money.
-Scalability: It is critical to deploy platforms capable of scalability, aggregating, and searching both on-prem and cloud-based event logs for SIEM success. Third-party applications, distributed databases, and single sign-on tools have become commonplace.
-Speed: Real-time data is essential for active threat response. SIEM solutions must deliver insight on demand, handle analytics, and aggregation at speed.
-Specificity: Importantly, not every log is relevant, and not every incident requires a response. Agencies need to make meaningful decisions up-front rather than on the fly by planning to configure, optimize, and tune out information that won’t be useful or relevant to prioritize specific outcomes or meet regulatory guidelines.
-Segmentation: This is a critical step for organizations to define automation and orchestration parameters before deploying a SIEM solution.

The benefits and advantages for Federal Agencies at scale:
-Efficiency improvements: By aggregating multiple log sources, IT staffers get the big picture faster, making it easier to take action and reducing the strain on IT departments already spread thin.
-Consolidated infrastructure: Single-source systems naturally consolidate data, limiting the risk of resource over-provisioning and decreasing overall complexity.
-Response identification: Consistent, accurate log data helps IT teams identify the best response to IT security events and apply these responses at scale.
-Automation integration: Data generated by advanced SIEM solutions, underpins security orchestration, automation, and response solutions capable of handling low-level InfoSec incidents without human interaction.
-Threat intelligence: Combined with evolving artificial intelligence tools and machine learning algorithms, SIEM-generated data forms the foundation of actionable, agile threat intelligence to help federal agencies stay ahead of malicious actors.

Based on experience, the cyberthreat landscape is forever changing, and SIEM solutions must adapt at the speed of light. The Splunk solution can be tailored for agency requirements, with data correlation capabilities as well as access to behavior analysis tools that identify suspicious insider activity requiring further investigation by cybersecurity teams.

Hope this provides insight and best practices.

Adam Sewall
User

We use and deploy AlienVault (now AT&T), Splunk and have an Open Source version as well. All are good to a point but they need a quality SOC with a SOAR (Security Orchestration, Automation and Response) to respond and recover. In addition there needs to be in place active tools for protection of data in motion and data at rest for segregated backup/recovery and holistic backup and recovery. Splunk also is excellent but needs components such as AI/ML engines and developers/scientists to leverage its capabilities. I have not worked with the RSA SIEM but have also heard good things... the process and people doing the work are IMO more important than the tool itself. Hope this helps!

Gregg Woodcock
Real User

I am admittedly biased but there are very good reasons that Splunk is the leader in this space. It all depends on your requirements whether it is best for you. Splunk is pricey but I assume that budget is not really one of your concerns so that is good. The major strengths of Splunk include: flexibility, late-binding schema (with the option to normalize with the Common Information Model), ease of validation (everything is a search), speed of implementation (fast time to value), robust command set (you can do ANYTHING and it is FUN), the BEST documentation in all of tech, the most helpful community in all of tech, and an ever-broadening end-to-end ecosystem of features and products to feed the beast (although admittedly, as upsells).

AdrianMache
Real User

Depending on your goals in designing and implementing this resource, whatever you are choosing should deliver its best, if configured properly. https://www.itcentralstation.com/products/comparisons/rsa-netwitness-logs-and-packets-rsa-siem_vs_splunk should give you an insight into the top 2 personal choices, and apps I've worked with: RSA Netwitness and Splunk. Having a history with both leads me to recommend RSA NW from the stability point of view. A broad discussion is listed in this topic and it's a must to answer those questions before deciding to pursue any step further. https://www.itcentralstation.com/questions/what-questions-should-i-ask-before-buying-siem

Thank you,
Adrian

Gabriel Crespo
User

I think you are missing the point here. Many SIEM solutions will give you similar abilities, however, odds are that just one SIEM will perfectly fit your needs. Are you interested in NOC capabilities (device monitoring) or just security logs? Will you send flows to the SIEM? How many people are in your security team? How many servers/networks/devices... will be monitored? Answer that first, and you'll get the perfect recommendation.

Director of Engineering at a tech services company with 201-500 employees
Real User

We need to understand SIEM from 2-3 dimensions

- Features [Real-time Security Monitoring, Threat Intelligence, Data and End User Monitoring, Application Monitoring, Analytics, Log Management & Reporting, Deployment & Support Simplicity, Implementation Flexibility]
- Extensibility
- Price

Miriam Tover
SIEM is one of the fastest trending topics on IT Central Station. Why do companies need to purchase SIEM? Is it due to compliance reporting, system monitoring, intrusion detection, or something else? Why is it so important? Thanks for helping your peers cut through vendor hype and make the right decision.
Sofiane Medhkour
Real User

SIEM provides real-time analysis of security alerts generated by applications and network hardware.
It’s important as it’ll be the centralized point where you get security event reports for all the infrastructure and the place where you take the first action.

You can buy it as software (there are a lot of solutions), but you need a security analyst to follow it, or you can buy it as a service.

DAX Paulino
Real User

The answer is: all of the above.

From a technical point, if you have a lot of sources that generate security alerts/events, you will need a SIEM to help you manage these alerts (collect, analyze, correlate, etc) and determine how you can respond to them appropriately. Having this system will make it a lot easier for your team to identify and respond to incidents.

From the business view, it supports preventing downtime due to incidents, identifying problem areas in the network, and even understanding how the network and people operate normally on a daily basis. And depending on your company's industry (i.e. Finance, Telco), SIEMs are required by regulatory or industry standards. In some countries, banks are required to have a SIEM for the security of their network systems.

Though SIEMs seem to be a necessity with what it can do, it may not be for everyone. Small companies/networks may not generate many alerts/events so SIEMs will not be helpful. Also, consider the cost and operation of a SIEM. If you have a small network yet require SIEM for compliance, you may be better off with SIEM as a service.

Thang Le Toan (Victory Lee) (Robusta Technology & Training)
Real User

A SIEM system provides real-time analysis of security alerts generated by application tools, platforms, network hardware, virtual networks, physical servers or workstations, and virtualization VMs.
This term is somewhat of an umbrella for security software packages ranging from Log Management Systems to Security Log / Event Management, Security Information Management, and Security Event correlation.

We often divide these into three groups of tools:
Group 1: collecting information, even in real time, and analyzing basic data in place (usually configuration information, software information, licensing) as a basis for fixed asset control information.
Group 2: In addition to the information collection feature, it also analyzes quickly, assesses the error status and incident information, records events and also monitors consoles remotely, or has integrated tickets for a KB, troubleshooting, chat conference, ITIL / IT Helpdesk platform.
Group 3: Integrating IPS, IDS, firewall, NetFlow and Squid proxy to help with system log analysis, SSO authentication logs, transaction logs for email servers, web logs, DC logs, etc.
Therefore, depending on the needs of the enterprise, we choose the tools to suit each group, for example: Spiceworks, ManageEngine, SolarWinds Security Event Manager, Micro Focus ArcSight ESM, Splunk Enterprise Security, LogRhythm Security Intelligence Platform, AlienVault Unified Security Management, RSA NetWitness or IBM QRadar, Turbonomic, Veeam ONE, etc.

Sacha Lostun
Real User

A SIEM is an application that allows an organization to monitor network transactions from within their own network and also external sources.

SIEMs may provide many features, from basic logging of network transactions to alarms, automatic responses/actions to specific events – without the involvement of a human user.
Also, SIEMs may be acquired through ownership of the application or as a service. Supporting your own SIEM requires extensive security knowledge and 24 hours availability. As a service, the SIEM requires help with the configuration, periodic input with changes and adjustments, yet not a specific security knowledge or available people 24 hours a day. The cost varies based on features, service, support, and technologies.

While SIEMs are available on local servers within the organization, they are also available from the cloud. The cloud environment may be a more flexible and cost-effective option.

The SIEMs have at least two (2) main purposes: security and compliance reporting. Examples for security: external security breach attempts, internal data breaches, malware prevention, etc. Examples of compliance reporting: an organization may not be able to report anything regarding compliance if the organization is not aware of the transactions that occur on their network(s). There are other reasons why an organization may employ a SIEM, and these are addressed by additional features provided by the application.

The SIEM application is only one component that should be considered when addressing security and compliance requirements. Employing a SIEM by itself will not be a complete solution for the present security and privacy requirements. The SIEM should be considered as part of the solution, together with the following products or services:
- Policy and Governance (GRC applications/solutions)
- Vulnerability Risk Assessment
- Log retention (certain privacy and security legislation/policies ask for log history for compliance)
- Remediation services (once a security event happens – example a data breach, the network environment has to be restored to a safe original state); a SIEM provides the proper knowledge of what happened using forensic analysis on the logs generated and therefore helps in restoring the network environment to a safe state faster.
- Reporting and notifications in cases when a security breach happens.
- User training within consistent intervals (for example, once a month) – through automated training and at least twice a year, teacher assisted.

All the above are components of a complete solution. Considering, employing and preparing for each of these components assures an organization the value of their investment.

Chris Potts
User

I try to relate SIEM to a person’s life to help to understand. Here’s how I explain:

What is SIEM:
* Security is mostly focused on “building a fence” around our IT environment with a combination of hardware and software solutions.
* That “fence” is being hit constantly by both legitimate users entering our IT environment and those trying to penetrate that have bad intent.
* SIEM deployed at the monitor/triage level is how we watch the “fence” to ensure that there are no holes that have opened, and no one has gone through a hole or around our “fence” that shouldn’t be allowed into our environment.
* Alerts from SIEM applications need to be triaged by individuals who understand what they are seeing in the alerts.
* Most alerts represent a legitimate business or non-threatening activity.
* Alerts that are not legitimate or dangerous are then handled appropriately. I recommend an escalation matrix that directs the type of response based on the type of threat, the impact of the machine(s)/device(s) affected, the risk of propagation in the environment and the impact to operations.
* SIEM, for the most part, is a reactive process but, it also identifies risk areas that should be acknowledged in a risk log and/or addressed with a proper solution.

Compliance/Legal:
* Compliance requirements are typically dictated by the type of business being conducted and requires careful analysis of any Federal, State, Local, International or other agency/association requirements.
* Utilizing SIEM to keep your “fence” in good health helps show that you are exercising sufficient “duty of care” in case you do have a breach and are sued.
Cost Decision:
* Any spending beyond a regulator requirement for security spending should have a risk/cost analysis.
* Spend too much and hurt your ability to be financially viable. Spend too little and risk losing your business.
* The decision is similar to how one might handle personal healthcare, nutrition, and physical training. I find that businesses tend to invest in security much like people invest in their health:
* Regulated Business/High Performance/High Risk:
* Pro Athlete: 100% medical coverage, nutritionist prepared training diet, private personal trainer.
* Strong/Successful/Growing Business/Medium Risk:
* Moderately Fit Lifestyle: Medical with a deductible, usually eats healthy, works out on regularly own or in group classes at the gym.
* Newer/Smaller Business/Low Risk:
* Casual Lifestyle: Medical with deductible, diet varies (sometimes focused sometimes not), casual activity, occasional gym.
* Low Margin/Income Business/Bankruptcy is the alternate plan for any major business challenges:
* Sedate Lifestyle: No medical insurance, diet varies, casual activity.

My website is being rebuilt and doesn’t reflect anything about our security services (or much else). I get all of my business from referrals and haven’t touched it in about 7 years. It’s getting a complete rebuild now because we are adding a client portal and bolting on a new front end at the same time that actually looks professional.

Avraham Sonenthal
Real User

Security Incident and Event Management (SIEM) is an automated way to detect patterns that might indicate a security incident. Usually, the SIEM product will collect logs from all the networking devices and resources in an environment, and use AI or other logic to correlate them and identify potential attacks. For example, a former employee might log in to the network, plus there is a failed access to a database using the same credentials. A SIEM can identify that as a suspected attack. The virtue of a SIEM is in its ability to spot these correlations. That is why it is good.

If your organization has a robust security department SIEM could be a good tool to have. It also may be required by audit. It would also be useful in the clearance space where defense and spy agencies may be subject to a hostile cyber attack. Engineering companies like Boeing or Rolls Royce would certainly need such a tool to identify attacks from rogue states such as China and Russia who are known to sponsor the theft of intellectual property from other nations. It requires someone at the organization to be trained on the SIEM and dedicated to monitoring it. Otherwise, it is of limited value except for audit requirements.
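The correlation described above (a login by a former employee plus a failed database access with the same credentials) as an added worked example in Python. This is not code from the original post and not any SIEM product's rule language; the identity list, the key=value log format, the hostnames and the users are constructed assumptions. It shows the two ingredients a SIEM needs for this detection: context (an identity list that says who has left) and a join across two log sources within a time window.

```python
"""Correlating a network login with identity context and a second log source.
Added example over constructed data; not a SIEM product's rule syntax."""
from datetime import datetime, timedelta

# Constructed identity list, as an HR or identity-management export might supply it (assumption).
IDENTITIES = {
    "jsmith": {"status": "terminated", "left_on": "2023-12-15"},
    "alice": {"status": "active"},
}

# Constructed log lines in a simple '<timestamp> <host> k=v ...' format (assumption, not a vendor format).
VPN_LOG = [
    "2024-01-02T08:00:00 vpn01 user=jsmith action=login result=success src=203.0.113.7",
    "2024-01-02T08:05:00 vpn01 user=alice action=login result=success src=198.51.100.4",
]
DB_LOG = [
    "2024-01-02T08:03:00 db01 user=jsmith action=connect result=failure db=payroll",
    "2024-01-02T08:06:00 db01 user=alice action=connect result=success db=crm",
]


def parse_line(line):
    """Parse one '<iso timestamp> <host> k=v k=v ...' line into a dict."""
    ts, host, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "host": host}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def correlate_terminated_logins(identities, vpn_lines, db_lines, window=timedelta(minutes=15)):
    """Return one finding per successful VPN login by a terminated identity.

    Each finding is enriched with that user's database connection attempts in the
    `window` after the login; any related DB activity raises the severity, because
    the combination is exactly the pattern a lone VPN log line cannot show.
    """
    db_events = [parse_line(line) for line in db_lines]
    findings = []
    for rec in (parse_line(line) for line in vpn_lines):
        if rec.get("action") != "login" or rec.get("result") != "success":
            continue
        if identities.get(rec.get("user"), {}).get("status") != "terminated":
            continue  # active user: nothing to correlate, no alert
        related = [
            e for e in db_events
            if e.get("user") == rec["user"]
            and timedelta(0) <= e["ts"] - rec["ts"] <= window
        ]
        findings.append({
            "user": rec["user"],
            "host": rec["host"],
            "login_at": rec["ts"],
            "db_attempts": len(related),
            "db_failures": sum(1 for e in related if e.get("result") == "failure"),
            "severity": "high" if related else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_terminated_logins(IDENTITIES, VPN_LOG, DB_LOG):
        print(finding)
```

Run as a script it reports one high-severity finding for jsmith (a terminated account that logged in and then failed to connect to the payroll database three minutes later) and nothing for alice, whose identical-looking log lines are normal activity. The point of the example is that neither log on its own says anything alarming; the identity list and the cross-source join are what turn two routine entries into a suspected attack.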

Christian Caldarone
Real User

It is so important because it will enable you to have this single pane of glass view onto all the security-related information from your infrastructure and even beyond. Getting an idea about the big picture is really essential for everything security, so a SIEM is the right tool to achieve this. Furthermore, it is hard to find (the right) patterns in millions upon millions of lines of information without the help of a SIEM, because a SIEM usually provides the necessary algorithms and correlation rules to bring the patterns of a question to your attention. This is also often referred to as "finding the needle in the haystack".

Jacob Hinkle
Real User

A SIEM is a tool which sorts logs and alerts on security-related events, customizable for a business’s needs and regulatory compliance requirements. Many certifications like ISO 27001 and SOC 2 require that there be active monitoring of networks and computer systems to ensure data confidentiality, integrity, and availability.

A good SIEM will update itself with new signatures and behavioral patterns to be able to identify malicious activities and behaviors or threat actors by collating logs from various devices and endpoints on your network. A SIEM can augment and enhance the work done by security analysts in identifying problems and prevent costly, damaging attacks like ransomware outbreaks, theft of intellectual property or financial fraud. They also have the benefit of being online 24/7 where a staff of at least three analysts would be needed to catch the same coverage.

Though a SIEM is primarily designed to catch security-related events, they can also be customized to monitor applications such as SQL or Financial software and alert on specific events such as disks being full, RAM usage or network outages.

Miriam Tover
There's a lot of vendor hype about SIEM solutions. SIEMs are not something you just install it and wait for great things to happen, right? What questions should someone ask before purchasing a SIEM? Help your peers ask the right questions so that they'll make the best decision.
CISO at a software R&D company with 51-200 employees
Consultant

Some areas and questions for evaluating a SIEM solution. These are some common things that come up from customers that we deal with. But there can also be a lot of others based on specific business needs.

It helps if they have a clear objective of what it is you are wanting. So review questions like the following:
* Is it just logs from a select few systems or all systems like servers, databases, applications, and desktops?
* Are all the users and systems internal or are they also mobile and could be working from home or over the Internet from a café?
* What operating systems need to be covered ie Windows, Linux, Solaris, Mac OSX, etc.?
* Do you want to collect syslogs from other devices like firewalls, routers, switches, wireless APs, etc.?
* There can be some discussion on agents vs agentless, so consider the pros and cons of each for your needs.
* Do you have compliance issues you need to manage, ie PCI DSS, ISO27001, HIPAA, etc.?
* What is it that you are wanting from the SIEM in reporting? There can be a lot of options: static reports, dynamic dashboards, PDF reports, correlation of log data with other systems like ticketing systems.
* Do you want to run a SOC or just get reports if and when you want to look at something? Do you have the resources to monitor things or do you need to also work with an MSSP?
* What sort of alerting and threshold reporting do you want to get?
* Do you have complex network segments with multiple zones to collect and aggregate logs from that you need to centralize, to keep the logs away from the systems generating them and away from potential hackers?
* In general for those that are starting out for the first time, just stick to the core critical systems and collect logs from those systems until you understand more of what you are wanting to do with a SIEM collection and reporting. This helps to keep the project scope more controlled and confined so it's easier to manage. As you learn more then you can grow the scope later on.

Once you have a clearer idea of what you want, it's time to look to the vendors: download the software and see how well it works in your environment.
* How easy was it to get an eval license? Did the sales and presales support help you get going quickly?
* How easily and quickly can you install the software, start to collect logs, and then start to get some reports and visualizations on the data?
* How easy was it to identify problems and security issues, and what sort of value is that to the business?
* How easy is it to roll out? Many large corporate environments have complex change control processes; can the software easily fit within these processes?
* Cost is always a component of any solution, so how well does it scale for your business? Does it have known costs, or are there variable costs like per GB of storage, which often bite customers, as there is always more data than you expect?
* How well can the solution scale out to hundreds or tens of thousands of systems as business needs change or the business grows?
* Can upgrades and license changes be done with minimal effort?
* What is the future of the company? Do they invest in R&D to keep enhancing the product, as there is always something new to do or a new OS version to support?
* How well does the vendor do support? Do they only offer internet support, or do they let you talk to a real person who can understand you?
* Does the vendor play nicely with others? Almost all customers have a mixed environment, so being able to integrate and work with other SIEM vendors always helps.

So having a clearer understanding of what you want makes it easier to see "yes, this was a success" or "no, this was a failure and did not meet the business objectives". Some use a scoring system in a spreadsheet to rank various areas on a scale of 1-10, with 1 being poor and 10 meeting all needs. Doing this in a matrix often helps to sort the good from the bad more easily, and the good from the very good, as part of the review process. So having a bit of structure in the evaluation process helps with finding the right fit for the business.

Rainier Varilla (IBM)
Vendor

Discovery questions you should ask any SIEM vendor:

-Would you like more insight into what’s going on in your network?
-Are your security-related compliance efforts manual and time-consuming?
-Would you know if an advanced threat went after your customer data or employee data before it was too late?
-Do you feel confident you're protected against stealthy, long term attacks that use social engineering tactics?
-Can you detect all the threats and risks taking place across mobile computing, social networks, and cloud environments?
-Do you find it difficult to keep up with constantly evolving threats, using limited staff and budget?
-Do you have a clear sense of what the risks are, associated with any vulnerabilities in your network, so you can build a prioritized plan of addressing the vulnerabilities?
-Are there any devices you’ve recently added or network changes you’ve made that impact your ability to ensure security and demonstrate compliance?
-Old ways of protecting networks can't keep up, and many organizations are looking for help in improving their security and risk posture. Is this a priority you are considering today?

Waleed Khalilieh (Securonix Solutions)
Vendor

The eight features of a modern SIEM based on an open, big data architecture:
-Leverages real-time behavioral analytics including machine learning.
-Enriches data with additional context to facilitate accurate prioritization of threats.
-Easy access to pre-packaged security content, relevant security use cases, and a support library with dynamic security content.
-Predictable cost and low TCO with a pricing model that is aligned with your business.
-Automated incident response capabilities through automated playbooks.
-Cloud-based SIEM deployment options for cloud or hybrid IT environments.
-UEBA, NTA, and SOAR capabilities available in the SIEM platform.
-Legacy SIEMs require a lot of manual work. Security analysts need to spend a lot of time switching between solutions and screens while hunting down threats, manually remediating breaches, and writing and tweaking the manual rules the SIEM relies on to find threats. A modern SIEM uses integrated SOAR to drive security response through automated case creation and management, ending swivel chair investigations and freeing up security analysts to focus on security.

Compared to a legacy SIEM, which struggles to meet today’s security challenges, a modern SIEM improves your security posture through improved detection, investigation, and response capabilities.

UmbertoAlloni
User

Before buying a SIEM solution, first ask yourself the following question: for what purpose and for what requirement will I purchase a SIEM?

The scope:
- Will it only be for compliance (in which case a good log management tool could be sufficient)?
- Does the scope also include security monitoring (correlation, investigation, analysis, and reporting), so that a SIEM also makes sense?

If you are in the second case you need to ask yourself a second question:
- Who will use your SIEM? Does anybody think that the SIEM produces results and benefits on its own? (Then you must abandon the idea of buying a SIEM.)
- Will there be an outside service/SOC?
- Will there be an internal SOC?

If you are in the last case (the one that justifies the purchase of a SIEM and not an MSSP), you need to think about the best purchase to maximize its potential given what you have in terms of the number of operators/analysts, their automation and their competence (*).

- How, and in what time, does the SIEM vendor support you in the post-sales phase for software issues (numbers and real cases)?
- How does the SIEM start to collect the first logs and visualizations (numbers and real cases)?
- How many days of additional vendor professional services are needed for an average deployment (up to 5,000 EPS) and for a large and complex one (up to 10,000 EPS)?
- What are the vendor's best practices for the roll-out of a SIEM in an IT environment with complex systems and processes (real cases of implementation)?
- How independent (*) can I consider myself in changing configurations and evolving the SIEM once the roll-out is finished?
- How does the SIEM license scale with the growth of the IT environment I monitor (an example)?

I would stress the importance of obtaining from the vendor real numbers from real cases.

Ulrik Rosendal-Jensen (IBM)
Vendor

-Ease of operation, including patching and upgrades.
-Should ensure that all related suspect data (network traffic, user behaviour, ...) are gathered and presented as one suspect security incident, to significantly reduce the analyst's work.
-Provides an easily understood summary of each suspect security incident with prioritization and important details, and drill-down to all details, to ensure more efficient handling of suspect security incidents.
-Broad out-of-the-box support (collect/receive, parse) for devices, applications (including from the cloud), OSes and security solutions, which should be continuously and automatically updated (new versions and new additions).
-Extensive out-of-the-box support for detecting suspect network traffic and suspect user behaviour (user behaviour analytics), continuously updated.
-Easy support for, or built-in, continuously updated threat intelligence.
-Out-of-the-box support for vulnerability scanners to provide better prioritization of suspect security incidents.

ChrisTaylor (LogPoint)
Vendor

What questions should someone ask before purchasing a SIEM?

-Ask about and understand the ease of use.
-How long to implement and make the SIEM operational based on use cases?
-What compliance functionality is included for alerts, rules, and reports?
-Does the SIEM have a fully integrated and easy to implement UEBA component?
-Is the reporting tool native or is it an OEM solution?
-Can the SIEM run on-premise, in the cloud or in a hybrid mode?
-Is the solution sized accurately on both hardware and cost perspectives?
-Is the SIEM vendor-independent or from a multi-product company where additional components may be needed for full visibility across the network?

Help your peers ask the right questions so that they'll make the best decision.

TomWeizeorick (IBM)
Vendor

When moving ahead with a SIEM purchase you need to have clarity on your goals and requirements. Create a list and prioritize it in terms of importance:
Reasons for looking at a SIEM?
Key features you'd like to have.

Some reasons you might see:
Need to meet new compliance laws on logging and reporting.
Need to centralize all my security technologies to better assess threats: firewalls, anti-virus, endpoint, etc.
Company execs are looking for us to beef up our security posture, and we are unable to keep up with all the event logs and potential threats.

Key features:
Support for existing technology: firewalls, endpoint, EDR, anti-virus.
Support for network flows, user behavior analytics, forensics, AI, etc.
Need to run in the cloud, on AWS or Azure, or host on-prem in a virtual environment.
Need the option to start on-prem with the ability to move to another platform.
Offers 24/7/365 managed services for your SIEM.

This is just a good starting point. You can dig much deeper, building out a full requirements list by googling sample SIEM RFPs. Be careful not to get lost in the feature/functionality loop. I've seen companies crippled by this, as all vendors start to look the same on an RFP reply. Stick to your main reason above and then create a shortlist. Look to Gartner and Forrester analysis to help get started on your shortlist.

Simo Sim
User

That is correct, you don't just install it and that is it. There is quite some work to do after installation:
* You need to get events into the system, and they need to be normalized; this depends on the vendor and how they offer support for it. This is also important when there is a version upgrade of the source device and log types change.
* You need to configure correlation content and tune it to fit your environment: remove false positives, add assets to the SIEM, and so on.
* Monitor the system for what kind of alerts are generated.
* Keep the system up to date with vendor-provided software updates.

What questions should someone ask before purchasing a SIEM?
* Do you have an existing library of use cases?
* What kind of content is available?
* Is this content updated regularly?
* What kind of event sources do you support?
* What if I need to add a custom application?
* What is your license model? If I have a surge, will the system accept it? Will anything be throttled as a result of a license violation?
* How can I monitor the availability of elements within the system? Usually the collection layer and the analysis/storage layer are separate; if the collection layer does not work, the analysis layer has nothing to analyze. So how can I monitor that?
* Can I upgrade the system just by changing the license? Will the proposed solution limit us at some point so that it needs to be replaced as a whole? This is usually true with a SIEM that is delivered as an appliance.
* Does the license limit me in any way as to how many different sources I can collect?
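
One way to make the collection-layer question above concrete, added here as an example and not code from the post or from any SIEM vendor: a check that learns each source's normal inter-event interval from what it has already sent and flags any source that has been quiet for several times that interval. The feed lines, source names and the DEMO_NOW timestamp are constructed for the demo; whether a silent source means a broken forwarder, a license throttle or a dead host is exactly the question to put to the vendor.

```python
"""Detect log sources that have gone quiet (collection-layer health check).

Added example for this thread; it is not code from any vendor named here.
The event lines are constructed. Assumption: each source normally emits at
a roughly steady rate, so a gap several times its usual interval means the
collector, the forwarder or the source itself has stopped.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed sample feed: ISO timestamp, source name, message.
SAMPLE_FEED = """\
2024-05-01T10:00:00Z fw-edge-01 session allowed 10.0.1.5 -> 93.184.216.34:443
2024-05-01T10:00:30Z fw-edge-01 session allowed 10.0.1.7 -> 93.184.216.34:443
2024-05-01T10:01:00Z fw-edge-01 session denied 10.0.1.9 -> 198.51.100.20:22
2024-05-01T10:01:30Z fw-edge-01 session allowed 10.0.1.5 -> 93.184.216.34:443
2024-05-01T10:00:00Z dc-01 EventID=4624 user=alice
2024-05-01T10:05:00Z dc-01 EventID=4624 user=bob
2024-05-01T10:10:00Z dc-01 EventID=4634 user=alice
2024-05-01T10:15:00Z dc-01 EventID=4624 user=carol
2024-05-01T10:00:00Z web-01 GET /index.html 200
2024-05-01T10:00:10Z web-01 GET /login 200
2024-05-01T10:00:20Z web-01 POST /login 302
2024-05-01T10:00:30Z web-01 GET /dashboard 200
"""

# Assumed "current time" for the demo run.
DEMO_NOW = datetime(2024, 5, 1, 10, 20, 0, tzinfo=timezone.utc)


def parse_feed(text):
    """Return {source: [timestamps]} from 'ts source message' lines."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, _ = line.split(" ", 2)
        seen[source].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return seen


def find_silent_sources(seen, now, tolerance=3.0, min_gap=timedelta(minutes=5)):
    """Flag sources silent for longer than tolerance x their median interval.

    min_gap stops a chatty source (10 s interval) from alerting on a
    harmless 40 s pause. Returns {source: seconds_silent} for offenders.
    """
    silent = {}
    for source, stamps in seen.items():
        stamps = sorted(stamps)
        if len(stamps) < 2:
            continue  # no baseline yet: report as 'unknown', not 'silent'
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        threshold = max(tolerance * median(gaps), min_gap.total_seconds())
        quiet_for = (now - stamps[-1]).total_seconds()
        if quiet_for > threshold:
            silent[source] = quiet_for
    return silent


def demo():
    """Run the check over the constructed feed at DEMO_NOW."""
    return find_silent_sources(parse_feed(SAMPLE_FEED), DEMO_NOW)


if __name__ == "__main__":
    for src, secs in demo().items():
        print(f"ALERT: source {src} silent for {secs:.0f}s")
```

In the demo the firewall and the web server are flagged (their last events are 18 and 19 minutes old against a 5-minute floor), while the domain controller, which only logs every 5 minutes, is not. In a real deployment the baseline would come from a longer history and the alert would go to the same queue as security alerts, since a blind collector is a security problem.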

Nurit Sherman
There are so many SIEM solutions out there and so much vendor hype in the market. Conducting an effective trial is really important! A number of community members are currently evaluating solutions. Do you have any advice for them about the best way to conduct a trial or POC?  How do you conduct a trial effectively?  Are there any mistakes to avoid?
Gary Kennedy
User

1. Understand your environment: segments, microsegments, etc. Know where everything is.

2. Understand what you're trying to do: why are you monitoring? Regulations? Compliance?

3. Understand your retention requirements: storage cost!!! You're capturing events per minute, and it gets expensive.

4. Understand how you want to use the SIEM: is it part of your SOC or NOC? How will your security analysts use it? Will it be monitored 24/7? Have a game plan on who does what with alerts.

5. There are two basic ways you will pay for it: either by the amount of traffic, or by the number of employees in the company. Splunk uses the amount of traffic across the wire; Exabeam is by number of employees.

6. Should you use VMs or buy hardware? Hardware is cheaper in the short run, but in the long run VMs are cheaper and more versatile with storage.

7. Do you have C-level buy-in? This will cost, so if you don't have that level of buy-in you will not get what you want.

8. Narrow your choices down to three vendors/solutions and ask each to do a pilot program with no promise to purchase, for 90 days if possible, shorter if needed. This will give you an idea of the amount of data you will be monitoring and a better idea of the cost. Set each solution on a different subnet of the network and then review the success or failure of the solution with those who have to use it. Don't forget to get management to give their two cents' worth; they will give you honest feedback on reports required, etc. Also include your auditing dept. to make sure the solutions will meet their requirements.

9. After the test, evaluate the solutions with the same criteria for each: make a list of requirements and grade them all with the same criteria.

10. Check the cost against what you can afford, and remember, the cost will go up 10-20% each year, as newer technology will give you more visibility into the network.

11. After running the system for a year, re-evaluate the solution: did it do what you thought it would? Does it meet your needs? Do you need to enhance it (buy more modules), etc., or do you need more training?

Mohamed OTHMAN
Real User

When speaking of SIEM, it should (probably) be one of the last solutions with which you reinforce your cyber security defense. Remember, SIEM is not EQUAL to secure.
I don't think that a PoC is something that will help you with a purchase: all SIEMs today are intelligent, with powerful correlation engines, rules, and options. You need to find documents on the internet showing the differences:
https://www.esecurityplanet.com/products/top-siem-products.html

One important question you should ask and find the answer to: budget (sizing)? Do you really need a SIEM solution on-premises? What about the cost? What size of IT infrastructure do you have: small, medium, big? You will need staff for management, incident handling, etc.; it should be 24x7. I would not buy a SIEM for just 8 hours per day. What about SIEM as a service or co-managed?

If you already have those answers and need a SIEM on-premises, the following factors will make sure your SIEM project is a success:
-Events Per Second (EPS)
-Storage
-Parsing
-Filtering
-Management
-Accountability
-Automation
-Forensics
-Threat intelligence
-Easy to use: user-friendly
-Compliance

I suggest that you try an open-source SIEM like Graylog (not a lot of intelligence) but it will help you even for sizing, and options.
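
Gary Kennedy's point 3 (retention drives storage cost) and the EPS and storage items in the list above are easiest to reason about with numbers. The estimator below is an added example, not the posts' own material and not any vendor's sizing tool; the inventory, per-device event rates, event sizes, peak factor and on-disk ratios are assumptions to be replaced with figures from a short collection pilot, which is also the cheapest way to find out whether a per-GB or per-EPS license fits.

```python
"""Rough SIEM capacity estimate: sustained and peak EPS, daily ingest and
retention storage per tier.

Added example for this thread, not a vendor's sizing calculator. Every
number in INVENTORY and every default below is an assumption; a week of
raw collection from the real sources replaces them with measurements.
"""
from dataclasses import dataclass

GIB = 1024 ** 3


@dataclass
class SourceClass:
    name: str
    devices: int
    eps_per_device: float  # sustained events per second per device (assumed)
    avg_event_bytes: int   # raw size of one event before compression (assumed)


# Constructed inventory for the demo.
INVENTORY = [
    SourceClass("windows-servers", 200, 1.5, 900),
    SourceClass("linux-servers", 300, 0.5, 250),
    SourceClass("firewalls", 10, 800.0, 400),
    SourceClass("workstations", 2000, 0.2, 700),
]


def sustained_eps(inv):
    """Events per second across the whole inventory at normal load."""
    return sum(s.devices * s.eps_per_device for s in inv)


def daily_ingest_bytes(inv):
    """Raw bytes per day before indexing or compression."""
    return sum(s.devices * s.eps_per_device * s.avg_event_bytes * 86400
               for s in inv)


def estimate(inv, hot_days=30, cold_days=365, hot_ratio=0.5, cold_ratio=0.1,
             peak_factor=3.0, growth=1.2):
    """Return sizing figures as a dict.

    hot_ratio / cold_ratio: on-disk bytes per raw byte for the searchable
    (hot) and archive (cold) tiers; an indexed hot tier can be larger than
    the raw data, so 0.5 is optimistic and the vendor's own figure should
    be used. peak_factor covers bursts such as a scan storm or an outage
    that makes every device log errors; growth is headroom for the
    license term. EPS licenses are bought for the peak, not the average.
    """
    eps = sustained_eps(inv)
    daily = daily_ingest_bytes(inv)
    return {
        "sustained_eps": round(eps),
        "license_eps": round(eps * peak_factor * growth),
        "daily_ingest_gib": round(daily / GIB, 1),
        "hot_tier_gib": round(daily * hot_days * hot_ratio * growth / GIB, 1),
        "cold_tier_gib": round(daily * cold_days * cold_ratio * growth / GIB, 1),
    }


if __name__ == "__main__":
    for key, value in estimate(INVENTORY).items():
        print(f"{key:>18}: {value:,}")
```

With these assumed figures ten firewalls account for over 90% of the sustained 8,850 EPS and of the roughly 305 GiB/day of raw ingest, which is the usual shape: a handful of network devices dominate volume, so filtering or sampling their low-value events (permitted-session logs, for instance) is the first lever on both license and storage cost.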

Siddhant Mishra (NETMONASTERY Inc.)
Consultant

Hi Rhea,

When it comes to evaluating a SIEM solution, there is a bit of research and evaluation required from the customer's (your) end as well. This mostly includes answering questions like: What is the business objective that you want the SIEM to fulfill? Is it compliance, or threat hunting? Do you have enough resources to man the SIEM? And many more. There are a few things that you need to evaluate on your end before going all out on vendors as to what their solution is capable of.

Here are some resources that will help you plan or evaluate a SIEM vendor in the most effective manner and help you answer the Why, What and How for your SIEM deployment:
- How much does a SIEM Cost: https://dnif.it/siem/blog/how-much-does-siem-cost.html
- Why you need a next gen SIEM: https://dnif.it/resources/why-you-need-a-next-gen-siem.html

Product Marketing Intern with 501-1,000 employees
Vendor

I agree with Chris and would like to elaborate even more. Understanding your own use cases before the POC is key to generating the test cases you would like to evaluate.
1) Which data sources do you need to collect from to support this use case? Does the SIEM support collecting from these data sources? Does the SIEM only present raw log data, or does it generate additional contextual information from these data sources?
2) What built-in analytics are available in the SIEM to support my use cases, leveraging these data sources? How easily can I customize the analytics to my specific needs or environmental/organizational nuances?
3) How easy is it to interpret results and to differentiate them from other observations/alarms generated by the SIEM?
4) How actionable are results? Meaning, how quick/easy is it to advance the investigation to the next step? How easy is it to pivot on search results and/or look up additional contextual data (what is the reputation of the external IP? What is the role of the host and its vulnerability state? Who is the user? etc.)
5) What guidance/capabilities does the SIEM have to lead, or even automate, steps of the investigative process for my use case?
6) How can I perform a retrospective on how the use case was fulfilled? Does the SIEM capture the details of the investigative process so that I can self-assess and improve?
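
What a written-down POC test case for one use case can look like, as an added example that is not part of the original post or of any product: the use case, the data source it needs, constructed sample events, a reference detection and the expected result, so every vendor in the bake-off is fed the same input and judged on the same expected alert. The auth-log format, the field names and the five-failure threshold are assumptions; a real test set would also carry cases that must not fire.

```python
"""One POC test case: brute-force logon attempts followed by a success.

Added example for this thread; not from the original post or any SIEM.
The auth-log lines are constructed, the line format and threshold are
assumed. The reference detector exists so the evaluator knows what the
correct answer is before any vendor's rules run over the same input.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Linux auth-style lines. alice: 5 failures then success from
# one IP (should alert). bob: 2 failures then success (should not). carol:
# clean login (should not).
SAMPLE_AUTH_LOG = """\
2024-05-01T09:00:01 sshd: Failed password for alice from 203.0.113.9
2024-05-01T09:00:04 sshd: Failed password for alice from 203.0.113.9
2024-05-01T09:00:07 sshd: Failed password for alice from 203.0.113.9
2024-05-01T09:00:10 sshd: Failed password for alice from 203.0.113.9
2024-05-01T09:00:13 sshd: Failed password for alice from 203.0.113.9
2024-05-01T09:00:20 sshd: Accepted password for alice from 203.0.113.9
2024-05-01T09:01:00 sshd: Failed password for bob from 198.51.100.4
2024-05-01T09:01:30 sshd: Failed password for bob from 198.51.100.4
2024-05-01T09:02:00 sshd: Accepted password for bob from 198.51.100.4
2024-05-01T09:30:00 sshd: Accepted password for carol from 192.0.2.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse(text):
    """Normalize raw lines into dicts; in the POC this is the vendor parser's job."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines a parser drops silently are a finding in themselves
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events


def detect_bruteforce_success(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when a (src, user) pair has >= threshold failures inside
    `window` and then logs in successfully. Sliding window per pair."""
    recent = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        q = recent[key]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # forget failures older than the window
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({"src": ev["src"], "user": ev["user"],
                           "failures": len(q), "success_at": ev["ts"]})
            q.clear()
    return alerts


# The test case handed to each vendor: same input, same expected alert.
TEST_CASE = {
    "use_case": "Brute force followed by successful logon",
    "data_source": "Linux auth log via syslog",
    "input": SAMPLE_AUTH_LOG,
    "expected": [{"src": "203.0.113.9", "user": "alice"}],
}


def run_test_case(case, detector=detect_bruteforce_success):
    """True if the detector fires on exactly the expected (src, user) pairs."""
    got = [(a["src"], a["user"]) for a in detector(parse(case["input"]))]
    want = [(e["src"], e["user"]) for e in case["expected"]]
    return sorted(got) == sorted(want)


if __name__ == "__main__":
    print("PASS" if run_test_case(TEST_CASE) else "FAIL")
```

Replaying the same constructed lines into each candidate SIEM and comparing its alerts against `expected` answers points 1 to 3 in the list above directly: did it parse the source, did its built-in or customized analytic fire, and did it fire only once and only for alice. The bob and carol lines are there so that a product which alerts on any failed logon is marked down rather than up.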

Senior Analyst with 51-200 employees
User

There is a lot of prep-work that can be done. I worked on a document about 10 years ago and have posted it here: https://www.dropbox.com/s/iatpmdwcw1pxxw8/SIEM%20Requirements.docx?dl=0 for a while if anyone wants to get a copy, feel free. It is 10 years old but should get you off to a good start in prepping for a POC.

Chingiz Abdukarimov
User

If you need a SIEM for compliance, connect as many log sources as possible from your production environment, and pay attention to storage architecture, parsing of non-standard/non-typical sources, and licensing considerations for network devices and hosts.
If you need a SIEM for threat hunting or risk assessment, then pick a small environment where you can generate a lot of logs/events with all possible severities. Then you can check the system for ease of administration, tuning, creation of correlation rules, event/alarm handling, and orchestration. Check for usability and preferable behavior; analysts will spend a lot of time with the system after all.

CISO at a software R&D company with 51-200 employees
Consultant

Some options for doing a POC. These are some common things that come up from customers that we deal with, but there can also be a lot of others based on specific business needs.

* It helps if they have a clear objective on what it is they want, so review questions like the following:
* Is it just logs from a select few systems, or all systems, like servers, databases, applications and desktops?
* Are all the users and systems internal, or are they also mobile and could be working from home or over the Internet from a café?
* What operating systems need to be covered, e.g. Windows, Linux, Solaris, Mac OS X, etc.?
* Do they want to collect syslogs from other devices like firewalls, routers, switches, wireless APs, etc.?
* There can be some discussion on agents vs. agentless, so there can be discussions on the pros and cons of these needs.
* Do they have compliance issues they need to manage, e.g. PCI DSS, ISO 27001, HIPAA, etc.?
* What is it they want from the SIEM in reporting? There can be a lot of options: static reports, dynamic dashboards, PDF reports, correlation of log data with other systems like ticketing systems.
* Do they want to run a SOC, or just get reports if and when they want to look at something? Do they have the resources to monitor things, or do they also need to work with an MSSP?
* What sort of alerting and threshold reporting do they want to get?
* Do they have complex network segments with multiple zones from which they need to collect, aggregate and centralise logs, to keep the logs away from the systems generating them and away from potential hackers?
* In general, for those starting out for the first time, just stick to the core critical systems and collect logs from those until they understand more of what they want to do with their SIEM collection and reporting. This helps keep the project scope more controlled and confined, so it's easier to manage. As they learn more, they can grow later on.
* So once they have a clearer idea of what they want, it's time to look to the vendors: download the software and see how well it works in their environment.
* How easy was it to get an eval license? Did the sales and presales support help you get going quickly?
* How easily and quickly can you install the software, start to collect logs, and then start to get some reports and visualisations on the data?
* How easy was it to identify problems and security issues, and what sort of value is that to the business?
* How easy is it to roll out? Many large corporates have complex change control processes; can the software easily fit within these processes?
* Cost is always a component of any solution, so how well does it scale for their business? Does it have known costs, or are there variable costs like per GB of storage, which often bite customers, as there is always more data than they expect?
* How well can the solution scale out to hundreds or tens of thousands of systems as business needs change or the business grows?
* Can upgrades and license changes be done with minimal effort?
* What is the future of the company? Do they invest in R&D to keep enhancing the product, as there is always something new to do or a new OS version to support?
* How well does the vendor do support? Do they only offer internet support, or do they let you talk to a real person who can understand you?
* Does the vendor play nicely with others? Almost all customers have a mixed environment, so being able to integrate and work with other SIEM vendors always helps.

So having a clearer understanding of what they want makes it easier to see "yes, this was a success" or "no, this was a failure and did not meet the business objectives".
Some use a scoring system in a spreadsheet to rank various areas on a scale of 1-10, with 1 being poor and 10 meeting all needs. Doing this in a matrix often helps to sort the good from the bad more easily, and the good from the very good, as part of the review process. So having a bit of structure in the evaluation process helps with finding the right fit for the business.

Craig Humphreys
User

Yes, SIEM solutions are intended to have two types of values:
Provide a comprehensive and accurate view of an organization’s security posture
Correlate and intelligently analyze security events to find (and act on!) threats that would otherwise go unnoticed

So, integration and ease of automation are every bit as important (more important) than a big list of features.

There is no easy way to "trial" a SIEM solution and get any idea other than how hard the initial integration into security event feeds is going to be. Unless the solution has built-in automation/learning (like LogRhythm and QRadar), you just won't get that insight for a long time. Weeks to months.

The biggest mistake is to believe a short-term trial equates to long-term experience. My clients for whom I've done SIEM solutions have opted for efficient and automated: LogRhythm and QRadar for every one of them. They are all delighted. My clients who chose their own path for SIEM ended up with complex solutions from ArcSight, AT&T, NetWitness, etc. Splunk is becoming a full SIEM solution and also deserves some careful consideration.

I recommend NOT trialing the different SIEM solutions in a bake-off. You will be comparing several unbaked cakes, although I've pushed that analogy to its absolute limit. Instead, find a solution that is affordable and offers the ease of integration and correlation/detection automation that your organization values. Do a POC with that solution. If successful, do a full deployment.

Or, just buy LogRhythm or QRadar ;-)



What is Security Information and Event Management (SIEM)?

What is SIEM? A Security Information and Event Management (SIEM) system gives security managers a holistic overview of multiple security systems. SIEM tools centrally store and analyze logs from different locations in order to spot patterns and trends that might signal an emerging security threat or attack. SIEM combines a security information management (SIM) system with security event management (SEM) in a single software solution. In this way, SIEM blends the best of event management tools with security event and incident management technologies.

There are multiple SIEM vendors competing in the market today. IT Central Station members offer a number of recommendations for those considering SIEM solutions.

One phrase that comes up repeatedly in IT Central Station dialogues about SIEM products is "real time." According to reviewers, SIEM technology should possess real-time threat analysis and reporting capabilities. Solutions should offer real-time, security-related logs and incident reporting. Reports need to specify possible risks and damage to infrastructure. A SIEM tool should ideally provide real-time gathering of logs and log correlation. Notification and event triggering, and the availability of special event collectors for different environments, are viewed as among the most important criteria.

Some IT Central Station members stress the importance of SIEM being able to combine information from multiple sources. The solution has to be capable of intelligent queries on these combined sources. Put another way, SIEM must offer compatibility with diverse security data sources and be able to adapt to new or unknown sources. Then, the SIEM solution should perform multilevel correlation on those sources of data.

Efficient use is important. A SIEM tool must be easy to deploy, configure and use. SIEM can be more effective if it integrates with Identity and Access Management.  Alerting and workflow integration adds to administrative efficiency.

Specific features recommended include packet analysis, audit trail creation, threat intelligence and search. Users encourage potential buyers to have confidence in the power of a SIEM solution’s search performance and the performance of its threat intelligence engine.  The solution should be capable of parsing any log format.
