Security Information and Event Management (SIEM) is one of the most established categories of security software, first introduced about 20 years ago. Nevertheless, very little has been written about how to evaluate SIEM vendors and manage the relationship afterwards.
To fill that gap, here are six top-line tips for purchasing and deploying a SIEM solution for maximum value.
Evaluate and purchase a SIEM solution
Determine your expenses
SIEM solutions are priced on different bases: by the number of employees (or users) in the customer organization, by events per second (EPS), or by the volume of log data ingested per day. Work out which model applies to you early on, so you have a rough idea of what you will pay over time. At the same time, identify the data sources your Security Operations Center (SOC) actually needs to ingest, since each of them adds to the bill.
Purchasing a SIEM is a huge commitment: you and your organization will have to live with your decision for years to come.
If you already have a SIEM, give the vendor your current use cases and consumption figures, and they should be able to replicate them. If you don’t, you will need to do some legwork. A good starting point is to size the logs you intend to send to the SIEM: for each source, take the locally stored logs from a representative “normal” day, count the events and measure their size on disk, and note the busiest seconds. Check whether an EPS-based licence is priced on average or peak rate, because the two numbers can differ by an order of magnitude for bursty sources such as firewalls and authentication servers.
Be wary of vendors that charge by headcount. This is usually a way to bill for employees who generate no security-relevant data at all.
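The sizing exercise described above, as an added example that is not part of the original article: a small Python script that takes one day of syslog-style lines from a source, counts events and raw bytes, computes average and peak EPS, and projects daily and yearly volume so the figures can be compared against EPS-based and volume-based price lists. The sample log lines, the host name `web01` and the function names are constructed for illustration; the script treats a gigabyte as 10^9 bytes, which you should confirm against the unit your vendor actually bills in.

```python
import re
from collections import Counter

# Constructed sample: syslog lines from one host for one "normal" day (not real data).
# The last two lines are deliberately off-day / malformed to show they are not counted.
SAMPLE_SYSLOG = [
    "Mar  3 10:15:01 web01 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51514 ssh2",
    "Mar  3 10:15:01 web01 sshd[2211]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Mar  3 10:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/bin/systemctl restart nginx",
    "Mar  3 10:15:02 web01 systemd[1]: Stopping A high performance web server and a reverse proxy server...",
    "Mar  3 10:15:02 web01 systemd[1]: Started A high performance web server and a reverse proxy server.",
    "Mar  3 11:02:47 web01 sshd[2399]: Failed password for root from 203.0.113.9 port 40022 ssh2",
    "this line has no syslog timestamp and will be skipped",
    "Mar  4 00:00:01 web01 CRON[3001]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Classic BSD syslog header: "Mon dd HH:MM:SS " (day may be space-padded).
SYSLOG_TS = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
)

SECONDS_PER_DAY = 86_400


def measure_log_volume(lines, month, day):
    """Size one day of a log source the way a SIEM licence would see it.

    Returns the event count, raw bytes (each line plus its newline), average
    and peak events per second, and the projected decimal GB/day.  Lines from
    other days or without a parseable timestamp are reported under 'skipped'
    so that you notice them instead of silently under-counting volume.
    """
    events = 0
    raw_bytes = 0
    skipped = 0
    per_second = Counter()
    for line in lines:
        m = SYSLOG_TS.match(line)
        if not m or m["mon"] != month or int(m["day"]) != day:
            skipped += 1
            continue
        events += 1
        raw_bytes += len(line.encode("utf-8")) + 1  # +1 for the newline on disk
        per_second[m["time"]] += 1  # bucket by second to find the burst rate
    peak_eps = max(per_second.values(), default=0)
    return {
        "events": events,
        "bytes": raw_bytes,
        "skipped": skipped,
        "avg_eps": events / SECONDS_PER_DAY,
        "peak_eps": peak_eps,
        "gb_per_day": raw_bytes / 1_000_000_000,  # decimal GB; confirm the vendor's unit
    }


def project_annual_volume(sources):
    """Combine per-source daily measurements into the numbers a quote is built on.

    Summing per-source peaks gives an upper bound, since bursts on different
    sources rarely coincide; use it to avoid under-licensing EPS.
    """
    total_gb = sum(s["gb_per_day"] for s in sources)
    return {
        "gb_per_day": total_gb,
        "gb_per_year": total_gb * 365,
        "avg_eps": sum(s["avg_eps"] for s in sources),
        "peak_eps_upper_bound": sum(s["peak_eps"] for s in sources),
    }


if __name__ == "__main__":
    web = measure_log_volume(SAMPLE_SYSLOG, "Mar", 3)
    print("web01:", web)
    print("total:", project_annual_volume([web]))
```

Run it against a real day's log file per source (`open(path)` yields lines the function accepts as-is) and feed the resulting dictionaries into `project_annual_volume`. The `skipped` counter is the check worth watching: a large value means multi-line or non-syslog records that your parser is not seeing, and which the SIEM will still bill you for.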
Evaluate your supplier’s practices
The next step is a proof of concept (POC). Treat it as the first stage of the final implementation rather than a standalone, canned exercise, and expect the supplier to demonstrate during it the level of service you want to keep after the sale. Key questions to consider during this process:
- Who will staff your account? Ideally, the vendor assigns skilled technical personnel to both the initial evaluation and the implementation.
- Who in your team will take the technical lead in the evaluation and who will ultimately implement it? Ideally, this is the same person or a small group of people.
- What’s on your roadmap after buying a SIEM? Hover? CSPM? Make sure your supplier can integrate with a wide range of technologies.
- Understand the vendor’s front-end and back-end architecture in full. Some vendors that call themselves “true SaaS” or “cloud native” are not: ask whether the platform is genuinely multi-tenant, where your data is stored and processed, and what is actually provisioned for you. Don’t lock yourself into a 12-month contract without knowing what is going on under the hood.