Six tips for getting the most out of your SIEM investment

Security information and event management (SIEM) is one of the most well-established categories of security software, having first been introduced about 20 years ago. Nevertheless, very little has been written about SIEM vendor evaluation and management.

To fill that gap, here are six top-line tips on procuring and implementing a SIEM solution for maximum value.

SIEM products are priced in one of a few ways: by the number of employees in the customer organization, by the rate of events per second (EPS) ingested, or by the volume of log data ingested (typically gigabytes per day). Work out which model applies early, so you have a rough idea of what you will pay over time; doing so also forces you to enumerate the data sources that actually matter to your security operations center (SOC).

Buying a SIEM is a massive commitment: You and your organization will need to live with your decision for years to come.

If you already have a SIEM in place, give the vendor your current use cases and consumption figures, and they should be able to quote against the same workload. If you don’t, you’ll need to do a little legwork. A good starting point is assessing the volume of logs you’ll send to the SIEM: measure actual daily log volume from each source by pulling the locally stored logs for a “normal” day and tallying the results. Pick a day without an incident, outage or large rollout, check that the retained logs really cover all 24 hours (short local retention will otherwise understate the figure), and record both event counts and byte counts, since vendors quote on either.
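The tally described above, as an added example that is not part of the original article: it counts events and bytes per source for one day, reports EPS and GB/day, and flags a source whose local file covers only part of the day so that the projection can be scaled up rather than silently understated. The log lines, hostnames and addresses are constructed for the example, and it assumes each line starts with an ISO 8601 timestamp (adjust the regex for other formats).

```python
"""Size a SIEM quote from one "normal" day of locally stored logs, per source.

Added example (not from the TechCrunch article). The log lines below are
constructed; in practice you feed each source's rotated file(s) for the day.
"""
import re
from datetime import datetime

SECONDS_PER_DAY = 86_400
# Assumes each line begins with an ISO 8601 timestamp; adapt for other formats.
ISO_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")

# Constructed sample, one entry per data source (hostnames and addresses are
# made up). The DC export deliberately covers only 08:00-16:00.
SAMPLE_LOGS = {
    "fw-edge01": """\
2024-03-12T00:00:04 fw-edge01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=22
2024-03-12T08:15:31 fw-edge01 kernel: ACCEPT IN=eth1 SRC=10.0.5.20 DST=203.0.113.10 PROTO=TCP DPT=443
2024-03-12T16:40:10 fw-edge01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.10 PROTO=UDP DPT=161
2024-03-12T23:59:58 fw-edge01 kernel: ACCEPT IN=eth1 SRC=10.0.5.21 DST=203.0.113.10 PROTO=TCP DPT=443
""",
    "web01-nginx": """\
2024-03-12T00:00:07 web01 nginx: 10.0.5.20 - - "GET /login HTTP/1.1" 200 512
2024-03-12T09:00:02 web01 nginx: 10.0.5.20 - - "POST /login HTTP/1.1" 302 0
2024-03-12T23:58:40 web01 nginx: 198.51.100.7 - - "GET /.env HTTP/1.1" 404 153
""",
    "dc01-security": """\
2024-03-12T08:00:00 dc01 Security: EventID=4624 LogonType=3 Account=alice
2024-03-12T12:00:00 dc01 Security: EventID=4625 LogonType=3 Account=bob
2024-03-12T16:00:00 dc01 Security: EventID=4672 Account=svc-backup
""",
}


def tally_source(text):
    """Return (events, bytes, observed span in seconds) for one source's file."""
    lines = text.splitlines()
    nbytes = sum(len(line.encode("utf-8")) + 1 for line in lines)  # +1: newline
    stamps = [datetime.fromisoformat(m.group(1))
              for m in map(ISO_TS.match, lines) if m]
    span = (max(stamps) - min(stamps)).total_seconds() if len(stamps) > 1 else 0.0
    return len(lines), nbytes, span


def daily_profile(sources, min_coverage=0.9):
    """Per-source daily events/bytes/EPS, scaled up when the file is a partial day.

    A day that looks 'normal' but was only retained for eight hours would
    understate the quote by 3x; the 'extrapolated' flag makes that visible.
    """
    profile = {}
    for name, text in sources.items():
        events, nbytes, span = tally_source(text)
        coverage = span / SECONDS_PER_DAY
        partial = coverage < min_coverage
        # Extrapolation is only possible when timestamps give a usable window;
        # a source with no parseable timestamps is flagged but left unscaled.
        scale = SECONDS_PER_DAY / span if partial and span > 0 else 1.0
        profile[name] = {
            "events_per_day": round(events * scale),
            "bytes_per_day": round(nbytes * scale),
            "eps": events * scale / SECONDS_PER_DAY,
            "coverage_hours": span / 3600,
            "extrapolated": partial,
        }
    return profile


def totals(profile, days=30, headroom=1.3):
    """Org-wide figures a vendor quote is built on: EPS and GB ingested per month.

    'headroom' pads for burst days (patch rollouts, an incident) so the licence
    is not sized to an average the SOC will routinely exceed.
    """
    events = sum(p["events_per_day"] for p in profile.values())
    nbytes = sum(p["bytes_per_day"] for p in profile.values())
    return {
        "events_per_day": events,
        "eps_with_headroom": events / SECONDS_PER_DAY * headroom,
        "gb_per_day": nbytes / 1e9,
        "gb_per_month": nbytes * days / 1e9,
    }


if __name__ == "__main__":
    prof = daily_profile(SAMPLE_LOGS)
    for name, p in prof.items():
        flag = " (partial day, extrapolated)" if p["extrapolated"] else ""
        print(f"{name:14} {p['events_per_day']:>8} ev/day "
              f"{p['bytes_per_day']:>10} B/day {p['eps']:.4f} EPS{flag}")
    print(totals(prof))
```

Run it against real rotated files by replacing the sample dictionary with the file contents for each source; the per-source breakdown is what you hand to the vendor, and the monthly gigabyte and EPS totals are the two numbers the competing pricing models are built on.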

If the SIEM vendor charges by your number of employees, be wary: this is usually a way to charge more by counting employees who generate no security-relevant log data at all.

The next step is to conduct a proof-of-concept (POC); this should be a starting point for an eventual implementation, not a standalone, canned exercise. During this process, your vendor should demonstrate a service level that you’ll want to maintain post-sale. Here are some key questions to consider during this process:

Source @TechCrunch
