How to Select A Security Information and Event Management (SIEM) Product

Updated: May 26, 2010

First, let me refer to my classic deck on SIEM and log management "worst practices." The first two practices are related to choosing a SIEM product and are shown below:

WP1: Skip need determination step altogether - just buy something

- "My boss said that we need a correlation engine" (more about this mistake)

- "I know this guy who sells log management tools …"

WP2: Define the need for SIEM in general

- "We need, you know, 'do SIEM' and stuff"

These situations are actually quite common and unquestionably wrong; many a SIEM project has been slaughtered as a result.

In any case, what IS the least wrong way? How about this flow (drastic oversimplification alert!):

  1. Do you really need a SIEM? Or do you want a SIEM? Figure this one out please….
  2. If you need a SIEM to solve a particular problem, what would it cost (time, staff time, money) to solve it with SIEM and without SIEM? Which is cheaper, better, faster?
  3. What problems won't you solve due to engaging in a multi-month SIEM project? Is this acceptable?
  4. Next, will a simpler (and cheaper!) log management tool do the trick?
  5. Are existing SIEM solutions actually capable of solving that problem you have? At a cost you can afford to pay?
  6. Will existing SIEM solutions work in your organization: politically, culturally, geographically, etc.?
  7. Are you prepared to WORK (yes, w-o-r-k!) to make SIEM solve your problem? What exactly is your expectation, SOC-in-a-box, perchance?
  8. How about open source SIEM combined with other tools and integration services?
  9. Only at this point can you start planning the deployment: phased approach, log source integrations, correlation rules, dashboards, etc.