How to Select A Security Information and Event Management (SIEM) Product

Updated: May 26, 2010

First, let me refer to my classic deck on SIEM and log management "worst practices." The first two practices are related to choosing a SIEM product and are shown below:

WP1: Skip need determination step altogether - just buy something

- "My boss said that we need a correlation engine" (more about this mistake)

- "I know this guy who sells log management tools …"

WP2: Define the need for SIEM in general

- "We need, you know, 'do SIEM' and stuff"

These situations are quite common and unquestionably wrong, and many a SIEM project has been slaughtered as a result.

In any case, what IS the least wrong way? How about this flow (drastic oversimplification alert!):

  1. Do you really need a SIEM? Or do you want a SIEM? Figure this one out please….
  2. If you need a SIEM to solve a particular problem, what would it cost (time, staff time, money) to solve it with SIEM and without SIEM? Which is cheaper, better, faster?
  3. What problems won't you solve due to engaging in a multi-month SIEM project? Is this acceptable?
  4. Next, will a simpler - and cheaper!- log management tool do the trick?
  5. Are existing SIEM solutions actually capable of solving that problem you have? At a cost you can afford to pay?
  6. Will existing SIEM solutions work in your organization: politically, culturally, geographically, etc.?
  7. Are you prepared to WORK (yes, w-o-r-k!) to make SIEM solve your problem? What exactly is your expectation, SOC-in-a-box, perchance?
  8. How about open source SIEM combined with other tools and integration services?
  9. Only at this point can you start planning the deployment: phased approach, log source integrations, correlation rules, dashboards, etc.