There are a lot of considerations when choosing a Security Incident and Event Management (SIEM) Solution for your business. That’s why users on IT Central Station often turn to our community to ask for advice.
In this week’s Q&A round-up, we’re going to take a look at some of the insights about SIEM that have emerged in our community. We’re going to focus specifically on the tips and insights that users have shared for successfully implementing a SIEM solution.
SIEM solutions are as good as the people implementing them
Many users turn to our community to ask for SIEM recommendations – some general and some more specific. Although fellow users are happy to make product suggestions, a common theme emerges in many of the answers: The solution that you choose is only as good as the team behind it.
Simo Sim, a Systems Engineer, notes, “besides the technology you also need the manpower behind it.” Another user, Aji Joseph, says that successful SIEM implementation “depends a lot on the expertise of the SoC team that will be managing the alerts generated by SIEM solutions.”
A consultant who appears on our Threat Intelligence Leaderboard echoes this sentiment, adding that it’s important to realise that one needs to actively manage whatever SIEM solution is chosen. He notes, “The critical choice is in the resources and commitment to manage and use the system. I’ve seen countless SIEM implementations fail over the longer term, including all of the big names, because too many people treat it like a “set it and forget it” system…A SIEM or UEBA platform is a tool that must be monitored, tuned, and used every day. So I would recommend to you that you spend less time figuring out which technology is the “best” and more time building a plan to integrate it, manage it, and fully utilize it. Or selecting a good team to do that for you.”
But how do you choose a SIEM solution that you know your team can handle?
Anthony Mack notes that effective implementation (particularly at scale) ”demands adoption and integration best practices that both account for existing resource environments and prioritize value-driven compliance outcomes.” He suggests that one should choose a solution that matches one’s current IT posture. To do this he recommends “an evaluation of what your existing teams have experience with and what integrates best, followed by a live-production evaluation of best-of-breed solutions.”
Tips for choosing the right SIEM solution
As with any enterprise tech solution, it’s important to spend time doing your research and POC, so that you know that you’re spending on the right product. We sifted through some of our users’ answers to summarize some of the best tips.
- Define your goal
Before starting to evaluate solutions, It’s important to define what you want to accomplish with a SIEM. Marty Baron says, “Every SIEM has different strengths and weaknesses so you need to know what is most important to you in terms of goals, so you don’t waste time looking at something that can’t do the thing you need it to do.”
- Limit your options
As one of your users says, “Review a finite number of products, otherwise you’ll never finish”. Although it’s important to spend time doing due diligence, you need to get to the point of implementation. If you have too many options, it will take too long to make a decision. Users suggest making a shortlist of options that meet your technical requirements, speak to your goal, and match your budget
- Create a framework for your POC
Once you’ve narrowed down your options, it’s time to trial the shortlisted products. Users recommend putting a framework in place to guide the POC. This way, you can evaluate your options systematically.
One user, DAX Paulino, suggests “creat[ing] a checklist of features that you need, from the basic (i.e. interactive dashboards, ease of integration, Threat Intelligence), to the more advanced (i.e. Automated response, Behavior Analytics, etc.). Give each item on your checklist a score so that you can weigh in on each item as a measure of your decision. Don’t forget to factor in usability and support.”
More advice about SIEM solutions from our user community
If you’re researching SIEM solutions, there’s a wealth of information on our site that can guide you in your research. You can read in depth reviews of SIEM solutions, and also explore the other questions and answers about SIEM from our user community.
If you don’t find the exact answers that you’re looking for, you can also post a question and get answers from your peers.
IT Central Station is here for you, to learn and help your peers. In a market full of vendor hype, we enable you to get real, unbiased information from people like you.