How To Choose The Best SIEM Software
Get a clear, consolidated view of events and threats across your entire enterprise with SIEM (security information and event management). Here’s how to select the best SIEM solution based on your company’s unique assortment of needs.
To protect your enterprise against security threats, you need maximum visibility. That’s the fundamental notion behind SIEM (security information and event management) software, which is essential to the security defenses of most large and many medium enterprises.
SIEM aggregates event and log data in real time from a range of network equipment, servers, system software, and other infrastructure to identify patterns, flag anomalies, and send alerts when potential threats are detected. SIEM can also play an important role in incident response.
This is a rapidly evolving space, as SIEM offerings move from on-prem to the cloud, integrate with threat intelligence systems, pile on the analytics, and add machine learning along with other new capabilities. Selecting the right SIEM for your business is a crucial decision because the investment is nontrivial—and because the configuration process is something you probably want to go through only once.
Most of the modern SIEM solutions have moved to a SaaS model in order to more quickly iterate and add features. The endless capacity of the cloud also makes it easier for vendors to integrate machine learning capabilities, which require large quantities of reference data before they can identify anomalous behavior. The general consensus is that SaaS has made SIEM better.
Nonetheless, some businesses need to keep SIEM on prem—typically because they need to abide by regulations that stipulate log or related data reside on local infrastructure. A handful of options still enable customers to deploy SIEM entirely on prem.
An SIEM solution is only as good as the information you can get out of it. Gathering all the log and event data from your infrastructure has no value unless it can help you identify problems and make educated decisions. Today, in most cases, the analytics capabilities of SIEM systems include machine learning to help identify anomalous behavior in real time—and provide a more accurate early warning system that prompts you to take a closer look at potential attacks or even new application or network errors.
Your SIEM analytics needs will depend on a variety of factors. What sort of systems are you monitoring? What skill sets do you have available to build dashboards and reports or to perform investigations? Do you have an existing investment in an analytics platform that you want to leverage? Each of these questions can help narrow down your platform options.
If you have no existing solutions or skills in place to drive the decision, your best bet may be to pursue SIEM solutions with an extensive dashboard library or managed services to help you build what’s best for you.
Another practical consideration involves ingestion—that is, how your data is consumed by your SIEM. Generally, this involves a combination of push and pull: Software agents pull log and event data from some systems (particularly those located on-prem or in a private cloud) while network hardware and cloud applications send event data directly to the SIEM through an integration or an API.
The primary reason to have a modern SIEM is for sophisticated real-time monitoring of your systems. But that has little value unless a human is monitoring the system for alerts or notifications (in the form of emails, text messages, or push notifications to mobile devices).
The problem with alerts and notifications, as any email user knows, is keeping the volume manageable. If users receive too many notifications, they will either disable them or ignore them. If too few, critical threats may be missed. Look for flexibility in configuring alerts, including rules, thresholds (e.g., the system was down for 15 minutes, or 20 errors per minute for 10 minutes), and alert methods (SMS, email, push notifications, and webhooks).
In a perfect world, computer systems would detect an attack or an application problem and automatically take steps to remediate the issue. While this isn’t fully possible yet, in certain scenarios, it’s appropriate to have certain events trigger an automated response (locking a user account, adding an IP address to a blacklist, etc.).
A key automation feature to look for is the ability to grow into your rules: start with monitoring and alerting (to fine-tune conditions and limit false positives) and progress to fully automated remediation once you have full confidence in your rule conditions.
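To make the two preceding points concrete, here is an added example (not code from the article or any SIEM product) of the threshold rules just mentioned, evaluated over constructed log events, together with a rule lifecycle that starts in monitor mode and is promoted to alerting and then to automated remediation only when its observed false-positive rate stays low. The event tuples, hostnames, channel names and the `promote` policy are all this example's own assumptions.

```python
"""Threshold alert rules with a monitor -> alert -> remediate lifecycle.
Added example; all event data below is constructed, not from a real system."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

MODES = ("monitor", "alert", "remediate")


@dataclass
class Rule:
    """A rule begins in 'monitor' mode; 'action' runs only once it reaches 'remediate'."""
    name: str
    mode: str = "monitor"
    channels: tuple = ("email",)
    action: str = ""


def error_rate_breaches(events, threshold_per_min=20, sustained_minutes=10):
    """Hosts with >= threshold_per_min ERROR events in each of sustained_minutes
    consecutive minutes (the '20 errors per minute for 10 minutes' rule)."""
    counts = defaultdict(lambda: defaultdict(int))  # host -> minute bucket -> count
    for ts, host, level, _msg in events:
        if level == "ERROR":
            counts[host][ts.replace(second=0, microsecond=0)] += 1
    breached = []
    for host, per_minute in counts.items():
        run, prev = 0, None
        for minute in sorted(per_minute):
            if per_minute[minute] < threshold_per_min:
                run = 0                                   # streak broken
            elif prev is not None and minute - prev == timedelta(minutes=1):
                run += 1                                  # consecutive minute over threshold
            else:
                run = 1                                   # first minute, or a gap before it
            prev = minute
            if run >= sustained_minutes:
                breached.append(host)
                break
    return sorted(breached)


def hosts_down(last_heartbeat, now, max_silence_minutes=15):
    """Hosts silent for longer than max_silence_minutes (the 'down for 15 minutes' rule)."""
    limit = timedelta(minutes=max_silence_minutes)
    return sorted(h for h, seen in last_heartbeat.items() if now - seen > limit)


def apply_rule(rule, hosts):
    """Dispatch according to the rule's lifecycle stage; returns (host, outcome) pairs."""
    if rule.mode not in MODES:
        raise ValueError(f"unknown mode {rule.mode!r}")
    outcomes = []
    for host in hosts:
        if rule.mode == "monitor":
            outcomes.append((host, "recorded"))            # counted only, to tune thresholds
        elif rule.mode == "alert":
            outcomes.append((host, "notify:" + ",".join(rule.channels)))
        else:
            outcomes.append((host, "action:" + rule.action))
    return outcomes


def promote(rule, false_positive_rate, max_fp=0.05):
    """Advance a rule one stage only if its observed false-positive rate is acceptable."""
    if false_positive_rate > max_fp or rule.mode == "remediate":
        return rule.mode
    rule.mode = MODES[MODES.index(rule.mode) + 1]
    return rule.mode


BASE = datetime(2024, 1, 1, 9, 0)


def make_events():
    """Constructed sample: app01 breaches the error-rate rule, app02 does not."""
    events = []
    for minute in range(10):                  # app01: 20 errors in each of 10 consecutive minutes
        for n in range(20):
            events.append((BASE + timedelta(minutes=minute, seconds=n), "app01", "ERROR", "db timeout"))
    for minute in range(3):                   # app02: 25 errors/min, but only for 3 minutes
        for n in range(25):
            events.append((BASE + timedelta(minutes=minute, seconds=n), "app02", "ERROR", "db timeout"))
    return events


HEARTBEATS = {"app01": BASE + timedelta(minutes=9), "db01": BASE - timedelta(minutes=10)}  # constructed
NOW = BASE + timedelta(minutes=10)

if __name__ == "__main__":
    rate_rule = Rule("error-rate", channels=("email", "sms"), action="restart-service")
    print(apply_rule(rate_rule, error_rate_breaches(make_events())))
    promote(rate_rule, false_positive_rate=0.01)
    print(rate_rule.mode, apply_rule(rate_rule, error_rate_breaches(make_events())))
    print(apply_rule(Rule("host-down", mode="remediate", action="page-oncall"), hosts_down(HEARTBEATS, NOW)))
```

Note that a minute with no errors simply has no bucket, so the consecutive-minute check resets the streak rather than silently bridging the gap; that is the difference between "20 per minute for 10 minutes" and "200 errors in the last 10 minutes".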
For large enterprises with diverse business segments, multiple application teams, or dispersed geographic locations, role-based access is imperative. Providing admins, developers, and analysts access to just the log events they need is not only a matter of convenience, but also requisite to the principle of least privilege—and, in some industries, certain regulatory mandates.
The events captured by an SIEM often provide a deep level of detail on application and service functionality or even how devices on your network are configured. Gaining illicit access to this event data can benefit malicious actors looking to infiltrate your systems, the same way thieves benefit from casing a target before a heist. Limiting user access to SIEM event data is a best practice for a reason: it limits the impact of a compromised account and ultimately helps protect your network as a whole.
Many industry regulations—such as HIPAA or Department of Defense STIGs (Security Technical Implementation Guides), to name just two—not only require the use of an SIEM or a similar utility, but also specify how the solution should be configured.
Study the relevant requirements for your organization in detail. Things to look for include retention periods, encryption requirements (for both data in transit and data at rest), digital signatures (to ensure event data is not modified in any way), and reporting obligations. Also keep in mind that most compliance regimens include an audit or reporting element, so make sure your SIEM solution can spit out the appropriate documentation or reports to satisfy auditors.
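The integrity and retention requirements above are easier to evaluate once you have seen how a tamper-evident event store behaves. The following added example (not from the article or any product) chains each stored record to the previous one with a keyed HMAC, so that editing, deleting or reordering any record breaks verification from that point on, and shows how expiring records at the head of the chain for a retention policy can be done without losing the ability to verify what remains. The HMAC key, record layout and `expire` policy are this example's assumptions; it uses a symmetric HMAC as a simpler stand-in for the asymmetric signatures or write-once storage a specific regulation may actually require.

```python
"""Tamper-evident event log: each record's tag also covers the previous record's tag,
so any modification or deletion breaks the chain. Added example with constructed data."""
import copy
import hashlib
import hmac
import json
from datetime import datetime, timedelta

KEY = b"constructed-demo-key"  # constructed placeholder; a real deployment uses a managed, rotated key


def _canonical(record):
    """Stable byte encoding so the same record always produces the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_records(records, key=KEY):
    """Return {"record", "tag"} entries where each tag chains to the previous tag."""
    prev_tag = b""
    sealed = []
    for rec in records:
        tag = hmac.new(key, prev_tag + _canonical(rec), hashlib.sha256).hexdigest()
        sealed.append({"record": rec, "tag": tag})
        prev_tag = tag.encode()
    return sealed


def verify_chain(sealed, key=KEY, anchor_tag=b""):
    """Index of the first entry that fails verification, or None if the chain is intact.
    anchor_tag is the tag of the entry that preceded `sealed` (empty for a full chain)."""
    prev_tag = anchor_tag
    for i, entry in enumerate(sealed):
        expected = hmac.new(key, prev_tag + _canonical(entry["record"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return i
        prev_tag = entry["tag"].encode()
    return None


def with_edit(sealed, index, **changes):
    """Deep copy of the chain with one record altered (simulates a silent edit)."""
    edited = copy.deepcopy(sealed)
    edited[index]["record"].update(changes)
    return edited


def expire(sealed, now_iso, retention_days):
    """Drop entries older than the retention period from the head of the chain only, and
    return (kept_entries, anchor_tag) so the remainder can still be verified."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    anchor, kept = b"", []
    for entry in sealed:
        ts = datetime.fromisoformat(entry["record"]["ts"])
        if ts < cutoff and not kept:        # only a contiguous prefix may be expired
            anchor = entry["tag"].encode()  # remember the last expired tag as the new anchor
        else:
            kept.append(entry)
    return kept, anchor


# Constructed sample events (not from a real system)
SAMPLE = [
    {"ts": "2024-01-01T09:00:00", "host": "web01", "msg": "login ok user=alice"},
    {"ts": "2024-02-01T09:05:00", "host": "web01", "msg": "config changed by alice"},
    {"ts": "2024-03-01T09:07:00", "host": "db01", "msg": "backup completed"},
]

if __name__ == "__main__":
    chain = seal_records(SAMPLE)
    print("intact:", verify_chain(chain))
    print("edited record detected at:", verify_chain(with_edit(chain, 1, msg="config changed by bob")))
    print("deleted record detected at:", verify_chain(chain[:1] + chain[2:]))
    kept, anchor = expire(chain, "2024-03-10T00:00:00", retention_days=60)
    print("after expiry:", len(kept), "kept, still verifies:", verify_chain(kept, anchor_tag=anchor) is None)
```

The anchor tag returned by `expire` is what you would keep in your retention records: without it, the trimmed chain can no longer be verified from its first entry, which is exactly the property that stops someone from quietly discarding inconvenient history.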
Perhaps the biggest reason to implement an SIEM is the ability to correlate logs from disparate (and/or integrated) systems into a single view. For example, a single application on your network could be made up of various components such as a database, an application server, and the application itself. An SIEM should be able to consume log events from each of these components, even if they are distributed across multiple hosts, and correlate those events into a single stream. This enables you to see how events within one component lead to events within another component.
The same principle applies to an enterprise network as a whole. In many cases, correlated event logs can be employed to identify suspicious privilege escalation or to track an attack as it impacts various segments of your network. This broad view has become increasingly relevant as organizations move to the cloud or implement container-based infrastructure such as Kubernetes.
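The two preceding paragraphs describe correlation at two levels: stitching one application's components back into a single request stream, and spotting a suspicious sequence such as privilege escalation whose individual signals come from different hosts. This added example (not from the article or any SIEM) does both over constructed events. The event field names, hostnames, request id and the "repeated authentication failures followed by a role grant" pattern are this example's own assumptions.

```python
"""Correlate events from several components and hosts into one stream per request, and
flag an escalation pattern that is only visible across sources. Added example; all
events are constructed, not from a real environment."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events from a web tier, an app tier, a database, a VPN concentrator and a
# directory server; request_id ties the application tiers together, user ties the rest.
EVENTS = [
    {"ts": "2024-01-09T10:00:01", "host": "web01", "source": "nginx", "request_id": "req-42", "action": "request", "user": None, "detail": "POST /api/export"},
    {"ts": "2024-01-09T10:00:02", "host": "app01", "source": "app", "request_id": "req-42", "action": "query", "user": None, "detail": "SELECT ... FROM orders"},
    {"ts": "2024-01-09T10:00:09", "host": "db01", "source": "postgres", "request_id": "req-42", "action": "slow_query", "user": None, "detail": "duration 7021 ms"},
    {"ts": "2024-01-09T10:00:10", "host": "app01", "source": "app", "request_id": "req-42", "action": "error", "user": None, "detail": "timeout -> HTTP 500"},
    {"ts": "2024-01-09T10:01:00", "host": "vpn01", "source": "vpn", "request_id": None, "action": "auth_failure", "user": "jdoe", "detail": "bad password"},
    {"ts": "2024-01-09T10:01:20", "host": "vpn01", "source": "vpn", "request_id": None, "action": "auth_failure", "user": "jdoe", "detail": "bad password"},
    {"ts": "2024-01-09T10:01:40", "host": "vpn01", "source": "vpn", "request_id": None, "action": "auth_failure", "user": "jdoe", "detail": "bad password"},
    {"ts": "2024-01-09T10:02:00", "host": "vpn01", "source": "vpn", "request_id": None, "action": "auth_failure", "user": "jdoe", "detail": "bad password"},
    {"ts": "2024-01-09T10:06:00", "host": "dc01", "source": "directory", "request_id": None, "action": "role_grant", "user": "jdoe", "detail": "added to group admins"},
    {"ts": "2024-01-09T10:07:00", "host": "vpn01", "source": "vpn", "request_id": None, "action": "auth_failure", "user": "asmith", "detail": "bad password"},
    {"ts": "2024-01-09T10:08:00", "host": "dc01", "source": "directory", "request_id": None, "action": "role_grant", "user": "asmith", "detail": "added to group helpdesk"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate_by_request(events):
    """One time-ordered stream per request id, regardless of host or component."""
    streams = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["request_id"]:
            streams[e["request_id"]].append(e)
    return dict(streams)


def trace(events, request_id):
    """Compact 'host/source action' summary of a request's path through the tiers."""
    stream = correlate_by_request(events).get(request_id, [])
    return [f'{e["host"]}/{e["source"]} {e["action"]}' for e in stream]


def flag_escalations(events, min_failures=3, window=timedelta(minutes=10)):
    """Users with >= min_failures authentication failures followed, within `window`, by a
    role grant. Neither the VPN nor the directory server alone sees this sequence."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["user"]:
            by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        failures = []
        for e in evs:
            if e["action"] == "auth_failure":
                failures.append(_ts(e))
            elif e["action"] == "role_grant":
                recent = [t for t in failures if _ts(e) - t <= window]
                if len(recent) >= min_failures:
                    flagged.append({"user": user, "failures": len(recent),
                                    "grant_host": e["host"], "at": e["ts"]})
    return flagged


if __name__ == "__main__":
    print(" -> ".join(trace(EVENTS, "req-42")))
    for hit in flag_escalations(EVENTS):
        print(f'{hit["user"]}: {hit["failures"]} failures then role grant on {hit["grant_host"]} at {hit["at"]}')
```

The request trace shows the causal chain the first paragraph describes (a slow database query surfacing as an application error one tier up), while the escalation check only fires for `jdoe`, whose four failures and subsequent grant are spread across two hosts; `asmith`, with a single failure, stays under the threshold.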
An SIEM by nature depends on connecting with other systems from a variety of vendors. Of course, there are data exchange standards—from text-based log files to protocols such as SNMP (Simple Network Management Protocol) or Syslog. If an SIEM can integrate directly (or through plugins) with other systems, that makes things much easier. An SIEM with a robust, mature ecosystem enables you to enhance such features as event collection, analysis, alerting, and automation.
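Syslog is the most common of the push-style integrations mentioned here and in the ingestion discussion above, and a useful check when evaluating a SIEM is whether it handles both the older BSD framing and the newer IETF framing correctly. The following added example (not from the article or any product) parses both forms and decodes the `<PRI>` prefix into facility and severity. The sample lines are constructed, and the output field names are this example's own choice.

```python
"""Parse syslog messages in BSD (RFC 3164) and IETF (RFC 5424) framing and decode the
<PRI> field. Added example; the sample lines below are constructed."""
import re

# Facility codes 0-23 and severity codes 0-7 as defined in RFC 5424 (names abbreviated)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)$")


def decode_pri(pri):
    """PRI = facility * 8 + severity; returns (facility_name, severity_name) or None."""
    if not 0 <= pri <= 191:
        return None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog(line):
    """Return a dict of fields, or None when the line is not syslog-framed."""
    m = RFC5424.match(line) or RFC3164.match(line)
    if not m:
        return None
    decoded = decode_pri(int(m.group("pri")))
    if decoded is None:
        return None
    facility, severity = decoded
    pid = m.group("pid")
    return {
        "format": "rfc5424" if m.re is RFC5424 else "rfc3164",
        "facility": facility,
        "severity": severity,
        "severity_num": SEVERITIES.index(severity),   # lower number = more severe
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "app": m.group("app"),
        "pid": int(pid) if pid and pid.isdigit() else None,
        "msg": m.group("msg"),
    }


def at_least(parsed, severity):
    """True if the parsed message is at least as severe as `severity`."""
    return parsed["severity_num"] <= SEVERITIES.index(severity)


# Constructed sample lines, as a firewall, a switch and a server might push them
SAMPLE_LINES = [
    "<86>Jan  9 10:15:42 fw01 sshd[2143]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    '<165>1 2024-01-09T10:16:00.000Z core-sw01 linkd 812 ID47 [meta@32473 port="Gi1/0/12"] Link down',
    "<11>Jan  9 10:16:05 app01 backup: nightly snapshot failed: disk full",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        p = parse_syslog(line)
        print("unparsed" if p is None else f'{p["facility"]}.{p["severity"]} {p["host"]} {p["app"]}: {p["msg"]}')
```

Lines that fail both patterns are returned as `None` rather than raised, so a collector can count and quarantine malformed input instead of stalling the pipeline; in practice, the unparsed count is itself worth alerting on, since a sudden rise usually means a device changed its log format.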
In addition to the system enhancements to be had through an SIEM ecosystem, there are other business benefits to be considered as well. For example, a mature SIEM will often create demand for training, drive community-based support, and even help streamline the hiring process.
An ecosystem offering extensibility is great, but it will not meet all the diverse needs of every business. If your business involves software development, and particularly if your company has invested time and effort in devops, the ability to interact with your SIEM programmatically can make a huge difference. Rather than spending development time on logging capability for the sake of security or debugging, an SIEM can ingest, correlate, and analyze event data from your custom code.
Cost is a factor in your SIEM decision, of course, but calculating it involves nuance. SIEM platforms offered as a cloud service are almost always offered by subscription. But your bill may include usage charges, such as event data volume or the number of endpoints being monitored. The bottom line: Once you’ve narrowed down your SIEM candidates to those that have the features you need, compare in detail the subscription and usage charges you’re likely to incur. If you have a preference for a more expensive offering, consider how you might be able to gain efficiencies or scale back a little.