Businesses should understand exactly what they want from a SIEM solution before they commit to it, says Nicolai Solling, director of technology service at help AG ME.
SIEM (Security information and event management) is a solution not yet fully understood by many organisations in the Middle East, and Solling said this must change.
“They should have a very good understanding of what they want from a SIEM solution. There is a lot of hype about what can be achieved with a SIEM solution,” Solling said.
“Even having a basic understand of what they want to achieve from the SIEM solution is very important. Then they should try and set up some success criteria for a SIEM deployment,” he added.
The SIEM solution brings together formerly disparate product categories SIM (security information and management) and SEM (security even management).
“We’ve had an explosion of the different kinds of security devices and solutions that we have to deploy for an enterprise to stay secure. As we saw an explosion in all of these devices, we also had an explosion in the number of events,” Solling said.
“Each of these devices would feed in information and say, we have a problem, and the security team needs to react to those. So a SIEM solution, and why it is very important, is it takes out all of those events and normalises them based on the risk levels identified by the enterprise,” he added.
SIEM really came on to the IT scene two years ago, and Solling said the misconceptions towards it led to later issues.
“Two years ago when people were talking about SIEM they were seeing it as a silver bullet in managing your IT security infrastructure. This is not the case. SIEM is not just a product that you have to deploy, but a solution that needs to be integrated into your environment,” he said.
“If we’re looking into where some of the SIEM solutions are failing, it’s not only due to technology, but people fail to integrate them decently into their infrastructure,” he added.
The most important thing when deploying a SIEM solution was being sufficiently prepared for what the solution really offers, Solling said.
“People should be realistic about what they will achieve from a SIEM solution. If you do not have any goal with your SIEM solution you can become a bit disappointed because if you don’t know what you’re logging on or what the requirements are to your SIEM solution, it will be very difficult to deploy it in the right way,” he added.
Solling said he believes one of the issues that arises in SIEM actually originates from vendors in the way they sell the solution.
“Far too often I see a project sold by a vendor when selling something else, because there was a requirement in that to do central log management. Then they say, by the way we have this SIEM solution we can sell to you,” Solling said.
“Actually SIEM as a technology deserves much more than just being a corner of a BOF (bill of quantity) that a vendor has set together for a customer. SIEM should be treated as a separate product and project because it is such a vast area to touch on,” he added.
Companies looking for SIEM should make sure they do not limit the solution to a particular vendor, Solling advised.
“One of my recommendations when I talk to customers is to not choose a SIEM solution that only works with a specific vendor. Make sure your SIEM solution is able to correlate information and understand the road map for doing so from multiple vendors. You cannot be vendor specific or vendor focused in a SIEM solution, you have to get events from a lot of different devices,” he said.