
We have learned about Security Information & Event Management (SIEM) however there has not been a lot said about why you might want to have one. There are tons of articles out there on SIEM solutions, why they are needed and so forth all written by marketing or product managers. Perhaps the most compelling and simple reason can be summed up in a single question:

When you suffer a breach, you will be asked "What happened?", and no one wants to answer "I don't know".

To be transparent though, with everything we have shared on security so far, how would you know? You could watch the "log messages" in your firewall, server, application etc., but unless you happen to "see" the breach live you are going to miss it. That is, of course, assuming that you can even read and understand the log messages you're seeing and are the world's best speed reader. One final wrinkle: you are not 7x24x365, are you? No one can be, so we need a SIEM.

The most fundamental function of a SIEM is gathering all the raw security data logs from an organization's firewalls, wireless access points, servers, applications, cloud instances, security cameras, and any other infrastructure device you can think of. The SIEM doesn't just log events; it is customized to detect suspicious activity and recognize actual threats. But gathering all the log events together is where it all starts, and there will be a lot of log events.

This is the most compelling and fundamental reason, but there are a few others as well that drive the need for a SIEM. The second biggest reason is regulatory compliance, which you will deal with if you work in healthcare, retail or finance, to name just a few industries, as they all have legal compliance requirements. They also get audited regularly, and a failed audit could mean a loss of business, revocation of certification and, frankly, a hefty fine. All of a sudden the cost of a SIEM seems like a great insurance policy. Incident management and the development of an After Action Report (AAR) from a security breach will also draw on the information contained within the SIEM. Once understood, these reasons will also give you the insight needed to correct the gap which allowed the breach to occur.

SIEMs were initially only for the good organizations with a dedicated team of security professionals; this has changed, and the many different solutions out there now allow everyone to benefit. This is going to form the basis of our discussion.

Discussion Scenario & Question

Your organization does not currently have a SIEM solution and it is becoming very apparent that without one to help your team have a better eye on the security of the organization you could be missing events. You have been tasked by your manager to research SIEM solutions and make some recommendations on which solutions your team should consider. Your team has come up with the following questions that should be part of your research and report.

  • Should the SIEM be based in the cloud or on-premise in your organization?
  • What methods allow information (Syslog) to be sent to the SIEM? Are there other ways supported?
  • Can the SIEM be integrated into other systems? If so which kinds?
  • Is the SIEM capable of improving its operation and accuracy, perhaps via machine learning?
  • How can the SIEM alert you when it detects something notable?
  • What training is available free and paid to help the team implement the SIEM and operate it correctly?
  • Does the SIEM offer compliance reports? If so what kind?
  • What is the cost of the SIEM? Are there annual costs?
  • What support options are available? Is there an active user community?
