Ok you got a SIEM but, does it collect effectively?

The security information and event management system, or simply the SIEM solution, has become a necessity for a fully functional security management cycle. A SIEM solution is software, hardware or a mechanism which collects real-time data from your IT infrastructure, analyzes and correlates it, and provides reporting to drive a responsive action; in short, it provides a clear insight into the security posture of a company. You cannot dream of achieving compliance, security automation or incident handling without a thorough SIEM implementation. Every security-aware corporation realizes the need for a SIEM, and there is a large traction in the market in this space. The biggest challenge when buying a SIEM is the implementation, as this can be a nightmare if not done appropriately. We have seen a lot of incomplete and haphazard implementations where the clients are experiencing a tough time and eventually drop the existing SIEM to pursue another product.

Developing or adopting a tried and tested use case in a SIEM implementation is a wise way of making sure your implementation yields the results you want.


So what is a use case?

A use case is a process which addresses: what exactly do you want to monitor? What parameters are going to trigger the monitoring of a particular event? Which data sources will you pull the information from? It also covers developing the correlation rules, establishing operational procedures for the case, and deciding what the action plan/mitigation strategy will be.

A SIEM use case briefly involves the following:

  1. Identify the goal for each event correlation rule (and use case).
  2. Determine the conditions for the alert.
  3. Select the relevant data sources.
  4. Test the rule.
  5. Determine response strategies, and document them.
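To make the five steps concrete, here is one use case carried all the way through in code. This is an added example, not code from the original post or from any SIEM product: the rule name, the threshold and window values, the response text and the sshd-style log lines are all constructed for the illustration. Step 1 (goal) and step 2 (conditions) are expressed in the rule class, step 3 (data source) is the parser over auth log lines, step 4 (test) is the run over the sample at the bottom, and step 5 (response) is documented on the rule and copied into every alert it raises.

```python
"""A single SIEM use case carried through the five steps above.

Goal (step 1): flag a successful SSH login that follows a burst of failed
logins from the same source, a classic password-guessing indicator.
Condition (step 2): at least `threshold` failures from one source within
`window_s` seconds, then a success from that source inside the same window.
Data source (step 3): sshd auth log lines (constructed sample below).
Test (step 4): run_rule() over the sample; see the usage at the bottom.
Response (step 5): recorded on the rule itself and copied into each alert.
Events are assumed to arrive in chronological order, as a collector delivers them.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample data (not from any real system); addresses are from the
# RFC 5737 documentation ranges. 203.0.113.5 fails five times then succeeds
# within the window; 192.0.2.9 fails five times but succeeds four minutes later.
SAMPLE_AUTH_LOG = """\
2024-03-01T10:00:01 host1 sshd[1201]: Failed password for admin from 203.0.113.5 port 40001 ssh2
2024-03-01T10:00:04 host1 sshd[1202]: Failed password for admin from 203.0.113.5 port 40002 ssh2
2024-03-01T10:00:07 host1 sshd[1203]: Failed password for root from 203.0.113.5 port 40003 ssh2
2024-03-01T10:00:09 host1 sshd[1204]: Failed password for bob from 198.51.100.7 port 50001 ssh2
2024-03-01T10:00:11 host1 sshd[1205]: Failed password for admin from 203.0.113.5 port 40004 ssh2
2024-03-01T10:00:15 host1 sshd[1206]: Failed password for admin from 203.0.113.5 port 40005 ssh2
2024-03-01T10:00:20 host1 sshd[1207]: Accepted password for admin from 203.0.113.5 port 40006 ssh2
2024-03-01T10:00:30 host1 sshd[1208]: Accepted password for bob from 198.51.100.7 port 50002 ssh2
2024-03-01T10:05:00 host1 sshd[1209]: Failed password for carol from 192.0.2.9 port 60001 ssh2
2024-03-01T10:05:01 host1 sshd[1210]: Failed password for carol from 192.0.2.9 port 60002 ssh2
2024-03-01T10:05:02 host1 sshd[1211]: Failed password for carol from 192.0.2.9 port 60003 ssh2
2024-03-01T10:05:03 host1 sshd[1212]: Failed password for carol from 192.0.2.9 port 60004 ssh2
2024-03-01T10:05:04 host1 sshd[1213]: Failed password for carol from 192.0.2.9 port 60005 ssh2
2024-03-01T10:09:00 host1 sshd[1214]: Accepted password for carol from 192.0.2.9 port 60006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


@dataclass
class AuthEvent:
    ts: datetime
    host: str
    outcome: str  # "Failed" or "Accepted"
    user: str
    src: str


@dataclass
class Alert:
    rule: str
    src: str
    user: str
    failures: int
    when: datetime
    response: str


def parse_auth_log(text: str):
    """Step 3: normalize raw lines into AuthEvent objects; unrelated lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield AuthEvent(datetime.fromisoformat(m["ts"]), m["host"],
                            m["outcome"], m["user"], m["src"])


@dataclass
class FailedThenSuccessRule:
    """Steps 1, 2 and 5 live on the rule so they are documented next to the logic."""
    name: str = "auth.bruteforce.then-success"          # hypothetical rule id
    threshold: int = 5                                  # step 2: minimum failures
    window_s: int = 60                                  # step 2: sliding window
    response: str = ("Disable the account, block the source at the perimeter, "
                     "review the host for persistence, open an incident ticket")
    _failures: dict = field(default_factory=lambda: defaultdict(deque), repr=False)

    def feed(self, ev: AuthEvent) -> Optional[Alert]:
        q = self._failures[ev.src]
        # Slide the window: forget failures older than window_s relative to this event.
        while q and (ev.ts - q[0]).total_seconds() > self.window_s:
            q.popleft()
        if ev.outcome == "Failed":
            q.append(ev.ts)
            return None
        if len(q) >= self.threshold:
            alert = Alert(self.name, ev.src, ev.user, len(q), ev.ts, self.response)
            q.clear()  # one alert per burst, not one per later success
            return alert
        return None


def run_rule(log_text: str, rule: FailedThenSuccessRule):
    """Step 4: feed every parsed event through the rule and collect its alerts."""
    alerts = []
    for ev in parse_auth_log(log_text):
        alert = rule.feed(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_AUTH_LOG, FailedThenSuccessRule()):
        print(alert)
```

Running it raises exactly one alert, for 203.0.113.5; the burst from 192.0.2.9 is followed by a success only after the window has expired, which is the kind of edge the "test the rule" step is meant to catch before the rule goes into production and starts paging people.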

Technically, make sure the SIEM solution meets certain criteria:

  • Make sure you have an idea of how many EPS (events per second) your environment generates and how much it will increase over the next few years (keeping the ROI in mind). A SIEM solution is gauged on the basis of how many EPS it can process. Do the sizing correctly.
  • Make sure you have appropriate storage planned for the SIEM backup. Every SIEM presents you with both processed logs and raw logs. Depending on your requirement, make sure you have an appropriate storage strategy in place to store the logs.
  • Does high availability make sense to you? If it is an absolute must for you, then don’t forget it.
  • Make sure your SIEM fits aptly into your business continuity plan.
  • Make sure the reports can be tailor-made for you. Don’t end up buying a SIEM that has rigid reporting templates with limited customization capability.
  • If your aim is security automation, make sure it integrates well with your service management tool, and test every possibility beforehand.
  • A SIEM is your stepping stone towards building a SOC (security operations center); make sure it integrates well with a front-end SOC solution, or that it is easy to develop an API for them to complement each other.
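The first two points (EPS sizing with growth, and storage for raw plus processed logs) are where most undersized deployments go wrong, so here is a small sizing calculation as an added example. It is not the post's or any vendor's sizing method; the timestamps are constructed, and the bytes per event, compression ratio, growth rate and retention period are placeholder assumptions to be replaced with measurements from your own collectors.

```python
"""Rough SIEM sizing helpers: measured EPS, projected EPS, and storage.

Added illustration, not a vendor formula. Every number passed in below is an
assumption to be replaced with figures measured in your own environment.
"""
from collections import Counter
from datetime import datetime

# Constructed timestamps from a 10-second window on one collector (not real data).
SAMPLE_TIMESTAMPS = (
    ["2024-03-01T10:00:00"] * 3
    + ["2024-03-01T10:00:01"] * 2
    + ["2024-03-01T10:00:02"] * 9   # a short burst
    + ["2024-03-01T10:00:05"] * 1
    + ["2024-03-01T10:00:09"] * 5
)


def eps_profile(timestamps):
    """Return (average EPS, peak one-second EPS) for a list of ISO timestamps.

    Sizing on the average alone under-provisions: licensing and parsing
    capacity must absorb the peak, so both numbers are reported.
    """
    secs = [datetime.fromisoformat(t).replace(microsecond=0) for t in timestamps]
    per_second = Counter(secs)
    span = (max(secs) - min(secs)).total_seconds() + 1   # inclusive window
    return len(secs) / span, max(per_second.values())


def projected_eps(current_eps, growth_per_year, years):
    """Compound today's rate forward so the appliance bought now still fits later."""
    return current_eps * (1 + growth_per_year) ** years


def storage_gib(eps, bytes_per_event, retention_days, compression_ratio=1.0):
    """Disk needed to keep `retention_days` of events at `eps`, after compression."""
    total_bytes = eps * bytes_per_event * 86400 * retention_days / compression_ratio
    return total_bytes / 2**30


def sizing_summary(avg_eps, growth_per_year, years, raw_bytes, parsed_bytes,
                   retention_days, compression_ratio):
    """Combine the pieces: future EPS and the raw-plus-processed storage it implies.

    Processed (normalized) events usually carry more fields than the raw line,
    so the two are budgeted separately rather than as one blended number.
    """
    future = projected_eps(avg_eps, growth_per_year, years)
    return {
        "eps_now": avg_eps,
        "eps_future": future,
        "raw_gib": storage_gib(future, raw_bytes, retention_days, compression_ratio),
        "parsed_gib": storage_gib(future, parsed_bytes, retention_days, compression_ratio),
    }


if __name__ == "__main__":
    avg, peak = eps_profile(SAMPLE_TIMESTAMPS)
    print(f"measured: avg {avg:.1f} EPS, peak {peak} EPS")
    # Assumed inputs: 1000 EPS today, 25%/year growth over 3 years, 500-byte raw
    # events, 1500-byte processed events, 90 days retention, 5:1 compression.
    for k, v in sizing_summary(1000, 0.25, 3, 500, 1500, 90, 5).items():
        print(f"{k:>12}: {v:,.1f}")
```

Run it against a day of real timestamps exported from a collector rather than the constructed list, and size the licence against the peak and the disk against the projected rate, not today's average.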


3 thoughts on “Ok you got a SIEM but, does it collect effectively?”

  1. Nice. Any favourites among SIEM vendors?


  2. Very helpful. Can you provide any sample use cases? Any recommendations?


    1. Hi Abdullah, I have worked on ArcSight, RSA and McAfee Nitro, and all have their own inherent issues. I favour the McAfee Nitro, but beware, as high availability is still not available and it is too rigid when it comes to reporting as of the latest 9.3 version; customizing templates leaves you with few options. But indexing, aggregation and custom parser creation are impressive and fairly easy. In the end, making sense of what a SIEM collects is what matters, and having tailor-made use cases will win the battle for you.

