What Should I Want? Or How NOT to Pick a SIEM

Friday, November 12, 2010

Anton Chuvakin


“So, what should I want?” – the allure of asking that question is truly irresistible when dealing with somebody who – presumably – knows more than you do about a particular subject.

Lately, I experienced its force first hand when dealing with various contractors on a swimming pool, flooring, A/C and remodeling, all new to me due to the purchase of our first house.

These insane words just roll off your tongue after a contractor explains 57 floorboard options or 4 types of swimming pool heaters.

In light of this, I am not shocked when a SIEM prospect asks that question of a vendor sales guy or – slightly better – a field engineer.

Have you ever caught yourself asking questions like:

  • What log data should I collect first?
  • What are the best reports I should run?
  • Which correlation rules should I enable?
  • What data should I search for?
  • What is the best access control policy for my SIEM implementation?

That stuff happens out there every day! Despite all the evangelizing about “business requirements”, “use cases”, “focus on problems solved” and other words and phrases of wisdom, a lot of SIEM is still purchased as described above.

Dear vendor, tell me what I should want?!

And you know what? If your organization is truly committed to the cause of furthering the world’s idiocy, that may work!

Asking the vendor is BETTER than just choosing at random (as I discovered with some of my house-related chores).

Yes, on average, you’d get suggestions towards more expensive stuff (surprise!!), but vendor research + vendor opinion (IMHO) are better than no research + random choice.

And of course! The above point about that working (occasionally, somewhat…) does NOT change the simple fact that:

THE RIGHT WAY TO PROCURE A SIEM IS STILL …

…THINKING ABOUT YOUR REQUIREMENTS AND THEN YOUR USE CASES. And only then choosing a product.

Still, the evil allure of “please tell me what I want” is very hard to resist when looking for SIEM and log management tools.

BTW, On Choosing SIEM has the “less wrong” way described in more detail.

Cross-posted from Security Warrior

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.