Midmarket companies can be overwhelmed by the cost of SIEM products and the resources they have to implement them. This tip will explain the benefits of managed SIEM services and how to select a good service provider.
Don't buy more SIEM than you need
"When you're up to your neck in alligators, it's easy to forget that the initial objective was to drain the swamp."
SIEM products are expensive, hard to implement and require constant monitoring. Cost for a midmarket company can start at $30,000 or more just to buy the SIEM, and the cost quickly mounts. Setup requires a fair amount of planning, installation and systems integration, training and writing of customized rules for unsupported devices. It's easy to forget, however, about the compliance benefits of security information and event management technology.
Managed services can include anything from tightly focused monitoring and reporting for regulatory compliance to full-blown, enterprise-caliber SIEM with extensive feeds from diverse data sources, risk assessment and business intelligence analysis. If you are only concerned about, say, PCI compliance, you get and pay for only what you need.
"With a managed service, you only get certain use cases that cost a lot less," said Adam Hils, principal research analyst for Gartner Inc. "They have the trained resources; you're fed the information you need rather than trying to make sense of a whole bunch of data."
Be prepared for work upfront
Although ramp-up time is faster for a service than a product installation, implementing a SIEM service, even for a relatively narrow scope, is not plug and play. Before the service goes live, you and the provider will need to work through the following:
Regulations you have to comply with. This determines, in part, what information needs to be analyzed.
Devices in scope. Again, this may depend, in part, on the regulations, so, for example, you will need to include firewall logs for the network segment that houses credit card data for PCI DSS, as well as other logs for devices controlling access to patient information for HIPAA.
Reports. The service provider's stock reports may well be sufficient for your needs, but you should review them with the executives responsible for compliance and perhaps your auditors to see if they need to be modified.
Unsupported devices or applications. SIEMs support hundreds of devices and applications out of the box, but unsupported devices or custom applications will require extra work to accommodate the log formats.
Mechanism/process for change. There should be a portal that allows you to add new devices, for example. You may discover -- or your auditor might point out -- particular kinds of events that need to be highlighted in reporting. Determine if the change process is easy enough and what, if any, additional costs are involved.
Look for MSSP expertise
An experienced MSP should have a well-developed, tested process for rapidly deploying the service. Review that process before you commit. Look for some history with SIEM.
The service provider should have verifiable expertise in the compliance mandates you are liable for; experience with your vertical and your size of company is especially valuable. If you are a healthcare organization, look for a provider that already serves a number of similar healthcare companies. Your organization will benefit from the service provider's experience with rules that have been tested in the field and an understanding of the business and technology needs. Take time to talk to service provider references in your vertical; even if they are happy with the service, you'll learn from their experience about how to avoid missteps and maybe pick up some tips to improve your compliance program.
"It's critical that they understand your vertical -- setting up SIEM in a healthcare environment is different than retail," said Diana Kelley, partner and co-founder at consultancy Security Curve. "They've learned something over time about what's going on in that kind of organization and can reuse some of those correlation rules and give that benefit."
Finally, make sure the service provider is going to handle your logs securely. Will you have to open up your firewall to allow collection? Is there mutual authentication to make sure data is going out in a trusted way? Kelley noted that there's a lot of information in those logs an attacker could use against you.
"Find out if they have been through audits," she advised. "They know what all your vulnerable points are. Logs have a huge amount of data about your security posture -- 90% of how an attack occurred is visible in log files."
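The questions above about opening the firewall and mutually authenticating the collection path can be answered concretely at the log-forwarding layer. The following rsyslog configuration is an added example, not from the original tip or from any particular service provider: it shows the weak setting a provider might ask for (cleartext UDP syslog to a collector) next to a hardened one that uses TLS with certificate-based authentication in both directions. The hostnames, port, certificate paths and the provider-side receiver stanza are assumptions for illustration.

```conf
# --- Weak: what NOT to accept from a provider ---------------------------
# Cleartext UDP syslog to the provider's collector. Anyone on the path can read
# or inject log records, and neither side proves its identity.
# (Shown only for contrast; leave this commented out.)
# action(type="omfwd" target="collector.msp.example" port="514" protocol="udp")

# --- Hardened: TLS with mutual (x509/name) authentication ----------------
# Client side (your log source). All paths and names below are assumed.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/provider-ca.pem"     # CA that signed the collector's cert
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/client-cert.pem"   # cert the collector will check
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/client-key.pem"
)

# Forward only the in-scope streams (auth and firewall facilities here) over
# TCP/6514, verifying the collector's certificate chain AND its name. The
# queue keeps records on disk if the collector is unreachable instead of
# silently dropping them.
if ($syslogfacility-text == "auth" or $syslogfacility-text == "authpriv"
    or $syslogfacility-text == "local4") then {
  action(
    type="omfwd"
    target="collector.msp.example"
    port="6514"
    protocol="tcp"
    StreamDriver="gtls"
    StreamDriverMode="1"                       # 1 = TLS only, never plaintext
    StreamDriverAuthMode="x509/name"           # verify chain and peer name
    StreamDriverPermittedPeers="collector.msp.example"
    queue.type="LinkedList"
    queue.filename="fwd_msp"
    queue.saveOnShutdown="on"
    action.resumeRetryCount="-1"
  )
}

# --- Provider side (receiver), for comparison ----------------------------
# The collector must require a client certificate too; otherwise the
# authentication is one-way. A matching imtcp stanza looks like this:
# module(load="imtcp"
#        StreamDriver.Name="gtls"
#        StreamDriver.Mode="1"
#        StreamDriver.AuthMode="x509/name"
#        PermittedPeer=["logsource1.customer.example",
#                       "logsource2.customer.example"])
# input(type="imtcp" port="6514")
```

With this in place the firewall rule you open is a single outbound TCP/6514 flow to one named collector, not an inbound hole, and a collector that cannot present a certificate issued by the agreed CA with the expected name receives nothing. Ask the provider which side issues the certificates, how they are rotated, and whether their receiver is configured to reject clients without a valid certificate; the client-side settings alone do not make the authentication mutual.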
A good SIEM service provider should meet most, if not all, of a midmarket company's compliance needs without a lot of customization.
This was first published in March 2010