As of January 2014, Mosaic Security Research identified 86 SIEM products. -- Wikipedia
There was a question in last week's discussion. Basically how do we monitor and alert 24 x 7 on our precious logs that contain pertinent information, rather than on demand after an incident? How?
SIEM, the Security Information and Event Management, comes into the picture. We feed log data from security devices, network devices, and applications, etc. to SIEM and it provides real-time analysis of security alerts. Awesome, right? Yes! Does it do what is advertised? Yes! Many people were blown away by the things they discovered that happened in their network 24 hours after turning on SIEM. So, what's the catch?
Interestingly 'S' and '$' are interchangeable in SIEM. Not only SIEM has high price tag, but also it requires much effort and manpower in implementation. A few years ago, one of my colleagues met a SIEM engineer of an enterprise in a security conference. This fellow told my colleague that there were six full-time engineers/analysts dedicated to writing SIEM rules and reviewing events in the fellow's company. My team had six persons and my colleague was the only one assigned to SIEM. Thinking about his only "full-time" job, my colleague wanted to jump off the roof.
We need to know our enterprise or business well enough in order to define normality and construct proper threat detection rules. This is even more important when our SIEM has functions to prevent and automatically remediate malicious activities. It's great that we catch and prevent targeted attacks but somebody's job is at risk when our CEO's login from overseas is blocked.
Does your organization deploy SIEM? If so, how many persons are managing/maintaining it? If not, why not?
Do you use a commercial SIEM product or do you build your own SIEM due to budget constraint or any other reason?
What functions do you think a good SIEM should have?
P.S. My SIEM colleague didn't jump off the roof and we added more SIEM personnel.