
SIEM: Not for small business, nor the faint of heart

Neil Roiter
SAN FRANCISCO -- Security information and event management (SIEM) products are only as good as the policies and processes they support, and the analyst resources that a company can pour into them.

"We invested in SIEM four years ago, and it wasn't long before we realized it wasn't the nirvana we hoped it would be," said Denny Dean, CISO for a Fortune 500 insurance company, and a participant in a SIEM panel Tuesday at the 2009 RSA Conference.

"In my experience the program around SIEM is vastly more important than SIEM itself," Dean said. "If you extracted SIEM from the program, the program would still operate in pretty good shape."

Dean said at first the SIEM tool produced a lot of information, including a number of alerts that didn't trigger action because there was no information management program to support them. His company used it as a forensics tool until "we started producing services around SIEM and an information management program as a whole."

While companies like Dean's get measurable value from SIEMs with the right kind of supporting information management program, the reality is that most companies have purchased products for compliance, plain and simple.

"PCI and other compliance initiatives drove the market," said John Kindervag, senior analyst with Cambridge, Mass.-based Forrester Research. "In Fortune 500 companies, SIEM for compliance is highly commoditized. They have lots of FTEs. But how can smaller companies [without the staffing] leverage it? How do you derive value without analysts?"

"Vendors did a great disservice by claiming that this box could do everything," said Nick Selby, senior analyst with New York-based research firm The 451 Group.

Kindervag insisted SIEM is more of a reporting and compliance product than a security product. He suggested -- only somewhat facetiously -- the market would be better served with a new acronym, "SIRS" or security information reporting system.

SIEM can serve as a barometer for measuring increasing risk and as an indicator of what is going on across the environment, said Chris Leach, CISO for Affiliated Computer Services (ACS). In his view, compliance is of less importance.

"But we can have too much information," Leach observed. "That can be worse than not having enough."

Dean described SIEM as a fact-collection system to make better business decisions and monitor things like change management for compliance.


"I thought I would find bad guys, but in the end found good guys doing bad things," Dean said. For example, he found he was collecting "information about the ineffectiveness of my peers." He discovered 3,000 vulnerabilities in his company's systems, an indication that patch management was failing.

He cautioned, however, not to "get in people's knickers about stuff," but to attack the process that allowed this state of affairs.

Dean also advised that a security manager's job is to provide information for business people to make decisions. "You are not the risk manager," he cautioned.

ACS's Leach recommended that companies beginning a SIEM program learn from others who have gone through the experience, and set realistic expectations.

"Don't try to boil the ocean," he said. "Say, 'this is the piece I'm going to tackle now,' and stick to your guns."
