SAN FRANCISCO -- Security information and event management (SIEM) products are only as good as the policies and processes they support, and the analyst resources that a company can pour into them.
"In my experience the program around SIEM is vastly more important than SIEM itself," Dean said. "If you extracted SIEM from the program, the program would still operate in pretty good shape."
Dean said at first the SIEM tool produced a lot of information, including a number of alerts that didn't trigger action because there was no information management program to support them. His company used it as a forensics tool until "we started producing services around SIEM and an information management program as a whole."
While companies like Dean's get measurable value from SIEMs with the right kind of supporting information management program, the reality is that most companies have purchased products for compliance, plain and simple.
"PCI and other compliance initiatives drove the market," said John Kindervag, senior analyst with Cambridge, Mass.-based Forrester Research. "In Fortune 500 companies, SIEM for compliance is highly commoditized. They have lots of FTEs.
But how can smaller companies [without the staffing] leverage it? How do you derive value without analysts?"
"Vendors did a great disservice by claiming that this box could do everything," said Nick Selby, senior analyst with New York-based research firm The 451 Group.
Kindervag insisted SIEM is more of a reporting and compliance product than a security product. He suggested -- only somewhat facetiously -- the market would be better served with a new acronym, "SIRS" or security information reporting system.
SIEM can serve as a barometer for measuring increasing risk and as an indicator of what is going on across the environment, said Chris Leach, CISO for Affiliated Computer Services (ACS). In his view, compliance is of less importance.
"But we can have too much information," Leach observed, "That can be worse than not having enough."
Dean described SIEM as a fact-collection system to make better business decisions and monitor things like change management for compliance.
He cautioned, however, not to "get in people's knickers about stuff," but to attack the process that allowed this state of affairs.
Dean also advised that a security manager's job is to provide information for business people to make decisions. "You are not the risk manager," he cautioned.
ACS's Leach recommended that companies beginning a SIEM program learn from others who have gone through the experience, and set realistic expectations.
"Don't try to boil the ocean," he said. "Say, 'this is the piece I'm going to tackle now,' and stick to your guns."