A recent Gartner report revealed that without the proper planning, many organizations fail to deploy SIEMs properly because they lack the adequate resources to integrate and manage these systems. What kind of resources and support do SIEM systems need?
There's a saying that experience is something you don't get until just after you need it. I can't begin to tell you how many information security controls -- security information and event management systems included -- I've seen deployed first and planned for later. It happens in organizations both large and small, and I believe it's driven by two main things:
- The tendency for humans to be expedient and the immediate gratification payoffs gained by "checking that checkbox" in the name of compliance. The approach is often "hurry up and get it out there so we can please our auditors, regulators, business partners or whoever -- and then we'll fix it later."
- The realization by IT and security professionals that they don't have enough time to dedicate to the shiny, new system they just deployed and committed to managing.
I haven't met a single person in IT and security who's incompetent. I truly believe that if IT and security teams could step back, look at the bigger picture of what they're trying to accomplish, and then use their intellect to develop a smart approach to SIEM, they can make it happen. Time management experts say that for every minute you spend planning, you can save five minutes in execution. Anyone would be crazy not to take this approach.
Furthermore, regardless of what the vendors promise, SIEM is just like any other enterprise security control: it's going to take time and effort to install, tune and manage -- likely more than you've bargained for. There's a law of time management that says if you take on something new, you're going to have to give something up, or hire someone to help. Your best bet will likely be to outsource SIEM altogether. Otherwise, if your organization chooses to handle it in-house, it will need to plan on adding part- or full-time resources to manage such a system.
If your business is going to go it alone, it'd be well-served by working closely with the product vendor and/or outside consultant to ensure the system is properly designed, installed and implemented. Otherwise, odds are good you won't get the value out of the system that you're seeking.
Ask the Expert:
Want to ask Kevin Beaver a question about network security? Submit your questions now via email. (All questions are anonymous.)