SIEM: Not for small business, nor the faint of heart

Technologists say security information and event management success depends not on the product, but on the risk and information management program implemented with it. Also, small businesses lack the resources to get much value from SIEM systems.

SAN FRANCISCO -- Security information and event management (SIEM) products are only as good as the policies and processes they support, and the analyst resources that a company can pour into them.
"We invested in SIEM four years ago, and it wasn't long before we realized it wasn't the nirvana we hoped it would be," said Denny Dean, CISO for a Fortune 500 insurance company, and a participant in a SIEM panel Tuesday at the 2009 RSA Conference.

"In my experience the program around SIEM is vastly more important than SIEM itself," Dean said. "If you extracted SIEM from the program, the program would still operate in pretty good shape."

Dean said at first the SIEM tool produced a lot of information, including a number of alerts that didn't trigger action because there was no information management program to support them. His company used it as a forensics tool until "we started producing services around SIEM and an information management program as a whole."

While companies like Dean's get measurable value from SIEMs with the right kind of supporting information management program, the reality is that most companies have purchased products for compliance, plain and simple.

"PCI and other compliance initiatives drove the market," said John Kindervag, senior analyst with Cambridge, Mass.-based Forrester Research. "In Fortune 500 companies, SIEM for compliance is highly commoditized. They have lots of FTEs. But how can smaller companies [without the staffing] leverage it? How do you derive value without analysts?"

"Vendors did a great disservice by claiming that this box could do everything," said Nick Selby, senior analyst with New York-based research firm The 451 Group.

Kindervag insisted SIEM is more of a reporting and compliance product than a security product. He suggested -- only somewhat facetiously -- the market would be better served with a new acronym, "SIRS" or security information reporting system.

SIEM can serve as a barometer for measuring increasing risk and as an indicator of what is going on across the environment, said Chris Leach, CISO for Affiliated Computer Services (ACS). In his view, compliance is of less importance.

"But we can have too much information," Leach observed. "That can be worse than not having enough."

Dean described SIEM as a fact-collection system to make better business decisions and monitor things like change management for compliance.

"I thought I would find bad guys, but in the end found good guys doing bad things," Dean said. For example, he found he was collecting "information about the ineffectiveness of my peers." He discovered 3,000 vulnerabilities in his company's systems, an indication that patch management was failing.

He cautioned, however, not to "get in people's knickers about stuff," but to attack the process that allowed this state of affairs.

Dean also advised that a security manager's job is to provide information for business people to make decisions. "You are not the risk manager," he cautioned.

ACS's Leach recommended that companies beginning a SIEM program learn from others who have gone through the experience, and set realistic expectations.

"Don't try to boil the ocean," he said. "Say, 'this is the piece I'm going to tackle now,' and stick to your guns."
