This content is part of the Essential Guide: How to assess security information and event management systems
Get started Bring yourself up to speed with our introductory content.

SIEM evaluation: Questions for SIEM vendors, enterprise stakeholders

Before taking a dive and purchasing a security information and event management system, be sure to ask these need-to-know questions to potential vendors and enterprise stakeholders.

The security information and event management marketplace is a vast space, filled with multiple vendors, products...

and features.

Making a SIEM purchase isn't as easy as pulling a product off a shelf; a critical analysis of the different vendors and their products is necessary to find the one that best suits your enterprise's needs. It is also important to ask your organization's stakeholders a number of questions regarding the investment before proceeding.

Below are start lists of questions to consider when evaluating potential vendors, as well as questions to ask stakeholders to ensure your SIEM purchase will do all it is meant to do.

Questions to ask

Ask these critical questions of your potential vendors when evaluating a security information and event management platform:

  1. Can you show a clear mapping between industry compliance and your bundled policies and rule sets?
  2. Do you offer assistance with deployment plans, with estimates for installation and tuning, as well as manpower estimates to complete tasks?
  3. Can you describe how integration with other supporting applications (i.e., syslog, API, etc.) occurs?
  4. What assistance do you provide with capacity planning, both for processing of events and data storage requirements?
  5. What are your plans for supporting public and private cloud, virtualization platforms and big data environments?
  6. What professional service options are available? Do you offer security operations as a service?
  7. Can you demonstrate features/functions missing from legacy log management systems within your environment?
  8. Do you offer training for resolving alerts that are issued by your system?
  9. Can you provide a reference account that will be willing to speak to my organization?
  10. Are you capable of performing the deployment and tuning of your product for my organization?

Ask these critical questions of your internal stakeholders when evaluating a SIEM platform:

  1. Have you fully scoped your internal requirements for security, compliance and operations -- including all of the stakeholders who rely on SIEM in the discussion?
  2. Do you have "request for information" or a set of questions to ask SIEM vendors that reflects your core business needs, and have you outlined a proof of concept that will vet vendor claims?
  3. Can you hire and/or train the staff required to support a SIEM platform yourself, or should you consider a managed service offering?
  4. Do you have a data breach response plan, and if so, is it reflected in your SIEM specification for forensic auditing and reporting?
  5. Have you called your peers to ask about their experiences with SIEM products? Have you spoken with third-party service providers to see what they use?
  6. Do you really need full SIEM -- along with the associated complexities -- or is log management sufficient?
  7. Have you documented the integration points for your help desk, GRC, workflow, configuration management and identity management systems?
  8. Do you have a security management platform in place today, and if so, will you be integrating or replacing that system?
  9. What does your network topology look like? What types of data do you need to collect and how do you envision a SIEM deployment in your environment?
  10. Which is the focus and priority: real-time event analysis, operational efficiency or compliance?
  11. Have you estimated the costs of acquisition and ongoing maintenance, and do you have a (ongoing) budget to undertake the project?

About the author:
Adrian Lane is CTO of Phoenix-based analyst firm Securosis. Adrian specializes in database security, data security and software development. He is a former executive at security and software companies such as Ingres, Oracle, Unisys and IPLocks, and is a frequent presenter at industry events. Adrian is a graduate of the University of California at Berkeley with post-graduate work in operating systems at Stanford University. Reach Adrian via email at

Next Steps

Get an overview of the SIEM market

Learn about SIEM in the cloud

This was last published in December 2014

Dig Deeper on SIEM, log management and big data security analytics

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Add to our list! What questions would your organization ask?