Over the years, security information and event management (SIEM) tools have matured to keep pace with the ever-growing number of log-generating devices, and have come to add value to compliance and regulatory efforts as well. Considering the cost and wide range of SIEM solutions, we will look at the things to keep in mind while procuring an SIEM solution.
SIEM is the extension to an organization’s log monitoring capability. SIEM solutions bring in the advantage of automation and intelligence in terms of analysis. Correlation is one of the most important functions provided by SIEM solutions. Earlier, with syslog servers, analysis was performed manually — an impossible task today.
From a business perspective, SIEM is usually a compliance and regulatory requirement for most certifications. One of the major advantages gleaned from implementing an SIEM solution is the perspective it brings to the organization’s security posture, accessibility and the usable metrics it generates. All analysis and dashboards are available on a single console to aid decision making.
Given the security edge an SIEM solution gives an organization, careful consideration is due prior to procurement. The following points should be kept in mind while investing in an SIEM solution.
- Device support:
While selecting an SIEM solution, you should pay close attention to the devices supported by the solution. Ensure that the tool can understand logs/events generated by the devices in use. It should be able to analyze logs from devices like firewalls, routers, Unix/Windows servers, antivirus consoles, IDS/IPS and VPN devices.
A customizable option that allows the creation of your own device category is a good feature. The SIEM tool should be able to support logs from unknown devices like legacy devices and applications, which generate logs in their own non-standard formats.
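As an added illustration of the "custom device category" idea above (example code written for this article, not any vendor's product): a small parser registry that normalizes a syslog-style firewall line and a hypothetical pipe-delimited legacy application line into one event schema, and keeps unrecognized lines rather than dropping them. All sample lines and severity mappings are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample lines (not from a real device): a syslog-style firewall
# record, a legacy application with its own pipe-delimited format, and junk.
FIREWALL_LINE = "<134>Mar  3 10:15:02 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.9 DPT=22"
LEGACY_LINE = "2024-03-03 10:15:07|PAYAPP|ERROR|auth failed for user svc_batch"
UNKNOWN_LINE = "garbage line nobody registered a parser for"

@dataclass
class Event:
    source: str
    severity: str
    message: str
    fields: Dict[str, str] = field(default_factory=dict)

Parser = Callable[[str], Optional[Event]]
PARSERS: List[Parser] = []  # one parser per device category, including custom ones

def register(fn: Parser) -> Parser:
    PARSERS.append(fn)
    return fn

@register
def parse_firewall(line: str) -> Optional[Event]:
    """Syslog-style firewall line with key=value fields after the action."""
    m = re.match(r"<\d+>\w{3}\s+\d+ [\d:]+ (\S+) \S+: (DROP|ACCEPT) (.*)$", line)
    if not m:
        return None
    host, action, rest = m.groups()
    kv = dict(p.split("=", 1) for p in rest.split())
    # Hypothetical severity mapping for the example.
    return Event(host, "medium" if action == "DROP" else "low", f"{action} {rest}", kv)

@register
def parse_legacy_app(line: str) -> Optional[Event]:
    """Hypothetical legacy app: timestamp|app|LEVEL|message, a custom device category."""
    parts = line.split("|")
    if len(parts) != 4 or parts[2] not in ("INFO", "WARN", "ERROR"):
        return None
    ts, app, level, msg = parts
    sev = {"ERROR": "high", "WARN": "medium"}.get(level, "low")
    return Event(app, sev, msg, {"timestamp": ts, "level": level})

def normalize(line: str) -> Event:
    """Try each registered parser; keep unparsed lines so nothing is silently lost."""
    for parser in PARSERS:
        ev = parser(line)
        if ev is not None:
            return ev
    return Event("unknown", "info", line, {"unparsed": "true"})
```

Adding a new device type is a matter of registering one more parser; lines that still match nothing surface as `unknown` events, which is what you want to audit when onboarding a legacy source.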
- Integration with other applications/tools:
Yet another important aspect to consider while shopping for an SIEM solution is integration with existing applications and tools. A tool that only supports stand-alone operation is of limited value, and will not give an extended view of the organization’s risk posture.
Integration with existing tools like vulnerability scanners, the work-flow/ticketing system supporting automation, mail/SMS alerting system or even with the Active Directory (for user management) is a good capability to have in an SIEM solution. These will extend SIEM functionality and scope.
- Support for groups:
Your prospective SIEM solution should be able to support multiple groups, and restrict access to alerts and events on a need-to-know basis. Segregation of groups based on departments and geographic location allows clarity and efficiency while dealing with incidents.
For instance, an incident management team in China need not track incidents in India. If all incidents are fed into the same system, chaos and confusion will be inevitable. One of the basic information security tenets is access on a need-to-know basis.
- Reporting capabilities:
Reporting capabilities of an SIEM solution are the next evaluation criterion. The solution should be able to generate reports/views for various levels of personnel like technical staff, mid-level and executive management.
From an operational standpoint, different levels need distinct perspectives to make decisions and perform duties. Management is concerned with business issues and high-level summaries — they do not need a technical readout. Similarly, security technicians may need to go in-depth, through regular reports that span thousands of lines.
- Regulatory/standards requirements:
Check if the SIEM solution supports and understands parameters required to be monitored as part of regulatory requirements of certifying authorities like PCI DSS and ISO 27001. This also holds true for certifications that your organization may be thinking of pursuing, and will help to generate the required reports in the correct format to be submitted as evidence for certifications.
- Criticality of devices/servers:
Several SIEM solutions provide an option to define criticality of the devices/servers. This is a good-to-have feature, as it helps rate severity of alerts based on the device’s criticality. Events can be sorted to achieve the maximum efficiency, and reduce the turn-around times for critical incidents.
For instance, a medium severity alert on a highly critical server will be rated higher, and take precedence over a high severity alert on a less critical server. This helps reduce the overall risk to the organization and address serious issues on a priority basis, efficiently leveraging the available time and resources.
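The prioritization rule just described, as an added example (not from any SIEM product): the effective priority is alert severity weighted by the asset's criticality from a constructed inventory, so a medium alert on the payment database outranks a high alert on a developer test box. The weights, host names and alerts are all hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List

# Ordinal scales; hypothetical weights chosen for this example.
SEVERITY = {"low": 1, "medium": 2, "high": 3}
CRITICALITY = {"low": 1, "medium": 2, "high": 3}

# Constructed asset inventory: the "criticality of devices/servers" discussed above.
ASSETS: Dict[str, str] = {
    "pay-db01": "high",    # payment database
    "dev-web03": "low",    # developer test box
    "hr-app02": "medium",
}

@dataclass
class Alert:
    id: str
    host: str
    severity: str
    rule: str

def priority(alert: Alert, assets: Dict[str, str] = ASSETS) -> int:
    """Effective priority = alert severity x asset criticality.
    Hosts missing from the inventory default to medium criticality so an
    incomplete asset list cannot push real alerts to the bottom of the queue."""
    crit = assets.get(alert.host, "medium")
    return SEVERITY[alert.severity] * CRITICALITY[crit]

def triage_order(alerts: List[Alert]) -> List[str]:
    """Alert ids in the order an analyst should work them (ties broken by id)."""
    ranked = sorted(alerts, key=lambda a: (-priority(a), a.id))
    return [a.id for a in ranked]

# Constructed alerts for the example.
SAMPLE_ALERTS = [
    Alert("A1", "dev-web03", "high", "brute-force ssh"),
    Alert("A2", "pay-db01", "medium", "new local admin"),
    Alert("A3", "hr-app02", "low", "port scan"),
    Alert("A4", "unknown-host", "high", "malware signature"),
]
```

Here A2 (medium on a high-criticality server) scores 6 and is worked before A1 (high on a low-criticality server), which scores 3; A4 shows the default applied to an uninventoried host.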
- Vendor support:
Finally, vendor support is critical to be able to make optimal use of your SIEM solution. This is all the more important when it comes to customization of the SIEM to your organization’s needs.
About the author: Satish Jagu is the senior manager for corporate information security at Genpact. With more than 12 years of professional experience in IT, Jagu has expertise in security, network and system administration on UNIX/Windows platforms, security systems and Internetworking devices. He has TCP/IP network experience in design, in addition to implementation of Internet and Intranet services. Jagu has worked on ISO 27001 implementation and certification projects, as well as SAS 70 and SoX IT controls.
(As told to Varun Haran.)