It seems that in the world of information security and specifically Security Operations Centers, having a Security Information and Event Management system is an essential item. If you happen to be in the SOC business (Director, Manager, Analyst or other) one of the first questions you might be asked by a peer from another SOC is the official opening question of most SOC discussions, “What SIEM are you guys running?”

The question we need to ask ourselves at this point is, “Do we really need a SIEM?” In some cases the answer is still absolutely yes. However, there are other cases where I would actually advise against it: cases where I believe a SIEM may do more harm than good for a growing and maturing SOC.

There is no doubt that Security Event Management is, in some cases, an essential piece of the puzzle in solving the Security Operations problem. However, the way in which we are solving it may itself need some analysis these days.

Security Operations has become a quintessential big data problem: massive amounts of data, huge amounts of intelligence to compare against, and an unknown or undiscovered number of use cases. It has the classic three “V”s of a big data problem: volume, velocity, and variety. So why is it that the leading tools are still approaching this problem with a traditional database model? In my opinion the answer is simple: they want you to do the work. The traditional SIEM model provides the framework for an organization to build a SIEM solution. They are not, however, a solution in and of themselves. They require custom parsing, asset modeling, threat intelligence integrations, correlation rule development and database management, and that’s just a few of the largest problems (I won’t get into performance management and custom tools). All of the “solution” pieces of the SIEM will be purchased either as additional bolt-on content, as professional services engagements, or as operational cost (internal resources hired, trained, and hours spent on SIEM development).

So what does a traditional SIEM provide? Power and flexibility would be the standard answer. There are few problems you can’t solve when you are writing the parsers, filters, rules and actions within a SIEM. It is a framework for use case development, provided that you have the resources to deploy, maintain and operate it. With the proper skill and effort it can solve nearly any security problem for which data can be collected. Unfortunately, it does not do this without a cost. Traditional SIEMs are expensive, difficult to deploy and even harder to maintain. If you have the trained resources, go for it; but if you think they could be better spent actually investigating incidents instead of maintaining a system to investigate on… it may be time to take another look at this problem.

If you would like to talk to us about your Security Operations Center, SOC build-out or SIEM deployment, we would love to provide our opinion and expertise on the topic. Contact us at [email protected].