Saturday, June 12, 2010

How Do I Get The Best SIEM?

Given that I spent this entire week getting back into a SIEM-building game [don’t ask :-)], a few thoughts on the state of Security Information and Event Management have dawned on me.


Some security technologies, like network firewalls, are getting pretty darn close to being commoditized, and the differences between products are ever-so-close to being wiped out.

SIEM, let me tell you, is nowhere near this. Maybe this also has something to do with the fact that the Gartner SIEM MQ 2010 (see this fun commentary from Rocky and his view on SIEM history) contains so many players, as it has for so many years. To follow up on this, here is a fun quote from the Gartner MQ on SIEM: “There are signs of general convergence on a core set of [SIEM] capabilities.”

Do you know WHEN the above was written? March 2003!

2003! In other words, a full 7 (!) years after the first SIEM products were built. And also a full 7 (!) years ago. Look to the right to see how the SIEM realm looked back then [yes, Brian, I just reread all SIEM MQs from 2003 to 2010 – just for fun :-)]

Today, in 2010, there is still NO “best SIEM for everybody” and there is NO feature parity even across key capabilities.

Yes, there is a SIEM tool that seems better for large enterprises with unlimited budget. But overall “best SIEM”? Nope.

In fact, I bet that …

If you pick five top SIEM requirements AND five “top” SIEM vendors, then at least one of the tools will REALLY SUCK on at least one of the key requirements.

The reality is that after so many years, all – well, most – SIEM tools actually “run”, but do they always “work”? Let me explain the difference between software that RUNS and software that WORKS. “Runs” means that the code compiles and, when executed, does not throw an exception. On the other hand, “works” means that it delivers value to its buyer. For example, rule-based correlation runs (well, unless it runs out of memory… oops!), but doesn’t work in many environments (see the recent Securosis piece on that). Real-time dashboards run, but aren’t even utilized in many environments. Visualization tools run, but often users cannot get them to work. Risk scoring / statistical correlation runs, but often doesn’t deliver useful results.

And you know, believe it or not, SIEM vendors are NOT the ones to blame for it. Many are honest in saying that “Yes, to succeed, a SIEM project takes work BY its buyer/user.” So, your SIEM likely will WORK, if you WORK on it.

Now, let’s turn this into something practical and useful. What’s a poor SIEM buyer, whether enterprise or mid-market, to do? How to pick the right SIEM?

The only choice I see is the one that won’t surprise my readers: focus on requirements, define your SIEM use cases – and then test the products. Buy the one that WORKS FOR YOU! Some ideas on the selection process can be found here.



Dr Anton Chuvakin