Tuesday, October 26, 2010

“So, What Should I Want?” or How NOT to Pick a SIEM-III?

“So, what should I want?” – the allure of asking that question is truly irresistible when dealing with somebody who – presumably – knows more than you do about a particular subject. Lately, I experienced its force first hand when dealing with various contractors on swimming pool, flooring, A/C, remodeling – all new to me due to the purchase of our first house. These insane words just roll off your tongue after a contractor explains 57 floor board options or 4 types of swimming pool heaters.

In light of this, I am not shocked when a SIEM prospect asks that question of a vendor sales guy or – slightly better – a field engineer. Have you ever caught yourself asking questions like:

  • What log data should I collect first?
  • What are the best reports I should run?
  • Which correlation rules should I enable?
  • What data should I search for?
  • What is the best access control policy for my SIEM implementation?

That stuff happens out there every day! Despite all the evangelizing about “business requirements”, “use cases”, “focus on problems solved” and other words and phrases of wisdom, a lot of SIEM is purchased as described above.

Dear vendor, tell me, what should I want?!

And you know what? If your organization is truly committed to the cause of furthering the world’s idiocy, that may work! Asking the vendor is BETTER than just choosing at random (as I discovered with some of my house-related chores). Yes, on average, you’d get suggestions towards more expensive stuff (surprise!!), but vendor research + vendor opinion (IMHO) are better than no research + random choice.

And of course! The above point about that working (occasionally, somewhat…) does NOT remove the simple fact that:

THE RIGHT WAY TO PROCURE A SIEM IS STILL …

… THINKING ABOUT YOUR REQUIREMENTS AND THEN YOUR USE CASES. And then choosing a product.

Still, the evil allure of “please tell me what I want?” is very hard to resist when looking for SIEM and log management tools.

BTW, On Choosing SIEM has the “less wrong” way described in more detail.


Dr Anton Chuvakin