“So, what should I want?” – the allure of asking that question is truly irresistible when dealing with somebody who – presumably – knows more than you do about a particular subject. Lately, I experienced its force first hand when dealing with various contractors on swimming pool, flooring, A/C, remodeling – all new to me due to the purchase of our first house. These insane words just roll off your tongue after a contractor explains 57 floor board options or 4 types of swimming pool heaters.
In light of this, I am not shocked when a SIEM prospect asks that question of a vendor sales guy or – slightly better – a field engineer. Have you ever caught yourself asking questions like:
- What log data should I collect first?
- What are the best reports I should run?
- Which correlation rules should I enable?
- What data should I search for?
- What is the best access control policy for my SIEM implementation?
That stuff happens out there every day! Despite all the evangelizing about “business requirements”, “use cases”, “focus on problems solved” and other words and phrases of wisdom, a lot of SIEM is purchased as described above.
Dear vendor, tell me what I should want?!
And you know what? If your organization is truly committed to the cause of furthering the world’s idiocy, that may work! Asking the vendor is BETTER than just choosing at random (as I discovered with some of my house-related chores). Yes, on average, you’d get suggestions towards more expensive stuff (surprise!!), but vendor research + vendor opinion (IMHO) are better than no research + random choice.
And of course! The above point about that working (occasionally, somewhat…) does NOT remove the simple fact that:
THE RIGHT WAY TO PROCURE A SIEM IS STILL …
… THINKING ABOUT YOUR REQUIREMENTS AND THEN YOUR USE CASES. And then choosing a product.
Still, the evil allure of “please tell me what I want?” is very hard to resist when looking for SIEM and log management tools.
BTW, On Choosing SIEM has the “less wrong” way described in more detail.
Possibly related posts:
- On Choosing SIEM
- "I Want to Buy Correlation" or How NOT to Pick a SIEM?
- The Myth of SIEM as "An Analyst-in-the-box" or How NOT to Pick a SIEM-II?
- Logging, Log Management and Log Review Maturity
- Log Management + SIEM = ?
- On SIEM Complexity
- SIEM Bloggables: SIEM Use Cases
- Whitepaper with detailed SIEM use cases (using a particular SIEM as an example)
- Log Management / SIEM Users: "Minimalist" vs "Analyst"
- All posts labeled SIEM