Executive summary: you need to procure services when you buy a SIEM tool, if you don’t – you’d be sorry later.
Even if you are amazingly intelligent and have extensive SIEM experience – see above. Even if you saw a successful SIEM project that didn’t include vendor or 3rd party services with your very eyes – see above. Even if your SIEM vendor tells you “you don’t need services” – see above. See above! See above!! See above!!! 
Let’s analyze this “SIEM services paradox.” A lot of organizations – way too many, in fact – balk at the need to procure related services before, during and after their SIEM purchase. The thinking often goes like this: we need a SIEM and this box <points at the appliance still in the box> is a SIEM. That’s all we need. What services? Why services? Huh?
In reality - and this is what I sometimes call “secret to SIEM magic” – that box is not a SIEM. That box, when racked and connected to your network, is STILL not quite a SIEM. Only when you “operationalize” it (see picture), then you can say that you have Security Information and Event Management (SIEM) capability in your organization and that you do “real-time” security monitoring.
Now, be honest, do you know how to deploy a SIEM tool and then figure out the shortest path to its operational success? Probably not… thus services/consultants who will work WITH you to make it a reality by arriving at the best possible way of benefitting from SIEM in your environment. Which use case give you the best bang for the SIEM buck? Which one will show a “quick win” to your management? Which one is more likely to detect an attacker in your network?
When a SIEM vendor tries to sell you services, it is NOT vendor greed – but simply common sense. And if you say “no”, it is not “saving money” – but being stupid. SIEM success out-of-the-box (while real, in some cases!) is a pale shadow of what a well-thought through deployment looks like! My [broken] analogy is: you buying a nice shiny Aston Martin and then only using it to commute to a train station 1 mile from home. Will it work? Yes. Is this a good investment and a good experience? Hell no!
So, no, SIEM is NOT useless without services, but it is unlikely to reach its full potential. Pitfalls to SIEM success are many, and navigating them requires help.
And, no, outsiders alone cannot do it. You will need to help them help you.
This also leads to the rise of managed or co-managed SIEM options (which are NOT MSSPs, BTW!) as more people realize that a) they need a SIEM and b) they cannot handle a SIEM. Future cloud SIEM will (when it emerges) try to tackle the same problem of being simpler to operate and thus simpler to operationalize.
Today, most SIEM vendors offer an extensive menu of services to go with a product, and there are also some smart third parties. Many services around SIEM can be organized as follows.
Pre-sale services examples:
- Product selection help
- Vendor differentiation analysis and shortlist definition
- Regulation analysis and business cases review
- Product strengths/weaknesses analysis
- Product fit for type of project
- Product fit for vertical / business type
- RFP definition assistance
- Current tools vs requirements gap analysis
Services offered during SIEM acquisition and deployment:
- SIEM implementation
- SIEM project planning
- Proof-of-concept deployment management
- Product testing in production environment
- Data source integration and collection architecture
- Default contents tuning
Post-sale, operational services:
- SIEM analyst training
- Performance tuning and capacity planning
- SIEM project management
- Custom content creation
- Custom device integration
- SOC building
Vendors and consulting firms offer other types of services as well all the way up to “co-managed SIEM” where a 3rd party firm manages your SIEM deployment for you. Will future SIEM work better out of the box? Yes, I think so. Will SIEM ever be as simple as a firewall? No, never: it is inherent complexity of security monitoring that cannot be squeezed out even by creative engineering…
Enjoy ... as this was my final blog post on SIEM.
Possibly related posts on SIEM:
- On Broken SIEM Deployments
- Top 10 Criteria for a SIEM?
- Algorithmic SIEM "Correlation" Is Back?
- How Do I Get The Best SIEM?
- Log Management->SIEM Graduation Criteria: Violate at Your Own Peril!
- How to Replace a SIEM?
- SIEM Resourcing or How Much the Friggin’ Thing Would REALLY Cost Me?
- How to Write an OK SIEM RFP?
- On Choosing SIEM
- "So, What Should I Want?" or How NOT to Pick a SIEM-III?
- The Myth of SIEM as "An Analyst-in-the-box" or How NOT to Pick a SIEM-II?
- I Want to Buy Correlation” or How NOT to Pick a SIEM?
- Log Management + SIEM = ?
- On SIEM Complexity
- SIEM Bloggables: SIEM Use Cases and Whitepaper with detailed SIEM use cases
- Log Management / SIEM Users: "Minimalist" vs "Analyst"
- All posts labeled SIEM
