Thursday, July 26, 2007

A Bit More on Log Management vs SIEM (and Semantics)

OK, I am using an unrelated article to go on a tangent here, but it IS an important tangent, which can save you both money and headache ...

So, this CW blog post has the following quote: "An example would be SIM vs. log management. If a client tells me that they want me to figure out a good SIEM for them, I will ask, "Do you need SIEM with correlation and alerting and all that, or do you just need something to gather your logs?" If he says, "I thought SIEM was log management," then we just avoided a semantical error. If I had just assumed that the client knew what SIEM was, then I could have wasted a lot of his and my time."

To start, here is a startling revelation: my first reaction was to kick the author of the above for that word "just" in "you just need to gather logs!" 'Cause if you can gather 75,000 log records a second for a few months and make them all quickly available, you can pretty much forget the "just" part: it is not trivial!

Overall, I've seen (and convinced!) my share of confused people. I have given interviews to explain it. I've written about it. I've quoted other people who wrote about it (e.g. browse here). Still, I see people who venture outside :-) trying to buy "a product" without clarifying this key distinction: WHAT on Earth are you trying to buy, a SIEM or a log management tool?

Here is a one-liner that will hopefully (nah, not really! not for all people! :-)) clear it:

SIEM is about "S" - security; log management is about "L" - logs.

Everybody needs log management: if you have logs, you need log management to collect and analyze them. And you do have logs, since everybody does. It is that simple. You also need log management because some regulations (yes, that "C-word", compliance, again!) say that you need to have it (examples are too numerous to list here).

On the other hand, unless you are very large, plan to build a SOC, and have a large staff dedicated to near real-time security monitoring, you likely don't need a SIEM. Really! If you don't believe me, that's fine: just buy one without thinking about how you plan to use it and be disappointed that you wasted $X,000,000 of perfectly good dollars and a good chunk of your life. At the same time, you might feel generous that you helped boost a failing market :-) Or, if you insist, you can buy a little toy SIEM or get one as a gift, which I've heard is pretty common :-)

So, if you are looking to collect, retain, review, analyze, and otherwise deal with all your logs for various uses, go for log management. If you are looking to build a SOC, you might need a SIEM (and, actually, log management too, since your SOC analysts will want to see the original logs pretty often).
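To make the "L" versus "S" split concrete, here is a small added example (mine, not code from the post or from any product it mentions). The `LogStore` class does the log management part: it keeps every raw line, enforces a retention window, and hands back original lines on search. The `Correlator` class does the SIEM part: it normalizes only the security-relevant events and fires an alert when a correlation rule matches. The syslog lines, the host name "bastion", the addresses, the year, and the "three failed logins in sixty seconds" rule are all constructed for the example.

```python
"""Added example: a toy log-management layer next to a toy SIEM layer.
Sample data and the correlation rule are constructed, not taken from the post."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed BSD-syslog-style lines from a hypothetical host "bastion".
SAMPLE_LOGS = [
    "Jul 26 10:00:01 bastion sshd[4012]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Jul 26 10:00:03 bastion sshd[4012]: Failed password for root from 203.0.113.7 port 51123 ssh2",
    "Jul 26 10:00:04 bastion cron[911]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jul 26 10:00:05 bastion sshd[4012]: Failed password for admin from 203.0.113.7 port 51124 ssh2",
    "Jul 26 10:00:09 bastion sshd[4020]: Accepted publickey for deploy from 198.51.100.5 port 40001 ssh2",
    "Jul 26 10:02:30 bastion sshd[4031]: Failed password for root from 198.51.100.5 port 40002 ssh2",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
YEAR = 2007  # BSD syslog timestamps carry no year; assume the post's year


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S")


@dataclass
class Record:
    ts: datetime
    host: str
    proc: str
    msg: str
    raw: str  # the original line, kept verbatim


class LogStore:
    """Log management: collect everything, retain for a window, search raw lines."""

    def __init__(self, retention: timedelta):
        self.retention = retention
        self.records: list[Record] = []

    def collect(self, line: str, received: Optional[datetime] = None) -> Record:
        m = SYSLOG_RE.match(line)
        if m:
            rec = Record(parse_ts(m["ts"]), m["host"], m["proc"], m["msg"], line)
        else:
            # Unparseable lines are still retained, stamped with arrival time.
            rec = Record(received or datetime.now(), "?", "?", line, line)
        self.records.append(rec)
        return rec

    def expire(self, now: datetime) -> int:
        """Drop records older than the retention window; return how many went."""
        keep = [r for r in self.records if now - r.ts <= self.retention]
        dropped = len(self.records) - len(keep)
        self.records = keep
        return dropped

    def search(self, needle: str) -> list[str]:
        """Analysts want the original text, so return raw lines, not parsed fields."""
        return [r.raw for r in self.records if needle in r.raw]


class Correlator:
    """SIEM: normalize security events and correlate them into alerts.
    Constructed rule: >= threshold failed sshd logins from one source within window."""

    def __init__(self, threshold: int = 3, window: timedelta = timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.failures: dict[str, deque[datetime]] = defaultdict(deque)
        self.alerts: list[str] = []

    def ingest(self, rec: Record) -> Optional[str]:
        m = FAILED_RE.search(rec.msg)
        if rec.proc != "sshd" or not m:
            return None  # not an event this rule cares about; the store still has it
        q = self.failures[m["src"]]
        q.append(rec.ts)
        while q and rec.ts - q[0] > self.window:
            q.popleft()  # slide the window
        if len(q) >= self.threshold:
            alert = f"brute-force suspected: {len(q)} failed logins from {m['src']} within {self.window.seconds}s"
            self.alerts.append(alert)
            q.clear()  # one alert per burst
            return alert
        return None


def run_pipeline(lines: list[str], now: datetime, retention: timedelta = timedelta(days=90)):
    """Feed lines through both layers; return (store, correlator, records_dropped)."""
    store, siem = LogStore(retention), Correlator()
    for line in lines:
        siem.ingest(store.collect(line, received=now))
    dropped = store.expire(now)
    return store, siem, dropped


if __name__ == "__main__":
    store, siem, dropped = run_pipeline(SAMPLE_LOGS, datetime(YEAR, 7, 26, 12, 0, 0))
    print(f"retained {len(store.records)} raw lines, dropped {dropped}")
    print("search 'Failed password':", len(store.search("Failed password")), "hits")
    print("alerts:", siem.alerts)
```

Note what the rule ignores: the cron line and the single failure from 198.51.100.5 never become alerts, yet they are all still in the store for review. That is the point of the post in miniature: the store exists so nothing is lost; the correlator exists so a few things get noticed.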

1 comment:

Anonymous said...

It's a good distinction you've made. I've written about the need for log management tools in our organisation a number of times but finding a solution is not at all as straightforward as it should be. Some of the log management tools I've looked at seem to try and add frilly attempts at SIEM or even IPS but fundamentally a good, reasonably priced, piece of software to collect, organise, analyse and report on the huge array of logs we have (and we are only an SME) would be immensely useful.

Another useful distinction would be between a syslog and event log. Most of the network devices we operate can send operational data to a syslog whilst much more data is collected through software event logs, not just Windows Event Logs, but Mailsweeper, IIS, Payroll, TA, EDI, Firewall, Environmental Monitor, ERP, CRM, Email, etc, etc.


Dr Anton Chuvakin