
“SIEM tools come up short”

That’s the title of a review by Greg Shipley over at Network World that evaluated SIEM / SIM products from several midmarket vendors such as NetIQ, TriGeo and Q1Labs. Long story short, the reviewed products didn’t live up to expectations:

“SIEM platforms help get logging and event data from distributed points A, B and C to a centralized point C, help store it, monitor it, report on it, purge it when the time comes, and ultimately — so the pitch goes — provide the situational awareness necessary to effectively manage IT operational risk.

But do they deliver? In a word: somewhat. It’s a crowded market full of players that make many promises. Unfortunately, none of them completely deliver the whole package at this point in time.”

Greg expands on this in detail, pointing out the issues he and his assistants ran into with the SIEM tools they tested. Most of the issues he found, such as problems receiving and parsing events, slow reporting, and even correlation and general usability, are the same ones we see out in the field as an MSSP. Many of the companies we provide services to have come to us after buying a SIEM tool and having too much difficulty making it work well enough to satisfy their operational security needs. They wanted to be users of a SIEM, but didn’t want the management burdens.

In the review, Greg attributes the problems he had to SIEM products still being immature even though they’ve been on the market for 10 years. I believe that’s true, but I also think it’s because SIEM products, even those at the leading edge of the industry, require a good deal of up-front customization and ongoing management to do what many companies expect of them. At SecureWorks, we’ve always held that Security Information and Event Management (SIEM) is a process that takes constant care and feeding to do right. That shows in the review: most of the issues have to do with management and integration rather than with identifying and responding to security incidents. Why does that matter? Because how well the SIEM product is managed and integrated with your IT environment directly determines the quality of its detection and alerting. An event source that was never onboarded, a parser that silently drops records after a log format changes, or a correlation rule that is never tuned all mean the same thing: the incident is never seen. Just like other security devices or technologies, poor SIEM management results in poor SIEM performance.

Will SIEM product management get easier? Probably. They aren’t as challenging to implement as they were in the past, which has led to their increased adoption, and as long as there is a SIEM product market there will be incremental improvements to management consoles and GUIs. Will it ever be a hands-off technology? Nope. There are too many dynamic variables at play in collecting security data, correlating it and identifying security incidents. IT environments are always changing, attackers are always adapting and security requirements continue to evolve. Regardless of how SIEM products move forward, they will always need constant tuning and management to be effective.
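To make the point about management and integration concrete, here is an added example in Python; it is not from the original post, the review, or any SIEM product. It is a toy pipeline that parses constructed SSH authentication-failure log lines, runs a simple brute-force correlation rule, and reports parser health. The log format, hostnames, IP addresses and thresholds are assumptions for the example. With the format the parser was built for, the rule fires; after a hypothetical upgrade changes the message wording, the same activity is dropped at parse time and the rule never fires, which only the parse-failure check reveals.

```python
"""Added example (not from the original post): a toy log pipeline showing why
SIEM detection quality depends on parsing and tuning. All log lines, hostnames,
IP addresses and thresholds below are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Parser written against the log format the SIEM was integrated with originally.
# The format is an assumption for this example.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)


def parse_line(line, year=2009):
    """Return a dict for a recognised auth failure, or None if the line does not match."""
    m = AUTH_FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"]}


def correlate_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window rule: alert on a source IP with >= threshold failures inside window."""
    alerts = set()
    recent = defaultdict(list)  # src -> timestamps still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.pop(0)  # expire timestamps that fell out of the window
        if len(q) >= threshold:
            alerts.add(ev["src"])
    return alerts


def run_pipeline(lines, threshold=5, max_unparsed_ratio=0.2):
    """Parse, correlate, and report parser health so a silent format change is noticed.

    The parse-failure ratio is the operational check: a detection rule that
    receives no events raises nothing, so the pipeline must alert on its own health.
    """
    events, unparsed = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    ratio = unparsed / len(lines) if lines else 0.0
    return {
        "alerts": correlate_bruteforce(events, threshold),
        "unparsed_ratio": ratio,
        "parser_health_alert": ratio > max_unparsed_ratio,
    }


# Constructed sample: six failures from one source within 25 seconds, original format.
ORIGINAL_FORMAT = [
    f"Mar  9 10:15:{s:02d} bastion01 sshd[2211]: Failed password for invalid user admin "
    f"from 198.51.100.7 port 51022 ssh2"
    for s in range(0, 30, 5)
]

# The same activity after a hypothetical upgrade changed the message wording.
# The old regex no longer matches, so these events never reach correlation.
CHANGED_FORMAT = [
    f"Mar  9 10:15:{s:02d} bastion01 sshd[2211]: authentication failure; "
    f"user=admin rhost=198.51.100.7"
    for s in range(0, 30, 5)
]


if __name__ == "__main__":
    print("original format:", run_pipeline(ORIGINAL_FORMAT))
    print("changed format: ", run_pipeline(CHANGED_FORMAT))
```

The second run is the failure mode the review and this post describe: nothing is wrong with the correlation rule, yet the brute force goes undetected because the integration broke upstream. A SIEM that is not watched for parse failures and event-volume drops will keep reporting a quiet network while the events are being discarded.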

Full Disclosure: Yes, we have an interest and occasionally compete with SIEM products to do business with companies that want to monitor their networks for security. We’ve been developing, managing and using SIEM technology for quite some time (10+ years) with our Sherlock Platform, which is the technology we use to monitor security activity for our clients. Because of this, I feel we’ve got some unique insight to provide that you won’t find elsewhere.
