Six tips for getting the most out of your SIEM investment

Security information and event management (SIEM) is one of the most well-established categories of security software, having first been introduced about 20 years ago. Nevertheless, very little has been written about SIEM vendor evaluation and management.

To fill that gap, here are six top-line tips on procuring and implementing a SIEM solution for maximum value.

Evaluating and purchasing a SIEM solution

Size your spend

SIEM solutions are priced in one of several ways: by the number of employees in the customer organization, by the rate of events per second (EPS), or by the volume of logs ingested. Work this out early to get a rough idea of what you will pay over time; in the process you will also identify the data sources that matter to your security operations center (SOC).

Buying a SIEM is a massive commitment: You and your organization will need to live with your decision for years to come.

If you already have a SIEM in place, give the vendor your current use cases and consumption, and they should be able to replicate it. If you don’t, you’ll need to do a little leg work. A good starting point is assessing the volume of logs you’ll send to the SIEM. Measure actual daily log volume from each source by checking out the locally stored logs for a “normal” day and tallying the results.

If the SIEM vendor charges by your number of employees, be wary. This is usually a way to charge more for the SIEM by counting employees who don’t generate any relevant data.
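The sizing exercise above can be done with a short script rather than by hand. The following is an added example, not code from the article: it takes one "normal" day of locally stored logs per source, tallies events and bytes for each, and derives the two figures vendors actually quote against (average EPS and GB/day), plus a multi-year ingest projection. The log contents, source names and the 20% annual growth rate are constructed assumptions; in a real exercise the strings would be read from the source's own log files.

```python
"""Rough SIEM sizing from one day's worth of locally stored logs (added example)."""
from dataclasses import dataclass
from typing import Dict, List

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365

# Constructed sample data: one "normal" day of log lines per source.
# In a real sizing exercise these come from the actual files the source
# writes locally (e.g. Path("/var/log/auth.log").read_text()).
SAMPLE_LOGS: Dict[str, str] = {
    "active_directory": (
        "2024-05-01T08:00:01Z dc01 EventID=4624 user=alice logon_type=10\n"
        "2024-05-01T08:00:05Z dc01 EventID=4625 user=bob status=0xC000006A\n"
        "2024-05-01T09:17:12Z dc02 EventID=4624 user=carol logon_type=3\n"
    ),
    "sso": (
        '{"ts":"2024-05-01T08:00:02Z","event":"user.session.start","actor":"alice"}\n'
        '{"ts":"2024-05-01T08:04:40Z","event":"user.mfa.challenge","actor":"bob"}\n'
    ),
    "firewall": (
        "May  1 08:00:00 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=22\n"
        "May  1 08:00:00 fw01 kernel: ACCEPT IN=eth1 SRC=10.0.0.12 DST=198.51.100.9 PROTO=TCP DPT=443\n"
        "May  1 08:00:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=23\n"
        "\n"  # trailing blank line, as real files often have; must not count as an event
    ),
}


@dataclass(frozen=True)
class SourceSizing:
    """Measured daily volume for one data source."""
    source: str
    events_per_day: int
    bytes_per_day: int

    @property
    def eps(self) -> float:
        """Average events per second (the EPS pricing basis)."""
        return self.events_per_day / SECONDS_PER_DAY

    @property
    def gb_per_day(self) -> float:
        """Ingested volume in decimal GB (the volume pricing basis)."""
        return self.bytes_per_day / 1e9


def size_source(name: str, raw_log: str) -> SourceSizing:
    """Tally one day's log text: non-blank lines are events, encoded length is ingest bytes."""
    events = sum(1 for line in raw_log.splitlines() if line.strip())
    return SourceSizing(name, events, len(raw_log.encode("utf-8")))


def size_all(logs: Dict[str, str]) -> List[SourceSizing]:
    """Size every source in the inventory."""
    return [size_source(name, text) for name, text in logs.items()]


def totals(sizings: List[SourceSizing]) -> Dict[str, float]:
    """Aggregate figures to put in front of a vendor under either pricing model."""
    events = sum(s.events_per_day for s in sizings)
    nbytes = sum(s.bytes_per_day for s in sizings)
    gb_day = nbytes / 1e9
    return {
        "events_per_day": events,
        "bytes_per_day": nbytes,
        "avg_eps": events / SECONDS_PER_DAY,
        "gb_per_day": gb_day,
        "gb_per_year": gb_day * DAYS_PER_YEAR,
    }


def project_annual_ingest(gb_per_day: float, years: int, annual_growth: float) -> List[float]:
    """GB ingested in each contract year, compounding an assumed growth rate (0.2 = 20%)."""
    out, yearly = [], gb_per_day * DAYS_PER_YEAR
    for _ in range(years):
        out.append(yearly)
        yearly *= 1 + annual_growth
    return out


if __name__ == "__main__":
    per_source = size_all(SAMPLE_LOGS)
    # Largest sources first: these dominate a volume-priced contract.
    for s in sorted(per_source, key=lambda x: x.bytes_per_day, reverse=True):
        print(f"{s.source:18} {s.events_per_day:>6} ev/day  {s.eps:.5f} EPS  {s.bytes_per_day:>7} B/day")
    t = totals(per_source)
    print(f"total: {t['events_per_day']} events/day, {t['avg_eps']:.5f} avg EPS, "
          f"{t['gb_per_day']:.6f} GB/day")
    print("3-year projection at 20% growth (GB/yr):",
          [round(g, 3) for g in project_annual_ingest(t["gb_per_day"], 3, 0.2)])
```

Average EPS understates what a peak-hour burst looks like, so when a vendor prices on EPS, ask whether the limit is averaged or enforced per second; the per-source breakdown is also the list to hand a vendor that claims it can replicate your current consumption.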

Evaluate your vendor’s practices

The next step is to conduct a proof-of-concept (POC); this should be a starting point for an eventual implementation, not a standalone, canned exercise. During this process, your vendor should demonstrate a service level that you’ll want to maintain post-sale. Here are some key questions to consider during this process:

  • Who will staff your account? Ideally, a vendor will commit skilled technical staff to both execute your initial evaluation and conduct an implementation.
  • Who from your team will take the technical lead on the evaluation, and who’ll ultimately implement it? Ideally this will be the same person or small group of people.
  • After you buy a SIEM, what’s next on your roadmap? SOAR? CSPM? Make sure your vendor can integrate with a broad range of technologies.
  • It’s critical to fully understand the vendor’s front- and back-end software architecture. Some vendors calling themselves “true SaaS” or “cloud-native” are not. Don’t lock yourself into a 12-month contract when you don’t know what’s going on under the hood.

Don’t be fooled: Know the total cost of implementation

When discussing the total price tag, make sure it covers the full cost of implementation. Watch out for surprises such as these:

  • Many vendors will wait until purchase time to tack on an additional 15%-20% in professional services setup costs.
  • Some SIEM vendors, especially legacy players, charge tens of thousands of dollars to move off their platform.
  • If a vendor wants to charge you for an evaluation or POC, walk away. (You wouldn’t buy a car from a dealer that charges you $500 to take it for a spin!)

Implementing a SIEM for maximum value

Prioritize your data sources

Develop a multiyear implementation plan to work through your data sources in ROI-priority order to ensure that your project adds iterative value over time.

  1. Prioritizing easy-to-parse, low-volume logs will allow you to provide immediate value without a lot of effort. Start with authentication logs for your high-value data sources [e.g., Active Directory, Single Sign-On (SSO)], then move on to authentication for high-profile cloud apps (e.g., Salesforce.com, Google Workspace).
  2. Once you have those in place, start thinking about the trickier stuff, like endpoint protection tooling and system-level logging. These will take more finesse to parse, filter and visualize.
  3. Save application logging for last. Your SOC team will need help from developers in your organization to parse these logs and interpret the results.

Know your long-term considerations

As you work through the technical implementation, be sure to create a set of processes to sustain the SIEM for the long term. Here, runbooks are your friend. They give the development team a coherent set of standards to follow. The format doesn’t really matter; the important thing is to focus on invoking the right processes and providing bare-bones guidance on how to follow them.

The long haul: Working with your vendor post-sale

There is an art to vendor management after the deal is in place. The most important practice is conducting quarterly business review meetings to assess all aspects of the collaboration between vendor and customer. First, you provide feedback to the vendor regarding its product, service or commercial engagement. Next, the vendor shares its roadmap and receives your feedback. Then together you discuss company-level collaborations like co-marketing (case studies, for example) or partnerships (getting your SIEM vendor to play nicely with your other security vendors).

Summary

To get the most out of your SIEM investment, follow these six top-line tips:

  1. Carefully prepare for your evaluation with a comprehensive sizing exercise.
  2. Conduct an evaluation that exercises all aspects of the vendor’s SIEM practice.
  3. Capture all costs of implementation.
  4. Prioritize your data sources and prepare a one- to two-year plan for ingesting data.
  5. Thoroughly document SIEM workflows and runbooks.
  6. Establish quarterly meetings with your vendor’s executive team to address outstanding issues and align on strategy.