In the first part of this tip, I explained how a security information and event management (SIEM) system can help an enterprise meet regulatory compliance. In this tip, I'll define the questions that need to be answered before purchasing an SIEM system and another set of questions that should be answered after implementation.
The first goal for an organization considering an SIEM system is a thorough risk assessment of all IT infrastructure, including documentation of internal and external threats. If the organization does deploy an SIEM system for regulatory compliance management, use the system to periodically verify that assessment.
After the risk assessment, gather feedback from inside the organization. Ask members of the compliance, security and IT departments the following questions:
- Is this enterprise ready to bring in a new technology that will consume more infrastructure resources? What about personnel resources?
- Would this technology address the needs of application owners? System owners?
- Does this technology overlap with other solutions that are in place?
- Who will own, maintain and operate this new technology?
- How much ongoing vendor support can the enterprise afford?
- Is the enterprise willing to spend the time to do it right?
- Do people in the enterprise have the skills necessary to support this project?
- Where does the greatest need exist to manage events? Infrastructure? Perimeter? Applications? Databases?
- Which area could benefit the most from such a solution?
Facts to assemble through due diligence
Due diligence might seem unnecessary, given the volumes of reading material available on vendors' websites and offers to conduct cost-benefit studies for free. It's not. Astute security managers and compliance officers know that deploying SIEM systems is a process, not an event. Regulatory compliance management is an ongoing challenge that SIEM can assist in accomplishing. Due diligence means taking the time to determine the following facts before purchase:
- Cost: Determine both the baseline and the incremental cost of purchasing the product.
- Architecture: Determine where the product fits into the enterprise's overall architecture. Would it support an incremental build?
- Interoperability: Determine integration requirements for other monitoring or logging tools used in the environment.
- Security: Understand how the event data will be secured.
- Development methodology: How much customization is needed? How will the product be tested?
- Skills: Determine the skills necessary to develop, implement and operate the SIEM system. Also determine which professional services the enterprise would need to purchase.
- Tuning: Understand how the alerts will be validated to ascertain their meaningfulness and how false positives will be eliminated. It takes time to correlate and process millions of events, regardless of the product chosen.
Given a thorough understanding of the proposed purchase and its target environment, compliance officers can set realistic goals for how SIEM systems will help with regulatory compliance management and look forward to achieving them.
SIEM systems won't deliver perfect security
Security challenges tend to be diverse, as the headlines from a recent issue of Computer Fraud and Security Magazine indicate:
- "ID theft levels rise unabated"
- "FTC fines child social networking site for privacy violations"
- "Systems administrator jailed for planting logic bomb at work"
- "Man pleads guilty to hotel keystroke fraud"
SIEM systems can help organizations manage security. They also have their limits. Correlation rules change, and so do the events. Realize that a SIEM system is only one tool of many. No single tool will solve all security problems that an organization may have. An SIEM system won't satisfy each and every regulatory requirement either, no matter how many regulations it's been mapped to by the vendor. Security managers and compliance officers are best served by remaining realistic about implementing an SIEM system to meet regulatory compliance mandates, asking tough questions and deploying resources based on a sound risk management practice.
Meenu Gupta, CISA, CISM, CISSP, CIPP, is president of Mittal Technologies. Gupta is currently consulting with several federal agencies, including the departments of Health and Human Services and Homeland Security. She is also an adjunct professor at University of Maryland University College, where she teaches information systems management.