Which SIEM system is right for regulatory compliance in my company?

In the first part of this tip, I explained how a security information and event management (SIEM) system can help an enterprise meet regulatory compliance requirements. In this tip, I'll define the questions that need to be answered before purchasing a SIEM system and another set of questions that should be answered after implementation.

The first step for an organization considering a SIEM system is a thorough risk assessment of its IT infrastructure, including documentation of internal and external threats. If the organization does deploy a SIEM system for regulatory compliance management, it should use the system to periodically re-verify that assessment: the events the SIEM collects show which of the documented threats are actually materializing.

After the risk assessment, gather feedback from inside the organization. Ask members of the compliance, security and IT departments the following questions:

  1. Is this enterprise ready to bring in a new technology that will consume more infrastructure resources? What about personnel resources?
  2. Would this technology address the needs of application owners? System owners?
  3. Does this technology overlap with other solutions that are in place?
  4. Who will own, maintain and operate this new technology?
  5. How much ongoing vendor support can the enterprise afford?
  6. Is the enterprise willing to spend the time to do it right?
  7. Do people in the enterprise have the skills necessary to support this project?
  8. Where does the greatest need exist to manage events? Infrastructure? Perimeter? Applications? Databases?
  9. Which area could benefit the most from such a solution?

Facts to assemble through due diligence

Due diligence might seem unnecessary, given the volume of reading material available on vendors' websites and offers to conduct cost-benefit studies for free. It's not. Astute security managers and compliance officers know that deploying a SIEM system is a process, not an event. Regulatory compliance is an ongoing obligation; a SIEM system can assist with it but will not carry it alone. Due diligence means taking the time to determine the following facts before purchase:

Cost: Determine both the baseline and the incremental cost of purchasing the product, including what it costs to add event sources and retention over time.


Architecture: Determine where the product fits into the enterprise's overall architecture. Would it support an incremental build?

Interoperability: Determine integration requirements for other monitoring or logging tools used in the environment.

Security: Understand how the event data will be secured in transit and at rest, and who can read or alter it. A SIEM concentrates sensitive data from across the enterprise, and if its records are to serve as compliance evidence they must be protected against tampering, including by the administrators who operate the system.

Development methodology: How much customization is needed? How will the product be tested?

Skills: Determine the skills necessary to develop, implement and operate the SIEM system. Also determine which professional services the enterprise would need to purchase.

Tuning: Understand how alerts will be validated to confirm that they are meaningful and how false positives will be eliminated. Correlation rules need thresholds, time windows and exceptions that fit the environment, and it takes time to correlate and process millions of events, regardless of the product chosen.
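As an added illustration (not part of the original article or any vendor's product), the following Python sketch shows what tuning means for a single correlation rule. The rule flags a source that produces several failed logins within a short window and then succeeds. Run untuned, it also fires on an authorized vulnerability scanner; adding an allowlist removes that false positive, and widening the window shows how the same rule can be made to catch a slow, spread-out attempt. The log format, usernames, IP addresses and the scanner allowlist are all constructed for this example.

```python
"""Toy SIEM correlation rule with tuning knobs (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events (not real logs).
# Format: <ISO timestamp> <FAIL|OK> user=<name> src=<ip>
SAMPLE_LOG = """\
2010-02-01T09:00:01 FAIL  user=alice  src=203.0.113.7
2010-02-01T09:00:03 FAIL  user=alice  src=203.0.113.7
2010-02-01T09:00:05 FAIL  user=alice  src=203.0.113.7
2010-02-01T09:00:06 FAIL  user=alice  src=203.0.113.7
2010-02-01T09:00:07 FAIL  user=alice  src=203.0.113.7
2010-02-01T09:00:09 OK    user=alice  src=203.0.113.7
2010-02-01T09:10:00 FAIL  user=bob    src=10.0.0.5
2010-02-01T09:10:01 FAIL  user=bob    src=10.0.0.5
2010-02-01T09:10:02 FAIL  user=bob    src=10.0.0.5
2010-02-01T09:10:03 FAIL  user=bob    src=10.0.0.5
2010-02-01T09:10:04 FAIL  user=bob    src=10.0.0.5
2010-02-01T09:10:05 FAIL  user=bob    src=10.0.0.5
2010-02-01T09:10:09 OK    user=svc-scan src=10.0.0.5
2010-02-01T10:00:00 FAIL  user=carol  src=198.51.100.2
2010-02-01T10:30:00 FAIL  user=carol  src=198.51.100.2
2010-02-01T11:00:00 FAIL  user=carol  src=198.51.100.2
2010-02-01T11:30:00 FAIL  user=carol  src=198.51.100.2
2010-02-01T12:00:00 FAIL  user=carol  src=198.51.100.2
2010-02-01T12:00:05 OK    user=carol  src=198.51.100.2
"""

# Hypothetical: 10.0.0.5 is an authorized vulnerability scanner that logs in
# after probing; its failures are expected and should not page anyone.
SCANNER_ALLOWLIST = frozenset({"10.0.0.5"})

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")


def parse(log_text):
    """Turn raw lines into (timestamp, outcome, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline would count unparsed lines rather than drop them silently
        ts, outcome, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events


def brute_force_alerts(events, threshold=5, window=timedelta(seconds=60),
                       allowlist=frozenset()):
    """Alert when >= `threshold` FAILs from one source within `window` are
    followed by an OK from that source. `allowlist` suppresses known sources.
    Events must be in time order, as they would be from a single collector."""
    recent_fails = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts = []
    for ts, outcome, user, src in events:
        q = recent_fails[src]
        while q and ts - q[0] > window:  # expire failures that fell out of the window
            q.popleft()
        if outcome == "FAIL":
            q.append(ts)
        elif len(q) >= threshold:
            if src not in allowlist:
                alerts.append({"src": src, "user": user, "failures": len(q), "at": ts})
            q.clear()  # the success consumed this burst; start counting afresh
    return alerts


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("untuned:", [a["src"] for a in brute_force_alerts(evts)])
    print("allowlisted:", [a["src"] for a in brute_force_alerts(evts, allowlist=SCANNER_ALLOWLIST)])
    print("24h window:", [a["src"] for a in brute_force_alerts(evts, window=timedelta(days=1))])
```

The three runs at the bottom are the validation step the paragraph calls for: the untuned rule produces two alerts, one real (203.0.113.7) and one false positive (the scanner); the allowlist leaves only the real one; and the wide window additionally catches 198.51.100.2, whose five failures are spread over two hours and are invisible to the 60-second rule. Which of those behaviours is "right" depends on the environment, which is why a vendor's default rule set cannot be treated as finished.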

Given a thorough understanding of the proposed purchase and its target environment, compliance officers can set realistic goals for how SIEM systems will help with regulatory compliance management and look forward to achieving them.

SIEM systems won't deliver perfect security

Security challenges tend to be diverse, as the headlines from a recent issue of Computer Fraud and Security Magazine indicate:

  • "ID theft levels rise unabated"
  • "FTC fines child social networking site for privacy violations"
  • "Systems administrator jailed for planting logic bomb at work"
  • "Man pleads guilty to hotel keystroke fraud"

SIEM systems can help organizations manage security. They also have their limits. Correlation rules change, and so do the events they are written against. Realize that a SIEM system is only one tool of many; no single tool will solve every security problem an organization may have. A SIEM system won't satisfy each and every regulatory requirement either, no matter how many regulations the vendor has mapped it to. Security managers and compliance officers are best served by remaining realistic about what implementing a SIEM system can do toward regulatory compliance mandates, asking tough questions and deploying resources based on a sound risk management practice.

Meenu Gupta, CISA, CISM, CISSP, CIPP, is president of Mittal Technologies. Gupta is currently consulting with several federal agencies, including the departments of Health and Human Services and Homeland Security. She is also an adjunct professor at University of Maryland University College, where she teaches information systems management.

This was first published in February 2010
