5 Questions to Ask Before Choosing a SIEM Platform in 2021 and Beyond
Learn the top five questions to ask before choosing a SIEM platform in 2021 and beyond, and decide for yourself the appropriate label for any SIEM solution.
Join the DZone community and get the full member experience.Join For Free
You've probably never heard any company tout the fact that theirs is a "legacy solution." Of course not. The term legacy carries a negative connotation — it's the opposite of "new and improved" in the language of marketers. But, in reality, some solutions indeed are legacy, and others represent the next generation of technology.
Both next-gen and legacy are overused terms that have no consistently precise meaning. Marketing folks can use them however they choose. So how do you determine which SIEM platforms are deserving of either the legacy or next-gen moniker?
This article will explore the top five questions that should be asked before choosing a SIEM platform in 2021 and beyond. You can use these questions to decide for yourself the appropriate label for any SIEM solution.
Question 1: How Does Your Pricing Model Work?
This question about a vendor's pricing model is far more significant than it seems at face value. This question is not simply asking, "how much does it cost?" — as if it was a bicycle or a banana. Instead, it is trying to get at the root of what the costs will be when you scale your security operations. It is trying to uncover whether or not you will be able to afford to ingest all the data you need from all the sources you should and retain the data for as long as it is useful.
Another way of rephrasing this question is to ask, "Will I need to compromise my security in the future because your solution becomes too expensive at scale?"
Security data is growing exponentially, and teams need to ensure they aren't buried by the licensing cost of SIEMs that do not account for modern scales. Vendors need to think in terms of TBs and PBs and no longer GBs. Today's issue is that very high licensing costs disincentivizes teams to send all of the data they need to detect and respond appropriately.
Question 2: Is My Security Data Locked In?
Proprietary data storage formats prevent teams from performing custom post-processing, exporting data, or switching providers as needed. If there ever was a reliable clue to indicate whether or not a solution deserves to be labeled as "legacy," a proprietary data storage format is that indicator.
By choosing a SIEM backed by a cloud data warehouse, security teams gain the scale benefits of decoupling storage and compute, add the ability to share data externally with other organizations, and enrich their data. And, if, for some reason, security teams need direct access to the data, they can perform any additional processing.
Question 3: Which Compliance Certifications Do You Have?
SaaS services are only as secure as the team running them. Compliance standards like PCI, SOC, HIPAA, and others give you, the prospective customer, a higher level of confidence that the provider is doing their due diligence and has appropriate and tight security controls.
In most cases today, security teams can transfer the cloud hardening responsibility to the provider. Compliance frameworks, however, take continuous work and effort to uphold. Maintaining compliance standards is not the best use of the security team's time. Any solution deserving of being called next-gen should allow you to model policies standards as code to achieve compliance.
Question 4: How Customizable Are the Detection Capabilities?
Each SIEM solution takes a unique approach to detection. Some are more hands-on, enabling teams to fully customize by writing code or custom detection expressions. In contrast, others are "black box" and use technology like machine learning to detect destructive behaviors.
There's no silver bullet, but understanding exactly what the SIEM can or cannot do equips teams with the knowledge to appropriately use the tools at their disposal. It is crucial to find a solution that fits the skills and abilities of your team and the culture of your organization.
Ultimately, the most effective way to provide protection is to take a detection-in-depth approach where multiple signals are combined to increase confidence that something is bad. This foundational security principle is why it is so crucial that your solution gives you the broadest possible access to the largest amount of data and arms you with the most flexible methods to create detections and investigate alerts.
Question 5: What's the Interface to Query My Data?
Having robust and expressive investigation capabilities can significantly improve incident response. If analysts get confused by what they are looking at or don't know how to ask the questions for which they need answers, the power behind the interface is largely wasted.
Domain-specific languages (DSL) are designed to trade ease of use for flexibility. You can simply make routine queries but may not be able to get the information you truly need very easily.
An interpreted, object-oriented, high-level programming language with dynamic semantics, such as Python or even the high-level declarative computer language, SQL, will provide maximum flexibility and are commonly used by security teams. This familiarity combined with flexibility often provides the most effective solution.
The world might be a simpler place if we could count on marketing departments to apply accurate and well-defined labels to their products, but let's not count on that happening any time soon. In the meantime, it is up to each of us to ask the right questions and interpret and weigh the answers. Next time a vendor calls, remember the acronym PPPCI:
- Pricing — It's really about the cost to scale
- Proprietary — Don't let your data be locked in
- Performance — Increased speed will lower your operational overhead
- Customizable — Customize for detection-in-depth
- Interface — If you can't understand the interface, the power is wasted
By focusing on these critical aspects and asking the five key questions outlined here, you can get the information you need to make the best decision about a potential SIEM solution.
Opinions expressed by DZone contributors are their own.