A SIEM Solution is Like a Garden

If you expose the dirt on your lawn by cutting a big square out of your grass, you can’t just stop there and say “Done, I now have a garden.” In fact, all you have is a big dirt square that will eventually regrow the grass you just removed. To create an actual garden you need to build the foundation, plant the flowers, and maintain the garden so that it continues to flourish.

The same can be said of any Security Information and Event Management (SIEM) solution you buy. Just because you purchase a box, or a piece of software, that the marketing material calls a “SIEM Solution” doesn’t mean that racking it and turning it on is the end of the project life cycle. Just like a garden, there needs to be proper preparation, implementation, and maintenance for the program to succeed.


Alright, so Vendor A calls you up and tells you how great their SIEM solution is, what it will do for your [security | compliance | log management] project, and why you should buy it before their end of quarter. That’s all well and good, but you’ll also get the exact same calls from Vendor B and Vendor C before the week is over, all promising the same puppy dogs, ice cream and unicorns. The question is: which one is right for my environment?

When you decide that you’re going to plant a garden, there are several factors you need to consider before rushing into it. The first question is: where do I put it? This is a very important question because it will influence the types of plants that will grow in your garden. Most, if not all, plants and seeds you buy from a store come with some manner of instructions. Seeds will usually explain the conditions required for optimal growth on the back of the package, while plants will usually have one of those plastic or paper inserts stuck into the soil. Some plants require full sun while others require some measure of shade. Do you put it out front where your kids play, or out back where the dog, or other animals, might dig through it? How much natural rain water will the garden get, or will you have to rely totally on manual watering?

These are the same kinds of questions you should ask yourself when deciding on a SIEM solution. Not only do you need to read about what the product can do, you need to distill what is important to your environment. If you are a predominantly Cisco and Microsoft Windows shop, what good is a product that prides itself on Juniper and Solaris integration but has serious deficiencies when it comes to Cisco and Microsoft integration? That is like planting a flower that requires full sun in the shade. It’ll look nice until it dies a horrible sunless death.

You also need to figure out where the best location is in your network for this solution. Most SIEM products are made up of collectors and centralized processing points, and a log source that cannot reach a collector never makes it into the SIEM at all. If you put a collector in one [rack | building | city | country], will it give you the visibility you’re looking for, or will that location only show you a portion of the total picture? Maybe your collection infrastructure needs to be bigger, or maybe, like a small garden, it can be built out over time.
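The two questions above, whether a vendor actually covers the platforms you run and whether your collector placement leaves whole sites dark, can be checked against your own inventory before you sign anything. The script below is an added example, not code from the original post or from any SIEM vendor; the hostnames, sites, and vendor support lists are constructed placeholders, and real support lists would come from each vendor’s documentation. It ranks vendors by how much of *your* inventory they parse natively and reports every site with no collector.

```python
from collections import defaultdict

# Constructed sample inventory of log sources: (hostname, platform, site).
# Hostnames and sites are hypothetical placeholders, not from the original post.
INVENTORY = [
    ("fw-hq-01",       "cisco-asa",   "hq"),
    ("sw-hq-01",       "cisco-ios",   "hq"),
    ("dc-hq-01",       "windows",     "hq"),
    ("dc-hq-02",       "windows",     "hq"),
    ("fw-branch-01",   "cisco-asa",   "branch"),
    ("file-branch-01", "windows",     "branch"),
    ("db-dc2-01",      "solaris",     "dc2"),
    ("edge-dc2-01",    "juniper-srx", "dc2"),
]

# Constructed vendor support matrices: platforms each vendor parses natively.
# Hypothetical; real support lists come from the vendor's documentation.
VENDORS = {
    "Vendor A": {"cisco-asa", "cisco-ios", "windows"},
    "Vendor B": {"juniper-srx", "solaris", "cisco-ios"},
}


def vendor_coverage(inventory, supported):
    """Fraction of the inventory a vendor parses natively, plus the hosts it misses."""
    unsupported = [host for host, platform, _ in inventory if platform not in supported]
    covered = len(inventory) - len(unsupported)
    return covered / len(inventory), unsupported


def rank_vendors(inventory, vendors):
    """Order vendors by native coverage of this inventory, best first."""
    scored = [(name, vendor_coverage(inventory, sup)[0]) for name, sup in vendors.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def collector_gaps(inventory, collector_sites):
    """Hosts grouped by site, for every site that has no collector placed."""
    by_site = defaultdict(list)
    for host, _, site in inventory:
        by_site[site].append(host)
    return {site: hosts for site, hosts in by_site.items() if site not in collector_sites}


def site_visibility(inventory, collector_sites):
    """Fraction of hosts whose site has a collector, i.e. what the SIEM can actually see."""
    reachable = sum(1 for _, _, site in inventory if site in collector_sites)
    return reachable / len(inventory)


if __name__ == "__main__":
    for name, score in rank_vendors(INVENTORY, VENDORS):
        _, missing = vendor_coverage(INVENTORY, VENDORS[name])
        print(f"{name}: {score:.0%} of sources parsed natively; unsupported: {missing}")
    placement = {"hq"}  # proposed collector placement: one collector at HQ only
    print(f"Collectors at {sorted(placement)}: {site_visibility(INVENTORY, placement):.0%} visibility")
    for site, hosts in collector_gaps(INVENTORY, placement).items():
        print(f"  no collector at {site}: {hosts}")
```

With this inventory, Vendor B’s Juniper and Solaris strengths buy you under half of your sources, while a single collector at HQ leaves the branch and second data center completely dark. Swap in your real asset list and the vendor’s documented parser list, and the numbers replace the marketing call.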

Keep in mind that, like a garden, you’re probably not the first person to ever undertake such a project. When starting a big garden project you will typically ask the experts, such as greenhouse workers, friends, and colleagues, for their input. Their advice is valuable because they have already made the mistakes and can tell you how to avoid the roadblocks they encountered. Just as you would ask a greenhouse worker for advice, ask the vendor for references that you can speak to without the vendor on the phone. You want the people you talk with to feel they can discuss the solution’s pros and cons without feeling cornered; when the vendor is on the call, references often hold their tongue, and that doesn’t give you the full picture you’re looking for. You’ll also want to talk to both management references and technical references, because each will have a different view on how the project progressed.

Hopefully this gives you some things to think about before rushing into purchasing a SIEM solution (or starting a garden for that matter). In my next post I’ll discuss the implementation phase of your SIEM project.

Written by Andrew Hay



Devastatingly handsome CISO @DataGravityInc.

Security, DFIR, DevOps, cloud, business, and BBQ renaissance man of most trades (master of some).