Recent figures from industry observers including Gartner have shown that SIEM projects have a surprisingly higher failure rate compared to other projects. Does that mean the SIEM concept is flawed? Not at all – otherwise companies wouldn’t even be attempting SIEM deployments. The benefits of SIEM are clear: rapid ROI, ongoing savings in manpower and equipment, more effective security management, and compliance with key legislation.
No, the failures simply highlight the fact SIEM is one of the most ambitious and far-reaching projects that can be undertaken by a company. Because SIEM ties together so many disparate technologies, and working groups – from specialised IT teams to C-level board executives, including risk control groups, compliance executives and HR on the way, project success is inevitably based on careful preparation and planning.
Points of failure
So what are the reasons behind the project failures? Gartner, McKinsey and other sources state that the leading reasons were, not altogether surprisingly:
- No cross-function steering committee was appointed at the outset
- Project owners did not have clearly defined roles
- Projects had no defined timescale, or where too ambitious for the timescale
- Requirements were poorly defined
- Poor planning for continuity or remediation.
But where should the planning and preparatory effort be directed, to minimise both risks and costs in a SIEM deployment? I believe there are four key steps which should underpin preparation work.
Before we get to those four steps, let’s first recap what a SIEM system is. It’s software that takes input logs and alerts from a range of systems (firewalls, routers, anti-malware, servers, etc) and informs IT teams of unusual occurrences which warrant further investigation.
As well as collecting and storing this raw log data, the system safeguards the data for subsequent audit needs and for compliance-aligned reporting. This same source data satisfies multiple needs and functions, in that the security team will use it to see if any breaches have occurred; the IT team will check to see if network devices are working correctly; the compliance team will check to see that security breaches have not occurred, and so on.
Crucially, SIEM cuts information overload by reducing false positives and negatives, excluding “normal” activities from view (so reporting by exception), consolidating logs from different systems into single “alerts”.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.