Recent figures from industry observers including Gartner have shown that SIEM projects have a surprisingly higher failure rate compared to other projects. Does that mean the SIEM concept is flawed? Not at all – otherwise companies wouldn’t even be attempting SIEM deployments. The benefits of SIEM are clear: rapid ROI, ongoing savings in manpower and equipment, more effective security management, and compliance with key legislation.
No, the failures simply highlight the fact SIEM is one of the most ambitious and far-reaching projects that can be undertaken by a company. Because SIEM ties together so many disparate technologies, and working groups – from specialised IT teams to C-level board executives, including risk control groups, compliance executives and HR on the way, project success is inevitably based on careful preparation and planning.
Points of failure
So what are the reasons behind the project failures? Gartner, McKinsey and other sources state that the leading reasons were, not altogether surprisingly:
- No cross-function steering committee was appointed at the outset
- Project owners did not have clearly defined roles
- Projects had no defined timescale, or where too ambitious for the timescale
- Requirements were poorly defined
- Poor planning for continuity or remediation.
But where should the planning and preparatory effort be directed, to minimise both risks and costs in a SIEM deployment? I believe there are four key steps which should underpin preparation work.
Before we get to those four steps, let’s first recap what a SIEM system is. It’s software that takes input logs and alerts from a range of systems (firewalls, routers, anti-malware, servers, etc) and informs IT teams of unusual occurrences which warrant further investigation.
As well as collecting and storing this raw log data, the system safeguards the data for subsequent audit needs and for compliance-aligned reporting. This same source data satisfies multiple needs and functions, in that the security team will use it to see if any breaches have occurred; the IT team will check to see if network devices are working correctly; the compliance team will check to see that security breaches have not occurred, and so on.
Crucially, SIEM cuts information overload by reducing false positives and negatives, excluding “normal” activities from view (so reporting by exception), consolidating logs from different systems into single “alerts”.
In effect, SIEM improves the signal to noise ratio for IT teams, enabling them to more easily identify “real” threats from false alarms. This means a team of a given size can do the work of a larger (and possibly more skilled) team. It’s all about getting the most out of the people on the IT security team. So, before you begin, make sure everyone you’ll be working with is onside.
SIEM deployments cut across organisations’ boundaries. In IT you can expect to involve stakeholders in architecture, operations, help-desk, and security functions. Within business management, you may need support from finance, HR, compliance, risk management, and the sponsoring C-level executive. It’s essential that any SIEM project secure buy-in from all stakeholders before work begins in earnest. Once the team is assembled, you’re then ready for the 4-step process to perfect SIEM preparation.
Step 1: assess
This step is all about gather as much relevant information on key stakeholder requirements and thoroughly auditing your existing IT and security arrangements.