Bill Roth, Ulitzer Editor-at-Large

SEM: a quick reality check

By Christophe Briguet

SIEM products are intended to target mature companies that understand log management and SEM, and want to add real value to their data by deploying a system for correlation and analysis. Ideally, the deployment of a SEM solution is the ultimate stage of log monitoring; security information is monitored in real-time for immediate alerting and incident response.

In reality, things are a bit different. The main benefit of SIEM products has been the subject of much debate. Depending on the vendor, SEM can fall under log management, IDS, or NBA (network behavior analysis), which blurs the market. Many attempts to deploy all-in-one log management or SEM solutions that collect, archive, index, correlate and report on logs have failed miserably.

Companies don’t always understand exactly what they want from a SEM or log management suite, only that they need to satisfy their auditors. Too often, companies fail to identify their specific needs and simply buy the “easiest” SIEM to deploy. Only afterwards do they realize that the solution needs additional data sources to confirm the value of an event, sources the product may not support. Other companies have a solid understanding of their security concerns and how to address them, but set unrealistic goals that even the most powerful SEM cannot meet. They enable correlation rules that consume too many resources, resulting in dropped messages and/or significant delays in alerting.

To address these issues, businesses should deploy SEM solutions that have a strong and scalable log collection layer with a few critical functions:

  • Auto-identification of log types
  • Chronological log classification to extract the actual meaning of the log
  • Deep log filtering - the ability to forward only a subset of logs (perhaps 20%) to the correlation layer for real-time alerts and critical event notification
  • Visibility into the actual EPS (events per second) value and the log type, to define unique correlation scenarios
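A toy collection layer that exercises these functions on constructed log lines, written as an added example for this post rather than any vendor's code; the log types, match patterns and forwarding rules are assumptions, and the point is that type identification, EPS measurement and filtering all happen before anything reaches the correlation engine:

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original post): SSH, firewall
# and web-server events, each prefixed with a timestamp at second resolution.
SAMPLE_LOGS = [
    "2012-03-01T10:00:00 sshd[1201]: Failed password for root from 10.0.0.5 port 5120 ssh2",
    "2012-03-01T10:00:00 sshd[1201]: Accepted password for alice from 10.0.0.7 port 5122 ssh2",
    "2012-03-01T10:00:00 kernel: FW DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=22",
    "2012-03-01T10:00:01 httpd: 10.0.0.9 GET /index.html 200",
    "2012-03-01T10:00:01 httpd: 10.0.0.9 GET /logo.png 200",
    "2012-03-01T10:00:01 sshd[1201]: Failed password for root from 10.0.0.5 port 5123 ssh2",
]

# Auto-identification of log types (assumed patterns): first match wins.
LOG_TYPES = [
    ("sshd", re.compile(r"\bsshd\[\d+\]:")),
    ("firewall", re.compile(r"\bkernel: FW (DROP|ACCEPT)\b")),
    ("httpd", re.compile(r"\bhttpd:")),
]

# Deep filtering (assumed rules): only these keywords per type are forwarded
# to the correlation layer; every line is still kept for archiving.
FORWARD_RULES = {"sshd": ("Failed password",), "firewall": ("DROP",)}

def identify(line):
    for name, pattern in LOG_TYPES:
        if pattern.search(line):
            return name
    return "unknown"

def collect(lines):
    """Classify each line, measure peak EPS per log type, select the subset to forward."""
    per_second = Counter()   # (log_type, second) -> event count
    forwarded = []
    for line in lines:
        second, log_type = line.split(" ", 1)[0], identify(line)
        per_second[(log_type, second)] += 1
        if any(k in line for k in FORWARD_RULES.get(log_type, ())):
            forwarded.append((log_type, line))
    peak_eps = {}
    for (log_type, _), n in per_second.items():
        peak_eps[log_type] = max(peak_eps.get(log_type, 0), n)
    return {"peak_eps": peak_eps, "forwarded": forwarded,
            "forward_ratio": len(forwarded) / len(lines)}

if __name__ == "__main__":
    print(collect(SAMPLE_LOGS))
```

On the sample input half the lines are forwarded and the peak EPS per type is visible before any correlation rule is written, which is the sizing information the post says is usually missing.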

Companies should seek a multi-layered approach to SIEM that includes a strong log management capability and a flexible correlation engine to address specific use cases. This lets IT managers deploy SIEM gradually, realizing early ROI, while keeping the ability to tailor and deploy customized use cases and address their broader security needs later.
