How to do SIEM on a Shoestring Budget

By Nicole Pauls, Director of Product Management, Security, SolarWinds

Security information and event management (SIEM) software can seem like the perfect solution to smaller IT shops where resources are at a premium and where IT pros are constantly asked to do more with less. However, the reality they encounter is often anything but.

Sure, the one percent of organizations with money to burn might find traditional SIEM meets their needs, but we’re talking about the 99 percent. For these IT pros, their opinion of most SIEM solutions usually ends up starting with the word “expensive” and ending with “time consuming and difficult to use.”

So, what’s the average IT pro to do? How do they find a SIEM suitable for the masses? Here are a few tips that might help. A SIEM buyer’s guide for the 99 percent if you will.

Don’t Write off SIEM Just Yet

First and foremost, IT pros shouldn’t give up on SIEM just because they’ve heard horror stories or had one bad experience. True, traditional SIEM can be expensive and time consuming, but this is largely only true with enterprise SIEM products. Today, there are SIEM options available for organizations of all sizes.

Understand the Needs

It’s important for IT pros to recognize that when exploring SIEM options, they will encounter distractions in the form of vendor-induced confusion. IT pros should arm themselves against this by identifying their objectives of adopting a SIEM. This will likely include compliance reporting, internal monitoring, stronger attack recognition capability, IPS alert validation and incident response management.

Beyond that, chances are those in the 99 percent will want to set the SIEM up as a virtual SOC—having it churn through data while identifying and prioritizing security issues for follow-up. If this is the intent, IT pros should put an emphasis on simple out-of-the-box functionality with less of a focus on customization.

Find the Right Fit

Most SIEM vendors focus on enterprise-level organizations, so their SIEM products and solutions are often too costly or challenging to manage for small IT security departments. How can SMB and other resource-constrained IT pros sniff out a bad fit before getting too far down the bath with the wrong partner?

They should look at potential vendors’ websites. If most of their marketing materials and messages are about big data, SOC operations, highly customizable risk management engines or “enterprise” anything, they’re probably not a good match. Instead, such IT pros should look for a focus on virtual SOC deployments for smaller security programs.

Get Back to Basics

Closely related to understanding specific needs is avoiding being distracted by edge use cases. SIEM products have a lot of appealing features. The configuration possibilities and use cases of SIEM are endless. There’s no question that a highly customizable system might be useful at some point, but it’s also important to be realistic about the level of customization and subsequent time commitment required.

If an IT pro is struggling just to maintain the minimum levels of security they need with current resources, they should focus on the basics when evaluation SIEM. By doing so, they’ll accomplish what they need without biting off more than they can chew.

Make the Ability to Take Action a Priority

Above all else, IT pros need to realize that at some point—if they haven’t already many times over—they’re going to need to ask the question, “OK, we have a security issue, now what should I do?” Most SIEM technologies point out issues, in a way, that only fully resourced SOCs following their well-planned, multi-step incident response processes can easily respond to. So, in addition to the intelligence, efficiency and automation that nearly all SIEM tools can provide, a SIEM with the ability to take action can be a boon to SMB IT. IT pros should place a priority on value-added functions such as blocking, quarantining and other active protections, both automated and on demand.

At the end of the day, security is only going to become more important, and IT budgets are what they are. SIEM can go a long way to making up the difference, but only if done right. Resource-constrained IT pros should put an emphasis on usability, ease of deployment and out-of-the-box value while avoiding complexity through prioritizing the features and functions they truly need.

Nicole Pauls is director of product management at SolarWinds where she helps bring accessible IT management software to the masses, with a specific focus on IT security management. Her experience includes tier 3 technical support, software development and network/security/systems administration. She joined SolarWinds in 2011. Prior to that, she was the director of product management at TriGeo Network Security.