Some SIEM products are complex and require extensive training and regular access to vendor support. Too many SIEM vendors still operate their consulting and support capability from overseas and are unable to offer support within our local time zone. Consequently, any on-site support and training can quickly eat into any IT budget you have left. For instance, if you need a new report, will your vendor work with you to develop it? What if you need a custom correlation rule, or you have a new data source that the vendor does not support? Or if you have a looming audit and need your vendor's guidance through the process?

Ask the vendor these questions. A trusted provider will be willing to give you value-added services without breaking your budget - this can often mean the difference between a good and a great project. I know a number of organisations that continue flying consultants from the vendor's head office to assist them with their ongoing SIEM operation.
Demand a flexible and agile solution
Security is about staying ahead of the game, so your SIEM solution needs to be very flexible in order to grow with your organisation. A universal reason for purchasing a SIEM solution is to tame the data overload problem. But as organisations gain a consolidated view of their logs, true management use cases emerge. These include the ability to customise multiple areas in the product - such as data collection policies, correlation rules and associated actions, workflow, dashboards, reporting and investigation tools - to drive maximum efficiency.
Demand a proof of concept
As a customer, it's your right to ask for a trial with your live data across your security infrastructure. Typically, this takes only a week and is well worth the effort. This is your chance to see if the vendor's marketing message is consistent with the product capability (in my experience it never is, but some vendors come close). A live trial - one with real data representing extensive volumes of transactions with unique source devices and systems, and actual testing of real threats - helps organisations avoid the serious pitfalls that can arise from relying on canned product demonstrations.
Not all SIEMs are the same
Don't assume that all apparently similar feature sets provide the same functionality. Vendors approach the same problem in their own unique way, and as a result some are far superior to others. For example, I have seen some vendors only offer very basic correlation while others offer multiple advanced correlation techniques.
Another example is with asset integration, where many vendors claim to have asset integration but only allow you to manually load asset data, which is unacceptable for all but the smallest of implementations. Some SIEM vendors will only leverage asset information for historical reporting, unable to correlate asset information in real time for either security or compliance purposes. This is a major limitation and results in an inability to perform effective risk management. True asset integration, accessible by the real-time correlation engine, enables the SIEM solution to automatically prioritise workload by focusing only on the logs related to assets critical for PCI compliance, for example.
Make sure you get serious correlation
Like many SIEM terms, the word 'correlation' lacks standard agreement in principle and practice. SIEM technologies that claim to perform asset, vulnerability and threat correlation achieve this with varying degrees of success.
Without going into the details, the following are some of the questions you should be asking the SIEM vendors about their correlation capabilities:
How does the product perform cross-device correlation?
How does the product derive priorities?
How does the product process identities and roles?
How does the product incorporate asset value?
How does the product track and escalate threat levels?
Can the product perform correlation on both real-time and historical data?
Can the product automatically discover unknown threats?
How does the product deal with time in the correlation process?
How easy is it to alter, tune and author new rules?
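To make the questions on cross-device correlation, asset value, priorities and time concrete, the sketch below is an added example, not code from this article or from any SIEM product. The event fields, asset inventory, five-minute window and scoring formula are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed asset inventory: criticality 1 (low) to 5 (high); pci marks in-scope systems.
ASSETS = {
    "10.0.5.20": {"name": "card-db01", "criticality": 5, "pci": True},
    "10.0.9.77": {"name": "print-srv", "criticality": 1, "pci": False},
}

# Constructed, already-normalised events from two device types, deliberately out of order.
EVENTS = [
    {"ts": "2024-03-01T10:03:40", "type": "login_failure", "src": "203.0.113.9", "dst": "10.0.5.20"},
    {"ts": "2024-03-01T10:00:05", "type": "port_scan", "src": "203.0.113.9", "dst": "10.0.5.20"},
    {"ts": "2024-03-01T10:01:00", "type": "port_scan", "src": "198.51.100.4", "dst": "10.0.9.77"},
    {"ts": "2024-03-01T10:02:10", "type": "login_failure", "src": "198.51.100.4", "dst": "10.0.9.77"},
    {"ts": "2024-03-01T11:30:00", "type": "login_failure", "src": "203.0.113.9", "dst": "10.0.5.20"},
]

WINDOW = timedelta(minutes=5)   # assumed correlation window
BASE_SEVERITY = 3               # assumed severity of the "scan then failed login" rule


def when(event):
    """Parse the event timestamp so ordering and windows use real time, not arrival order."""
    return datetime.fromisoformat(event["ts"])


def correlate(events, assets, window=WINDOW):
    """Pair a firewall port scan with a later auth failure (same src and dst) inside the window."""
    last_scan = {}  # (src, dst) -> time of the most recent scan
    alerts = []
    for e in sorted(events, key=when):
        key, ts = (e["src"], e["dst"]), when(e)
        if e["type"] == "port_scan":
            last_scan[key] = ts
        elif e["type"] == "login_failure" and key in last_scan and ts - last_scan[key] <= window:
            # Asset lookup happens at correlation time; unknown hosts get the lowest value.
            asset = assets.get(e["dst"], {"name": "unknown", "criticality": 1, "pci": False})
            # Priority = rule severity x asset criticality, doubled for PCI-scoped assets.
            priority = BASE_SEVERITY * asset["criticality"] * (2 if asset["pci"] else 1)
            alerts.append({"asset": asset["name"], "src": e["src"], "priority": priority})
    return sorted(alerts, key=lambda a: -a["priority"])


if __name__ == "__main__":
    for alert in correlate(EVENTS, ASSETS):
        print(alert)
```

The same rule fires on both hosts, but the PCI database alert ranks ten times higher than the print server alert, and the 11:30 login failure raises nothing because it falls outside the window.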
Appliance vs. Software
Generally, appliances are easier to set up and operate, while software-based solutions are far more functional and scalable. SIM platforms generally run on an appliance while SEM platforms are software-based.