Channel: Immutable Security » syslog-ng

The Case Against SIEMs


When many companies think about log management, they immediately jump to SIEMs, or Security Information and Event Managers. You’ll also find many in the infosec community who jump to the conclusion that a SIEM is the right solution for the problem, when they haven’t taken the time to set requirements and expectations and to understand what it is they are actually trying to achieve.

I was reminded of this today when a client needed a refresh and storage update of their pre-existing SIEM solution. The quote was $77,000 (USD). They are collecting logs from about 300 servers and running daily reports of successful and failed logins. That’s it.

I couldn’t help thinking: what is so special about this solution that they need to spend $77,000 for another log collector appliance (which is really just a Dell server with Windows installed on it) and about 2TB of storage? If they are paying this much for a simple upgrade, what was their initial investment? If they are like most companies that buy SIEMs, they didn’t get out of the room for under six figures.

To be clear, a good SIEM does more than simply collect logs and allow one to run reports. It can correlate log and vulnerability information, elevate alerts based on asset value, identify suspicious patterns and integrate with ticketing and incident response systems.

The question is: who is sufficiently advanced in their security program to make use of such capabilities? Furthermore, what regulations, contracts or risk programs require this level of sophistication? The answer, based on my experience, is very, very few.

Does that mean having all of this wouldn’t be a good thing? Of course not. In a perfect world, security ninjas would be able to make these things sing and dance in all kinds of cool ways. But most of us don’t live in that world. We live in a world where management gives us conflicting priorities, doesn’t adequately staff the security team and turns down our requests to limit user access.

So I am here to tell you that you probably don’t need a SIEM. And here are the top five reasons why I think so:

  1. They are ridiculously expensive. Sure, the cost of security should be commensurate with the risk. But when you’re talking about laying down six or seven figures for a tool, you better be damn sure it is going to pick up your toys and call you sweetheart.
  2. The requirements often don’t necessitate it. But I have SOX, HIPAA and PCI requirements! Bah! I have been in all of those environments and, in most cases, a SIEM was nowhere to be found. Most of them had simple syslog servers with daily reports sent out by scripts. They passed the audits just fine.
  3. It may never be fully deployed. SIEMs are complex beasts. They are also often buggy, frail and slow. To properly deploy, integrate and test a SIEM can take a team months or even years. The line I hear most often from SIEM administrators is, “We haven’t gotten to that part yet.”
  4. They often provide little value. If the cost were high and the value were high, maybe the price wouldn’t be so much of an issue. But the bang for the buck you get is often very low beyond what you could do with a solution that costs one-tenth of the price, or less. I have seen many SIEMs that don’t even alert you to multiple failed logins to a single host. You have to configure these yourself. That means each analyst at each company becomes a research analyst and has to do their own threat modeling. You should get the experience and expertise of the SIEM vendor from day one.
  5. You’ll experience vendor lock-in. Now that you have all of this data in the SIEM, how do you get it out should you want to change course? Or will you be forced to pay the piper when you need an upgrade?
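Points 2 and 4 above describe the kind of work a plain syslog server and a script can cover: a daily report of successful and failed logins, plus the "multiple failed logins to a single host" alert. The following is an added example written for this page, not a script from the original post or from any syslog-ng or OSSEC tooling. It parses constructed OpenSSH sshd lines in classic syslog format (the sample data, the host names, the addresses and the failure threshold of 5 are all assumptions chosen for illustration), produces per-host and per-user counts, and flags any host whose failed-login count reaches the threshold.

```python
import re
from collections import Counter

# Constructed sample syslog lines for this example (not real log data).
# Format is the classic "MMM DD HH:MM:SS host sshd[pid]: ..." that OpenSSH
# emits through syslog. The cron line is there to show non-auth noise is skipped.
SAMPLE_LOG = """\
Mar  3 08:01:12 web01 sshd[2201]: Accepted publickey for deploy from 10.0.1.5 port 51822 ssh2
Mar  3 08:02:40 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Mar  3 08:02:43 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Mar  3 08:02:47 web01 sshd[2210]: Failed password for root from 203.0.113.9 port 40023 ssh2
Mar  3 08:02:51 web01 sshd[2212]: Failed password for root from 203.0.113.9 port 40024 ssh2
Mar  3 08:03:02 web01 sshd[2212]: Failed password for root from 203.0.113.9 port 40025 ssh2
Mar  3 08:05:00 db01 sshd[1190]: Accepted password for alice from 10.0.1.7 port 50011 ssh2
Mar  3 08:06:15 db01 sshd[1195]: Failed password for alice from 10.0.1.7 port 50012 ssh2
Mar  3 08:06:30 db01 sshd[1195]: Accepted password for alice from 10.0.1.7 port 50012 ssh2
Mar  3 08:10:00 db01 cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_logins(text):
    """Yield one dict per sshd login event; lines that are not sshd auth events are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def daily_report(text, fail_threshold=5):
    """Summarise a day's worth of syslog text.

    Returns successful logins per (host, user), failed logins per
    (host, user, source), failed logins per host, and the list of hosts
    whose failed-login count reached fail_threshold (assumed value: 5).
    """
    events = list(parse_logins(text))
    successful = Counter((e["host"], e["user"]) for e in events if e["result"] == "Accepted")
    failed = Counter((e["host"], e["user"], e["src"]) for e in events if e["result"] == "Failed")
    failed_per_host = Counter()
    for (host, _user, _src), n in failed.items():
        failed_per_host[host] += n
    alerts = sorted(h for h, n in failed_per_host.items() if n >= fail_threshold)
    return {
        "successful": successful,
        "failed": failed,
        "failed_per_host": failed_per_host,
        "alerts": alerts,
    }


def format_report(report):
    """Render the summary as the plain text a daily cron job would mail out."""
    lines = ["Successful logins:"]
    for (host, user), n in sorted(report["successful"].items()):
        lines.append(f"  {host:<8} {user:<10} {n}")
    lines.append("Failed logins:")
    for (host, user, src), n in sorted(report["failed"].items()):
        lines.append(f"  {host:<8} {user:<10} from {src:<15} {n}")
    lines.append("ALERTS: " + (", ".join(report["alerts"]) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    # In practice the text would come from the previous day's auth log on the syslog server.
    print(format_report(daily_report(SAMPLE_LOG)))
```

The threshold and the grouping are the two things an analyst would tune for their environment; the point is that both the report and the alert the post says a SIEM should provide out of the box fit in a short script run from cron.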

Now, obviously, I have come down pretty hard on SIEM vendors here. I expect someone will come along and want to refute my assertions. I most definitely welcome that.

There’s a missing market in the log management world. It lies somewhere between solutions like OSSEC and syslog-ng, and Arcsight. It’s a market which would offer intelligent log collection, analysis, correlation and alerting, combined with valuable reports made available through a nice front-end. And there’s no reason a product like this should cost more than five-thousand dollars, at most.

Note to prospective SIEM employers if I am ever looking for work–just kidding! :)
