RSAC 2011: Talk About a SIEM Revolution
At this year’s RSA Conference, I was struck by the number of times SIEM was mentioned. In every discussion on data, incident response, and/or compliance, I heard “well, you’ve got to do something with it, and a good SIEM can help.” If we rewind the clock 10 years (when several SIEM vendors got their start), or even five years (when the value proposition for SIEM began to gain traction), SIM/SEM/SIEM (or even Log Management) was barely in the IT/security dictionary – even though there were plenty of people from the SME to the Enterprise actively using these products on a daily basis.
One of the first presentations at RSA was titled “Mature SIEM Implementations at Five Years: If We Knew Then What We Know Now” (also discussed over at Dark Reading).
It’s always interesting to hear real-world case studies, and this one shines a pretty big spotlight on the complexity of many Enterprise SIEM deployments. This complexity not only leads to long deployment cycles, but also failed implementations, frustrated IT and security staff, wasted time, and honestly, less buy-in from management that SIEM delivers real business value.
Here are some of the interesting highlights and misconceptions about SIEM deployments:
- Most of the mentions of SIEM at RSA were very large-scale and enterprise-focused. Statements like “engage your SAN team,” conversations about Oracle deployments, minutes spent discussing custom code and “prioritization algorithms,” and comments about the number of incidents your “analysts” can handle are intimidating if you’re going into a SIEM pilot project/evaluation as a large enterprise (or deploying to a division of a large enterprise).
Let’s face it – talk like this scares the pants off of the SME! (See The Midmarket View for additional commentary on Enterprise versus Midmarket SIEM perspectives).
- The presenters recommended a six-month “infancy” stage when implementing SIEM. Their suggestion: try to accomplish as little as possible, as successfully as possible. Focus primarily on collecting data (they also mentioned turning off 95% of the defaults out of the box).
Are you serious? I’m not sure about any of you, but if I told my management they had to wait six months to get anything out of an investment on the scale of many SIEM products (relative to the size of the business), I’d have a serious uphill battle ahead.
- The presenters were spot on with their statement that the goal is to “add context to data and make it actionable”.
But why can’t we eat the elephant one bite at a time? A more reasonable approach: identify the problems you’re trying to solve with your SIEM implementation, and start with the easy (easier) ones. Learn as you go. Think iteratively, but on a smaller scale – the reality is that a lot of us are resource-strapped and it may take six months to become confident in a system, but most of us also can’t wait that long to see real value and a return on the investment.
- During the session I also heard about the complexity of pricing models when looking at SIEM, and recommendations that you might want to outright negotiate pricing that factors in your growth and future deployment options, not to mention accounting for the services engagement that might be required.
That’s only part of the story. The challenge to the customer is to see the total cost of ownership: is the product you’re investing in appropriate for your environment? Do you understand the initial and ongoing commitment in time and dollars? This isn’t new, but SIEM can be a tough nut to crack – it’s not something we’re already familiar with, so we have a challenge when it comes to understanding something new AND making a good decision.
- Despite the difference in size, there are some interesting commonalities in the value proposition for SIEM for both the enterprise and SMEs. Examples of use cases for SIEM were mentioned in not just the SIEM-specific presentation, but also in presentations where SIEM was mentioned in relation to IDS, AV, and DLP.
These examples are present in every size organization: peer-to-peer or botnet activity, ancient viruses, access to unexpected ports from unexpected locations, data exfiltration, third-party breaches, phishing attacks. The reality is you don’t need a six-month deployment or a complex implementation or SIEM X.0 to detect most of this stuff.
If we can identify 80% of the breaches with 20% of the complexity (at 20% of the cost and in 20% of the deployment time) – I call that a success. Your implementation can always grow to use those cool features on the glossy pages that may (or may not) be useful, but in the meantime, is your data walking out the front door?
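To make the “20% of the complexity” point concrete, here is an added example (not code from the original post, and not TriGeo’s or any vendor’s product) that runs three plain rules over collected firewall log lines: access to an unexpected inbound port from an external address, bulk outbound volume to a single external destination (exfiltration), and evenly spaced outbound connections (botnet check-ins). The log lines, the internal address range, the expected-port list and the thresholds are all constructed for illustration.

```python
"""
Minimal rule-based detection over firewall logs.
Added example, not the original post's or TriGeo's code. Every log line,
network range, port list and threshold below is a constructed assumption.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log lines: timestamp action src dst dport bytes_out
SAMPLE_LOGS = """\
2011-02-15T09:00:01 ALLOW 10.0.0.5 203.0.113.10 443 1200
2011-02-15T09:00:05 ALLOW 10.0.0.5 203.0.113.10 443 900
2011-02-15T09:01:00 ALLOW 198.51.100.7 10.0.0.20 3389 300
2011-02-15T09:02:00 ALLOW 10.0.0.9 203.0.113.50 443 52000000
2011-02-15T09:03:00 ALLOW 10.0.0.9 203.0.113.50 443 61000000
2011-02-15T09:04:00 ALLOW 10.0.0.5 10.0.0.20 445 4000
2011-02-15T09:10:00 ALLOW 10.0.0.7 203.0.113.77 8080 200
2011-02-15T09:20:00 ALLOW 10.0.0.7 203.0.113.77 8080 200
2011-02-15T09:30:00 ALLOW 10.0.0.7 203.0.113.77 8080 200
2011-02-15T09:40:00 ALLOW 10.0.0.7 203.0.113.77 8080 200
"""

INTERNAL = [ip_network("10.0.0.0/8")]          # assumed internal range
EXPECTED_INBOUND_PORTS = {80, 443}             # assumed public services
EXFIL_BYTES_THRESHOLD = 100_000_000            # assumed: 100 MB per src->dst


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


def parse_line(line):
    ts, action, src, dst, dport, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "action": action,
            "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def rule_unexpected_inbound_port(events):
    """External source reaching an internal host on a port we do not expose."""
    return [("unexpected_inbound_port", e["src"], e["dst"], e["dport"])
            for e in events
            if not is_internal(e["src"]) and is_internal(e["dst"])
            and e["dport"] not in EXPECTED_INBOUND_PORTS]


def rule_exfil_volume(events):
    """Sum outbound bytes per (internal src, external dst); flag big totals."""
    totals = defaultdict(int)
    for e in events:
        if is_internal(e["src"]) and not is_internal(e["dst"]):
            totals[(e["src"], e["dst"])] += e["bytes"]
    return [("exfil_volume", src, dst, total)
            for (src, dst), total in totals.items()
            if total >= EXFIL_BYTES_THRESHOLD]


def rule_beaconing(events, min_hits=4, tolerance=0.1):
    """Flag src->dst pairs whose connections are evenly spaced in time,
    a crude signal of automated check-ins (botnet command-and-control)."""
    times = defaultdict(list)
    for e in events:
        if is_internal(e["src"]) and not is_internal(e["dst"]):
            times[(e["src"], e["dst"])].append(e["ts"])
    alerts = []
    for (src, dst), ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps):
            alerts.append(("beaconing", src, dst, mean))
    return alerts


def run_rules(text):
    events = parse_logs(text)
    return (rule_unexpected_inbound_port(events)
            + rule_exfil_volume(events)
            + rule_beaconing(events))


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOGS):
        print(alert)
```

On the constructed sample, the first rule flags the RDP connection from 198.51.100.7, the second flags 10.0.0.9 sending 113 MB to one external host, and the third flags 10.0.0.7 checking in every 600 seconds; the internal SMB connection on port 445 is ignored because both ends are inside the network. Each rule is a few lines over already-collected data, which is the kind of early win the post argues for before a six-month tuning stage.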
The SIEM Revolution starts with the customer. SIEM as a market has matured to the point that if the enterprise products are still doing things wrong after 10 years, they deserve to be called on it. As we face more complex, more distributed, and more targeted threats, there’s no reason to settle for the same old thing.
*** This is a Security Bloggers Network syndicated blog from TriGeoSphere authored by Nicole Pauls. Read the original post at: http://blog.trigeo.com/2011/rsac-2011-siem-revolution/

