A Security Information and Event Management (SIEM) tool ingests logs from across your environment, correlates the data, and surfaces the results through alerts, dashboards, and reports. A SIEM also normalizes events from many different sources into a common schema, so that someone who is not an expert in each product's native log format can still read and query them.
SIEMs are, however, inherently complex tools. Using a SIEM effectively requires understanding which logging your company's security policies and procedures demand, and which regulatory or industry obligations apply, such as PCI DSS (an industry standard) or GLBA (a U.S. law). The logging, parsing, and correlation content built to satisfy those requirements further raises the level of knowledge expected of anyone operating the SIEM.
Factors such as the size and skill of your team, your compliance requirements, and your budget all inform the decision on how to deploy.
There are three general ways a SIEM can be deployed:
Internal: This model relies solely on internal resources for both staffing and ownership. The business is responsible for monitoring and defending the network 24x7x365. Going it alone keeps the knowledge in house and may reduce some costs, but it demands a high level of expertise and careful planning, including enough trained analysts to cover nights, weekends, and holidays.
Co-Managed: You share the resources and the responsibility with a service provider. This model lets your staff focus on other strategic security projects where their time is better spent, while the provider takes on the labor-intensive job of monitoring and managing security events outside business hours. Because responsibility is split, the boundaries of who owns what (tuning, triage, escalation, response) need to be written down and agreed on.
External: Your partner manages the SIEM software and the data it holds. This is a good option for CISOs who would like to defer purchasing security tooling and hardware, or who lack the internal staff to manage an array of current technologies. An external provider makes scaling operations simpler and provides more flexibility, but since your logs now live with a third party, ownership of that data, retention, and what happens to it when the contract ends should be settled up front.