3 Questions to Ask SIEM Vendors — And 3 to Ask Yourself

The best vendor evaluations are standardized. Develop a checklist for your requirements and desired outcomes. It helps to have a trusted advisor to help you through this process, as it’s easy to become enamored with certain features and functions that really don’t matter.

In this post, you’ll learn the right questions to ask your prospective vendor — and yourself — throughout the process of buying a Security Information and Event Management (SIEM) solution.

Deconstructing the Alphabet Soup of Information Security

The security industry sure loves acronyms. Here are a few that you’ll commonly come across.

Questions You Should Be Asking a Prospective SIEM Vendor

1. How much data do I need to send to you?
   It’s not so much about the amount of data, but rather the right data. Windows Event Logs, all authentication logs, and security events (EDR, AV, NSM, etc.) are a great start. One common problem is trying to introduce high-volume sets of data (like web gateway logs) too quickly, because that’s the old-school way of thinking. Next-gen SIEMs and XDRs leverage machine learning and analytics to baseline an environment so that anomalous behavior can be quickly and easily detected.
   
2. Are the actions I take using your tool repeatable?
   As mentioned above, it’s not so much about the amount of data as it is about the right data and the right platform to process that data to get you the outcome you’re looking for. It’s also about being able to repeat the same process the same way each time.
   
3. How does this product integrate into my existing security portfolio?
   If your vendor makes unbelievable claims about the problems they solve without asking you what problems you have, they are missing the point. Vendors should take an outcomes-based approach to solving their customers’ challenges. Even then, some vendors will deviate from addressing your particular needs and instead focus on what they think is best. There are some pretty cool solutions out there that do some pretty awesome things, but if they are offering you a Band-Aid for a cut you don’t have, then you are being distracted from your objectives.

The Three Hallmarks of SIEM Success

When it comes to evaluating SIEM vendors, there are three categories of questions you should be asking yourself.

1. Integration – Am I able to dump in all the logs I wanted to, and can I establish what normal behavior of that stack looks like across all those tools?

2. Analytics – Do my people have to learn Snort rules in order to find out what happened in a log, or is it laid out for them? If I’m rich in people but poor in capital expense, that’s fine, but if I am turning help desk workers into forensic analysts, I need some tool help and analytics.

3. Automation – What automation is available? Can I sort and automate anything? Does the tool help with threat hunting or just give me a command-line interface (CLI) for self service? If I have a particularly low-level SOC, can I automate ticketing to appropriate teams for certain classes of events? 

Next-gen SIEMs have identity data, network data, and endpoint data all in one place. Ideally, your tools should do the work for your analysts. They should always enforce and support processes — repeatable work streams that happen every day — because the SOC gets a lot of alerts. The way that data is sorted, how the details about context are enriched, knowing

risk, and having playbooks makes training go faster. With the right tools, you can spin up a competent SOC analyst in a matter of weeks rather than months.

Future-proof Your SOC Success with the Right Analytics in Your SIEM

The number one reason for monitoring your security ecosystem is to defend against the bad guys — usually organized crime or a nation-state actor. In the end, it’s all about money in one way or another. The good news is that if you have your tools set up correctly, you’re already one step ahead, even when something goes terribly wrong.

Attack vectors keep changing. In 2001, Code Red worms spread across the planet by time zones, and as each new geo came online and turned on their systems…Poof! Proliferation galore. Two years later, it was Slammer. In 2016 and 2017, it was Petya, and then the destructive NotPetya. The minute hackers get their hands on any new exploit code, it’s off to the races.

It takes less than a minute for a newly-stood-up box/honeypot to start being scanned for vulnerabilities, even on a smaller or less significant ISP. It can take less than half an hour for the attacks to start.

The behavior stays the same. People attack infrastructure, third-party libraries, application logic faults, or plain old unpatched software. Whatever the nasty wrapper that originates the path of the attack, the vast majority of attacks have similar paths to proliferation through the system and persistence — namely, compromised user or service accounts. 

Remember the high-profile Apache Struts issues in 2017, and the software supply attack in 2020 called Sunburst? And, of course, there’s the zero-day Log4j exploit that dropped on a Friday afternoon, killing the weekend for hundreds of thousands of people across engineering, support, and development — not to mention the poor SOC people being asked hourly for reports they’d never had to produce before.

Thankfully, it’s now possible to see identity events mapped into network activity.

TDIR must, above all, find a way to link related events by causality to identify each major step of the adversary’s actions. Events do not happen in isolation from one another, so the data should support identifying what came before as well as what happened next. 

This is why seeing “normal” and identifying anomalies is far more powerful than older, signature-based detection. You definitely need data from your identity provider, Active Directory, and so on, to correlate against network and endpoint detection technology. If you’re

not pulling those logs in off your Active Directory now, you’re missing a big piece of the puzzle.

Modern SIEMs must be able to put all related events together, sort by timestamp, and add some sort of actual risk scoring that takes in the data from the device or sensor, and adds intelligence across your reporting stack.

If you don’t know the MITRE ATT&CK framework, spend some fun time clicking through their attack chain and focus on all of the tactics, techniques, and procedures (TTPs) used to proliferate, spread laterally, and persist in your network. There are so many places where seeing anomaly behavior will give you the edge to find an infection, a compromised user or service account — those behaviors are consistent.

This is going to remain. “This is the Way.” This is the value of your SOC, of your SIEM and XDR tools, the value of doing more with less — or rather, the value of doing things consistently, in a programmatic way. And your SIEM should be there, supporting you every step of the way.

Summary

Now you’re armed with some of the right questions that will be most useful to you when talking to your Board, your fellow stakeholders in the organization, your vendors, and — most importantly — your team of analysts doing the daily work.

Watch the Webinar

For more insights, watch the on-demand webinar, “The 5 Claims Your SIEM Vendor Should Never Make… And They Did.” Learn about the questions everyone should be asking their security teams, potential vendors, and management.