Wednesday, June 30, 2010

Choosing the right SIEM Solution

It's really hard to choose the right SIEM solution nowadays. With so much features available on these products, it's getting hard to choose the appropriate solution, especially regarding complex environments consisting of several sources of information.

In this post, the idea is to propose some important questions that we can use to help choosing the right solution. There are questions regarding technical and non-technical aspects as, for example, support, training, user interface, etc. Using this questionnaire it's possible to prepare a scorecard to obtain a best comparison. We can assign the following values: 0 for Absent, 1 for Limited Functionality, 2 for Complete Functionality and 3 for Exceeded Expectations.

  1. How many pre-existing parsers does the solution have (this is very important so it will be not necessary to develop new parsers to extract the log content)?
  2. How easy for creating new parsers?
  3. User Interface (intuitive? easy to operate?)
  4. Ability to collect events (volumetry)
  5. Storage of events (compression, file system type, external storage, cryptography)
  6. Event correlation process (is it easy to create correlation rules?)
  7. Normalization of logs
  8. Solution scalability (architecture, collectors, databases etc)
  9. High Availability
  10. Security in the communications between the components of the solution
  11. Reports (pre-existing, customization, compliance reports)
  12. Position in the Gartner's quadrant
  13. Ticketing system integration (integration with Remedy, for example, or an internal ticketing framework)
  14. Is it possible to filter events at the collectors (without sending some type of events to the infrastructure)?
  15. Possible to correlate information from IDS/IPS with Vulnerability Scanners?
  16. Possible to segregate functions inside the console?
  17. Technical support (other language options: portuguese/spanish/french/etc?, 24x7? SLA's?)
  18. Training (localized training?)
Any other suggestions?

No comments:

Post a Comment