I went to another client of ours from an educational institution (this time in Dallas), and they were similar to the client I spoke of in my last post. However, this site seemed to be a bit more proactive when it came to security, and he didn’t seem near as stressed as the other client.
But the security posture (or lack thereof) is not what I want to talk about today. What I want to write about is that both of the educational clients I have seen over the last few days have been putting in SIEM evaluations. Actually, they are really doing Proof of Concept (POC) installs, which is a little more on the level of serious consideration of the product. And this is not just limited to our educationoal clients. We (meaning the Accuvant Dallas and Houston areas) have already done several evaluation and POC installs for Network Intelligence, er…. RSA enVision over the last few months, and I believe at least two of those have resulted in a sale, so this is something people are serious about.
A major complaint about SIEM is price. Often that results from companies that have a big enterprise and are in need of a distributed SIEM environment where there are collectors at mutiple sites and a brain in the middle to handle the sorting, correlating, etc. Also, big environments often need large amounts of storage for their logs, and this can also result in extra cost of they don’t have a good SAN infrastructure in place or want to isolate those logs. This a very valid comoplaint, but it seems to be one that os not going too go away very soon. The demand for this solution is not dwindling in my experience, so capitalism is in play. Of course, if someone wants to walk in with a good product and start undercutting everyone to gain marketshare, then I would think this is a great time to do it.
Another complaint is that the correlation just doesn’t work, that you can’t replace a human that knows the network with a computer that is limited to what rules you give it. From my point of view, this is getting better and better. I have seen some very nice examples of correlation (fairly simple examples, but the intelliegence is getting there), though there will always be that gap. Well, at least until we get to the level of C3PO or Data.
As a compliance widget, SIEM is often a good tool, if you can afford a tool that just gets auditors off your back. SOX requires companies to consolidate and review logs for controls over financial systems, so this can satisfy that checkbox if you just want a “good enough” scenario (which I recommend against strongly). Often the reports that come built in on these boxes give some good info, and they look for an auditor, but always remember that compliance does noot equal security. HOWEVER, if you are trying to get a SIEM solution in place to help your security posture and you need a reason that management might bite on, then compliance can often be what you are looking for.