Andrew Hay took me to task a bit on my recent post about another SIEM eval install at an educational institution (it is a “suggested blog reading” post, so you will have to go down a bit to find his response to me). Andrew does work for Q1 Labs, which builds a SIM solution called QRadar. What Andrew said was that I was complaining about the price of SIEM without considering the cost savings it introduces, and I wasn’t being fair on the correlation issues. Here is what he said:
Most people, just like Michael Farnum, complain about the cost of a SEM/SIM/SEIM solution without taking the time to think about the people power required to do the same task. Think of the sick days, vacation, salary, and compensation package money saved on a product of this nature. Michael also complains that the correlation doesn’t work. Sure, out of the box it may not be able to handle all security events properly but that is where tuning comes into play. Just like any piece of hardware on your network you can’t expect it work for every environment out of the box…it has to be customized to your environment and policies.
Here’s part of my response that I posted as a comment on his blog:
Andrew,
I never complained about the cost of SIEM, and I fully understand the load it can possibly take from having a dedicated resource watching logs. I am speaking from the standpoint of a reseller, and I am referring to what I hear from clients. Heck, I used to be a client, and I complained about it then as well.
A fact is that many companies do not have a dedicated resource to check logs now, so when they buy a SIEM, they are looking at pure dollars of the project, not a comparison to what it would cost to hire someone to do it. Most companies I work with never even consider that cost savings because they know it is not possible for a human to watch all of that and have a meaningful result.
And honestly, if they do have a resource looking at logs, do you think most companies go into a SIEM deal thinking about laying off a bunch of people when they implement it? Not the companies I deal with. Maybe the gargantuan enterprises do, but most reassign those people to other security and network tasks. So there is no tangible savings other than they have resources to put in other projects.
And when it comes to correlation, yes the brains are there if you setup the rules correctly. What I didn’t quantify (and I should have – sorry) is that people want the intelligence more built in, with a way of discovering and mapping out the network and having more intelligence on knowing what devices “should” be considered important. Kind of a suggested model and then let you cut it back and change it how you see fit, rather than a complete blank slate. That’s what I meant when I said we will always have that gap.
Oh, and Andrew, nice picture on your about page. I am sincere when I say that. Bald is beautiful.
Vet

Hey Michael,
I probably shouldn’t have lumped you in with “everyone” but I guess I went off on a “Richard Bejtlich-ish”…”Bejtlich-like”….”Bejtlich-style” (yes that one will do) rant when it hit close to home.
“A fact is that many companies do not have a dedicated resource to check logs now, so when they buy a SIEM, they are looking at pure dollars of the project, not a comparison to what it would cost to hire someone to do it. Most companies I work with never even consider that cost savings because they know it is not possible for a human to watch all of that and have a meaningful result.
And honestly, if they do have a resource looking at logs, do you think most companies go into a SIEM deal thinking about laying off a bunch of people when they implement it? Not the companies I deal with. Maybe the gargantuan enterprises do, but most reassign those people to other security and network tasks. So there is no tangible savings other than they have resources to put in other projects.”
Very true. However, what I should have said was a lot of enterprise customers are looking for a way to avoid having to hire people to dedicate to log collection and correlation duties. They’d prefer to have a solution that allows them to meet their compliance commitments and prevent the need for additional head count to do it.
“And when it comes to correlation, yes the brains are there if you setup the rules correctly. What I didn’t quantify (and I should have – sorry) is that people want the intelligence more built in, with a way of discovering and mapping out the network and having more intelligence on knowing what devices “should” be considered important. Kind of a suggested model and then let you cut it back and change it how you see fit, rather than a complete blank slate. That’s what I meant when I said we will always have that gap.”
AI is on its way into this space to try and take the human factor out of the equation as much as possible, but I would not expect to see it any time soon.
On the plus side your comments gave me more to talk about in my “suggested blog reading” post than the usual “Good post” or “I agree”.
Every bald guy that I have met says the same thing: Bald is beautiful…