Comments on: A response to Andrew Hay’s response to my SIEM post http://infosecplace.com/blog/2007/05/09/a-response-to-andrew-hays-response-to-my-siem-post/ Commentary on the State of Information Security Thu, 02 Feb 2012 20:22:19 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Andrew Hay http://infosecplace.com/blog/2007/05/09/a-response-to-andrew-hays-response-to-my-siem-post/comment-page-1/#comment-19084 Andrew Hay Wed, 09 May 2007 18:46:54 +0000 http://infosecplace.com/blog/2007/05/09/a-response-to-andrew-hays-response-to-my-siem-post/#comment-19084 Hey Michael, I probably shouldn't have lumped you in with "everyone" but I guess I went off on a "Richard Bejtlich-ish"..."Bejtlich-like"...."Bejtlich-style" (yes that one will do) rant when it hit close to home :). "A fact is that many companies do not have a dedicated resource to check logs now, so when they buy a SIEM, they are looking at pure dollars of the project, not a comparison to what it would cost to hire someone to do it. Most companies I work with never even consider that cost savings because they know it is not possible for a human to watch all of that and have a meaningful result. And honestly, if they do have a resource looking at logs, do you think most companies go into a SIEM deal thinking about laying off a bunch of people when they implement it? Not the companies I deal with. Maybe the gargantuan enterprises do, but most reassign those people to other security and network tasks. So there is no tangible savings other than they have resources to put in other projects." Very true. However, what I should have said was a lot of enterprise customers are looking for a way to avoid having to hire people to dedicate to log collection and correlation duties. They'd prefer to have a solution that allows them to meet their compliance commitments and prevent the need for additional head count to do it. "And when it comes to correlation, yes the brains are there if you setup the rules correctly. What I didn’t quantify (and I should have - sorry) is that people want the intelligence more built in, with a way of discovering and mapping out the network and having more intelligence on knowing what devices “should” be considered important. Kind of a suggested model and then let you cut it back and change it how you see fit, rather than a complete blank slate. That’s what I meant when I said we will always have that gap." AI is on it's way into this space to try and take the human factor out of the equation as much as possible, but I would not expect to see it any time soon. On the plus side your comments gave me more to talk about in my "suggested blog reading" post than the usual "Good post" or "I agree" :). Hey Michael,

I probably shouldn’t have lumped you in with “everyone” but I guess I went off on a “Richard Bejtlich-ish”…”Bejtlich-like”….”Bejtlich-style” (yes that one will do) rant when it hit close to home :) .

“A fact is that many companies do not have a dedicated resource to check logs now, so when they buy a SIEM, they are looking at pure dollars of the project, not a comparison to what it would cost to hire someone to do it. Most companies I work with never even consider that cost savings because they know it is not possible for a human to watch all of that and have a meaningful result.

And honestly, if they do have a resource looking at logs, do you think most companies go into a SIEM deal thinking about laying off a bunch of people when they implement it? Not the companies I deal with. Maybe the gargantuan enterprises do, but most reassign those people to other security and network tasks. So there is no tangible savings other than they have resources to put in other projects.”

Very true. However, what I should have said was a lot of enterprise customers are looking for a way to avoid having to hire people to dedicate to log collection and correlation duties. They’d prefer to have a solution that allows them to meet their compliance commitments and prevent the need for additional head count to do it.

“And when it comes to correlation, yes the brains are there if you setup the rules correctly. What I didn’t quantify (and I should have – sorry) is that people want the intelligence more built in, with a way of discovering and mapping out the network and having more intelligence on knowing what devices “should” be considered important. Kind of a suggested model and then let you cut it back and change it how you see fit, rather than a complete blank slate. That’s what I meant when I said we will always have that gap.”

AI is on it’s way into this space to try and take the human factor out of the equation as much as possible, but I would not expect to see it any time soon.

On the plus side your comments gave me more to talk about in my “suggested blog reading” post than the usual “Good post” or “I agree” :) .

]]> By: anonymous http://infosecplace.com/blog/2007/05/09/a-response-to-andrew-hays-response-to-my-siem-post/comment-page-1/#comment-19083 anonymous Wed, 09 May 2007 18:45:58 +0000 http://infosecplace.com/blog/2007/05/09/a-response-to-andrew-hays-response-to-my-siem-post/#comment-19083 Every bald guy that I met say the same thing: Bald is beautiful... Every bald guy that I met say the same thing: Bald is beautiful…

]]>