The promise of Security Information and Event Management (SIEM) solutions is easy to grasp. They tie together your detection and monitoring systems, along with device logs, to give you a clear overview of alerts and security events. Realizing SIEM’s promise can be somewhat challenging in real life, however. A range of nuanced differences between solutions can affect the technology’s impact on your security posture. Customization is one example. David S., an IT security analyst, is one user who feels that customization is the most valuable feature of his SIEM. He can “build it out to do whatever I want,” such as creating rules for cryptomining and cryptojacking.
Security Information and Event Management Economics
Security operations (SecOps) can be a heavy budget item for a business, so SIEM economics matters when assessing whether a SIEM solution is doing its job. A security engineer/analyst/admin at a 1,000+ employee aerospace firm was convinced by flexible LogRhythm pricing, and, as he put it, “My advice would be to definitely look into it [LogRhythm]. I’ve used other SIEMs that were vastly oversold and cost way too much money.” A security operations center manager at a financial services firm with over 1,000 employees echoed this sentiment, stating, “In comparison to the competition, they are more affordable. This allows us to do more with less.”
Cost was also an issue for Kevin M., a security manager at a manufacturing company with over 1,000 employees. He compared LogRhythm vs. Splunk, and chose LogRhythm. Here’s why: “From a Splunk perspective, cost. Cost to build it out and then cost of licensing, it’s just unattainable for us.” James W., a security administrator at a nonprofit with more than 500 employees, shared his SIEM economic metrics, commenting, “The most valuable feature has just been the log reporting. Within three hours of installation of LogRhythm, we were pulling error reports that actually indicated we had a switch about to fail. It saved us about ten thousand dollars of a potential failed switch.”
Better Event Classification
Security operations center (SOC) team members need to move quickly when they become aware of a security event. Better event classification thus differentiates an effective Security Information and Event Management solution from its competitors. According to David S., “From the administration side as well, it’s a lot easier to use than other products that I’ve had and it has all the built in knowledge, whereas with some tools you dump all your data into it and it’s up to you to do that classification and indexing and understanding of that data, where the value that LogRhythm’s gonna provide for you is that prebuilt classification for all the data sources in your environment.”
In addition to the goals of speed and SOC team efficiency, automation is a critical capability for a security information and event management solution. The more automation, the better, according to end users, especially when it’s integrated into the system’s functionality. For example, a senior security engineer at a healthcare company with over 10,000 employees said that his SIEM has provided his team “with increased staff productivity through orchestrated, automated workflows.” Rob H., a Security Engineer at US Acute Care Solutions, a healthcare company with over 1,000 employees, similarly noted, “The solution has provided us with consistency and increased staff productivity through orchestrated automated workflows by at least 20 percent.”
Other notable comments about automation included:
“We integrated it in with our ticketing system, so if an alarm fires, it raises a ticket in our system. Therefore, if I find somebody needs to action other things on it, I can just forward the ticket along. This is all done via email, which is pretty slick.” – Kurt S., a senior security engineer at a manufacturing company with more than 5,000 employees
“The solutions have been great for us. We use the SmartResponse to do most of our automation work for us, to block attacks, and to kick off users if they’re doing anything malicious. It’s saved us a lot of man hours. Based on MTT and MTRs for us, we’ve saved a lot of considerable time.” – Punit P., a senior SIEM engineer at a financial services firm with more than 500 employees
“We plan on using the playbooks, and the value I think we’ll get is automating or scripting the responses that our analysts use, rather than using our existing playbooks, which are somewhat incomplete.” – Security admin at a company with over 1,000 employees
Incorporation of Key Security Tools and Capabilities into One Solution
Centralization of SecOps functionality into a unified solution ranks high among users as a driver of preference for a SIEM solution. As Alex W., a systems CSO at a manufacturing company with over 1,000 employees, revealed, “It’s our central security monitoring platform. It’s where we bring all of our events together so we can monitor our network.”
“I think the biggest way that it’s improved us from an organizational standpoint is giving us a single view into all of our log sources and all of our infrastructure devices,” said Steve B., an information security manager at a healthcare company with over 1,000 employees. He added, “Whereas before we didn’t ever have that. It was always a hodgepodge of stuff put together, so I think the best thing is that it brings everything together so that we can all have one view of it.”
A security admin at a company with over 1,000 employees remarked that “LogRhythm SIEM has improved our organization by allowing us to bring in very widely diverse log sources, correlate them, and very easily create rules around alerting. We also use the case management features of the product to easily integrate both products into a single pane of glass for our analysts so they don’t have to use two different products.”
The Ability to Solve a Wide Range of Use Cases
SIEM solutions have to be adaptable to solve a wide range of use cases. IT Central Station members report putting their SIEM solutions to work across many different SecOps workloads, including:
- “Correlate events across all our infrastructure with a small staff.” – Senior Architect at an energy/utilities company with over 200 employees
- “Log collection and threat identification.” – Rob H.
- “Allowing us to say that we are compliant with HIPAA, PCI, etc.” – Wadson F., an information security engineer at Seminole Tribe of Florida, a government agency with over 1,000 employees
- “Trying to get all the logs collected, see how things can be integrated or what’s happening through the different products.” – Senior security engineer at a healthcare company with over 10,000 employees
- “Log collection and aggregation for all of our Windows machines — hooked into Office 365 with the API to manage our cloud environment, and it’s performed phenomenally.” – Jacob H., a security engineer at Managed Technology Services LLC, a tech services company
Finally, SIEM solutions are critical for SecOps, so stability is highly valued by end users. “In the three weeks that we have had it, we have had 99 percent uptime. It is a very stable platform,” said Wadson F., an information security engineer at Seminole Tribe of Florida, a government agency with over 1,000 employees. The financial services security operations center manager also found his SIEM stable, revealing, “We haven’t had any major problems.” Jacob H., a security engineer at Managed Technology Services LLC, a tech services company, simply stated, “It has been completely stable. We have had it in for a little over a year now, fully in production, and it has never gone down once.”
To learn more about what real users think about LogRhythm NextGen SIEM, visit IT Central Station.