The CISO's guide to choosing the right SIEM
In 2023, the Chief Information Security Officer (CISO) remains a role with broad reach, responsible for securing every aspect of a business, its people and its systems. The security team reporting to the CISO protects thousands of IT devices and systems dispersed across wide geographic areas from attackers who may themselves be anywhere on the planet. Modern infrastructures therefore depend on sophisticated security tooling to monitor traffic and distinguish normal, everyday activity from potentially malicious activity.
The security information and event management (SIEM) platform is one of the security team's most crucial tools. The SIEM market is large, the deployment and pricing options are highly flexible, and the choice must be aligned to the business the CISO protects. CISOs should fully evaluate the business and its particular goals before developing the criteria they need in a SIEM.
SIEM Market Landscape
Some SIEM solutions come as a single platform, while others are assembled from independent applications created by a range of suppliers. Some SIEMs are designed to run fully on-premises, others on a cloud platform, and others as a fully independent Software as a Service (SaaS) offering, each with a different split of responsibilities between vendor and customer. Price varies significantly as well, with many providers basing their fees on the volume of data the system must ingest and process. It is useful to establish fundamental SIEM evaluation criteria before deciding which product suits your organization.
- On-premises SIEM: These are installed, maintained, and operated by the company's IT or security staff on its own infrastructure. These platforms often have high initial hardware, software, professional services, and maintenance expenditures. Salaries for platform management professionals as well as the price of updating hardware and software are examples of ongoing expenses.
- Cloud-based SIEM: These are hosted in the cloud and managed by the SIEM vendor or a third-party supplier, which lets businesses outsource part of the maintenance and management work. Since there is no hardware to buy and no perpetual software license, upfront costs are usually lower; the initial spend is typically the subscription plus the services and effort needed to get source systems sending data to the SIEM reliably. Subscription fees are commonly based on the volume of data ingested or events processed, so log volume drives the recurring cost. Ongoing effort also includes triaging the alerts the system generates, many of which will not represent an actual incident.
- Managed SIEM: Typically, these are cloud-based SIEM solutions run by a third-party supplier that takes over monitoring and incident response on the organization's behalf. Because these platforms bundle additional services such as security incident monitoring and response, their pricing is usually higher. The client remains responsible for making source data available to the managing team and for helping that team learn the business so that alerts are appropriately aligned to real incidents. Organizations might also pay extra for features or services such as threat intelligence feeds.
- Open-source SIEM: These SIEM systems are built from open-source code and are freely available to the public, but freely available does not mean "free." They demand greater technical know-how to set up and maintain. Although the software itself is typically free to use under its license, deploying it, scaling it, and keeping it maintained and patched may require more staff, time and resources.
- Hybrid SIEM: These SIEM platforms let businesses utilize the advantages of both on-premises and cloud-based solutions. The price of a hybrid SIEM platform will vary depending on how it is configured, but it may involve a mix of up-front hardware and software charges as well as continuing subscription fees.
Considerations When Choosing a SIEM
Selecting a SIEM tool that is appropriate for their organization is one of the CISO's most crucial decisions, and several factors play into this commitment:
- Risk Tolerance: The CISO must guide the business leadership team to understand and acknowledge the risk tolerance of the business. Total risk aversion typically means that the cost of the SIEM and overall security can be extremely high. Does a company really need to have the monitoring system of Fort Knox? A balanced risk tolerance allows the CISO to choose the appropriate elements that enable the SIEM selection in alignment to a commensurate security and SIEM cost.
- Complexity: Complexity of the business systems and information systems in place could play a significant part in what SIEM can be selected and what the related cost factors could be. A highly complex business system and infrastructure architecture might have to be segmented with trade-offs made for what to cover first with the SIEM. The amount of data that must be absorbed by the SIEM from highly complex systems could add to the overall costs.
- Cost: Businesses are often shocked by the amount of data that their back-end systems generate that must be shared with the SIEM for the protection of the organization. Trade-offs in the log sources and data become critical discussions and may create gaps in the ability of the SIEM to "see" what is happening in an environment. None of the choices for platforms are completely devoid of operational costs to set up and collect information from back-end systems. Each business is unique in how and what data is important for their protection, and services add to the cost, but get the business up to a security standard faster.
- Alert Tuning: Tuning is crucial for any contemporary security program. Large organizations can generate millions of alerts per day, most of which do not correspond to real threats. Expecting humans to manually sort through all the logs to understand what is occurring on the infrastructure, especially in real time, is not feasible. In practice, tuning means suppressing known-benign sources, setting thresholds so that a single noisy event does not page an analyst, and aggregating repeated alerts for the same source into one case. Ongoing tuning is a hard requirement for all security teams, must be revisited as the environment changes, and must be factored into the cost equation.
- The Rise of Artificial Intelligence (AI) and Machine Learning (ML): Machine learning can be used to model the environment and the behaviors of systems, people and the network, as in User and Entity Behavior Analytics (UEBA) and Network Detection and Response (NDR). AI is one of the most significant recent advancements in SIEM technology: substantial compute is applied to the data flowing through the system to determine which behaviors and alarms are real threats that warrant human investigation. AI is not a final remedy in the SIEM world yet, but it should be considered for integration. Evaluate these features on your own data, since behavioral models need a baselining period and still produce false positives that require tuning. In the near future, defenders will need AI to keep pace with the AI that bad actors are deploying.
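To make the alert-tuning point concrete, the following is an added example, not code from the original article or from any vendor's product. It runs an untuned rule (alert on every failed SSH login) and a tuned rule (allowlist a known scanner, require a burst of failures within a window, and suppress repeat alerts for the same source and account) over a constructed sample of authentication log lines. The scanner address 10.0.0.9, the hosts, users and timestamps are all assumptions invented for the example.

```python
"""Alert tuning demonstrated on constructed SSH authentication log lines.

Added example: the log, the scanner allowlist and the thresholds are
assumptions, not data or rules from the article.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). Lines mimic OpenSSH syslog output
# with an ISO-8601 timestamp and hostname prepended by the collector.
SAMPLE_LOG = """\
2023-05-01T10:00:00Z host1 sshd[1001]: Failed password for svc-scan from 10.0.0.9 port 40001 ssh2
2023-05-01T10:00:01Z host1 sshd[1001]: Failed password for svc-scan from 10.0.0.9 port 40002 ssh2
2023-05-01T10:00:02Z host1 sshd[1001]: Failed password for svc-scan from 10.0.0.9 port 40003 ssh2
2023-05-01T10:00:03Z host1 sshd[1001]: Failed password for svc-scan from 10.0.0.9 port 40004 ssh2
2023-05-01T10:00:04Z host1 sshd[1001]: Failed password for svc-scan from 10.0.0.9 port 40005 ssh2
2023-05-01T10:00:05Z host1 sshd[1001]: Failed password for svc-scan from 10.0.0.9 port 40006 ssh2
2023-05-01T10:00:06Z host1 sshd[1001]: Failed password for svc-scan from 10.0.0.9 port 40007 ssh2
2023-05-01T10:00:07Z host1 sshd[1001]: Failed password for svc-scan from 10.0.0.9 port 40008 ssh2
2023-05-01T10:01:00Z host1 sshd[1002]: Failed password for alice from 10.0.0.5 port 51111 ssh2
2023-05-01T10:01:10Z host1 sshd[1002]: Failed password for alice from 10.0.0.5 port 51112 ssh2
2023-05-01T10:01:20Z host1 sshd[1002]: Accepted password for alice from 10.0.0.5 port 51113 ssh2
2023-05-01T10:02:00Z host1 sshd[1003]: Failed password for root from 203.0.113.7 port 60001 ssh2
2023-05-01T10:02:10Z host1 sshd[1003]: Failed password for root from 203.0.113.7 port 60002 ssh2
2023-05-01T10:02:20Z host1 sshd[1003]: Failed password for root from 203.0.113.7 port 60003 ssh2
2023-05-01T10:02:30Z host1 sshd[1003]: Failed password for root from 203.0.113.7 port 60004 ssh2
2023-05-01T10:02:40Z host1 sshd[1003]: Failed password for root from 203.0.113.7 port 60005 ssh2
2023-05-01T10:02:50Z host1 sshd[1003]: Failed password for root from 203.0.113.7 port 60006 ssh2
2023-05-01T10:05:00Z host1 sshd[1004]: Failed password for invalid user admin from 203.0.113.7 port 60011 ssh2
2023-05-01T10:07:00Z host1 sshd[1004]: Failed password for invalid user admin from 203.0.113.7 port 60012 ssh2
2023-05-01T10:09:00Z host1 sshd[1004]: Failed password for invalid user admin from 203.0.113.7 port 60013 ssh2
2023-05-01T10:11:00Z host1 sshd[1004]: Failed password for invalid user admin from 203.0.113.7 port 60014 ssh2
2023-05-01T10:13:00Z host1 sshd[1004]: Failed password for invalid user admin from 203.0.113.7 port 60015 ssh2
"""

# Assumed: 10.0.0.9 is the organization's authorized vulnerability scanner.
KNOWN_SCANNERS = frozenset({"10.0.0.9"})

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a normalized event dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


def parse_log(text):
    """Parse all lines and sort by timestamp so windowing sees events in order."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def untuned_alerts(events):
    """Naive rule: one alert per failed login. This is the noise an untuned SIEM produces."""
    return [{"src": e["src"], "user": e["user"], "ts": e["ts"]}
            for e in events if e["outcome"] == "Failed"]


def tuned_alerts(events, allowlist=frozenset(), threshold=5,
                 window_seconds=60, suppress_seconds=600):
    """Tuned rule: ignore allowlisted sources, fire only when `threshold` failures
    for the same (source, user) fall inside a sliding window, and suppress repeat
    alerts for that pair for `suppress_seconds` after one fires."""
    window = timedelta(seconds=window_seconds)
    suppress = timedelta(seconds=suppress_seconds)
    recent = defaultdict(deque)   # (src, user) -> timestamps of failures in window
    last_alert = {}               # (src, user) -> time of last alert
    alerts = []
    for e in events:
        if e["outcome"] != "Failed" or e["src"] in allowlist:
            continue
        key = (e["src"], e["user"])
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) < threshold:
            continue
        prev = last_alert.get(key)
        if prev is not None and e["ts"] - prev < suppress:
            continue                              # already alerted recently: aggregate
        last_alert[key] = e["ts"]
        alerts.append({"src": key[0], "user": key[1], "first_seen": q[0],
                       "last_seen": e["ts"], "failures": len(q)})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("untuned alerts:", len(untuned_alerts(evs)))
    print("tuned alerts:  ", len(tuned_alerts(evs, allowlist=KNOWN_SCANNERS)))
    for a in tuned_alerts(evs, allowlist=KNOWN_SCANNERS):
        print(a)
```

On this sample the untuned rule raises 21 alerts; the tuned rule raises one, for the burst of root failures from 203.0.113.7. The scanner traffic is removed by the allowlist, the two mistyped passwords by alice never reach the threshold, and the slow attempts against the admin account are spread too thinly for a 60-second window, which is also the kind of low-and-slow activity a later tuning pass would revisit with a longer window or a lower threshold for invalid accounts.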
Each organization is different in how they should be protected. The business must be fully engaged in the conversation and the CISO must drive home the fact that security is not a project that has a defined start and stop. Security is an ongoing cost to doing business and must be adapted to suit the changing threat landscape. While it is a business cost, security has also become a business enabler. A solid security program can be used to the advantage of the business in their dealings with clients and customers.
The SIEM tool that the CISO selects for the business should be representative of the business in terms of cost, complexity and flexibility. If the wrong choice is made or the trade-offs cut too deep, the CISO and the security team will not be able to protect the business.
Kevin Kirkwood is Deputy CISO at LogRhythm.