Collecting security data and turning it into actionable insight forms the foundation of a strong cybersecurity strategy. However, organizations are swimming in data, which makes this task complex. Traditional Security Information and Event Management (SIEM) tools are one approach organizations have tried, but these often fall short for several reasons—namely, cost, resources and scalability.
There’s no shortage of vendors on the market offering alternatives. Navigating the field of potential security solutions and vendors is increasingly difficult, though. How can you truly know what the best solution is? How do you determine what’s the best choice for your organization?
There are some key factors to focus on to help make that decision. To understand them, you must first know the challenges organizations face today, where traditional solutions fall short, and which questions to ask would-be providers as you navigate your purchasing decision.
The challenges with traditional SIEMs
Many security teams find it quite challenging to corral huge amounts of data from disparate sources. It’s vital to collect this information so that the SIEM can quickly detect threats and respond accordingly. However, as the amount of data increases, so does the cost – sometimes excessively.
What makes this even harder is that compliance mandates may require data to reside in certain geographic locations or clouds. Properly securing and analyzing that data with encryption, access controls and retention policies then adds further cost and complexity. When an organization lacks total visibility across all its critical data, its ability to carry out SecOps effectively suffers – especially at enterprise scale, because that is where costs can suddenly mushroom.
As organizations seek to harness and interpret data insights for actionable solutions, they need to bring vast volumes of disparate data together. Many have turned to SIEMs to help, but they’re still struggling. That’s because traditional SIEMs are plagued by some common challenges, including cost, scalability, lack of a unified view and information overload.
According to one recent report, 50% of those surveyed expressed dissatisfaction with their SIEM, with the primary reasons being scalability, cost and data management.
The next generation of SIEMs
Many organizations are finding that traditional SIEMs are inadequate, and rising costs have prompted some to limit data ingestion in an attempt to reduce expenses. For instance, some avoid bringing their Endpoint Detection and Response (EDR) data into the SIEM to save money, but EDR is a significant data source; without it, detection and response are far less effective.
Organizations shouldn’t have to choose which data they bring in and which they leave out based on cost; that ultimately defeats the point of a comprehensive solution. SecOps teams need a solution that can ingest critical data from any format or source and extract meaningful context in real time. And they need this done without hidden costs, in a way that is flexible and works with their other existing technology investments.
Today, there are better approaches – but knowing how to evaluate them from the sea of options can be a challenge.
Evaluating a new SIEM
When your SIEM solution is no longer delivering on its intended value, it’s time to switch. There are certain questions you need to ask to ensure that your organization will get the one that best serves your security goals. A few important things to consider when it comes time to evaluate a new solution are:
Does this solution provide the ability to optimize my data and/or prioritize our data sources for both cost savings and increased visibility?
What kind of risk prioritization abilities are included?
How much flexibility does this solution provide me? For example, can I choose my own data lake?
Does this SIEM vendor give a clear account of how the solution scales? Businesses need a solution that can meet their needs today and tomorrow, but not all vendors provide that. It’s important to understand what is being promised and how the vendor plans to deliver it.
Does the solution provide transparency and a detailed understanding of costs? All too often, organizations feel they’ve been subjected to a bait-and-switch when they compare what they thought they’d be paying with what they’re actually spending.
What are my deployment options? Organizations need options for deployment (on-prem, private cloud, public cloud, and SaaS) because it’s not a one-size-fits-all situation. For instance, some organizations may have to deploy on-prem for a variety of reasons, yet some SIEM vendors only provide cloud options. Conversely, others may have a cloud-first strategy, which could involve public, private, or hybrid scenarios as well as SaaS – and not all SIEM vendors accommodate all of those environments. Regardless of deployment type, companies need a solution that can scale with business needs.
The bottom line is that change is hard, which is why many organizations stay with their existing SIEM solution even when they’re dissatisfied with it. When considering a new solution, ensure the vendor will provide a clear migration path for your organization.
In search of a modern SIEM
Organizations must have data insights so that they can build a comprehensive security strategy. Legacy SIEMs can’t handle today’s data volumes or the rapid pace of evolving threats. Ingestion costs are high, leading to tough decisions about data prioritization and to an incomplete picture. SecOps teams struggle with the gaps in visibility and operational inefficiencies that come from decentralized data.
The result is that organizations end up with expensive, resource-heavy systems that are hard if not impossible to scale. This must change for the sake of security, so you need to know which questions to ask vendors. Refer to the list noted above as you seek out a SIEM that can become a true security partner.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.