How to Choose the Right SIEM Solution for my Organization?

Are you unsure which SIEM solution to choose, or are you implementing SIEM for the first time in your organization? If so, this article offers a few suggestions and some background to help you make an informed decision.

Many people think of SIEM as simple and easy to manage, like availability monitoring tools (SolarWinds, Zabbix etc.). SIEM is in fact a complex process built around a tool, and it requires a lot of effort, highly skilled expertise and time to make it successful.

An effective SIEM is one that provides a safe environment for a business to deliver on its core objectives in line with its strategic direction and vision.

Here are the key factors to take into consideration before implementing a SIEM solution.

Pricing and Product Features

Designing, sizing, and planning are the 3 crucial aspects of SIEM deployment. SIEM product cost varies based on log size, events per second and additional features such as AI/ML components. If this is not planned properly, you will either end up paying more than the planned budget or end up compromising on certain features.

Most SIEM products claim to have tons of features, including AI/ML and SOAR capabilities. Decide on only the features that are required for your organization/business, and ensure that you have the right SOC team (in-house or outsourced) that can handle all alerts and act on them.

Check with product vendors and get clarity on pricing and on implementation and integration effort and cost. Ensure all product features are covered within the price and that there are no additional or hidden charges.

If you are implementing SIEM for the first time, we would recommend starting with an open-source SIEM product such as Wazuh, SIEMonster etc. This helps you prepare your environment for integration with different security devices/sources, reduce false positives, prepare processes, and set up a SOC team and workflows.

Open-source products may not be as feature rich as commercial products, but most of them do a decent job. Commercial SIEM products might have all the features, which may suit large enterprises, as they have the budget for a skilled SOC team to take care of any alert. Small and mid-size organizations may not have the budget to build a large SOC team.

SOC As a Service:

SOC as a Service is a better option for small and mid-size organizations. Both the product and the service are managed by the vendor.

Start-up companies think that SIEM is for large, well-established organizations. They fail to realise that it is equally important for them, as they provide vital services, either through their SaaS model products/services or by delivering services to organisations that provide critical services (healthcare, defence etc.). At the end of the day, both the serving and the receiving organisations should be covered by 24×7 security monitoring SOC services.

If you are considering SOC as a Service, consider the points below before you make a decision:

  1. Are you willing to ship your logs to the vendor's system for processing? Some organizations can't share logs due to compliance and confidentiality issues.
  2. What happens if you end the service with the vendor? Will they be ready to share the log history? 
  3. Clearly chalk out the exit criteria before you sign an agreement.
  4. If you are moving to another product vendor, you may need to reconfigure the entire SIEM setup to fit in with the new product/vendor. 

Conclusion:

The most beneficial option would be to deploy an open-source SIEM in your environment (be it in the cloud or on premises) and outsource the SOC services to a vendor that has the skills and capabilities to process alerts and to integrate all security devices/systems/applications.

How Can IARM Help You?

IARM is flexible when it comes to implementing SIEM products for customers. We provide SIEM consultancy to help customers select the best SIEM product for their needs based on their environment and requirements.

IARM has partnered with Wazuh's open-source SIEM technology to offer SOC as a Service (SOCaaS), enabling faster SIEM and SOC setup while assuring proactive threat monitoring and appropriate response to keep customer environments secure.

The success of a SIEM implementation is highly dependent on selecting the right SIEM solution for your organization. Speak with one of our experts to help you make the best decision possible.
