Yesterday afternoon I attended the June 2011 general meeting of the Milwaukee Chapter of the ISSA. The meeting was held at the New Berlin Ale House and was well attended by approximately 30-35 people.
The guest speaker for the meeting was Robert Clark, Eastern US Channel Manager for TriGeo Network Security, and the topic was, “What Can a SIEM do for You?” “SIEM,” of course, stands for “Security Information & Event Management.” Mr. Clark’s talk was relatively quick and not very technical, but he did bring up some useful questions to ask your SIEM vendor, including:
- What does the solution have to offer out of the box and does it require several modules to meet your requirements?
- Are there any ongoing professional services and what are the costs?
- Will you need to provide the hardware?
- Is the data evaluated in real-time or is it primarily a forensics solution?
- Does the correlation engine process events in memory or query the database?
- How intuitive is the interface? Can you easily build or customize rules, filters, etc.?
- How long is the implementation process and does it require on-site technicians?
Two of the attendees explained how they evaluated SIEM solutions. Their advice was to commit to developing an in-house expert; otherwise professional service fees will eat your budget and you’ll never get a proper ROI on a SIEM solution. One person suggested this might be a valid reason for some organizations to consider a Managed Security Services (MSS) solution.
One attendee also suggested following Anton Chuvakin’s blog, as he frequently writes about SIEM.
In all, it was another successful ISSA Milwaukee chapter meeting and a great opportunity to network with other information security professionals in the area.