IT Rates IBM's Q1 Labs Top SIEM Performer: Page 3 of 3

SIEM Challenges

While a SIEM system can be useful, it can also be complex to deploy and operate. Security teams have to set up links between the SIEM system and the devices that feed it events and log data. They also need to build and refine the correlation rules that govern how the SIEM system will respond to the data it gathers and analyzes. And of course, IT must monitor the system and investigate the alerts and notifications.

These difficulties are reflected in our survey. Respondents say the top challenge they face with SIEM is managing general complexity (see chart, below). They also cite a lack of integration with other network management tools and the work of building correlation rules. If you're evaluating a product, don't underestimate operational complexity; look for products that offer a user interface that's intuitive and easy to understand and traverse.

Cost also can be a concern with SIEM. Many products are expensive, but the full cost isn't just the hardware and software. You also must account for staff hours and possibly consultant fees for installation and configuration, as well as for the extensive integration required. SIEM products rely on databases for event and log analysis, which means DBA expenses must also be considered, not only for the initial configuration of the product but also ongoing maintenance and tuning.

And of course, IT and security teams will need to be trained to use the product. These factors affect your total SIEM cost. As one respondent commented, "Total cost of acquisition and operating is elusive. When you purchase a SIEM solution, the work is just beginning."

Forty-nine percent of respondents who use SIEM say they have no plans to add another vendor or replace the one they're using. Yet when asked what it would take to get them to replace a vendor, the top two factors are substantial savings in capital and operational costs. All things being equal, even those who are hesitant to make a vendor change are willing to consider it if it means a less-expensive product.

And what about the 51% who are considering replacing or adding a vendor? Their top priorities are better performance and operational cost savings. That said, most IT shops aren't rushing to replace incumbent vendors. That's because SIEM products are tightly woven into a larger security management infrastructure and would be difficult to disentangle.


[Chart: What challenges do you expect with your SIEM system?]

Dean Francis is an enterprise architect at Fusion PPT, a consultancy.