We just finished our series on Log Management and SIEM. I learned a lot from our member CISOs over the past 4 weeks hitting all of our chapter cities and hearing similar stories of Log Management and SIEM challenges and successes. Here are the highlights of what I heard:
1. SIEM was mostly acquired to meet a regulatory requirement. Cost was very high and implementation was long and costly.
2. Use cases were not typically developed and continued value has been hard to justify. Bought purely for the compliance "check mark"
3. SIEM 1.0 (as its being called now) is too combersome and costly requiring as much as 2x or 3x of the license cost in professional services to implement.
4. SIEM does NOT reduce head count but does help focus "eyes on glass" for event monitoring.
5. Going the MSSP route for SIEM still requires a dedicated internal resource to review alerts in context to the enterprise becuase MSSPs, as hard as they try, don't have the internal view and context as an employee has
6. SIEM 2.0 promises a lot of automation and simpler implementation. Some CISOs are even considering wholesale "rip and replace" for SIEM 1.0 implmentations.
7. Some firms are seeking cyber threat analysts to man the internal SIEM - standing up their own cyber-threat-intel operations.
8. A debate exists about whether to claim ignorance and not maintain the log data since having the data but not reviewing it daily might be construde by the courts as being worse that not having the data in the event of a breach investigation. Lawyers warn this is a double-edged sword and say better to have.
9. Lawyers tell us that log data is often missing or woefully deficient when they get called in to help after breaches.
10. The log management and SIEM debate will go on for a long time and good vendors with easy to implement solutions will be the winners
I hope you got a chance to attend the session in your chapter city. If you did not, the materials are available on your chapter page.