As promised, this next post from my SIEM research project is about people. Over the course of my 10+ year (!) experience with SIEM technology, I have come across organizations that assumed that buying and deploying a SIEM tool is all they need to do for security monitoring. I wish I could say that the number of such occurrences has decreased over time, but, in reality, it has increased (probably because less mature organizations are now buying SIEM tools en masse).
In any case, let me repeat what I’ve said many times in the past: your investment in SIEM will be completely, totally, absolutely wasted if you don’t have smart people operating the tool on an ongoing basis (yes, “ongoing basis” really does mean forever).
There are multiple ways to rephrase it so that more people will hopefully get it. My teammate Ramon Krikken once called SIEM “a force multiplier” for security. If your “force” of security analysts is 0 before SIEM, then using a force multiplier will still leave it at zero. Another way to say it is that SIEM is not and will not be a “set and forget” technology and everybody who even hints that their SIEM is “set and forget” is a liar. Yet another way of saying it is: a security monitoring project or a SIEM project isn’t … a project. It is a process that you start and then improve over time – and never “complete” by reassigning people to other things. Or, as my esteemed colleague said, “the end result is that your monitoring simply can’t work without a sufficient supply of carbon-based life forms.”
Still, I’m getting mixed reports about what percentage of organizations buying SIEM tools only use them for simple log aggregation. Guess what, you can get log aggregation for 1/5 to 1/100 of the cost of a SIEM. You can sometimes get it for free.
After this preface, let me follow with some questions that I’m trying to answer:
- Based on a use case and deployment size, how many people do I need to run a SIEM well and get full value out of it?
- What skill sets should those people possess?
- What skills should be inside the core “SIEM team” and what skills can be borrowed from other parts of the organization?
- What skills (such as analyst and content developer) can and should be combined in one person?
- How do those people evolve over time and gain their expertise?
- Finally, where do you go for help if you know you need the capability, but also know that you cannot hire, grow and retain those people?
As a final word, the best SIEM deployments I’ve seen that also brought the most value to organizations were run by teams of skilled, passionate, well-trained and dedicated intrusion analysts.
Any other questions I missed? Any answers?