Solution providers can help customers meet security monitoring, reporting and audit requirements by offering services built around security information and event management (SIEM) tools.
Service providers and VARs can enter the SIEM services market by expanding their own infrastructure and expertise, and/or partnering with managed security service providers (MSSP) that already have a strong SIEM managed service.
SIEM, also called SIM or SEM, has been a topic of interest this year due to regulatory compliance requirements -- specifically the Payment Card Industry Data Security Standard (PCI DSS) -- that prescribe security-related log monitoring and daily review. Gartner Inc. pegged the market at about $1 billion in 2008 with continued growth this year, and noted in an April report that MSSPs are beginning to adopt SIEM as a service.
However, SIEM is complex and expensive to deploy, and requires dedicated expert personnel to monitor and evaluate alerts and analyze reports. According to Pam Casale, chief marketing officer for Reston, Va.-based SIEM vendor Intellitactics Inc., the economy has put pressure on companies with SIEM projects, primarily because companies can't add enough staff required to run, implement and manage SIEM.
"I used to think of outsourcing as driven by cost only, but in security it's also a shortage of expertise," Casale said. "It makes sense to partner with a service provider that knows how to manage SIEM, knows how to connect to PCI devices that are in scope, and knows what reports are required."
SIEM services can take a variety of forms, starting with essential log management for compliance, probably the most common use case, to around-the-clock monitoring, analysis and incident management, said Kevin Prince, CTO for Milford, Conn.-based MSSP Perimeter eSecurity Inc., which offers a SIEM service using gear from Intellitactics.
A "SIEM light" approach, as Prince calls it, includes security event management in addition to log management. The customer relies on the MSSP to handle the 24x7 security operations center (SOC) monitoring, sending important alerts for the customer to deal with.
"For full SIEM, we correlate the data, send it to our SOC analysts and then handle all escalation procedures and manage work ticketing for [customers]."
There are several potential deployment models. If the customer already owns the SIEM product, it may choose to outsource some or all of the management, easing staffing issues. Increasingly, the MSSP often owns the appliance and deploys it on-premise as part of the service. This relieves customers of the capital expenses and allows them to implement SIEM as a managed service and funded as an operating expense, which is generally easier to budget and offers a more flexible long-term commitment.
In a third option, depending on the vendor, simple collector appliances gather the data on premise and send it via the Internet to the service provider's back-end SIEM. This is less expensive because it doesn't require deployment of "full" SIEM appliances; it reduces power consumption and doesn't take up rack and storage space on premise.
SIEM vendors and MSSPs say that with a broad portfolio of managed security services, MSSPs are in a good position to leverage their in-house security expertise and infrastructure to build SIEM service offerings.
"You need people who understand security," said John Menezes, president and CEO of Mississauga, Ontario-based MSSP Cyberklix Inc., which transitioned from a VAR to a SIEM-based MSSP centered around RSA's enVision products. "We found we needed people with hands-on experience with Windows and Unix applications, people who understand how to classify an event when it is generated by a system."
Menezes said his customers expect Cyberklix to sort through millions of events and "send them the eight to 10 that occur in a day that are of consequence to them."
Perimeter's Prince sees SIEM, which the company added as a service two years ago, as a natural progression from the managed security services the company had offered for years, including IDS, routers, switches and firewalls.
"At a high level, that was always SIEM," he said. "SIEM has allowed us to broaden the devices and systems we can fold into a holistic security view."
That's a "huge value," he said, as half of Perimeter's revenue now comes from up-selling to existing customers.
Traditional VARs can partner with SIEM MSSPs to offer services without making major investments in infrastructure and personnel. The VAR's role can vary depending on its business focus and expertise, Prince said. For example, the VAR may play a consulting role by determining what devices need to be monitored, interpreting reports for compliance and auditing, or delivering a fully branded SIEM service.
"Trying to do it on your own is daunting in terms of capital expenses, and expertise is tough," Prince said. "Simply retaining the right level of security engineer long term is difficult. It depends on the VAR. You can leave the whole thing to us or use whatever pieces are part of your core competency."
MSSPs that want to develop their own services should understand that SIEM is not a plug-and-play technology. Full SIEM service deployments, especially for enterprises, can take many months, said Cyberklix's Menezes, because it's necessary to establish scope, business requirements, device feeds and more. MSSPs should be prepared to put in the effort to develop knowledge and best practices to build repeatable processes that can be applied to each new customer.
Menezes said his company developed an approach that has cut deployment time for larger customers from 18 months to 3-9 months.
"We developed almost a cookie-cutter model of how to help customers," he said. This model works by asking a series of questions prior to deployment: "How do you get the solution up and running, what devices are in scope, what are the critical assets, what is required for compliance and what for security? What are business reasons for using SIEM?"