If security information and event management (SIEM) is such a great tool, it begs the question: Why have so many organizations purchased it at great expense, only to have it end as shelfware? My own experience and that of my colleagues in the industry is that many companies have spent large amounts on a SIEM product, only to have it sit idle.
So why do so many SIEM deployments fail? In his series, Understanding and Selecting SIEM/LM: Selection Process, Mike Rothman of Securosis writes of the various details companies should approach in their SIEM procurement process. Since too many companies fail to use a detailed, systematic process, their deployment is bound to fail. For a VAR or solution provider, the failure of so many SIEM rollouts should be seen as a loud cry for help. VARs and solution providers that understand the reasons behind those failures can learn what needs to be done, helping customers avoid SIEM failures and turning the technology into future profits.
More on SIEM
Learn how SIEM services help customers with security monitoring.
See how intelligent use of SIEM and log management products strengthens security, and facilitates compliance.
The following tips will give you an understanding of the main items in which to turn a SIEM failure into a success:
Tip No. 1: Know your audience and its needs -- SIEM means different things to different organizations. Firms that are under heavy regulatory compliance directives (financial services, health care, pharmaceuticals, etc.) will often be driven by compliance mandates.
Often the SIEM implementation will be driven by audit and legal departments rather than IT. With that, VARs and solution providers must know, in detail, the various regulations and standards. Be it PCI DSS, HIPAA, HITECH, SOX, GLBA, FERPA, etc., they must be able to show customers how a SIEM tool can directly assist in making compliance easier. For example, you don't need to know PCI DSS like a QSA, but you need to be able to take the PCI DSS and show how the SIEM tool being proposed will help them meet specific requirements or demonstrate compliance during an assessment.
Tip No. 2: Know the SIEM tool you are selling -- While many VARs will sell a technology they don't really understand, the role of a solution provider is just that, to provide solutions; products should be merely part of the answer to a problem.
The first step is to be a guru at the specific SIEM product you are proposing. While SIEM products such as those from ArcSight (soon to be owned by HP) and netForensics do the same thing at a high level, the devil is in the details; at a lower level, the two products are quite different. Solution providers must understand their core products at the expert level, including what they do well, what their shortcomings are, and what types of companies have had success with them in the past.
As a benefit, solution providers should be able to contrast the differences between the SIEM product they sell and those offered by the competition. There are a lot of SIEM vendors selling their wares; in fact, 20 vendors met Gartner's inclusion requirements for the 2010 SIEM Magic Quadrant (the report is available for free at a number of vendor websites (.pdf)), and there are more that did not make it in. The plethora of products underscores the importance of knowing why your product is best and how it is different from the competition.
Tip No. 3: Have good salespeople, but have even better post-sales engineers -- When it comes to a SIEM deployment, the devil is in the details, and a successful SIEM deployment involves many details. SIEM products require a high level of technical expertise to deploy effectively. Most customers do not have the internal expertise to deploy a SIEM, and they reach out to solution providers specifically to assist them. Solution providers help the client ensure their SIEM deployment is a success and solves customers' unique business problems.
One of the best ways to showcase your expertise is with certification. Vendor certifications, such as the ArcSight Certified Integrator/Administrator (ACIA), are a great way to differentiate yourself from the competition. Make sure customers know that members of your team hold this certification, and explain why the training and experience that come with the certification will ensure the implementation will go as smoothly as possible.
While this point may seem intuitive, the reality is that just about any IT firm can pass itself off as a VAR or integrator, but the deep skills and experience are what separate a good firm from a poor firm. Those that have the product and industry expertise will find that those two factors are what keep their phones ringing as companies are desperate for SIEM assistance.
Tip No. 4: Project planning and avoiding the PnP term -- SIEM is the antithesis of plug-and-play (PnP) technology. The reason that there is so much money in it for solution providers is that an enterprise SIEM rollout takes significant time and effort to deploy, tune and manage. It doesn't work seamlessly "out of the box" as some security technologies do.
Providing detailed project plans is of incredible value to a firm. A good SIEM project plan will detail the requisite tasks along with a timeline. Such a timeline is good protection for the integrator, should the client company complain that it did not know how long the project would take. The most common client complaint VARs and solution providers receive from customers is that SIEM rollouts take much longer than they were lead to believe. Detailed project plans obviate that.
Tip No. 5: Project closure, training and hand-off -- Building on the previous tip, all good projects must come to an end. Ensure that the project plan has specifics about what constitutes closure of the project. As part of that, solution providers should make sure everything is appropriately delivered, documented and signed-off; a simple checklist can be enormously helpful. Training should be included as a part of the transition plan to ensure the client is able to effectively use the SIEM product.
Once the project is complete, that doesn't mean there is not more revenue that can be generated. There are often additional elements that need to be added to the SIEM; infrastructure changes, software updates, mergers and acquisitions, and other issues often create the new need for work.
This is only a brief look at how VARs and solution providers can successfully sell SIEM products. Many more tips could be written about the subject, but the most important thing to remember is that VARs and solution providers must be the experts, and that requires preparation. Clients are indeed desperate for help with SIEM. Follow these tips, and watch their desperation turn into satisfaction.
About the author:
Ben Rothke, CISSP, CISA, is a senior security consultant with BT Professional Services, and the author of Computer Security: 20 Things Every Employee Should Know .