Tuesday, June 15, 2010

Correlation opens up the need for SIEM managed services

It has been very interesting to follow the blog traffic started by the LogLogic announcement that they are lowering the price of their SEM capability, especially the responses from LogLogic to the comments at visiblerisk and the post at Log Talk, "Is correlation killing the Log Market?"

I agree that vendors promise too much with their out-of-the-box rules; most of them need tuning in order to provide real value. And that's exactly the point! I don't think the problem is that correlation isn't good enough; it's just that the people using it lack the skill and TIME needed to actually get a good outcome.

You need specialized people with time to work on your logs, to analyze them, to deal with the volume of generated alerts and to run a proper tuning process. And that is where managed services come into the picture.
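To make concrete what "tuning" means for a correlation rule, here is an added example (mine, not code from the original post or from any SIEM vendor). It runs a simple "failed logins from one source" rule over constructed sshd-style log lines, first with out-of-the-box settings and then after the kind of adjustment an analyst makes once they have looked at the alerts: a higher threshold and an exclusion for an authorized vulnerability scanner. The scanner address 10.0.0.9, the other addresses and the log lines are all assumed sample data.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (not from a real system): sshd-style authentication log lines.
# 10.0.0.5 is a user mistyping her password, 10.0.0.9 is an assumed authorized scanner,
# 203.0.113.7 is a source guessing several account names in a short burst.
SAMPLE_LOGS = """\
2010-06-15T09:00:01 sshd[2301]: Failed password for alice from 10.0.0.5 port 51001 ssh2
2010-06-15T09:00:03 sshd[2301]: Failed password for alice from 10.0.0.5 port 51002 ssh2
2010-06-15T09:00:05 sshd[2301]: Failed password for alice from 10.0.0.5 port 51003 ssh2
2010-06-15T09:00:07 sshd[2301]: Accepted password for alice from 10.0.0.5 port 51004 ssh2
2010-06-15T09:01:00 sshd[2305]: Failed password for root from 10.0.0.9 port 40001 ssh2
2010-06-15T09:01:02 sshd[2305]: Failed password for root from 10.0.0.9 port 40002 ssh2
2010-06-15T09:01:04 sshd[2305]: Failed password for root from 10.0.0.9 port 40003 ssh2
2010-06-15T09:01:06 sshd[2305]: Failed password for root from 10.0.0.9 port 40004 ssh2
2010-06-15T09:02:00 sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 33001 ssh2
2010-06-15T09:02:05 sshd[2310]: Failed password for invalid user test from 203.0.113.7 port 33002 ssh2
2010-06-15T09:02:10 sshd[2310]: Failed password for invalid user oracle from 203.0.113.7 port 33003 ssh2
2010-06-15T09:02:15 sshd[2310]: Failed password for invalid user guest from 203.0.113.7 port 33004 ssh2
2010-06-15T09:02:20 sshd[2310]: Failed password for invalid user ubuntu from 203.0.113.7 port 33005 ssh2
2010-06-15T09:02:25 sshd[2310]: Failed password for invalid user postgres from 203.0.113.7 port 33006 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


@dataclass
class CorrelationRule:
    """A 'repeated failed logins from one source' rule and its tunable knobs."""
    name: str
    threshold: int                              # failures needed to raise one alert
    window: timedelta                           # sliding time window
    exclude_sources: frozenset = frozenset()    # known-noisy sources, e.g. an authorized scanner


def parse_failures(text):
    """Yield (timestamp, user, source) for every failed-login line; other lines are ignored."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def run_rule(text, rule):
    """Return a list of (source, alert_time) tuples, one per time the rule fires."""
    recent = defaultdict(deque)   # source -> timestamps of failures inside the window
    alerts = []
    for ts, _user, src in parse_failures(text):
        if src in rule.exclude_sources:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > rule.window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= rule.threshold:
            alerts.append((src, ts))
            q.clear()   # one alert per burst, then start counting again
    return alerts


# "Out of the box": low threshold, nothing excluded. Fires on alice's typos and on the scanner.
DEFAULT_RULE = CorrelationRule("bruteforce-default", threshold=3, window=timedelta(seconds=60))

# Tuned after reviewing the alerts: higher threshold, assumed authorized scanner excluded.
TUNED_RULE = CorrelationRule(
    "bruteforce-tuned", threshold=5, window=timedelta(seconds=60),
    exclude_sources=frozenset({"10.0.0.9"}),
)

if __name__ == "__main__":
    for rule in (DEFAULT_RULE, TUNED_RULE):
        alerts = run_rule(SAMPLE_LOGS, rule)
        print(f"{rule.name}: {len(alerts)} alert(s)")
        for src, ts in alerts:
            print(f"  {ts.isoformat()}  source={src}")
```

On this sample the default rule raises four alerts, three of which an analyst would close as noise (a user's typos and the scanner); the tuned rule raises one, for the source cycling through account names. Getting from the first configuration to the second is exactly the work that takes someone's time: reading the alerts, knowing which sources are legitimate in this environment, and adjusting thresholds and exclusions per rule.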

I'm not going to enumerate the advantages and disadvantages of managed services (there are plenty of posts out there). I'd just like to point out that the provider needs to be selected carefully. I'm thinking of the example of a company that has already outsourced its IT management and is looking for a provider for a SIEM service. It makes sense to me that it is better to have a different provider for monitoring than for management. Military organizations, for example, have been doing this for a long time, with a separate section, the "Military Police", to monitor activities.

And that makes me think... in order to get real value from correlation capabilities, we need skilled people with enough time. If you can't find them in your organization, you can hire them from a managed SIEM provider. This provider should be different from whoever is actually managing your systems, so that you get an objective picture. But... who is gonna monitor this new monitoring provider?
