
Best Practices for SEM Rapid Deployment

As organizations build larger, more device-laden networks, a security event management (SEM) deployment can quickly balloon in scale and scope, producing cost overruns, long implementation cycles, and results that fall short of expectations. SEM products range from highly complex solutions that need extensive customization to appliances that promise plug-and-play operation. A company that wants rapid results from SEM should weigh five criteria: ease of installation and maintenance, support for its existing security and network devices, the ability to fine-tune correlation rules, real-time threat prevention and remediation, and cost effectiveness relative to the size of the network.

Ease of installation and maintenance
IT teams that are already stretched thin do not need another security console to learn, or more hardware and software that is cumbersome and customization-intensive to maintain. An SEM solution should therefore fit into a unified security management infrastructure and integrate readily with existing network devices and configurations. Your staff should be able to install and operate it within hours, without professional services from the vendor.

Security and network devices supported
An SEM solution should support the majority of your existing security devices: firewalls, routers, intrusion detection systems, vulnerability assessment tools, and antivirus systems. Adding new devices later should also be simple and should not require extensive customization. Before buying, inventory the devices and log formats you actually run and confirm that each is parsed out of the box; any source the product cannot parse is a blind spot in correlation.

Ability to fine-tune correlation rules
Each organization's network has its own set of assets to protect, each with its own vulnerabilities. An SEM solution that ships with predefined correlation rules should make those rules easy to customize, so that they can match events specific to your network and be adjusted as network activity changes over time (for example, raising a threshold that fires on a legitimate batch job or a scheduled vulnerability scan). Ideally, an SEM solution should also be able to "learn" or benchmark normal network activity and suggest adjustments to existing rules. Treat such suggestions as input for review rather than settings to accept blindly: a baseline learned while an attacker or a misconfigured host is already active will normalize that activity.

Real-time threat prevention and remediation
As a security administrator, you need accurate information that you can interpret quickly and act on immediately when your network is under serious attack. An SEM solution should generate alerts in near real time, record event data for post-incident analysis, and support automated responses so that you can shut down an attack when and where appropriate. Reserve automated responses (blocking a source address, disabling an account) for high-confidence rules and review them regularly: a rule that fires on spoofed or shared addresses can turn the SEM itself into a denial-of-service tool against your own users.
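The two sections above describe tunable correlation rules, near-real-time alerting, and baselining of normal activity only in the abstract. The following Python script is an added example, not code from the original article or from any SEM vendor: a tiny streaming correlator with two rules (a burst of failed logins followed by a success from the same source, and a port scan seen as firewall drops) run over constructed log lines in an invented, simplified syslog-like format. The device names, addresses, thresholds, window sizes and rule names are all assumptions chosen for illustration.

```python
"""Minimal streaming correlation engine run over constructed firewall and SSH log lines."""
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample events in a simplified syslog-like format (not from any real device):
# 192.0.2.44 probes blocked ports, 203.0.113.7 guesses passwords until one works,
# 198.51.100.9 is a user who mistyped once, and the IDS line is a format we do not parse.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 fw1 FW: DROP src=192.0.2.44 dst=10.0.0.5 dport=21
2024-03-01T10:00:01 fw1 FW: DROP src=192.0.2.44 dst=10.0.0.5 dport=22
2024-03-01T10:00:03 fw1 FW: DROP src=192.0.2.44 dst=10.0.0.5 dport=80
2024-03-01T10:00:04 srv1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:06 srv1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:08 srv1 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:10 srv1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:12 srv1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:14 srv1 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T10:00:20 srv1 sshd: Failed password for bob from 198.51.100.9
2024-03-01T10:05:00 srv1 sshd: Accepted password for bob from 198.51.100.9
2024-03-01T10:06:00 ids1 IDS: sig=1234 src=198.51.100.9 msg="format not supported here"
"""

Event = namedtuple("Event", "ts device src outcome detail")  # detail: user (sshd) or dport (fw)
Alert = namedtuple("Alert", "rule severity src ts")

AUTH_RE = re.compile(r"^(\S+) \S+ sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) \S+ FW: (DROP|ACCEPT) src=(\S+) dst=\S+ dport=(\d+)$")

def parse_line(line):
    """Normalize one raw line into an Event; None means an unsupported device/format."""
    m = AUTH_RE.match(line)
    if m:
        ts, outcome, user, src = m.groups()
        return Event(datetime.fromisoformat(ts), "sshd", src, outcome.lower(), user)
    m = FW_RE.match(line)
    if m:
        ts, action, src, dport = m.groups()
        return Event(datetime.fromisoformat(ts), "fw", src, action.lower(), dport)
    return None

def _prune(dq, now, window):
    # Drop (timestamp, detail) entries that have aged out of the sliding window.
    while dq and now - dq[0][0] > window:
        dq.popleft()

class Correlator:
    """Stateful correlation with per-rule thresholds and sliding windows, all tunable."""
    def __init__(self, fail_threshold=5, fail_window_s=60, scan_ports=3, scan_window_s=30):
        self.fail_threshold, self.fail_window = fail_threshold, timedelta(seconds=fail_window_s)
        self.scan_ports, self.scan_window = scan_ports, timedelta(seconds=scan_window_s)
        self._failures = defaultdict(deque)  # src -> (ts, user) entries within fail_window
        self._drops = defaultdict(deque)     # src -> (ts, dport) entries within scan_window
        self.peak_failures = 0               # largest in-window failure burst seen (for tuning)

    def process(self, ev):
        """Feed one event (events must arrive in time order); return the alerts it triggers."""
        alerts = []
        if ev.device == "sshd":
            dq = self._failures[ev.src]
            _prune(dq, ev.ts, self.fail_window)
            if ev.outcome == "failed":
                dq.append((ev.ts, ev.detail))
                self.peak_failures = max(self.peak_failures, len(dq))
            elif ev.outcome == "accepted" and len(dq) >= self.fail_threshold:
                # Rule 1: burst of failed logins followed by a success from the same source.
                alerts.append(Alert("brute_force_success", "high", ev.src, ev.ts))
                dq.clear()  # do not re-alert on the same burst
        elif ev.device == "fw" and ev.outcome == "drop":
            dq = self._drops[ev.src]
            _prune(dq, ev.ts, self.scan_window)
            dq.append((ev.ts, ev.detail))
            # Rule 2: one source hitting many distinct blocked ports within a short window.
            if len({port for _, port in dq}) >= self.scan_ports:
                alerts.append(Alert("port_scan", "medium", ev.src, ev.ts))
                dq.clear()
        return alerts

def run(lines, correlator):
    """Replay lines through the correlator; return (alerts, number of unparsed lines)."""
    alerts, unparsed = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1  # surface this count; dropping it silently hides coverage gaps
            continue
        alerts.extend(correlator.process(ev))
    return alerts, unparsed

def suggest_fail_threshold(lines, window_s=60):
    """Replay a learning period and suggest a threshold one above the largest burst seen.
    The period must be known-clean: an attacker active during it inflates the peak, and
    the suggestion would quietly tune the rule to ignore exactly that attacker."""
    c = Correlator(fail_threshold=10**9, fail_window_s=window_s)  # never fires
    run(lines, c)
    return c.peak_failures + 1

if __name__ == "__main__":
    found, skipped = run(SAMPLE_LOGS.splitlines(), Correlator())
    print(*found, f"unparsed={skipped}", f"suggested={suggest_fail_threshold(SAMPLE_LOGS.splitlines())}", sep="\n")
```

With the default thresholds the replay produces two alerts (a medium port_scan from 192.0.2.44 and a high brute_force_success from 203.0.113.7), reports one unparsed line for the IDS format, and ignores bob, whose single failure has aged out of the 60-second window by the time he logs in. Raising fail_threshold to 7 suppresses the brute-force alert, which is what "fine-tuning" a rule amounts to in practice. Note that suggest_fail_threshold returns 6 on this sample precisely because the sample contains the attack: a learned baseline is only as trustworthy as the period it was learned from.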

Cost effectiveness according to network size
Weigh the efficiency gains for your IT staff, who no longer have to review log files by hand, and the improved security that comes from heading off attacks in real time against the total cost of ownership of an SEM system, including integration and maintenance costs. With appropriate predeployment planning and a deliberately limited initial scope, you can justify the cost of an SEM solution even for a small corporate network.

Overall, an SEM solution should be easy to deploy and maintain, yet flexible enough so that it can be scaled as your network grows in size and complexity.