
Security Manager's Journal: Tracking the ROI on SIEM

A limited deployment of a security information and event management tool is paying off. Now to convince the suits.

By Mathias Thurman
May 23, 2011 06:00 AM ET

Computerworld - Our security information and event management (SIEM) tool has been on the job for nearly four months, and the bill has come due.

Not the literal bill; we already paid more than $200,000 for our limited deployment. But now the CIO and chief financial officer want to know what we're getting for our money. It's a great question, and I just need to formulate the right answer.

Trouble Ticket

At issue: The CIO and CFO want to know what they're getting for the $200,000 spent on SIEM.
Action plan: Show them how it has already helped safeguard IP.

Not that there's any question in my mind that we're getting our money's worth. But I'm going to need some hard facts to back that up.

Right now, I have an analyst spending about 20% of his time maintaining, tuning and analyzing our SIEM system and its data output, as well as responding to any security events it turns up. I wish he could devote more time to it, but I have an aggressive security program and limited human resources.

Nonetheless, our new infrastructure is making a difference. We can now see activity and formulate events based upon data previously unavailable to us. For example, we can positively identify PCs and servers that are infected with malware that opens back channels to command-and-control servers in places like Russia and China, and we can identify unauthorized attempts to access our critical financial and HR applications.
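As an added example (not code from the column, the author's employer or any SIEM vendor), the short Python routine below runs the two kinds of rules the column describes over constructed log lines: a host that repeatedly contacts a watchlisted command-and-control address, and a burst of failed logins to a protected HR or finance application, with a success after the burst flagged as the worst case. The log line format, the watchlist (RFC 5737 documentation addresses), the application names, the thresholds and the sample events are all assumptions made for this example.

```python
"""Toy SIEM-style correlation over constructed firewall and login events (added example)."""
import re
from collections import defaultdict

# --- Constructed sample data: not real logs, not real indicators -----------------
FIREWALL_LOGS = """\
2011-05-20T09:00:01 fw src=10.1.4.22 dst=203.0.113.7 dport=443 action=allow
2011-05-20T09:05:02 fw src=10.1.4.22 dst=203.0.113.7 dport=443 action=allow
2011-05-20T09:10:03 fw src=10.1.4.22 dst=203.0.113.7 dport=443 action=allow
2011-05-20T09:11:00 fw src=10.1.4.50 dst=198.51.100.23 dport=80 action=allow
2011-05-20T09:12:00 fw src=10.1.4.51 dst=192.0.2.10 dport=443 action=allow
""".splitlines()

AUTH_LOGS = """\
2011-05-20T10:00:00 app=hr-portal user=jsmith src=10.1.4.80 result=failure
2011-05-20T10:00:20 app=hr-portal user=jsmith src=10.1.4.80 result=failure
2011-05-20T10:00:40 app=hr-portal user=jsmith src=10.1.4.80 result=failure
2011-05-20T10:01:00 app=hr-portal user=jsmith src=10.1.4.80 result=failure
2011-05-20T10:01:20 app=hr-portal user=jsmith src=10.1.4.80 result=failure
2011-05-20T10:01:40 app=hr-portal user=jsmith src=10.1.4.80 result=success
2011-05-20T10:03:00 app=finance user=achen src=10.1.4.81 result=success
2011-05-20T10:04:00 app=wiki user=bwong src=10.1.4.82 result=failure
2011-05-20T10:04:10 app=wiki user=bwong src=10.1.4.82 result=failure
2011-05-20T10:04:20 app=wiki user=bwong src=10.1.4.82 result=failure
2011-05-20T10:04:30 app=wiki user=bwong src=10.1.4.82 result=failure
2011-05-20T10:04:40 app=wiki user=bwong src=10.1.4.82 result=failure
""".splitlines()

# Assumed (hypothetical) tuning: a watchlist of C2 addresses, the applications that
# count as critical, and how many repeats turn raw events into an alert.
C2_WATCHLIST = {"203.0.113.7", "198.51.100.23"}
PROTECTED_APPS = {"hr-portal", "finance"}
BEACON_THRESHOLD = 3        # repeated contacts before a host is reported as infected
FAILED_LOGIN_THRESHOLD = 5  # failures before an access attempt is reported

FW_RE = re.compile(r"^(?P<ts>\S+) fw src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) app=(?P<app>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")


def parse(lines, pattern):
    """Normalise raw lines into dicts; lines that do not match the assumed format are dropped."""
    events = []
    for line in lines:
        m = pattern.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_c2_beacons(fw_events, watchlist=C2_WATCHLIST, threshold=BEACON_THRESHOLD):
    """Hosts that repeatedly contact a watchlisted destination, whatever the firewall verdict was."""
    contacts = defaultdict(list)
    for ev in fw_events:
        if ev["dst"] in watchlist:
            contacts[(ev["src"], ev["dst"])].append(ev["ts"])
    return [
        {"type": "c2_beacon", "host": src, "dst": dst, "count": len(stamps),
         "first_seen": stamps[0], "last_seen": stamps[-1]}
        for (src, dst), stamps in sorted(contacts.items())
        if len(stamps) >= threshold
    ]


def detect_unauthorized_access(auth_events, protected=PROTECTED_APPS, threshold=FAILED_LOGIN_THRESHOLD):
    """Bursts of failed logins to protected apps; a success after the burst is the worst case."""
    failures = defaultdict(int)
    succeeded = defaultdict(bool)
    order = []  # keys in first-seen order so alerts come out deterministically
    for ev in auth_events:
        if ev["app"] not in protected:
            continue
        key = (ev["app"], ev["user"], ev["src"])
        if ev["result"] == "failure":
            failures[key] += 1
            if key not in order:
                order.append(key)
        elif ev["result"] == "success" and failures[key] >= threshold:
            succeeded[key] = True
    alerts = []
    for key in order:
        if failures[key] < threshold:
            continue
        app, user, src = key
        alerts.append({"type": "unauthorized_access", "app": app, "user": user, "src": src,
                       "failures": failures[key], "success_after_burst": succeeded[key]})
    return alerts


def run_correlation(fw_lines=FIREWALL_LOGS, auth_lines=AUTH_LOGS):
    """Feed both sources through the rules and return the combined alert list."""
    alerts = detect_c2_beacons(parse(fw_lines, FW_RE))
    alerts += detect_unauthorized_access(parse(auth_lines, AUTH_RE))
    return alerts


if __name__ == "__main__":
    for alert in run_correlation():
        print(alert)
```

On the sample data this yields two alerts: the host 10.1.4.22 beaconing to 203.0.113.7 three times, and the account jsmith getting into hr-portal after five failures. The single contact from 10.1.4.50 and the failed wiki logins stay below the rules, which is the tuning work the analyst's time goes into: the watchlist, the protected-application list and the thresholds decide whether the platform surfaces the events that matter or drowns them in noise.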

I'm putting together a PowerPoint presentation on vulnerability management for the CIO and CFO, with a special focus on the SIEM deployment. I want to be able to show them that the SIEM system doesn't just make us aware of security events, but that it also plays a crucial role in our "defense in depth" strategy.

That strategy arises from my sense, as a security professional, that there is no silver bullet. You need multiple technologies. So, besides collecting event data from our SIEM, we get information on security incidents from our firewalls, vulnerability scanners and antivirus software, as well as from third parties, including law enforcement. This is necessary, because no matter how much data we feed into the SIEM, there will always be things that slip through the cracks. And some of the other reports are simply more straightforward. For example, both the SIEM and the firewalls allow me to generate reports on violations of acceptable use, such as the use of unauthorized remote access software like pcAnywhere, but the firewalls' reports are more visually pleasing. With the SIEM, I would have to do a lot more fiddling to get the data into the right format.

My presentation will include some explanation of what SIEM is, to ensure that we're all on the same page. I'll then discuss the architecture and scope, the types of data being fed into the platform, and the types of events we're able to generate. I'll also explain who responds to what events.

Cut to the Chase

But the real meat will be describing, in monetary terms, how we are getting a return on our investment. This will be more difficult, since the ROI can only be measured over time. But I will show, for example, that if we didn't have the SIEM, certain events would have gone undetected, resulting in the loss of intellectual property. I won't need to explain to them the cost if our competitors were to get their hands on our source code, business plans or customer lists.


I can also show that proactively detecting malicious threats before they spread saves on help desk costs and reduces lost productivity (when we have to reimage an employee's PC, for instance). For raw numbers, I can highlight the events the SIEM discovered compared to all our other detection methods combined. This number alone justifies the SIEM investment and could get me the green light for the greenbacks to expand the deployment beyond monitoring just 40% of our overall traffic.

This week's journal was written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.
