Tracking the ROI on SIEM

A limited deployment of a security information and event management tool is paying off. Now to convince the suits.

Our security information and event management (SIEM) tool has been on the job for nearly four months, and the bill has come due.

Not the literal bill; we already paid more than $200,000 for our limited deployment. But now the CIO and chief financial officer want to know what we're getting for our money. It's a great question, and I just need to formulate the right answer.

Not that there's any question in my mind that we're getting our money's worth. But I'm going to need some hard facts to back that up.

Right now, I have an analyst spending about 20% of his time maintaining, tuning and analyzing our SIEM system and its data output, as well as responding to any security events it turns up. I wish he could devote more time to it, but I have an aggressive security program and limited human resources.

Nonetheless, our new infrastructure is making a difference. We can now see activity and raise events from data that was previously unavailable to us. For example, we can positively identify PCs and servers that are infected with malware that opens back channels to command-and-control servers in places like Russia and China, and we can identify unauthorized attempts to access our critical financial and HR applications.

I'm putting together a PowerPoint presentation on vulnerability management for the CIO and CFO, with a special focus on the SIEM deployment. I want to be able to show them that the SIEM system doesn't just make us aware of security events, but that it also plays a crucial role in our "defense in depth" strategy.

That strategy arises from my sense, as a security professional, that there is no silver bullet. You need multiple technologies. So, besides the event data that the SIEM collects, we get information on security incidents from our firewalls, vulnerability scanners and antivirus software, as well as from third parties, including law enforcement. This is necessary, because no matter how much data we feed into the SIEM, there will always be things that slip through the cracks. And some of the other reports are simply more straightforward. For example, both the SIEM and the firewalls allow me to generate reports on violations of acceptable use, such as the use of unauthorized remote access software like pcAnywhere, but the firewalls' reports are more visually pleasing. With the SIEM, I would have to do a lot more fiddling to get the data into the right format.
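To make concrete what the three detections mentioned above (command-and-control back channels, unauthorized access to the HR application, and acceptable-use violations such as pcAnywhere) look like as correlation rules, here is an added example. It is not the column author's SIEM content or any vendor's rule set; the log formats, host names, addresses, user names, authorized-group membership, thresholds and the threat-intelligence watchlist are all constructed for the illustration. The only real-world detail is that pcAnywhere uses ports 5631 and 5632.

```python
"""Three SIEM-style correlation rules over constructed log lines.

Added example, not the column's own tooling. Everything below (log
formats, addresses, users, thresholds, watchlist) is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log: "timestamp src dst dport action".
FIREWALL_LOG = """\
2011-03-01T09:00:00 10.1.4.22 203.0.113.9 443 ALLOW
2011-03-01T09:05:00 10.1.4.22 203.0.113.9 443 ALLOW
2011-03-01T09:10:01 10.1.4.22 203.0.113.9 443 ALLOW
2011-03-01T09:15:00 10.1.4.22 203.0.113.9 443 ALLOW
2011-03-01T09:02:13 10.1.4.37 198.51.100.20 443 ALLOW
2011-03-01T09:41:50 10.1.4.37 198.51.100.21 80 ALLOW
2011-03-01T10:12:05 10.1.9.8 192.0.2.77 5631 ALLOW
2011-03-01T10:12:05 10.1.9.8 192.0.2.77 5632 ALLOW
"""

# Constructed HR-application authentication log: "timestamp user result".
HR_AUTH_LOG = """\
2011-03-01T11:00:00 jsmith SUCCESS
2011-03-01T11:20:00 bwilson FAILURE
2011-03-01T11:20:30 bwilson FAILURE
2011-03-01T11:21:10 bwilson FAILURE
2011-03-01T11:22:00 bwilson SUCCESS
2011-03-01T11:30:00 jsmith SUCCESS
"""

C2_WATCHLIST = {"203.0.113.9"}        # assumed threat-intel feed
HR_AUTHORIZED = {"jsmith", "hrmgr"}   # assumed HR group membership
PCANYWHERE_PORTS = {5631, 5632}       # pcAnywhere data/status ports


def parse_firewall(text):
    """Return (ts, src, dst, dport, action) tuples from the firewall log."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, dport, action = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return rows


def parse_auth(text):
    """Return (ts, user, result) tuples from the HR application log."""
    rows = []
    for line in text.splitlines():
        ts, user, result = line.split()
        rows.append((datetime.fromisoformat(ts), user, result))
    return rows


def detect_beacons(conns, watchlist, min_conns=4, max_jitter=30):
    """Flag a host/destination pair if the destination is on the C2 watchlist
    or the host connects to it at a near-constant interval (beaconing), so a
    C2 address absent from the feed is still caught by its timing."""
    by_pair = defaultdict(list)
    for ts, src, dst, _dport, action in conns:
        if action == "ALLOW":
            by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in by_pair.items():
        reasons = []
        if dst in watchlist:
            reasons.append("destination on C2 watchlist")
        stamps.sort()
        if len(stamps) >= min_conns:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            if max(gaps) - min(gaps) <= max_jitter:
                period = int(sum(gaps) / len(gaps))
                reasons.append(f"{len(stamps)} connections every ~{period}s")
        if reasons:
            findings.append({"rule": "c2_beacon", "host": src, "dst": dst,
                             "reasons": reasons})
    return findings


def detect_hr_abuse(events, authorized, fail_threshold=3,
                    window=timedelta(minutes=10)):
    """Flag repeated failures inside a sliding window (once, when the
    threshold is first reached) and any successful login by a user who is
    not in the authorized HR group."""
    findings = []
    fails = defaultdict(list)
    for ts, user, result in events:
        if result == "FAILURE":
            fails[user].append(ts)
            recent = [t for t in fails[user] if ts - t <= window]
            if len(recent) == fail_threshold:
                findings.append({"rule": "hr_bruteforce", "user": user,
                                 "failures": len(recent)})
        elif result == "SUCCESS" and user not in authorized:
            findings.append({"rule": "hr_unauthorized_login", "user": user,
                             "ts": ts.isoformat()})
    return findings


def detect_unauthorized_remote_access(conns, ports=PCANYWHERE_PORTS):
    """Acceptable-use rule: any allowed connection on pcAnywhere ports."""
    hosts = sorted({src for _ts, src, _dst, dport, action in conns
                    if dport in ports and action == "ALLOW"})
    return [{"rule": "acceptable_use_pcanywhere", "host": h} for h in hosts]


def run_all():
    """Run the three rules over the constructed logs and return all findings."""
    conns = parse_firewall(FIREWALL_LOG)
    auth = parse_auth(HR_AUTH_LOG)
    return (detect_beacons(conns, C2_WATCHLIST)
            + detect_hr_abuse(auth, HR_AUTHORIZED)
            + detect_unauthorized_remote_access(conns))


if __name__ == "__main__":
    for finding in run_all():
        print(finding)
```

Run as a script it prints four findings: the beaconing workstation (flagged both by the watchlist and by its five-minute cadence), the three failed HR logins, the subsequent success by a user outside the HR group, and the host talking on pcAnywhere ports. The point of the beacon rule's timing check is the one the column makes about defense in depth: a watchlist only catches what someone has already reported, so the rule also looks at behaviour the feed cannot know about.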

My presentation will include some explanation of what SIEM is, to ensure that we're all on the same page. I'll then discuss the architecture and scope, the types of data being fed into the platform, and the types of events we're able to generate. I'll also explain who responds to what events.

Cut to the Chase

But the real meat will be describing, in monetary terms, how we are getting a return on our investment. This will be more difficult, since the ROI can only be measured over time. But I will show, for example, that if we didn't have the SIEM, certain events would have gone undetected, resulting in the loss of intellectual property. I won't need to explain to them the cost if our competitors were to get their hands on our source code, business plans or customer lists.

I can also show that proactively detecting malicious threats before they spread saves on help desk costs and reduces lost productivity (when we have to reimage an employee's PC, for instance). For raw numbers, I can highlight the events the SIEM discovered compared to all our other detection methods combined. This number alone justifies the SIEM investment and could get me the green light for the greenbacks to expand the deployment beyond monitoring just 40% of our overall traffic.

This week's journal was written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at


Copyright © 2011 IDG Communications, Inc.
