I'm not a big fan of SIEM for several reasons, as follows:
1. Difficult to determine the best threshold level.
2. Irregular things over time become regular.
3. A one-size-fits-all solution always has limitations.
4. Not effective in cloud computing (SaaS).
5. Privacy regulations (yup) in some countries.
6. Very expensive.
I guess if you rely on vendors for everything, you will get lost. The implementation should be done by the guys who know exactly what is on the network, and it will build up with time. But I have to admit that I did not see many satisfied customers. I would say it is more suitable for a large SOC, where money is not a big issue.