Tip #1 – Ask your potential vendor whether they are a SIM, SEM or SIEM solution; you most likely want a full SIEM solution even if you end up using one part more than the other.
Tip #2 – Ask your potential vendor whether it is easy and intuitive for your personnel to create new behaviour rules, often referred to as correlation rules.
Security Information Management Tips
Tip #1 – Ask your potential vendor whether the Log Management Layer stores logs in an ASCII flat-file structure for scalable storage. If they don’t, run for the hills.
Tip #2 – Ask your potential vendor what the minimum token length is that their indexing engine indexes down to. For example, if the engine only indexes tokens of 3 characters or more, you would NOT be able to find commands such as “su root”, because the “su” portion of the command would never be indexed.
Tip #3 – Ask your potential vendor how much disk space their index will consume. Typically you will be looking for a 5:1 ratio at most, that is to say, for every 1 GB of compressed stored log data the index should take up a maximum of 5 GB of disk space.
Tip #4 – Ask your potential vendor whether you can store the log data on a SAN or fiber-connected disk storage.
Tip #5 – Ask your potential vendor whether a log is still collected and indexed for reporting purposes even if they do not have a regular-expression processing rule for it.
Tip #6 – Ask your potential vendor whether the solution digitally signs collected logs with at least a 256-bit SHA hash (SHA-256) and can optionally encrypt the logs at rest.
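As an added illustration of Tips #2 and #6 above (example code written for this page, not from the original post or any vendor product), the following builds a toy inverted index with a configurable minimum token length and signs each stored line with HMAC-SHA256 so tampering at rest can be detected; the log lines and signing key are constructed sample values.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample events, one per line, as a flat-file log store would hold them.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00 host1 sshd: Accepted password for alice from 10.0.0.5",
    "2024-01-01T10:00:07 host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/su root",
    "2024-01-01T10:00:09 host1 su: pam_unix(su:session): session opened for user root by alice",
]


def build_index(lines, min_token_len):
    """Inverted index: token -> set of line numbers.

    Tokens shorter than min_token_len are dropped, which is exactly what
    Tip #2 warns about: with min_token_len=3 the token 'su' is never indexed.
    """
    index = defaultdict(set)
    for lineno, line in enumerate(lines):
        for tok in re.findall(r"\w+", line.lower()):
            if len(tok) >= min_token_len:
                index[tok].add(lineno)
    return index


def search_phrase(index, phrase):
    """Line numbers containing every token of the phrase (simple AND query)."""
    hits = [index.get(t, set()) for t in phrase.lower().split()]
    return sorted(set.intersection(*hits)) if hits else []


def sign_lines(lines, key):
    """Append an HMAC-SHA256 tag to each line (Tip #6: signed logs at rest)."""
    return [
        f"{line} sig={hmac.new(key, line.encode(), hashlib.sha256).hexdigest()}"
        for line in lines
    ]


def verify_lines(signed, key):
    """Return indices of lines whose stored tag no longer matches their content."""
    bad = []
    for i, record in enumerate(signed):
        body, _, tag = record.rpartition(" sig=")
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            bad.append(i)
    return bad
```

With a 3-character minimum, `search_phrase(build_index(SAMPLE_LOGS, 3), "su root")` returns nothing, while a 2-character minimum finds both su events; editing a signed line makes `verify_lines` report it.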