The Importance of SIEM
Security Information and Event Management (SIEM) tools can automatically alert admins of malicious events in real time by detecting suspicious behavior in the logs of a single computer or networking device, or by correlating the events in the logs of multiple devices.
The Limitations of SIEM
SIEM tools require constant tuning as do most signature-based security controls because they miss some malicious activities (i.e., false negatives) and they erroneously alert on some non-malicious events (i.e., false positives). In addition, by employing an expensive SIEM solution and dedicating one or more employees to manage it, some organizations can experience a false sense of security that all threats are being found.
Vidder's SIEM Recommendations
Vidder strongly recommends using SIEM tools for automated log analysis.
Organizations should select a SIEM product based on organization size and number of remote offices. Larger enterprises with a number of remote offices will require a remote summarization feature. Smaller organizations on the other hand may require less expensive solutions with fewer features.
Organizations should also consider choosing a SIEM that doubles as an application availability and performance monitor.
Also, Vidder recommends that admins ensure that all log repositories have adequate storage space for the logs generated on a regular basis so that log files will not fill up between log-rotation intervals.