SIEM Questions

Ertugrul Akbas
2 min read · Aug 7, 2023


When selecting a SIEM, there are three crucial questions:

1- Can I retain logs live (hot) for years (at least one year), how much disk space would that require, and what would the disks cost?
In other words, does it have Forensic Analysis and Investigation capability?
2- How advanced is its threat detection capability?
3- Can it perform Real-Time Event Correlation?
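Question 1 is a sizing question, so here is a small hot-retention model as an added example (not from the article). Every figure in it (EPS, event size, index overhead, compression, replication, price per TB) is a constructed assumption to be replaced with measured values from your own environment.

```python
"""Hot (live) retention sizing for a SIEM.

Added example; all numeric inputs below are constructed assumptions,
not figures from the article or from any vendor.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
TB = 1024 ** 4  # bytes in one tebibyte


@dataclass(frozen=True)
class RetentionProfile:
    events_per_second: float   # sustained average ingest rate (EPS)
    avg_event_bytes: float     # raw size of one event as received
    index_overhead: float      # indexed size / raw size, e.g. 1.5 = indexes add 50%
    compression_ratio: float   # (raw + index) bytes / bytes actually stored, e.g. 4.0 = 4:1
    replication_factor: int    # copies kept for availability, 1 = no replication
    headroom: float            # fraction kept free for growth and index merges


def stored_bytes_per_day(p: RetentionProfile) -> float:
    """Bytes that reach disk for one day of ingest after indexing, compression and replication."""
    raw = p.events_per_second * SECONDS_PER_DAY * p.avg_event_bytes
    indexed = raw * p.index_overhead
    on_disk = indexed / p.compression_ratio * p.replication_factor
    return on_disk * (1 + p.headroom)


def hot_storage_tb(p: RetentionProfile, retention_days: int) -> float:
    """Disk needed to keep `retention_days` of logs searchable online, in TB."""
    return stored_bytes_per_day(p) * retention_days / TB


def hot_storage_cost(p: RetentionProfile, retention_days: int, usd_per_tb: float) -> float:
    """Disk cost for that retention at a given fully loaded price per TB."""
    return hot_storage_tb(p, retention_days) * usd_per_tb


def affordable_hot_days(p: RetentionProfile, budget_usd: float, usd_per_tb: float) -> int:
    """The inverse question: how many days of hot retention a disk budget buys."""
    usd_per_day = stored_bytes_per_day(p) / TB * usd_per_tb
    return int(budget_usd // usd_per_day)


if __name__ == "__main__":
    # Constructed mid-size environment: 5k EPS, 500-byte events, 2 replicas.
    profile = RetentionProfile(5_000, 500, 1.5, 4.0, 2, 0.2)
    print(f"one year hot: {hot_storage_tb(profile, 365):.1f} TB")
    print(f"at $1500/TB:  ${hot_storage_cost(profile, 365, 1_500):,.0f}")
    print(f"$100k buys:   {affordable_hot_days(profile, 100_000, 1_500)} days")
```

Compare the one-year figure against the vendor's licensing or cloud storage quote; if the days a realistic budget buys fall well short of 365, the product does not meet question 1 regardless of its feature list.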

Features such as Log Collection and Aggregation, Threat Intelligence Integration, Compliance Reporting, Data Visualization and Dashboards, Scalability and Flexibility, and Automation and Orchestration are generally provided in a similar manner by top-tier SIEM solutions, or at least the necessary support is available from the vendors.

Keeping live logs for years is now a best practice embraced by both governments and authoritative organizations in the field of cybersecurity [1,2,3]. Until a few years ago, these practices were not clearly articulated, leaving a gap. Experts in the field are now aware of its importance.

When it comes to catching threats, it takes some effort and time to delve into the details. On paper, every product may seem similar, but in practice there are undoubtedly differences. Detailed technical analyses are available in [4,5].

Without real-time correlation, even SOAR (Security Orchestration, Automation, and Response) will be of little benefit [6].

References:
[1] Executive Office of the President, Office of Management and Budget, "Memorandum for the Heads of Executive Departments and Agencies" (M-21-31), https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf
[2] MITRE, "11 Strategies of a World-Class Cybersecurity Operations Center", https://www.mitre.org/sites/default/files/2022-04/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf
[3] Kim Zetter, "The Untold Story of the Boldest Supply-Chain Hack Ever", Wired, https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/
[4] PeerSpot, "The Math of SIEM Comparison", https://www.peerspot.com/articles/the-math-of-siem-comparison
[5] Dr. Ertuğrul Akbaş, "The Importance of SIEM List, Watchlist Management, and Product Comparisons", Medium, https://medium.com/@drertugrulakbas/the-importance-of-siem-list-watchlist-management-and-product-comparisons-3f7cc3395d3f
[6] https://tales-from-a-security-professional.com/soar-the-beating-heart-of-every-security-department-or-shouldnt-it-be-3ec8565be514
