top of page
Coding Station

Add a 2nd or 3rd layer of protection to your SIEM

Adding a second or third vendor to your SIEM (Security Information and Event Management) can be a complex process, but it can also be a very effective way to enhance the security of your organization.

By carefully researching and evaluating potential vendor solutions, integrating them into your landscape, monitoring and optimizing their performance, you can ensure that your SIEM(s) provides the best possible protection for your organization

In the 2022 Gartner magic quadrant for "Security Information and Event Management" (SIEM) there are a number of vendors that are leading the way in making IT Organisations a safer place. Regardless of which one you use, the role of each vendor is the same, they provide the data and evidence needed to remediate threats.

The mechanics of how each of the vendors do this is much the same. They collect your logs and events, aggregate, apply numerous sets of rules in an attempt to discover threat related activity. Some vendors develop proprietary rules, whilst at least half of the quadrant allow the use of an open and generic signature format known as "Sigma".

Can we make a SIEM more effective, do we just trust the vendors to get it right??

Before you make such decision, here are some factors you need to consider:

  1. Determine the need for additional vendors: Before you begin the process of adding more vendors to your SIEM, it's important to understand why you need them. Are you looking to add additional security capabilities? Are you looking to improve the performance of your SIEM? Understanding the reasons for adding more vendors will help you make informed decisions about which vendors to add and how to integrate them into your system.

  2. Research potential vendors: Once you have determined the need for additional vendors, you should start researching potential options. Look for vendors that offer the security capabilities you need, have a good reputation, and have experience working with SIEM systems. It's also important to consider the cost and complexity of integrating each vendor into your SIEM.

  3. Evaluate vendor capabilities and compatibility: Before you make a final decision on which vendors to add to your SIEM, it's important to thoroughly evaluate their capabilities and compatibility with your existing system. This may involve testing the vendor's products in a lab environment or conducting a pilot deployment.

  4. Integrate the new vendors: Once you have selected the vendors you want to add to your SIEM, it's time to integrate them into your system. This process may involve configuring the vendor's products to work with your SIEM, integrating their data feeds, and testing to ensure everything is working as expected.

  5. Monitor and optimize: After you have added the new vendors to your SIEM, it's important to monitor their performance and optimize their integration to ensure they are providing the security capabilities you need. This may involve adjusting the configuration of the vendor's products or fine-tuning the integration with your SIEM.

Points 3, 4 and 5 above sound easy enough on paper, but shifting live data from source to destination can be expensive and difficult to configure during an evaluation. However, offer something very unique on the market today that makes this process seamless and risk free.

  1. includes SIEM and SOAR capabilities, as your data is collected and forwarded, its vetted against SIGMA rules automatically and in real time.

  2. introduces a Data Pipeline that allows you to run multi vendor without additional cost.

Option 1. Add a Data Pipeline that includes SIEM capabilities (based on Sigma)

Don't worry, it's simpler than you think. By introducing pipelines, you can regulate your data flow without any risk. The process is easy - just update agents or forwarders on the data sources to transfer data through and onto your existing SIEM, without any additional delay! With the added processing time from the SIEM rules, it will still take no longer than 2-3 seconds for your data to get from its source and into your SIEM. The benefit here is that you get two revisions of your data - it's like getting a free second opinion! The pipeline allows you to clean and regulate before forwarding, so the heavy lifting is done by Collection and Aggregation can be handled by

Option 2. Add a Data Pipeline that allows you to run multi vendor

Using the approach of option 1, running multiple SIEM vendors in parallel is also possible. This gives customers an additional set of eyes for a better and more secure environment. It also provides redundancy to prevent false positives and eliminate single points of failure.

2nd + 3rd opinions and the many other benefits

Introducing a pipeline can have multiple benefits, such as cost savings. A Pipeline is an efficient way of managing high volumes of data or events, as compared to the vendors in the Gartner diagram who typically charge based on volume or EPS (Events Per Second). This makes Pipelines a more cost-effective solution for handling large amounts of data.

Running multiple SIEMs in parallel can provide an extra layer of security and data accuracy. With multiple systems working together, they can cross-check each other's results to improve accuracy and reliability while also detecting a greater variety of threats from a wider set of data.

So you have one system, or maybe two. But what if one goes down? What if you have to respond to a disaster? Running multiple systems will give you redundancy and a disaster recovery plan. All of your security data is safe in a central location and stored long before it makes it way to the SIEM, making your compliance teams much happier.

By introducing a pipeline, you could save up to 90% of your current ingest costs and here is a blog to show you how. Running two or three SIEM solutions in parallel might not be as expensive as you think, especially if your costs today are driven by ingest volume. Make the switch today and start experiencing the benefits!

Thank you for reading. Please email for more information.


bottom of page