Vendor Selection Framework For Integration Of Threat Intelligence With SIEM

Here is a comprehensive checklist to Evaluate SIEM Vendors. We highly appreciate this community contribution.
by Sunil Soni, CISO, Punjab National Bank

Vendor Selection Framework For Integration Of Threat Intelligence With SIEM

Key Selection Criteria (Minimum):

Financial/business stability

  • Its legal status in India
  • Condition of financial health
  • Mode of presence in India (directly or through subsidiary or a Joint venture)
  • Is it an OEM (Original Equipment Manufacturer) or their authorized Representative in India
  • Financial turnover for last three years
  • Turn over from Information Security Business during last two years
  • Is there a legal action pending against them for any cause in any legal jurisdiction?
  • A minimum of 5 years of experience in Information Security Business (Including consulting, actual implementation and support thereafter)?
  • Availability of skilled staff to support proposed solution (CISA/CISSP/CISM and PMP)
  • Have they implemented at least one SIEM solution on the proposed solution, if not then on earlier versions of SIEM solution?
  • Unsatisfactory record in completion of any of the earlier contracts with the Bank ?
  • Have experience in implementation of enterprise-wide SOC?

( Read More: 5 Reasons Why You Should Consider Evaluating Security Information & Event Management (SIEM) Solution )

>> Compare Top SIEM Vendors: Click Here

Key Selection Criteria (Technical):


A. Capability

  • Capability to meet 24*7*365 support requirement
  • Availability of their DR Site?
  • Ability to handle any critical issue within least possible time?
  • The capability to monitor all kind of incidents?

B. Technical Criteria

  • Their ability to provide legal support
  • Capability to provide technical support on a continuous basis.
  • Their capability to scan all website of the Bank for malicious activities and its reporting using online dashboard
  • Ability to provide training to bank's staff
  • Capability to meet SLA as defined in RFP?

C. Tie-up arrangement with Service provider & Technical groups

  • How many Major leading browser developers (minimum 5), it has contact?
  • How many (Internet Service Providers) ISPs (Minimum 500). It has contact?
  • With how many ISPs (foreign countries) they have tie up with. (minimum 20 countries )
  • Is SI / OEM member of Anti Phishing Work Group / Data Security council?
  • Ability to provide training on SOC to at least 30 bank's official every 3 months
  • "Do they have Experience in Anti Phishing, Anti Pharming and anti Trojan services  (minimum 3 years)"

D. Validation of Customer Credentials

  • Provide number of customers using proposed / offered Anti Phishing services (minimum 5)
  • Provide number of phishing, pharming and Trojan incidents closed during last 1 year.
  • Provide number of Banking customers using proposed / offered malware scanning services.
  • Their readiness to adhere to secured flow of data from vendor to the client?
  • Their readiness to  provide undertaking to abide by security policy of the bank?
  • Ability to monitor the performance on a regular basis.

E. Responsiveness

  • How soon an incident can be closed by them?
  • How soon advisory service is provided by them on critical vulnerability?

( Read More: Comprehensive Salary Guide For Cyber Security Professionals: First Time Ever In India )

F. Communication

  • What is the native language spoken in the company? How many international languages, it is  able to communicate ?(minimum 9 languages should be supported)

G. Legal Service

  • Ability to provide legal support in the form of communication with CERT/Cyber Crime (with special permission from the Bank). 

H. Advisory Service

  • Ability to provide advisory service for online threats.
  • Ability to provide advisory service for intelligence alerts.
  • Ability to share article & white paper .
  • Ability to provide regular alerts on critical vulnerabilities.
  • Ability to provide advisory service for tools and other methods used by the fraudster against the Bank

I. DashBoard

  • Ability to provide display of high and low level reports
  • Ability to provide regular update of incidents
  • Ability to customized reports/ option to process adhoc queries
  • Capacity to download extracted data
  • Availability of screen shots of all phishing related incidents
  • Facility of case management with the flexibility to include comments from both the parties.
  • Ability to provide role based authentication to the dashboard .
  • Display of ongoing compliance status

J. Forensic Ability

  • Capability to provide forensics analysis
  • Ability to provide data for investigation purposes
  • Ability of extracting critical data
  • Ability to providing  critical information as per the nature of the incident
  • Ability to provide comprehensive analysis of incidents or data

K. Background Checking of Staff

  • Provide background of character & qualification of  proposed staff

L. Legal & Regulatory Compliance

  • Status of  compliance on income tax law and employment regulation
  • Status of complaine on  labour law i.e. minimum monthly pay salary, deduction, etc.

( Read More: Checklist To Evaluate A Cloud Based WAF Vendor )

>> Compare Top SIEM Vendors: Click Here

M. Capabilities of the Threat Intelligence Solution

  • Tapping Geo-location hopping vis-à-vis time zone
  • Ability to do device mapping (Screen resolution, Version of OS, Base Lining SDK)
  • Device identification vis-à-vis device mapping
  • Fraudlent devices to have an increased risk level
  • Global Information harvesting i.e. IP Reputaton, Web Reputation, Detail with respect to Drop zones, infection point, C & C servers controlling end points
  • Frequency of updation of rule in EFN (e-fraud network)
  • Services (Manuals or automated through scripts)
  • Blacklist feeds (General & specific to institution) & its frequency
  • Ability to check for web & mobile (SDK kit- Rogue mobile apps & ability to bring them down and Anti Rogue Apps
  • Checking of market campaign

N. Application Interface (API) Challenge

  • Issue / ability with API & its upgradation with SIEM dashboard
  • Ability to create a unified view

O. Solution Evaluation

  • To verify the working of offered solution at a live site (Cross check with the limited countries)
  • To validate technical adequacy of the offered configuration through a benchmark test. (Each  shortlisted vendor at his cost)
  • To get a bench marking test conducted, research/testing finding & report evaluated

How do you evaluate SIEM Vendors? Share with us in the comments below or write your own article here 

Views: 2279

Join the Discussion ...

You need to be a member of CISO Platform to join the discussion!

Join CISO Platform

© 2019   Created by CISO Platform.   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service