How would YOU architect a SIEM deployment for this FICTITIOUS (but real-world-inspired …) large corporate environment:
- About 30,000 events/second ongoing rate (this is NOT a peak rate, but a rate measured and then averaged over the course of 24 hours)
- 15 separate sites, most in US but some in Europe and Asia; a few datacenters and a few regional offices (large and small)
- Log source mix is a diverse blend of firewalls, network devices, NIPS, Windows servers, Unix/Linux servers, web proxies, and also web servers and select database servers
- Retention policy is 30 days for log data used for operational security analysis and 1 year for searchable full archives
- The use case is a combination of near-real-time monitoring (via correlation rules and whatever other analytic features the SIEM has) AND incident investigations (via searches, reports and whatever stored-data analytics the SIEM has), plus maybe some compliance reports to spice it up. The monitoring efforts will focus on outside attackers and malware as well as possible insider abuse.
- A few analysts will be using the tool simultaneously most of the time.
So, here is a mental exercise for you:
- How would you architect it?
- Where would you place the collectors? How many?
- How would you plan storage – single or distributed?
- Where will the main correlation system (or systems) be deployed?
- How will the system deal with outages in collection and maybe even storage?
- How will its performance be tracked over time?
- How will it scale with increasing volumes (logs tend to grow)?
- What OTHER information will you need to architect it?
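Before answering the storage, collector and scaling questions, it helps to turn the brief's numbers into a sizing model. The calculator below is an added example (not part of the original post) that works through the arithmetic: the 30,000 EPS figure is a 24-hour average, so collectors and buffers are sized on an assumed peak factor, while the two retention tiers (30 days operational, 1 year searchable archive) are sized on average volume with an assumed compression ratio and replica count. The per-site EPS split, the 500-byte mean event size, the 3x peak factor, the 25% annual growth and the 5,000 EPS per collector are all constructed assumptions; measure them in the real environment before trusting any output.

```python
"""SIEM capacity-planning calculator for the brief above (added example, assumptions marked)."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Assumptions:
    avg_event_bytes: int = 500       # assumed mean raw event size; measure it, do not guess it
    peak_factor: float = 3.0         # assumed peak/average EPS ratio (the 30k figure is a 24h average)
    hot_days: int = 30               # from the brief: operational security tier
    archive_days: int = 365          # from the brief: searchable full archive
    hot_ratio: float = 0.5           # assumed stored/raw ratio for the indexed hot tier (indexes eat compression)
    archive_ratio: float = 0.1       # assumed stored/raw ratio for the compressed archive
    hot_replicas: int = 2            # assumed: one copy must survive the loss of a storage node
    archive_replicas: int = 2        # assumed: same for the archive
    annual_growth: float = 0.25      # assumed log-volume growth per year
    collector_eps: int = 5000        # assumed sustained EPS one collector node can parse and forward


# Constructed site layout: 15 sites whose averages sum to the 30,000 EPS in the brief.
SITES = {
    "us-dc-east": 9000, "us-dc-west": 7000,
    "eu-dc-frankfurt": 4500, "apac-dc-singapore": 3000,
    **{f"us-office-large-{i}": 1000 for i in range(1, 6)},
    **{f"office-small-{i}": 250 for i in range(1, 7)},
}
TB = 1e12  # decimal terabytes, as storage vendors quote them


def daily_raw_bytes(eps: float, a: Assumptions) -> float:
    """Raw (uncompressed, unindexed) bytes ingested per day at a given average EPS."""
    return eps * a.avg_event_bytes * 86_400


def hot_tier_tb(eps: float, a: Assumptions) -> float:
    """Indexed operational tier: 30 days, replicated, with index overhead folded into hot_ratio."""
    return daily_raw_bytes(eps, a) * a.hot_days * a.hot_ratio * a.hot_replicas / TB


def archive_tier_tb(eps: float, a: Assumptions) -> float:
    """Searchable archive: 1 year, replicated, compressed."""
    return daily_raw_bytes(eps, a) * a.archive_days * a.archive_ratio * a.archive_replicas / TB


def projected_eps(eps: float, a: Assumptions, years: int) -> float:
    """Average EPS after `years` of compound growth; size hardware for the planning horizon, not today."""
    return eps * (1 + a.annual_growth) ** years


def collectors_for_site(avg_eps: float, a: Assumptions) -> int:
    """Collectors are sized on site PEAK, not average, and deployed N+1 so one can fail or be patched."""
    peak = avg_eps * a.peak_factor
    return math.ceil(peak / a.collector_eps) + 1


def outage_buffer_gb(avg_eps: float, a: Assumptions, hours: int = 24) -> float:
    """Local queue disk a site needs to hold peak traffic while the central tier or WAN link is down."""
    return avg_eps * a.peak_factor * a.avg_event_bytes * 3600 * hours / 1e9


def plan(sites: dict, a: Assumptions, years: int = 3) -> dict:
    """Roll the per-site and per-tier numbers into one sizing summary."""
    total = sum(sites.values())
    per_site = {site: collectors_for_site(eps, a) for site, eps in sites.items()}
    return {
        "avg_eps": total,
        "peak_eps": total * a.peak_factor,
        "hot_tb_now": hot_tier_tb(total, a),
        "archive_tb_now": archive_tier_tb(total, a),
        "hot_tb_after_growth": hot_tier_tb(projected_eps(total, a, years), a),
        "collectors": per_site,
        "total_collectors": sum(per_site.values()),
        "largest_site_buffer_gb": max(outage_buffer_gb(eps, a) for eps in sites.values()),
    }


if __name__ == "__main__":
    summary = plan(SITES, Assumptions())
    for key, value in summary.items():
        if key != "collectors":
            print(f"{key:>24}: {value:,.2f}" if isinstance(value, float) else f"{key:>24}: {value}")
    for site, n in summary["collectors"].items():
        print(f"  {site:<20} collectors (N+1): {n}")
```

Two things the numbers make obvious that the brief only implies: the hot tier is dominated by index overhead and replication rather than by raw volume, so the "30 days" figure is not the whole story; and a single WAN outage at the largest datacenter needs on the order of a terabyte of local queue per day, which is why collectors with disk-backed buffering at every site matter more than a big central box.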
By the way, if you tell me that one appliance will handle the entire environment and no other software/hardware will be needed, a filter will be implemented to send further communication to /dev/null
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.