I just did a full-day SIEM workshop (a SAS day) for a large enterprise client. While I cannot show our specific agenda (it is covered by an NDA), I can share some of the ideas and topics we explored via a mix of presentations and facilitated group discussions (about 15 people were present).
- Introduction to logging and dealing with logs, reasons for taking logs seriously, common log types, etc.
- Introduction to SIEM tools, their functionality, SIEM market (via Magic Quadrant), common use cases, tool deployment approaches, architecture
- Common and essential SIEM processes and practices, skills and roles for people involved with a SIEM, security monitoring process success tips
- Review of current logging and log management across the organization, who uses what data, who collects data and in what system
- Future goals for this area, requirements and challenges with what is logged and how logs are treated today (and of past log/SIEM projects)
- Discussion about current vs desired future state, challenges with current ways of dealing with logs, ultimate goals and “Phase 1” goals
- Logging and compliance, known regulatory and other external mandates, common requirement interpretations, what other organizations are doing
- Review of current compliance logging, log sources, tools used, processes in place, teams involved
- Discussion about “Mandate 1” and “Mandate 2” [sorry, cannot disclose the details] security monitoring requirements and the SIEM's role in addressing these requirements at the organization
- SIEM/security monitoring delivery options: internal, outsourced, co-sourced, managed, hybrid; pros/cons, ways to compare and choose
- SIEM RFP elements and approaches to total SIEM program cost estimation, review of Gartner SIEM RFP toolkit
- Joint creation of project outline and approach to addressing the challenges, recommendations, conclusions, etc.
If you are a Gartner client and would like in-depth full-day guidance on acquiring, deploying and/or operating a SIEM tool effectively, please get in touch with your friendly neighborhood Gartner sales person. I’d be happy to do a similar customized workshop for your organization as well. And, no, I don’t know how much we charge for it.
Related SIEM posts:
- On SIEM Deployment Evolution
- On People Running SIEM
- On SIEM Processes/Practices
- On Large-scale SIEM Architecture
- Some of the Big SIEM Questions
- My Upcoming SIEM Research
- All posts tagged SIEM