Gartner Blog Network


Fun Challenges with SIEM Use Cases

by Anton Chuvakin  |  November 11, 2015  |  6 Comments

Often I save the solutions for our Gartner GTP papers, but I blog about the challenges. No, this won’t be a post [eh…. a short trilogy of no more than 3000 pages?] on all the ways of SIEM FAIL (look here for this); the idea here is to focus on use case-related troubles and problems with SIEM and security monitoring.

  1. Canned or vendor-imposed SIEM use cases only — this essentially means that you are using the power of SIEM with one hand (well, maybe both?) tied behind your back. It will work, for sure, but the value most likely won’t be maximized for you.
  2. No consistent mechanism for “converting” vague problems into precise SIEM use cases — basically, a broken use case discovery process means you will solve only the easy and already-specific problems (like “see if anybody connects to our payment card database at night”).
  3. Driving use cases from available data alone — an input-driven SIEM (as opposed to an “output-driven” one) may work, with some luck, but overall we see more value and more happiness with an output-driven SIEM approach.
  4. Hero-driven use cases — while not truly problematic, this just does not pass the legendary “bus test”: if only one person owns all SIEM usage, and nobody else has a clue, what happens if this sole hero is hit by a bus – or ?
  5. Overly burdensome use case process — sure, some of us like the “SIEM content as code” model, but this does not mean that a change to a correlation rule should take 3 weeks and 11 gates in the project….

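To make point 2 concrete, here is what the “easy and specific” example from the list looks like once it has actually been converted into a precise use case. This is an added example, not code from the post or from any SIEM product; the host names, user names, audit-log format, business-hours window and timezone are all assumptions made for illustration. The point it demonstrates is that even the “easy” problem needs a data source, an asset scope, a time window with a timezone, a known-exception list and a defined output before a SIEM can run it, and that deciding “connects” means successful logins (failed logins are a different use case).

```python
"""Added example (not from the original post): turning the vague problem
"see if anybody connects to our payment card database at night" into a
precise, testable SIEM use case.

Everything below (host names, users, log format, business hours, timezone)
is an assumption for illustration, not a real environment.
"""
from datetime import datetime, time, timedelta, timezone

# Assumed asset scope: the in-scope PCI database hosts.
PCI_DB_HOSTS = {"pci-db-01", "pci-db-02"}
# Assumed business hours, stated in the assumed local timezone (UTC-5).
# "Night" must be defined in local time; audit logs usually arrive in UTC.
LOCAL_TZ = timezone(timedelta(hours=-5))
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
# Assumed known exception: the nightly backup service account.
ALLOWED_OFF_HOURS_USERS = {"svc_backup"}
# Precise meaning of "connects": a successful login, not an attempt.
EVENT_OF_INTEREST = "login_success"

# Constructed DB audit lines in an assumed format:
#   <ISO-8601 timestamp with offset> host=<h> user=<u> event=<e> src=<ip>
SAMPLE_LOG = [
    "2015-11-11T15:30:00+00:00 host=pci-db-01 user=alice event=login_success src=10.1.2.3",
    "2015-11-11T07:05:00+00:00 host=pci-db-01 user=svc_backup event=login_success src=10.1.9.9",
    "2015-11-11T07:14:00+00:00 host=pci-db-02 user=bob event=login_success src=10.1.2.7",
    "2015-11-11T07:20:00+00:00 host=hr-db-01 user=bob event=login_success src=10.1.2.7",
    "2015-11-11T23:59:00+00:00 host=pci-db-01 user=carol event=login_failed src=198.51.100.5",
    "2015-11-12T00:30:00+00:00 host=pci-db-01 user=carol event=login_success src=198.51.100.5",
]


def parse_line(line):
    """Parse one audit line into a dict with a timezone-aware datetime."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts_text)
    return fields


def is_off_hours(ts):
    """True if the event happened outside business hours in local time."""
    local_t = ts.astimezone(LOCAL_TZ).time()
    return not (BUSINESS_START <= local_t < BUSINESS_END)


def detect_off_hours_pci_access(lines):
    """The use case as a rule: every filter is an explicit, documented decision."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec["host"] not in PCI_DB_HOSTS:          # asset scope
            continue
        if rec["event"] != EVENT_OF_INTEREST:        # what "connects" means
            continue
        if not is_off_hours(rec["ts"]):              # what "night" means
            continue
        if rec["user"] in ALLOWED_OFF_HOURS_USERS:   # known exceptions
            continue
        alerts.append({                              # defined output
            "user": rec["user"],
            "host": rec["host"],
            "src": rec["src"],
            "local_time": rec["ts"].astimezone(LOCAL_TZ).strftime("%Y-%m-%d %H:%M"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_off_hours_pci_access(SAMPLE_LOG):
        print("ALERT off-hours PCI DB login:", alert)
```

Run against the constructed log, the rule fires twice (bob at 02:14 local and carol at 19:30 local on the 11th) and stays quiet for the daytime login, the backup account, the out-of-scope HR database and the failed login. Note that the carol event arrives with a 12 November UTC timestamp; a rule written against raw UTC “night” hours would have classified it differently, which is exactly the kind of ambiguity the use case discovery process has to resolve before the rule is written.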
What are YOUR SIEM use case challenges?!

Category: monitoring  security  siem  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Fun Challenges with SIEM Use Cases


  1. Glen Sharlun says:

    Anton,
    If you really wanted to blow the roof off of this topic, I am fairly certain that I could assemble 4-5 of the best use-case engineers on the planet, with 15 years of in-the-trenches experience, for a 60 minute call.
    You and I should have a 15 minute conversation.
    Cheers & Godspeed,
    Glen

  3. jeanette sjoberg says:

    Hi Anton,
    Regarding your blog back in July on Cloud SIEMs – did you do any further investigation on offerings and particularly those that support both Azure and AWS?
    Kind regards
    Jeanette
    07710461347




Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.