Gartner Blog Network


Starting A SIEM Project from Vendor Use Case Content: WIN or FAIL?

by Anton Chuvakin  |  December 2, 2015  |  7 Comments

Can I run my SIEM project exclusively with the use case content (including rules, reports, alerts, dashboards, algorithms) provided by my SIEM vendor?

Short answer: YES, as long as you START there, rather than FINISH there.

Longer answer: Indeed, many organizations have successfully built their monitoring capabilities (whether SIEM-centric or focused on other monitoring and security analytics tools) starting from the canned content delivered with their SIEM or other tool. The better SIEM vendors have spent 15+ years serving customers (even if, for some of them, primarily their compliance needs; a useful reminder: SIEM technology predates The Compliance Years of Infosec, which I’d put at roughly 2003-2008), and a lot of great content got developed along the way. Some of it, BTW, is pretty “evergreen”: a pattern of login failures followed by a successful login was relevant in 1999 and is still relevant in 2015.
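To make that “evergreen” pattern concrete, here is an added example (not from the original post and not any vendor’s shipped rule) of the correlation logic in Python: N failed logins from one source IP followed by a successful login within a time window. The log line format, the field names and the default threshold/window are assumptions, and the sample lines are constructed; those two parameters are exactly the knobs that canned content ships with defaults for and that a site ends up tuning.

```python
"""Minimal 'failures then success' correlation rule over constructed log lines.

Added example; the syslog-like format below is an assumption, not a real
product's schema:
    <ISO timestamp> <host> sshd: <Failed|Accepted> password for <user> from <ip>
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input (not real logs). The last line deliberately does not
# match the pattern, to show that unparsed lines must be counted, not ignored.
SAMPLE_LOG = """\
2015-12-02T10:00:01 web01 sshd: Failed password for root from 203.0.113.5
2015-12-02T10:00:03 web01 sshd: Failed password for root from 203.0.113.5
2015-12-02T10:00:05 web01 sshd: Failed password for admin from 203.0.113.5
2015-12-02T10:00:07 web01 sshd: Failed password for admin from 203.0.113.5
2015-12-02T10:00:09 web01 sshd: Failed password for admin from 203.0.113.5
2015-12-02T10:00:12 web01 sshd: Accepted password for admin from 203.0.113.5
2015-12-02T10:05:00 web01 sshd: Failed password for alice from 198.51.100.7
2015-12-02T10:20:00 web01 sshd: Accepted password for alice from 198.51.100.7
2015-12-02T11:00:00 db01 sshd: Accepted password for bob from 192.0.2.9
2015-12-02T11:30:00 web01 sshd: Connection closed by 203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    outcome: str  # "Failed" or "Accepted"
    user: str
    ip: str


def parse(lines):
    """Return (events, unparsed_count). Unparsed lines are a feasibility signal:
    a rule that silently drops half its input looks like it works but does not."""
    events, unparsed = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            if line.strip():
                unparsed += 1
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                            m["outcome"], m["user"], m["ip"]))
    return events, unparsed


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Fire one alert when an Accepted login from an IP follows at least
    `threshold` Failed logins from the same IP inside `window`."""
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures in window
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent_failures[ev.ip]
        while q and ev.ts - q[0] > window:  # expire failures outside the window
            q.popleft()
        if ev.outcome == "Failed":
            q.append(ev.ts)
        elif len(q) >= threshold:
            alerts.append({"ip": ev.ip, "user": ev.user, "host": ev.host,
                           "failures": len(q), "at": ev.ts.isoformat()})
            q.clear()  # one alert per burst; do not re-fire on the next success
    return alerts


def run_rule(log_text, threshold=3, window=timedelta(seconds=60)):
    """Convenience wrapper: parse then correlate; returns (alerts, unparsed_count)."""
    events, unparsed = parse(log_text.splitlines())
    return correlate(events, threshold, window), unparsed


if __name__ == "__main__":
    alerts, unparsed = run_rule(SAMPLE_LOG)
    print(f"{len(alerts)} alert(s), {unparsed} unparsed line(s)")
    for a in alerts:
        print(a)
```

With the defaults (3 failures in 60 seconds) only the burst from 203.0.113.5 against `admin` fires; alice’s single typo 15 minutes before her successful login does not. Loosen the knobs to `threshold=1, window=timedelta(minutes=30)` and alice becomes a second alert, which is the canned-content problem in miniature: the rule is fine, the defaults decide whether it is signal or noise in your environment.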

However, WIN happens if you start there, while FAIL [or at least failure to realize the full value of SIEM technology] happens when you assume that vendor content is all you will ever need from your SIEM. Most mature SIEM users report that their most valuable use cases were site-specific, custom, or at least heavily customized. If “SIEM saved your bacon” too, think about those situations: was it canned vendor content that did it, or something you put together in a coffee-fueled haze? :-)

Now, think about these two EXTREME approaches to use case development:

  1. PRIORITY-CENTRIC: we will do first what is of TOP PRIORITY. This leads to people starting with, say, SAP logs, learning FAIL first-hand because it is so damn hard to start there, and then questioning SIEM value.
  2. FEASIBILITY-CENTRIC: we will do first what is EASY and does not require any changes to the tool, log sources, etc. This leads to people solving problems they don’t really care to solve, and then questioning SIEM value.

One vendor recently told me the story of a customer who wanted to know the best use cases for SIEM if he has “only firewall logs and only two hours” (see also this classic post)…

If both extremes are bad, what works? This:

[Figure: SIEM-prio-vs-feas]

So, yes, START from vendor use case content, but DO rank it by means of your risk/threat assessment, compliance requirements, etc. – see this for details! Also, link the use cases you keep to your security operations processes, such as alert triage and, ultimately, incident response (IR). Decide which ones you will actually act on, and keep (and refine) those. Next, as you learn the tool, move to juicier problems that require more content authoring. And, no, not all of them will need a SIEM – you may need UBA / UEBA, EDR / ETDR, etc. Ahem… even DLP… maybe.


Category: monitoring  security  siem  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Starting A SIEM Project from Vendor Use Case Content: WIN or FAIL?


  1. […] answer: Why am I even writing about EDR, for gods’ sakes?! Shouldn’t I be focused on SIEM use cases? Well, I am – but one of the recent EDR-focused clients calls (and, mind you, they happen very […]

  2. Dori Fisher says:

    From my experience the big question is if you are implementing a SIM or a SEM.
    As SEM is about responding to alerts, out of the box will give you too many false positives and won’t allow you to de-clutter your environment.
    As SIM is about reporting and forensics, that can actually work.
    The first thing we do in every SIEM implementation is to turn off the out of the box content in order to focus on relevant actionable alerts.

    • Thanks for the comment. While I’ve done much the same thing (“kill all canned content day 1”) in some past engagements, this works when a smart SIEM consultant [like, well, you or me in the past :-)] is present on-site. For many less mature clients, this is not an option. They need usable content day 1….

      • Dori Fisher says:

        Anton – I think it all depends on what content you are enabling, enabling OOB dashboards and reports is fine, but rules require more thought as getting too many alerts won’t really help.
        Also, IMHO, orgs that do not plan a minimum of 200 hours for planning/implementation (very small turn-key project) shouldn’t invest in a SIEM – but that’s just my opinion.

  3. Dori Fisher says:

    Anton, I guess 200 hours for organizations that plan OOB content SIEM implementation. ;)

    Also, BTW, as we both know, there are very large clients with small SIEM implementations and some very small clients with large SIEM implementations; also, what you choose to audit and your audit policy can change 1000 servers from 1000 EPS to 100,000 EPS.



