Anton Chuvakin

A member of the Gartner Blog Network

Entries Categorized as 'SIEM'

SIEM/ DLP Add-on Brain?

by Anton Chuvakin  |  February 27, 2015  |  Submit a Comment

Initially I wanted to call this post “SIEM has no brains”, but then questioned such harshness towards the technology I’ve been continuously loving for 13 years In any case, my long-time readers may recall this post called “Pathetic Analytics Epiphany!” (from 5 years ago) [and this one from 8] where I whine incessantly about the […]

Submit a Comment »

Category: analytics big data future logging monitoring network forensics security SIEM     Tags:

Those Pesky Users: How To Catch Bad Usage of Good Accounts

by Anton Chuvakin  |  February 19, 2015  |  3 Comments

Gartner says “Malware Is Already Inside Your Organization; Deal With It.” But you know what? I wish it were just stupid malware (well, some is not so stupid): via a plethora of remote access methods, human attackers are also inside. BTW, I don’t mean the actual “insiders”, seemingly nobody cares about those nowadays :–) Result? […]


Category: analytics big data insider monitoring security SIEM     Tags:

Do You Want “Security Analytics” Or Do You Just Hate Your SIEM?

by Anton Chuvakin  |  January 26, 2015  |  6 Comments

Now that I’ve taken a fair number of “security analytics” client inquiries (with wildly different meanings of the phase), I can share one emerging pattern: a lot of this newly-found “analytics love” is really old “SIEM hatred” in disguise. A 101% fictional and slightly over-dramatized conversation goes like this: Analyst: you said you wanted security […]


Category: analytics monitoring security SIEM     Tags:

Should I Use “SIEM X” or “MSSP Y”?

by Anton Chuvakin  |  December 16, 2014  |  4 Comments

Lately I’ve been surprised by some organizational decision-making as they think about their sourcing choices for security monitoring. Specifically, some organizations want to decide between “SIEM Brand X” and “MSSP Brand Y” before they decide on the model – staffed in-house, managed, co-managed, outsourced, etc. While on some level this makes sense (specifically, on a […]


Category: monitoring MSSP security SIEM     Tags:

My UPDATED “SIEM Technology Assessment and Select Vendor Profiles” Publishes

by Anton Chuvakin  |  September 19, 2014  |  Comments Off

My other SIEM paper is updated as well: “SIEM Technology Assessment and Select Vendor Profiles.” It contains updated SIEM technology overview, some fun new trends, and refreshed vendor profiles. Here is how you can use all my recent SIEM stuff: What Do You Want? My SIEM paper to read Figure how to buy the right […]

Comments Off

Category: announcement security SIEM     Tags:

My UPDATED “Security Information and Event Management Architecture and Operational Processes” Publishes

by Anton Chuvakin  |  September 15, 2014  |  5 Comments

Finally, I completed an epic update to my 2012 paper “Security Information and Event Management Architecture and Operational Processes.” I think of this paper, interchangeably, as of “SIEM’s missing manual” or a “SIEM bible” … It now has expanded SIEM process guidance, new detailed use cases, more SIEM metrics, updated SIEM maturity framework and other […]


Category: announcement security SIEM     Tags:

SIEM Real-time and Historical Analytics Collide?

by Anton Chuvakin  |  July 30, 2014  |  4 Comments

SIEM technology has evolved to a point where conflicting requirements are starting to tear it apart – and I am not the only one to observe that. See here: Just as at its birth in the late 1990s, today’s SIEM must excel at real-time analysis using rule-based correlation and other methods and analyze thousands of […]


Category: analytics monitoring security SIEM     Tags:

SIEM and Badness Detection

by Anton Chuvakin  |  July 24, 2014  |  5 Comments

A long time ago, in a galaxy far far away … at the very dawn of my security career I attended a presentation by somebody who is now a notable incident response expert. Well … who am I kidding? He was a notable IR expert back in 2000, way…way before IR was cool and way […]


Category: analytics security SIEM     Tags:

My Blueprint for Designing a SIEM Deployment Publishes

by Anton Chuvakin  |  July 22, 2014  |  4 Comments

Another new document on SIEM that I wrote just published: Blueprint for Designing a SIEM Deployment. “Planning a distributed enterprise SIEM deployment is challenging for information security teams at many organizations. This Blueprint shows the architecture and timeline for an enterprise security information and event management deployment and highlights key tasks for each stage. “ […]


Category: announcement security SIEM     Tags:

“Stop The Pain” Thinking vs the Use Case Thinking

by Anton Chuvakin  |  July 17, 2014  |  3 Comments

“Hello, I am your anti-virus program. Which specific viruses would you like me to kill today? Enter names here: [……..]” While I don’t recall the exact state of the art of anti-virus back in the late 1980s, I do not remember any anti-virus program ever asking such a question. The technology originated in response to […]


Category: philosophy security SIEM     Tags: