Blog post

My Upcoming SIEM Research

By Anton Chuvakin | July 13, 2012 | 3 Comments


Am I hallucinating or is SIEM really evolving back to its original security roots, slowly weaning off its compliance addiction?  We still see (SIEM MQ 2012) a large percentage of SIEM deployments is compliance driven and funded, but I have this uncanny feeling that more people are actually buying and using SIEM for detecting, investigating and even discovering malicious activities. More SOCs are getting built again (whether real or virtual ones) and more people do security data analysis  (not necessarily BIG DATA, by the way, but “small data” can be a bitch too if you are not used to that sort of thing).

Of course, I  predicted that it would happen a few years ago, but I admit that it was a bit of wishful thinking on my part. Compliance ailment progressed too far (BTW, this does not mean that compliance is bad – I just like the analogy) and I hoped, but not expected, that the patient will recover that quickly. I guess that Chinese medicine – sometimes called APT – helped. Smile

In any case, I am starting my Q3 research project, and I am back to my original stomping ground – Security Information and Event Management (SIEM). This quarter I will create two research reports related to SIEM deployment and operation to update the GTP/former Burton SIEM coverage.  One report will be more market-focused and the other will be more technology and architecture focused.

My key focus areas are emerging to be:

  • SIEM tool architecture and how vendor’s architecture decisions affect the deployment and operation of a SIEM tool.
  • Large scale SIEM deployment architecture, how it evolves, expands and what are the factors that make it deliver useful results.
  • Key SIEM operational processes, including the development of a minimum set of essential SIEM practices and processes (without which a SIEM project is guaranteed to FAIL).

So, here is my call to action:

  • Vendors, got anything to say about it?  Here is a briefing link … you know what to do Smile
  • Enterprises, got a SIEM story – either a WIN story or a FAIL story – to share? Hit the comments or email me privately (Gartner client NDA will cover it, if you are a client).
  • SIEM-focused consultants, got a SIEM story (“inspired by” your recent project) to share? I’d love to hear it as well!

And, yes, watch this space for more questions and comments, as I delve deeper into SIEM architecture.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Peter M says:

    What kind of wins are you looking for? Catching the bad guy wins or detecting operational issues that saved money? Or relative to what you will be researching, wins from setting up the roles and processes before implementing a SIEM?

  • Actually, any kind – from successful tool deployment that works, to successful process/workflow designs, to catching the bad guys, to other useful results stemming from a SIEM.

  • Addendum to my call to action:
    * SIEM-focused consultants, got a SIEM story – either a WIN story or a FAIL story – to share? Hit the comments or email me privately (Gartner client NDA will cover it, if you are a client).