Gartner Blog Network


My Upcoming SIEM Research

by Anton Chuvakin  |  July 13, 2012  |  4 Comments

Am I hallucinating or is SIEM really evolving back to its original security roots, slowly weaning off its compliance addiction? We still see (SIEM MQ 2012) that a large percentage of SIEM deployments are compliance-driven and funded, but I have this uncanny feeling that more people are actually buying and using SIEM for detecting, investigating and even discovering malicious activities. More SOCs are getting built again (whether real or virtual ones) and more people do security data analysis (not necessarily BIG DATA, by the way, but “small data” can be a bitch too if you are not used to that sort of thing).

Of course, I predicted that it would happen a few years ago, but I admit that it was a bit of wishful thinking on my part. Compliance ailment progressed too far (BTW, this does not mean that compliance is bad – I just like the analogy) and I hoped, but did not expect, that the patient would recover that quickly. I guess that Chinese medicine – sometimes called APT – helped. :)

In any case, I am starting my Q3 research project, and I am back to my original stomping ground – Security Information and Event Management (SIEM). This quarter I will create two research reports related to SIEM deployment and operation to update the GTP/former Burton SIEM coverage.  One report will be more market-focused and the other will be more technology and architecture focused.

My key focus areas are emerging to be:

  • SIEM tool architecture and how vendors’ architecture decisions affect the deployment and operation of a SIEM tool.
  • Large-scale SIEM deployment architecture: how it evolves and expands, and which factors make it deliver useful results.
  • Key SIEM operational processes, including the development of a minimum set of essential SIEM practices and processes (without which a SIEM project is guaranteed to FAIL).

So, here is my call to action:

  • Vendors, got anything to say about it?  Here is a briefing link … you know what to do :)
  • Enterprises, got a SIEM story – either a WIN story or a FAIL story – to share? Hit the comments or email me privately (Gartner client NDA will cover it, if you are a client).
  • SIEM-focused consultants, got a SIEM story (“inspired by” your recent project) to share? I’d love to hear it as well!

And, yes, watch this space for more questions and comments, as I delve deeper into SIEM architecture.


Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on My Upcoming SIEM Research


  1. Peter M says:

    What kind of wins are you looking for? Catching the bad guy wins or detecting operational issues that saved money? Or relative to what you will be researching, wins from setting up the roles and processes before implementing a SIEM?

  2. Actually, any kind – from successful tool deployment that works, to successful process/workflow designs, to catching the bad guys, to other useful results stemming from a SIEM.

  3. Addendum to my call to action:
    * SIEM-focused consultants, got a SIEM story – either a WIN story or a FAIL story – to share? Hit the comments or email me privately (Gartner client NDA will cover it, if you are a client).


Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.