Am I hallucinating or is SIEM really evolving back to its original security roots, slowly weaning itself off its compliance addiction? We still see (SIEM MQ 2012) that a large percentage of SIEM deployments are compliance driven and funded, but I have this uncanny feeling that more people are actually buying and using SIEM for detecting, investigating and even discovering malicious activities. More SOCs are getting built again (whether real or virtual ones) and more people do security data analysis (not necessarily BIG DATA, by the way, but “small data” can be a bitch too if you are not used to that sort of thing).
Of course, I predicted that this would happen a few years ago, but I admit that it was a bit of wishful thinking on my part. The compliance ailment had progressed too far (BTW, this does not mean that compliance is bad – I just like the analogy) and I hoped, but did not expect, that the patient would recover this quickly. I guess that Chinese medicine – sometimes called APT – helped.
In any case, I am starting my Q3 research project, and I am back to my original stomping ground – Security Information and Event Management (SIEM). This quarter I will create two research reports related to SIEM deployment and operation to update the GTP/former Burton SIEM coverage. One report will be more market-focused and the other will be more technology and architecture focused.
My key focus areas are shaping up to be:
- SIEM tool architecture, and how vendors’ architecture decisions affect the deployment and operation of a SIEM tool.
- Large-scale SIEM deployment architecture: how it evolves and expands, and what factors make it deliver useful results.
- Key SIEM operational processes, including the development of a minimum set of essential SIEM practices and processes (without which a SIEM project is guaranteed to FAIL).
So, here is my call to action:
- Vendors, got anything to say about it? Here is a briefing link … you know what to do.
- Enterprises, got a SIEM story – either a WIN story or a FAIL story – to share? Hit the comments or email me privately (the Gartner client NDA will cover it, if you are a client).
- SIEM-focused consultants, got a SIEM story (“inspired by” your recent project) to share? I’d love to hear it as well!
And, yes, watch this space for more questions and comments, as I delve deeper into SIEM architecture.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.