As I mentioned, I am working on two SIEM reports this quarter. Here are some of the questions I will be trying to answer:
- How do large enterprise SIEM deployments grow and evolve?
- What choices made early in the deployment process can make the whole project more successful?
- What is the best phased approach for growing a SIEM deployment?
- What data should be loaded first (based on a set of specific use cases)?
- What are large enterprise SIEM architecture choices? When each should be used?
- What are the processes and practices that MUST be in place to make a large SIEM deployment a success?
- Specifically, what is the absolute minimum “process bundle” without which a SIEM is guaranteed to FAIL? (think incident response, for example)
- What people (skills, roles, etc) should be involved in running and using a SIEM?
- In general, what do I need to run a SIEM productively over a long period of time?
- What ongoing product/content customization has to be in place?
- How do vendor product architecture/technology choices affect large customer deployments?
- What help is available if SIEM is needed, but resources are not available locally?
I’d love to chat with a few organizations who operate such large deployments and receive briefings, and product demos from vendors focused on the above.
BTW, my next post will focus on some architecture decisions, and SIEM architecture dimensions.