As I mentioned, I am working on two SIEM reports this quarter. Here are some of the questions I will be trying to answer:
- How do large enterprise SIEM deployments grow and evolve?
- What choices made early in the deployment process can make the whole project more successful?
- What is the best phased approach for growing a SIEM deployment?
- What data should be loaded first (based on a set of specific use cases)?
- What are the large enterprise SIEM architecture choices, and when should each be used?
- What are the processes and practices that MUST be in place to make a large SIEM deployment a success?
- Specifically, what is the absolute minimum “process bundle” without which a SIEM is guaranteed to FAIL? (think incident response, for example)
- What people (skills, roles, etc.) should be involved in running and using a SIEM?
- In general, what do I need to run a SIEM productively over a long period of time?
- What ongoing product/content customization has to be in place?
- How do vendor product architecture/technology choices affect large customer deployments?
- What help is available if SIEM is needed, but resources are not available locally?
I’d love to chat with a few organizations who operate such large deployments, and to receive briefings and product demos from vendors focused on the above.
BTW, my next post will focus on some architecture decisions, and SIEM architecture dimensions.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.