Blog post

Some of the Big SIEM Questions

By Anton Chuvakin | July 18, 2012 | 0 Comments


As I mentioned, I am working on two SIEM reports this quarter. Here are some of the questions I will be trying to answer:


  • How do large enterprise SIEM deployments grow and evolve?
  • What choices made early in the deployment process can make the whole project more successful?
  • What is the best phased approach for growing a SIEM deployment?
  • What data should be loaded first (based on a set of specific use cases)?
  • What are large enterprise SIEM architecture choices? When each should be used?


  • What are the processes and practices that MUST be in place to make a large SIEM deployment a success?
  • Specifically, what is the absolute minimum “process bundle” without which a SIEM is guaranteed to FAIL? (think incident response, for example)
  • What people (skills, roles, etc) should be involved in running and using a SIEM?
  • In general, what do I need to run a SIEM productively over a long period of time?
  • What ongoing product/content customization has to be in place?


  • How do vendor product architecture/technology choices affect large customer deployments?
  • What help is available if SIEM is needed, but resources are not available locally?

I’d love to chat with a few organizations who operate such large deployments and receive briefings, and product demos  from vendors focused on the above.

BTW, my next post will focus on some architecture decisions, and SIEM architecture dimensions.

Related posts:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed