How would YOU architect a SIEM deployment for this FICTITIOUS (but real-world-inspired …) large corporate environment:
- About 30,000 events/second ongoing rate (this is NOT a peak rate, but a rate measured and then averaged over the course of 24 hours)
- 15 separate sites, most in US but some in Europe and Asia; a few datacenters and a few regional offices (large and small)
- Log source mix is a diverse blend of firewalls, network devices, NIPS, Windows servers, Unix/Linux servers, web proxies, and also web servers and select database servers
- Retention policy is 30 days for log data used for operational security analysis and 1 year for searchable full archives
- The use case is a combination of near-real-time monitoring (via correlation rules and whatever other analytic features the SIEM has) AND incident investigations (via searches, reports and whatever stored-data analytics the SIEM has), plus maybe some compliance reports to spice it up. The monitoring efforts will focus on outside attackers and malware as well as possible insider abuse.
- A few analysts will be using the tool simultaneously most of the time.
So, here is a mental exercise for you:
- How would you architect it?
- Where would you place the collectors? How many?
- How would you plan storage – single or distributed?
- Where will the main correlation system (or systems) be deployed?
- How will the system deal with outages in collection and maybe even storage?
- How will its performance be tracked over time?
- How will it scale with increasing volumes (logs tend to grow)?
- What OTHER information will you need to architect it?
By the way, if you tell me that one appliance will handle the entire environment and no other software/hardware will be needed, a filter will be implemented to send further communication to /dev/null.
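One way to start answering the storage, outage and scaling questions is a back-of-the-envelope capacity model. The block below is an added illustration, not part of the original post: it takes the rate and retention figures from the scenario (30,000 EPS averaged over 24 hours, 30 days operational, 1 year archive, 15 sites) and combines them with clearly labelled assumptions (average event size, peak-to-average factor, index overhead, archive compression, annual growth, tolerated collector outage) to size the hot tier, the archive tier, per-site collector buffers and the EPS the design must grow into.

```python
"""Back-of-the-envelope SIEM capacity model for the scenario in the post.

EPS, retention and site count come from the post; every other parameter is
an assumption and is marked as such. Change the assumptions to fit reality.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass
class SizingAssumptions:
    avg_eps: float = 30_000.0           # from the post: 24-hour averaged rate
    hot_days: int = 30                  # from the post: operational retention
    archive_days: int = 365             # from the post: searchable archive
    sites: int = 15                     # from the post
    peak_factor: float = 3.0            # assumption: bursts reach 3x the daily average
    avg_event_bytes: int = 500          # assumption: average raw event size in bytes
    hot_overhead: float = 1.5           # assumption: index + metadata on top of raw size
    archive_compression: float = 0.15   # assumption: compressed archive is 15% of raw
    growth_per_year: float = 0.25       # assumption: log volume grows 25% per year
    outage_hours: float = 8.0           # assumption: collectors must ride out an 8h WAN outage


def raw_bytes_per_day(a: SizingAssumptions) -> float:
    """Uncompressed, unindexed log volume ingested per day at the average rate."""
    return a.avg_eps * a.avg_event_bytes * SECONDS_PER_DAY


def hot_tier_bytes(a: SizingAssumptions) -> float:
    """Indexed storage for the 30-day operational window (raw plus index overhead)."""
    return raw_bytes_per_day(a) * a.hot_days * a.hot_overhead


def archive_tier_bytes(a: SizingAssumptions) -> float:
    """Compressed storage for the 1-year searchable archive."""
    return raw_bytes_per_day(a) * a.archive_days * a.archive_compression


def peak_eps(a: SizingAssumptions) -> float:
    """Rate the collectors and correlation engine must absorb during bursts."""
    return a.avg_eps * a.peak_factor


def collector_buffer_bytes(a: SizingAssumptions, site_share: float) -> float:
    """Local queue a site's collector needs to hold, at peak rate, while the
    central tier is unreachable; site_share is that site's fraction of total EPS."""
    return peak_eps(a) * site_share * a.avg_event_bytes * a.outage_hours * 3600


def projected_eps(a: SizingAssumptions, years: int) -> float:
    """Average EPS after compounding the assumed annual growth."""
    return a.avg_eps * (1 + a.growth_per_year) ** years


def tib(n_bytes: float) -> float:
    """Bytes to tebibytes, for readable output."""
    return n_bytes / 2 ** 40
```

Run with the defaults, the model gives roughly 1.2 TiB/day raw, about 53 TiB of indexed hot storage, about 65 TiB of compressed archive, and a site carrying 10% of the volume needing around 120 GiB of local buffer to survive an 8-hour outage at peak rate; each figure changes linearly with the assumption it depends on, which is the point of writing it down.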
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.