Blog post

On People Running SIEM

By Anton Chuvakin | August 09, 2012 | 8 Comments


As promised, this next post from my SIEM research project is about people. Over the course of my 10+ year (!) experience with SIEM technology, I have come across organizations that assumed that buying and deploying a SIEM tool is all they need to do for security monitoring. I wish I can say that the number of such occurrences has decreased over time, but, in reality, it has increased (probably because less mature organizations are now buying SIEM tools en masse).

In any case, let me repeat what I’ve said many times in the past: your investment in SIEM will be completely, totally, absolutely wasted if you don’t have smart people operating the tool on an ongoing basis (yes, “ongoing basis” really does mean forever).

There are multiple ways to rephrase it so that more people will hopefully get it. My teammate Ramon Krikken once called SIEM “a force multiplier” for security. If your “force” of security analysts is 0 before SIEM, then using a force multiplier will still leave it at zero. Another way to say it is that SIEM is not and will not be a “set and forget” technology and everybody who even hints that their SIEM is “set and forget” is a liar. Yet another way of saying it is: a security monitoring project or a SIEM project isn’t … a project. It is a process that you start and then improve over time – and never “complete” by reassigning people to other things. Or, as my esteemed colleague said, “the end result is that your monitoring simply can’t work without a sufficient supply of carbon-based life forms.

Still, I’m getting mixed reports about what percentage of organization buying SIEM tools only use them for simple log aggregation. Guess what, you can get log aggregation for 1/5-1/100 of a cost of SIEM. You can sometimes get it for free.

After this preface, let me follow with some questions that I’m trying to answer:

  • Based on a use case and deployment size, how many people do I need to run a SIEM well and get full value out of it?
  • What skills sets those people should possess?
  • What skills should be inside the core “SIEM team” and what skills can be borrowed from other parts of the organization?
  • What skills (such as an analyst and content developer) can and should be combined in one person?
  • How do those people evolve over time and gain their expertise?
  • Finally, where to go for help if you know you need the capability, but also know that you cannot hire, grow and retain those people?

As a final word, the best SIEM deployments I’ve seen that also brought the most value to organizations were run by teams of skilled, passionate, well-trained and dedicated intrusion analysts.

Any other questions I missed? Any answers?

Related posts:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Elba Stevenson says:

    How many change can you make to the SIEM tool in 24 hours, and how long will it take to impact the company?

  • James Voorhees says:

    The question of who should have access also needs to be raised. I pose that question with the following in mind:

    A SIEM sees everything on the network. Consequently, it can have value beyond looking for intrusions. So who should be able to view it? Who should be able to develop content for needs outside a strict security function?

  • @elba Sorry, didn’t quite get the question. What kinda changes to a SIEM?

    @james It should indeed. And a messy question it is: while I saw successful SIEM installs where network ops looks it, these are (in my experience) more of an exception than the rule. Sec teams owns and runs exclusively (for better or for worse) in most cases..

  • Garth Schwer says:

    I’m interested in how many employee hours per week is required for tuning for (say) a 1000 node SIEM installation.

    I’m an analyst who spends approximately 50% of my time doing SIEM performance monitoring and tuning BEFORE I can get around to actually investigating possible incidents.

    It would also be very interesting to make a tuning hours comparison across SIEM products to make a more informed choice on purchase.

  • Garth, thanks a lot for your question. Indeed, I plan to provide a framework for planning FTE/employee needs for running a SIEM well. It will depnd not just on nodes, but also on use (e.g. PCI DSS reports 1/week vs near-Real-time threat monitoring 24/7)

    >50% of tuning and 50% usage.

    So, either you physically has more work than 1 person can handle (likely) or your SIEM is not the right one/”broken” (less likely) tuning hours comparison across SIEM products

    Do you mean “performance tuning” or customizing content (reports, rules, etc)?

  • Garth Schwer says:

    Hi Anton,

    Good points on the compliance angle. I work as part of a managed security service team, and SIEM maintenance and first level response is my primary role.

    I would consider writing custom parsing rules, checking that agents are reporting correctly, adjusting/ writing alert rules, and monitoring the performance of the SIEM host machines and databases to be under the banner of “tuning”.

  • Garth, thanks again for the comment.

    Well, if you are on the MSSP side, you really can’t complain 🙂 You do that so that others don’t have to.

    In my report, I will definitely cover all of the broadly define tuning types. However, some of them are VERY different from others: e.g tuning backend DB for optimum performance is very different from writing a custom correlation rule. Very different skills and likely not combined in one person….

  • ncorrea says:

    A few questions for thought:
    1) Where do these people sit within the org and who set’s the team’s direction?
    2) What is the ‘business purpose’ of the SIEM as that may impact that skill set the team must have (ie. compliance vs. security)
    3) ** What is the balance between ideal and realistic in terms of number and skills of the team members ie. the SIEM deployment ideally has 10 ninja’s but realistically can only have 5 members who are SME’s but not ninja’s (I don’t know if you can really answer that one but maybe a break down of must have’s vs. nice to have’s might help?)