I just did a full-day SIEM workshop (a SAS day) for a large enterprise client. While I cannot show our specific agenda (it is covered by an NDA), I can share some of the ideas and topics we explored via a mix of presentations and facilitated group discussions (about 15 people were present).
- Introduction to logging and dealing with logs, reasons for taking logs seriously, common log types, etc.
- Introduction to SIEM tools, their functionality, SIEM market (via Magic Quadrant), common use cases, tool deployment approaches, architecture
- Common and essential SIEM processes and practices, skills and roles for people involved with a SIEM, security monitoring process success tips
- Review of current logging and log management across the organization, who uses what data, who collects data and in what system
- Future goals for this area, requirements and challenges with what is logged and how logs are treated today (and lessons from past log/SIEM projects)
- Discussion about current vs desired future state, challenges with current ways of dealing with logs, ultimate goals and “Phase 1” goals
- Logging and compliance, known regulatory and other external mandates, common requirement interpretations, what other organizations are doing
- Review of current compliance logging, log sources, tools used, processes in place, teams involved
- Discussion about “Mandate 1” and “Mandate 2” [sorry, cannot disclose the details] security monitoring requirements and the SIEM's role in addressing these requirements at the organization
- SIEM/security monitoring delivery options: internal, outsourced, co-sourced, managed, hybrid; pros/cons, ways to compare and choose
- SIEM RFP elements and approaches to total SIEM program cost estimation, review of Gartner SIEM RFP toolkit
- Joint creation of project outline and approach to addressing the challenges, recommendations, conclusions, etc.
If you are a Gartner client and would like in-depth full-day guidance on acquiring, deploying and/or operating a SIEM tool effectively, please get in touch with your friendly neighborhood Gartner sales person. I’d be happy to do a similar customized workshop for your organization as well. And, no, I don’t know how much we charge for it.
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.