Often I save the solutions for our Gartner GTP papers, but I blog about the challenges. No, this won’t be a post [eh…. a short trilogy of no more than 3000 pages?] on all the ways of SIEM FAIL (look here for this), the idea here is to focus on use case-related troubles and problems with SIEM and security monitoring.
- Canned or vendor-imposed SIEM use cases only — this essentially means that you are using the power of SIEM with one (well, maybe both?) hands tied behind your back. It will work, for sure, but it is most likely that the value won’t be maximized for you.
- No consistent mechanism for “converting” vague problems into precise SIEM use case — basically, a broken use case discovery process means you will solve only easy and specific problems (like “see if anybody connects to our payment card database at night”)
- Driving use case from available data alone — an input-driven SIEM (as opposed to “output-driven”) may work, with some luck, but overall we see more value and more happiness with an output-driven SIEM approach.
- Hero-driven use cases — while not truly problematic, this just does not pass the legendary “bus test”; if only one person owns all SIEM usage, and nobody else has a clue, what happens if this sole hero is hit by a bus – or ?
- Overly burdensome use case process — sure, some of us like “SIEM content as code” model, but this does not mean that a change to a correlation rule should take 3 weeks and 11 gates in the project….
What are YOUR SIEM use case challenges?!
Select recent blog posts related to SIEM:
- SIEM Use Case Discovery
- Discovering New Monitoring Use Cases
- SIEM Use Cases – And Other Security Monitoring Use Cases Too!
- Co-Managed SIEM Rising
- Research on Security Monitoring Use Cases Coming Up
- My “Evaluation Criteria for Security Information and Event Management” 2015 Update Publishes
- Do You Want “Security Analytics” Or Do You Just Hate Your SIEM?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.