We just published our “How to Architect and Deploy a SIEM Solution” paper. Avid readers of our research will recognize that some of the content actually comes from our world-famous “Security Information and Event Management Architecture and Operational Processes.” That paper was updated a few times, most recently in 2016, and had grown too obese at 60 pages of SIEM deployment and operations wisdom; there was no way to add new content. As a side note, in my 7+ years at Gartner, it remained one of my favorite papers. But obese papers don’t get love nowadays, so it needed to be cut into pieces and modernized …
The new paper is shorter, and focuses on Part 1 of your SIEM journey: planning, architecting and deploying. The upcoming Part 2 will focus on operations and evolution (very fun!)
The paper features a lot of amazing new visuals (and fewer gigantic tables!) – thanks to Anna. It has many brand new “Risks and Pitfalls” we’ve spotted recently, as well as more guidance on planning for analytics (UEBA-style) inside your SIEM.
My favorite quotes (but literally the entire paper is one big favorite):
- “SIEM is expected to remain a mainstay of security monitoring, but many organizations are challenged with deploying the technology.”
- “A SIEM project isn’t really a project. It is a process and program that an organization must refine over time. It is never “complete” and should never be left without attention.”
- “Plan the SIEM strategically, but deploy tactically, achieving “quick wins” as part of a phased approach. Avoid multiyear projects with no clear and immediate value.”
- “Adopt the “output-driven SIEM” model, where nothing comes into a SIEM tool unless there is a clear knowledge of how it would be used.”
- “SIEM implementations often fail to deliver full value — not only due to “broken tools,” but due to broken practices — including scoping, readiness and use-case design — within the organization that owns and operates the SIEM tool.” [A.C. – occasionally we DO see failure due to broken tools]
- “If your SIEM deployment is a “white elephant” megaproject, the chance of failure is very high.”
- “If you cannot find the personnel [for your SIEM effort], turn to SaaS SIEM, co-managed SIEM or MSSP models. Running or operating your own product SIEM is not for you.”
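The “output-driven SIEM” quote above is a design rule, and a rule is only useful if you can check it. Below is an added example (mine, not code from the Gartner paper) of a small inventory check that enforces it: every planned log source must be consumed by at least one named detection use case, and every use case must have its sources actually planned for collection. The JSON inventory format, the source and use-case names, and the daily volumes are all constructed for the example.

```python
"""Added example: an "output-driven SIEM" ingestion gate.

Keep planned log sources and detection use cases in one inventory, then
flag (a) sources nobody consumes, which the output-driven rule says should
not be onboarded yet, and (b) use cases that need a source nobody plans to
collect, which is the readiness gap. The inventory below is constructed
for this example; the format and names are assumptions, not the paper's.
"""
import json

# Constructed inventory (assumption): sources carry an owner and a daily
# volume; use cases list the sources they need in order to produce output.
INVENTORY_JSON = """
{
  "log_sources": [
    {"name": "windows-security-events", "daily_gb": 40,  "owner": "winops"},
    {"name": "vpn-auth-logs",           "daily_gb": 2,   "owner": "netops"},
    {"name": "edr-alerts",              "daily_gb": 1,   "owner": "soc"},
    {"name": "netflow-core",            "daily_gb": 300, "owner": "netops"},
    {"name": "dns-query-logs",          "daily_gb": 25,  "owner": "netops"}
  ],
  "use_cases": [
    {"name": "brute-force-logon",   "needs": ["windows-security-events", "vpn-auth-logs"]},
    {"name": "edr-alert-triage",    "needs": ["edr-alerts"]},
    {"name": "dns-tunnelling",      "needs": ["dns-query-logs"]},
    {"name": "rare-admin-activity", "needs": ["windows-security-events", "cloud-audit-logs"]}
  ]
}
"""


def load_inventory(text=INVENTORY_JSON):
    """Parse the inventory into {source_name: record} and {use_case: set(sources)}."""
    data = json.loads(text)
    sources = {s["name"]: s for s in data["log_sources"]}
    use_cases = {u["name"]: set(u["needs"]) for u in data["use_cases"]}
    return sources, use_cases


def consumers(sources, use_cases):
    """Map each planned log source to the use cases that consume it."""
    out = {name: set() for name in sources}
    for uc, needs in use_cases.items():
        for src in needs:
            if src in out:
                out[src].add(uc)
    return out


def orphan_sources(sources, use_cases):
    """Sources planned for ingestion that no use case consumes."""
    cons = consumers(sources, use_cases)
    return sorted(name for name, ucs in cons.items() if not ucs)


def unsatisfied_use_cases(sources, use_cases):
    """Use cases that depend on a source nobody plans to collect."""
    known = set(sources)
    return {uc: sorted(needs - known) for uc, needs in use_cases.items()
            if needs - known}


def wasted_volume_gb(sources, use_cases):
    """Daily volume of orphaned sources: licence and storage spend with no output."""
    return sum(sources[n]["daily_gb"] for n in orphan_sources(sources, use_cases))


def report(text=INVENTORY_JSON):
    """Run all three checks over an inventory and return the findings."""
    sources, use_cases = load_inventory(text)
    return {
        "orphan_sources": orphan_sources(sources, use_cases),
        "unsatisfied_use_cases": unsatisfied_use_cases(sources, use_cases),
        "wasted_volume_gb": wasted_volume_gb(sources, use_cases),
    }


if __name__ == "__main__":
    # In the constructed data, netflow-core (300 GB/day) has no consumer and
    # rare-admin-activity needs cloud-audit-logs that nobody plans to onboard.
    print(json.dumps(report(), indent=2))
```

In the constructed inventory the check flags netflow-core as the single largest planned feed with no use case behind it, which is exactly the kind of “collect it because we can” ingestion the output-driven model is meant to stop, and it flags a use case that was designed before its source was planned, which is the readiness gap the “broken practices” quote refers to. Running the same check as part of every onboarding request keeps the rule alive after the initial deployment.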
Posts related to paper publication:
- Our 2018 Update to “How to Plan, Design, Operate and Evolve a SOC” Publishes
- The “How To Build a SOC” Paper Update is OUT! (by Augusto)
- New Paper Published: “How to Start Your Threat Detection and Response Practice”
- Our Threat Testing and BAS Papers Are Out!
- Our Security Orchestration and Automation (SOAR) Paper Publishes
- Our Updated MSSP and MDR Guidance Publishes
- Security Monitoring Use Cases, the UPDATE!
- Our 2017 SIEM Research Papers Publish
- All My Research Published in 2017
Posts related to SIEM research:
- 2018 Popular SIEM Starter Use Cases
- What Is “SIEM+” Or “Can We Have A Cyber Defense Platform?”
- Can You Do a SIEM-less SOC?
- SIEM Alternatives? What Are They? Do They Exist?
- Next Research: SOC, SIEM, and Again Overall Detection and Response
- Let’s Define “SIEM”!
- Is SIEM The Best Threat Detection Technology, Ever?
- The Coming UBA / UEBA – SIEM War!
- UEBA Shines Where SIEM Whines?
- SIEM or Log Management?
- SIEM Future: A UEBA Path or An MDR Way?