Gartner Blog Network


Our “How to Architect and Deploy a SIEM Solution” Publishes

by Anton Chuvakin  |  October 18, 2018  |  3 Comments

We just published our “How to Architect and Deploy a SIEM Solution” paper. Avid readers of our research will recognize that some of the content actually comes from our world-famous “Security Information and Event Management Architecture and Operational Processes.” It was updated a few times – last in 2016 – and had by then gotten too obese at 60 pages of SIEM deployment and operations wisdom, and there was no way to add new content. As a side note, in my 7+ years at Gartner, it remained one of my favorite papers. But obese papers don’t get love nowadays, so it needed to be cut into pieces and modernized …

The new paper is shorter, and focuses on Part 1 of your SIEM journey – planning, architecting and deploying – while the upcoming Part 2 will focus on operations and evolution (very fun!).

The paper features a lot of amazing new visuals (and fewer gigantic tables!) – thanks to Anna. It has many brand new “Risks and Pitfalls” we’ve spotted recently, as well as more guidance on planning for analytics (UEBA-style) inside your SIEM.

My favorite quotes (but literally the entire paper is one big favorite):

  • “SIEM is expected to remain a mainstay of security monitoring, but many organizations are challenged with deploying the technology.”
  • “A SIEM project isn’t really a project. It is a process and program that an organization must refine over time. It is never ‘complete’ and should never be left without attention.”
  • “Plan the SIEM strategically, but deploy tactically, achieving ‘quick wins’ as part of a phased approach. Avoid multiyear projects with no clear and immediate value.”
  • “Adopt the ‘output-driven SIEM’ model, where nothing comes into a SIEM tool unless there is a clear knowledge of how it would be used.”
  • “SIEM implementations often fail to deliver full value — not only due to ‘broken tools,’ but due to broken practices — including scoping, readiness and use-case design — within the organization that owns and operates the SIEM tool.” [A.C. – occasionally we DO see failure due to broken tools]
  • “If your SIEM deployment is a ‘white elephant’ megaproject, the chance of failure is very high.”
  • “If you cannot find the personnel [for your SIEM effort], turn to SaaS SIEM, co-managed SIEM or MSSP models. Running or operating your own product SIEM is not for you.”
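To make the “output-driven SIEM” idea from the quotes above concrete, here is a small scoping check, added here as an illustration and not code from the paper or from Gartner: every candidate log source is admitted only if some defined use case consumes it, and every use case is checked against what the sources can actually deliver. The source names, field names, use cases and EPS figures are all constructed for the example; the field checks mirror the “readiness and use-case design” failures the paper calls out (a use case that names a source you do not have, or a field the source does not emit).

```python
"""Output-driven SIEM scoping check (added example; all data below is constructed).

Rule: a log source is onboarded only when at least one defined use case
consumes it and can actually run on the fields that source delivers.
Everything else is deferred, and use cases whose inputs are missing are
reported as blocked so they can be fixed at design time, not after ingest.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogSource:
    name: str
    fields: frozenset  # event fields the source delivers after parsing
    eps: int           # estimated events per second (constructed figure)


@dataclass(frozen=True)
class UseCase:
    name: str
    required: dict     # source name -> set of fields the detection logic needs


# Constructed candidate sources; not measurements from any real environment.
SOURCES = [
    LogSource("windows-security", frozenset({"EventID", "TargetUserName", "IpAddress", "LogonType"}), 1500),
    LogSource("vpn", frozenset({"user", "src_ip", "geo"}), 40),
    LogSource("proxy", frozenset({"user", "url", "bytes_out"}), 900),
    LogSource("dns", frozenset({"query", "client_ip"}), 3000),  # no use case asks for it yet
    LogSource("edr", frozenset({"host", "process", "parent"}), 700),
]

# Constructed use cases, each naming the sources and fields it really needs.
USE_CASES = [
    UseCase("brute-force-then-success",
            {"windows-security": {"EventID", "TargetUserName", "IpAddress"}}),
    UseCase("impossible-travel",
            {"vpn": {"user", "src_ip", "geo"}}),
    UseCase("data-exfil-to-rare-domain",
            {"proxy": {"user", "url", "bytes_out"}, "edr": {"host", "process", "parent"}}),
    UseCase("password-spray-from-cloud",
            {"cloud-idp": {"user", "src_ip"}}),          # source not on the candidate list
    UseCase("lateral-movement-logon",
            {"windows-security": {"EventID", "LogonType", "WorkstationName"}}),  # field not delivered
]


def plan_ingest(sources, use_cases):
    """Return (onboard, deferred, blocked).

    onboard  - sorted source names with at least one runnable use case
    deferred - sorted candidate sources nobody consumes yet (do not ingest)
    blocked  - use case name -> list of reasons it cannot run as designed
    """
    by_name = {s.name: s for s in sources}
    onboard = set()
    blocked = {}
    for uc in use_cases:
        problems = []
        for src_name, needed in uc.required.items():
            src = by_name.get(src_name)
            if src is None:
                problems.append(f"source '{src_name}' not available")
                continue
            missing = set(needed) - src.fields
            if missing:
                problems.append(f"source '{src_name}' lacks fields {sorted(missing)}")
        if problems:
            blocked[uc.name] = problems      # a blocked use case admits no sources
        else:
            onboard.update(uc.required.keys())
    deferred = sorted(set(by_name) - onboard)
    return sorted(onboard), deferred, blocked


def scoped_eps(sources, onboard):
    """EPS you would actually ingest under the output-driven plan."""
    by_name = {s.name: s for s in sources}
    return sum(by_name[n].eps for n in onboard)


def total_eps(sources):
    """EPS of 'send everything' for comparison."""
    return sum(s.eps for s in sources)


if __name__ == "__main__":
    onboard, deferred, blocked = plan_ingest(SOURCES, USE_CASES)
    print("onboard:", onboard)
    print("deferred (no consuming use case):", deferred)
    for name, reasons in blocked.items():
        print(f"blocked use case '{name}':", "; ".join(reasons))
    print(f"scoped EPS {scoped_eps(SOURCES, onboard)} of {total_eps(SOURCES)} candidate EPS")
```

Run as a script it prints the plan; with the constructed data it defers the chatty DNS feed (no consumer yet), onboards the four sources that a complete use case needs, and flags the two use cases that would have failed after ingest: one names a source that is not on the list, the other needs a field the Windows feed does not carry. The point of keeping the check this mechanical is that it can be re-run every time a use case or a source is added, which is what turns the “process and program” quote above into something the team actually does.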

Enjoy!

As always, PLEASE PROVIDE YOUR FEEDBACK to the paper via http://surveys.gartner.com/s/gtppaperfeedback

Category: announcement  security  siem  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on Our “How to Architect and Deploy a SIEM Solution” Publishes


  1. […] Our “How to Architect and Deploy a SIEM Solution” Publishes (SIEM research) […]

  2. […] Our “How to Architect and Deploy a SIEM Solution” Publishes […]

  3. […] Anton already mentioned here and here, our update of the big SIEM paper was turned into two new […]



