We just published our “How to Architect and Deploy a SIEM Solution” paper. Avid readers of our research will recognize that some of the content actually comes from our world-famous “Security Information and Event Management Architecture and Operational Processes.” It was updated a few times – last in 2016, and then has gotten too obese at 60 pages of SIEM deployment and operations wisdom and there was not way to add new content. As a side note, in my 7+ years at Gartner, it remained one of my favorite papers. But obese papers don’t get love nowadays, so it needed to be cut into pieces and modernized …
The new paper is shorter, and focuses on the Part 1 of your SIEM journey – planning, architecting and deploying, while the upcoming Part 2 will focus on operations and evolution (very fun!)
The paper features a lot of amazing new visuals (and fewer gigantic tables!) – thanks to Anna. It has many brand new “Risks and Pitfalls” we’ve spotted recently, as well as more guidance on planning for analytics (UEBA-style) inside your SIEM.
My favorite quotes (but literally the entire paper is one big favorite):
- “SIEM is expected to remain a mainstay of security monitoring, but many organizations are challenged with deploying the technology.”
- “A SIEM project isn’t really a project. It is a process and program that an organization must refine over time. It is never “complete” and should never be left without attention.”
- “Plan the SIEM strategically, but deploy tactically, achieving “quick wins” as part of a phased approach. Avoid multiyear projects with no clear and immediate value.”
- “Adopt the “output-driven SIEM” model, where nothing comes into a SIEM tool unless there is a clear knowledge of how it would be used.”
- “SIEM implementations often fail to deliver full value — not only due to “broken tools,” but due to broken practices — including scoping, readiness and use-case design — within the organization that owns and operates the SIEM tool.” [A.C. – occasionally we DO see failure due to broken tools]
- “If your SIEM deployment is a “white elephant” megaproject, the chance of failure is very high.”
- “If you cannot find the personnel [for your SIEM effort], turn to SaaS SIEM, co-managed SIEM or MSSP models. Running or operating your own product SIEM is not for you.”
Posts related to paper publication:
- Our 2018 Update to “How to Plan, Design, Operate and Evolve a SOC” Publishes
- The “How To Build a SOC” Paper Update is OUT! (by Augusto)
- New Paper Published: “How to Start Your Threat Detection and Response Practice”
- Our Threat Testing and BAS Papers Are Out!
- Our Security Orchestration and Automation (SOAR) Paper Publishes
- Our Updated MSSP and MDR Guidance Publishes
- Security Monitoring Use Cases, the UPDATE!
- Our 2017 SIEM Research Papers Publish
- All My Research Published in 2017
Posts related to SIEM research:
- 2018 Popular SIEM Starter Use Cases
- What Is “SIEM+” Or “Can We Have A Cyber Defense Platform?”
- Can You Do a SIEM-less SOC?
- SIEM Alternatives? What Are They? Do They Exist?
- Next Research: SOC, SIEM, and Again Overall Detection and Response
- Let’s Define “SIEM”!
- Is SIEM The Best Threat Detection Technology, Ever?
- The Coming UBA / UEBA – SIEM War!
- UEBA Shines Where SIEM Whines?
- SIEM or Log Management?
- SIEM Future: A UEBA Path or An MDR Way?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.