Our “How to Architect and Deploy a SIEM Solution” Publishes

We just published our “How to Architect and Deploy a SIEM Solution” paper. Avid readers of our research will recognize that some of the content actually comes from our world-famous “Security Information and Event Management Architecture and Operational Processes.” It was updated a few times – last in 2016, and then has gotten too obese at 60 pages of SIEM deployment and operations wisdom and there was not way to add new content. As a side note, in my 7+ years at Gartner, it remained one of my favorite papers. But obese papers don’t get love nowadays, so it needed to be cut into pieces and modernized …

The new paper is shorter, and focuses on the Part 1 of your SIEM journey – planning, architecting and deploying, while the upcoming Part 2 will focus on operations and evolution (very fun!)

The paper features a lot of amazing new visuals (and fewer gigantic tables!) – thanks to Anna. It has many brand new “Risks and Pitfalls” we’ve spotted recently, as well as more guidance on planning for analytics (UEBA-style) inside your SIEM.

My favorite quotes (but literally the entire paper is one big favorite):

• “SIEM is expected to remain a mainstay of security monitoring, but many organizations are challenged with deploying the technology.”
• “A SIEM project isn’t really a project. It is a process and program that an organization must refine over time. It is never “complete” and should never be left without attention.”
• “Plan the SIEM strategically, but deploy tactically, achieving “quick wins” as part of a phased approach. Avoid multiyear projects with no clear and immediate value.”
• “Adopt the “output-driven SIEM” model, where nothing comes into a SIEM tool unless there is a clear knowledge of how it would be used.”
• “SIEM implementations often fail to deliver full value — not only due to “broken tools,” but due to broken practices — including scoping, readiness and use-case design — within the organization that owns and operates the SIEM tool.” [A.C. – occasionally we DO see failure due to broken tools]
• “If your SIEM deployment is a “white elephant” megaproject, the chance of failure is very high.”
• “If you cannot find the personnel [for your SIEM effort], turn to SaaS SIEM, co-managed SIEM or MSSP models. Running or operating your own product SIEM is not for you.”

Enjoy!

As always, PLEASE PROVIDE YOUR FEEDBACK to the paper via http://surveys.gartner.com/s/gtppaperfeedback

Posts related to paper publication:

• Our 2018 Update to “How to Plan, Design, Operate and Evolve a SOC” Publishes
• The “How To Build a SOC” Paper Update is OUT! (by Augusto)
• New Paper Published: “How to Start Your Threat Detection and Response Practice”
• Our Threat Testing and BAS Papers Are Out!
• Our Security Orchestration and Automation (SOAR) Paper Publishes
• Our Updated MSSP and MDR Guidance Publishes
• Security Monitoring Use Cases, the UPDATE!
• Our 2017 SIEM Research Papers Publish
• All My Research Published in 2017

Posts related to SIEM research:

• 2018 Popular SIEM Starter Use Cases
• What Is “SIEM+” Or “Can We Have A Cyber Defense Platform?”
• Can You Do a SIEM-less SOC?
• SIEM Alternatives? What Are They? Do They Exist?
• Next Research: SOC, SIEM, and Again Overall Detection and Response
• Let’s Define “SIEM”!
• Is SIEM The Best Threat Detection Technology, Ever?
• The Coming UBA / UEBA – SIEM War!
• UEBA Shines Where SIEM Whines?
• SIEM or Log Management?
• SIEM Future: A UEBA Path or An MDR Way?