Gartner Blog Network

Our “How to Operate and Evolve a SIEM Solution” Publishes

by Anton Chuvakin  |  November 7, 2018  |  1 Comment

We just published the second part of our SIEM guidance, “How to Operate and Evolve a SIEM Solution.” Our readers may recognize some of the content from our world-famousSecurity Information and Event Management Architecture and Operational Processes,” but for the second part more has changed, including the way we organized SIEM operation guidance.


The new paper is shorter, and focuses on the Part 2 of your SIEM journey – operations, while the previous Part 1 focused on planning and architecting your SIEM deployment.

The abstract states: “Managing and using a SIEM is difficult, and many projects are stuck in compliance or minimal value deployments. Most SIEM challenges come from the operations side, not broken tools. This guidance supports technical professionals focused on security working to operate, tune and utilize SIEM tools.”

The paper is choke-full of new things, better co-managed SIEM guidance, “AI”/ML in SIEM, SOAR with SIEM, BAS for SIEM testing, and a lot more on content tuning. And many new beautiful visuals!

My favorite quotes (but literally the entire paper is one big favorite):

  • “SIEM implementations often fail to deliver full value — and not only due to “broken tools,” but also due to broken processes and practices within the organization that owns and operates the SIEM tool.”
  • “SIEM deployments without the required resources to produce and maintain detection content such as rules and algorithms often fall back to a centralized log management role. This leads to significant waste of resources.”
  • “Co-managed SIEM is a way to achieve an effective operation without a full complement of in-house resources. Many are shifting focus to co-managed and SaaS SIEM models to concentrate resources on custom content and targeted monitoring, and away from running the tools.”
  • “Develop the key operational processes for SIEM: run, watch and adapt. When necessary, fill the gaps with services such as MSS and co-managed SIEM.”
  • “Although an organization can procure a SIEM tool from a vendor, buying a security monitoring capability is impossible. Even with managed security service provider (MSSP)-outsourced models, critical components of such security monitoring programs will remain in-house.”
  • “Extensive metrics are only useful in a stable and mature SIEM operation with well-established workflows. In ad hoc or rapidly changing environments, measurement can produce meaningless or contradictory results.” <- this is a new insight we picked from some painful experiences 🙂


As always, PLEASE PROVIDE YOUR FEEDBACK to the paper via

Posts related to paper publication:

Posts related to SIEM research:

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: announcement  security  siem  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio

Thoughts on Our “How to Operate and Evolve a SIEM Solution” Publishes

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.