We just published the second part of our SIEM guidance, “How to Operate and Evolve a SIEM Solution.” Our readers may recognize some of the content from our world-famous “Security Information and Event Management Architecture and Operational Processes,” but this second part has changed more, including the way we organized the SIEM operations guidance.
The abstract states: “Managing and using a SIEM is difficult, and many projects are stuck in compliance or minimal value deployments. Most SIEM challenges come from the operations side, not broken tools. This guidance supports technical professionals focused on security working to operate, tune and utilize SIEM tools.”
My favorite quotes (but literally the entire paper is one big favorite):
- “SIEM implementations often fail to deliver full value — and not only due to “broken tools,” but also due to broken processes and practices within the organization that owns and operates the SIEM tool.”
- “SIEM deployments without the required resources to produce and maintain detection content such as rules and algorithms often fall back to a centralized log management role. This leads to significant waste of resources.”
- “Co-managed SIEM is a way to achieve an effective operation without a full complement of in-house resources. Many are shifting focus to co-managed and SaaS SIEM models to concentrate resources on custom content and targeted monitoring, and away from running the tools.”
- “Develop the key operational processes for SIEM: run, watch and adapt. When necessary, fill the gaps with services such as MSS and co-managed SIEM.”
- “Although an organization can procure a SIEM tool from a vendor, buying a security monitoring capability is impossible. Even with managed security service provider (MSSP)-outsourced models, critical components of such security monitoring programs will remain in-house.”
- “Extensive metrics are only useful in a stable and mature SIEM operation with well-established workflows. In ad hoc or rapidly changing environments, measurement can produce meaningless or contradictory results.” <- this is a new insight we picked up from some painful experiences 🙂
Posts related to paper publication:
- Our “How to Architect and Deploy a SIEM Solution” Publishes
- Our 2018 Update to “How to Plan, Design, Operate and Evolve a SOC” Publishes
- The “How To Build a SOC” Paper Update is OUT! (by Augusto)
- New Paper Published: “How to Start Your Threat Detection and Response Practice”
- Our Threat Testing and BAS Papers Are Out!
- Our Security Orchestration and Automation (SOAR) Paper Publishes
- Our Updated MSSP and MDR Guidance Publishes
- Security Monitoring Use Cases, the UPDATE!
- Our 2017 SIEM Research Papers Publish
- All My Research Published in 2017
Posts related to SIEM research:
- 2018 Popular SIEM Starter Use Cases
- What Is “SIEM+” Or “Can We Have A Cyber Defense Platform?”
- Can You Do a SIEM-less SOC?
- SIEM Alternatives? What Are They? Do They Exist?
- Next Research: SOC, SIEM, and Again Overall Detection and Response
- Let’s Define “SIEM”!
- Is SIEM The Best Threat Detection Technology, Ever?
- The Coming UBA / UEBA – SIEM War!
- UEBA Shines Where SIEM Whines?
- SIEM or Log Management?
- SIEM Future: A UEBA Path or An MDR Way?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.