SIEM solutions are hard.
Thankfully, technology research firm Gartner released its 2018 report “How to Deploy a Security Information and Event Management Solution Successfully,” which might provide the answers your enterprise is looking for.
SIEM is one of, if not the, most vital parts of any comprehensive enterprise-level cybersecurity platform in the modern age. Detection has taken precedence over prevention in modern cybersecurity paradigms. A SIEM solution’s capability to collect, aggregate, and analyze data from disparate data sources throughout your enterprise’s IT environment makes it unparalleled in threat detection.
A successful SIEM deployment is the key to overcoming the challenges of the solution and getting the most from it. But how do enterprises initiate a successful SIEM deployment? What should they prioritize?
Clearly Understand Your SIEM Solution…and Your Enterprise
First, a good SIEM deployment starts with picking the right SIEM solution for your enterprise. This may be easier said than done.
According to Gartner, your enterprise should first make a shortlist of potential SIEM solution providers and send each a request for proposal to evaluate what they can offer your enterprise specifically. After that, you should ask those vendors still in consideration for a proof of concept to obtain a better sense of the solutions in a practical, hands-on manner.
Simultaneously, Gartner points out that this extended evaluation process is only one half of choosing the right SIEM solution. The other half is evaluating your own enterprise. What is the scope your SIEM solution needs to cover? What are your use cases? What are your cybersecurity capabilities: staff, talent, and resources? Do you have the right IT architecture for a SIEM deployment?
These aren’t idle questions. Having an insufficient architecture or cybersecurity staff can result in inadequate disaster recovery capabilities, unfulfilled security objectives, and a skyrocketing cybersecurity budget. It can also limit your enterprise’s scalability, whether on-premises or on the cloud.
Other suggestions from Gartner include examining the number of log sources in your enterprise, determining your available bandwidth, and considering the regulatory compliance measures your enterprise must meet.
If your SIEM deployment seems far too daunting after these evaluations, Gartner recommends that you consider selecting a fully managed security service for SIEM or a co-managed SIEM service.
SIEM Deployment Requires Time. Make the Right Allowances
Among Gartner’s crucial recommendations, one of their most emphasized is that rushing into SIEM deployment—bombarding your new solution with all of your available data sources and event data—is the fastest way to fail at proper deployment.
The same applies to collecting all of the data from your enterprise and planning to sort it out later—a fast track to failure. Instead, Gartner recommends a phased, output-driven approach to your SIEM deployment. Your enterprise should determine its ideal scope and use-case, and build its SIEM requirements from those inputs.
Your enterprise needs to carefully consider which data sources it considers the most important. Then, you should onboard those sources during your SIEM deployment in a deliberate manner to gradually increase your solution’s capabilities.
Gartner states that a good gradual deployment model may be a use-case-by-use-case approach, or first implementing centralized log management. The latter can be deployed separately and relatively easily, and with more potential scalability.
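To make the phased, output-driven approach concrete, here is an added planning example (not from the article or from Gartner) that takes a constructed list of use cases, each with the log sources it needs and a priority, and groups them into onboarding phases so that each phase only adds sources not yet collected and stays within an events-per-second ingestion budget. Sources that are not yet forwarding logs surface as coverage gaps rather than disappearing from the plan; all names and rates are assumptions.

```python
# Constructed inventory (illustrative figures, not from the article):
# log source -> (estimated events per second, already forwarding logs?)
SOURCES = {
    "windows_security": (800, True),
    "domain_controller": (400, True),
    "firewall": (2500, True),
    "vpn": (150, True),
    "edr": (1200, True),
    "cloud_audit": (300, False),   # not yet collectable, so a coverage gap
}

# Constructed use cases: (priority, name, log sources the detection needs)
USE_CASES = [
    (1, "Brute-force logins", ["windows_security", "domain_controller"]),
    (2, "Lateral movement", ["windows_security", "edr"]),
    (3, "Cloud admin abuse", ["cloud_audit"]),
    (4, "Perimeter scans", ["firewall"]),
    (5, "Remote access anomalies", ["vpn", "domain_controller"]),
]


def plan_phases(use_cases, sources, eps_budget):
    """Group use cases, highest priority first, into onboarding phases.

    Each phase only adds sources not already collected, and the event rate
    added in one phase stays within eps_budget. A use case whose sources
    are not available is reported as a gap rather than silently dropped.
    Returns (phases, gaps)."""
    onboarded, phases, gaps = set(), [], []
    current = {"use_cases": [], "sources": [], "eps": 0}
    for priority, name, needed in sorted(use_cases):
        missing = [s for s in needed if not sources[s][1]]
        if missing:
            gaps.append((name, "source(s) not available: " + ", ".join(missing)))
            continue
        new = [s for s in needed if s not in onboarded]
        new_eps = sum(sources[s][0] for s in new)
        # Start a new phase if this use case would push the current one over budget.
        if current["use_cases"] and current["eps"] + new_eps > eps_budget:
            phases.append(current)
            current = {"use_cases": [], "sources": [], "eps": 0}
        current["use_cases"].append(name)
        current["sources"].extend(new)
        current["eps"] += new_eps
        onboarded.update(new)
    if current["use_cases"]:
        phases.append(current)
    return phases, gaps
```

With a budget of 3000 EPS, `plan_phases(USE_CASES, SOURCES, 3000)` yields two phases (the first covering the two highest-priority use cases, the second adding the firewall and VPN) and one gap for the cloud audit source, which is exactly the kind of prioritization and gap list the phased approach calls for before anything is connected.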
In other words, Gartner recommends that you don’t think of SIEM deployment as a set-it-and-forget-it affair. Think of it as an ongoing process, one that takes commitment and investment.
Integrate Your SIEM Deployment into Your Enterprise
How will your users—employees and customers—interact with your selected SIEM solution?
That’s a critical question Gartner raises, and one that your enterprise should be raising as well. This question is in fact intertwined with others: how will users respond to the new security controls? How will your current security platforms mesh with your SIEM deployment? How will SIEM affect your business processes? SIEM is a resource- and talent-intensive solution that can disrupt operations if not properly deployed. The interface needs to be intuitive so that users can adapt to it easily and learn to work with it, not against it. The alternative could constitute a major security hole.
Written by Ben Canner