Our “How to Architect and Deploy a SIEM Solution” Publishes

We just published our “How to Architect and Deploy a SIEM Solution” paper. Avid readers of our research will recognize that some of the content actually comes from our world-famousSecurity Information and Event Management Architecture and Operational Processes.” It was updated a few times – last in 2016, and then has gotten too obese at 60 pages of SIEM deployment and operations wisdom and there was not way to add new content. As a side note, in my 7+ years at Gartner, it remained one of my favorite papers. But obese papers don’t get love nowadays, so it needed to be cut into pieces and modernized …

The new paper is shorter, and focuses on the Part 1 of your SIEM journey – planning, architecting and deploying, while the upcoming Part 2 will focus on operations and evolution (very fun!)

The paper features a lot of amazing new visuals (and fewer gigantic tables!) – thanks to Anna. It has many brand new “Risks and Pitfalls” we’ve spotted recently, as well as more guidance on planning for analytics (UEBA-style) inside your SIEM.

My favorite quotes (but literally the entire paper is one big favorite):

  • “SIEM is expected to remain a mainstay of security monitoring, but many organizations are challenged with deploying the technology.”
  • A SIEM project isn’t really a project. It is a process and program that an organization must refine over time. It is never “complete” and should never be left without attention.”
  • Plan the SIEM strategically, but deploy tactically, achieving “quick wins” as part of a phased approach. Avoid multiyear projects with no clear and immediate value.”
  • Adopt the “output-driven SIEM” model, where nothing comes into a SIEM tool unless there is a clear knowledge of how it would be used.”
  • “SIEM implementations often fail to deliver full value — not only due to “broken tools,” but due to broken practices — including scoping, readiness and use-case design — within the organization that owns and operates the SIEM tool.” [A.C. – occasionally we DO see failure due to broken tools]
  • “If your SIEM deployment is a “white elephant” megaproject, the chance of failure is very high.”
  • “If you cannot find the personnel [for your SIEM effort], turn to SaaS SIEM, co-managed SIEM or MSSP models. Running or operating your own product SIEM is not for you.”


As always, PLEASE PROVIDE YOUR FEEDBACK to the paper via

Posts related to paper publication:

Posts related to SIEM research:

*** This is a Security Bloggers Network syndicated blog from Anton Chuvakin authored by Anton Chuvakin. Read the original post at: