Director, Security Intelligence Solutions
Peter Schawacker is the director of Optiv’s security intelligence solutions center of excellence. Peter is responsible for the development of SIEM, analytics and logging services for Optiv’s architecture and implementation consulting practice.
Navigating a Successful SIEM Strategy
It’s been my experience that deploying a successful SIEM strategy is like the “jump program” from The Matrix. Left on one’s own, without the help of the experienced experts, nearly all first attempts at SIEM fail. But, the good news is there are some steps you can take that will help ensure your organization achieves success.
1. Find the Right Partner -- First time SIEM buyers should work closely with experienced service providers. They should find a partner that they can trust to help them from early stages, before the procurement process begins. Such a partner should work regularly with multiple SIEM technologies, since there is no universal solution available today. Finding the right SIEM requires having a deep understanding of the whole market, something that few companies have in-house.
2. Understand Your Needs -- We see far too many companies making huge purchases of SIEM infrastructure without first deciding what they specifically want to get out of it. Having well-defined requirements will help you navigate the available options, as there are different SIEM solutions for different types of organizations and different vertical industries.
3. Remember, It’s a Marathon, Not a Sprint -- Pacing is another critical issue. Too many companies overshoot the mark at first. There is a maturation process through which every organization grows. Getting SIEM right takes years, not months. Start small, define achievable, demonstrable goals and then build on your success. Don’t try to jump headlong into large-scale advanced analytics if you haven’t already successfully deployed basic log management and correlation.
4. Set Measurable Goals -- Realistic expectations and persistence matter most when it comes to SIEM. When you’re new at SIEM (or restarting a failed SIEM effort), define a small, achievable use case. For example, simply consolidating all critical security events into one event stream is often a good first step. Make sure that every use case has output that can be measured and demonstrated to management. If you track your progress in terms of completed use cases over time, and demonstrate the value of the solution, the resources that you need for the next phase will be easier to obtain.
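To make the "first use case" in step 4 concrete, here is an added illustration (not code from the original post or from Optiv) of what consolidating events from two different sources into one normalized stream looks like, together with the kind of measurable output a use case should produce: how many sources are onboarded, which expected sources are still missing, and how many critical events the stream contains. The log lines, hostnames, IP addresses and field names are constructed for the example, and the syslog year is an assumption because syslog timestamps carry none.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input (not real system output): a key=value firewall log
# and a syslog-style SSH authentication log, two formats that must become one stream.
FIREWALL_LOGS = [
    "2024-01-10T08:00:01Z fw01 action=DENY src=10.0.0.5 dst=203.0.113.7 dport=445 severity=high",
    "2024-01-10T08:00:05Z fw01 action=ALLOW src=10.0.0.6 dst=198.51.100.2 dport=443 severity=low",
]
AUTH_LOGS = [
    "Jan 10 08:00:02 host1 sshd[1234]: Failed password for root from 192.0.2.9 port 5555 ssh2",
    "Jan 10 08:00:03 host1 sshd[1234]: Accepted password for alice from 10.0.0.8 port 5556 ssh2",
]
SYSLOG_YEAR = 2024  # assumption: syslog lines have no year, so one is supplied

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_firewall(line):
    """Normalize one key=value firewall line into the common event schema."""
    ts, host, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "timestamp": ts,
        "source": "firewall",
        "host": host,
        "event_type": "network." + fields["action"].lower(),
        "severity": fields["severity"],
        "src_ip": fields["src"],
        "raw": line,
    }


def parse_auth(line):
    """Normalize one SSH syslog line; returns None for lines the pattern does not cover."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    # Convert the syslog timestamp to the same ISO-8601 form the firewall uses.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)
    failed = m.group("outcome") == "Failed"
    return {
        "timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "source": "auth",
        "host": m.group("host"),
        "event_type": "auth.failure" if failed else "auth.success",
        # Severity policy for the example: a failed login to root is treated as high.
        "severity": "high" if failed and m.group("user") == "root" else "low",
        "src_ip": m.group("ip"),
        "user": m.group("user"),
        "raw": line,
    }


def consolidate(firewall_lines, auth_lines):
    """Merge both sources into one time-ordered stream of normalized events."""
    events = [parse_firewall(l) for l in firewall_lines]
    events += [e for e in (parse_auth(l) for l in auth_lines) if e is not None]
    return sorted(events, key=lambda e: e["timestamp"])


def critical_events(events):
    return [e for e in events if e["severity"] == "high"]


def coverage_report(events, expected_sources):
    """The measurable output for the use case: what is onboarded, what is missing,
    and how many critical events the consolidated stream contains."""
    seen = Counter(e["source"] for e in events)
    return {
        "sources_onboarded": sorted(seen),
        "sources_missing": sorted(set(expected_sources) - set(seen)),
        "events_per_source": dict(seen),
        "critical_count": len(critical_events(events)),
    }


if __name__ == "__main__":
    stream = consolidate(FIREWALL_LOGS, AUTH_LOGS)
    for e in stream:
        print(e["timestamp"], e["source"], e["event_type"], e["severity"], e["src_ip"])
    print(coverage_report(stream, ["firewall", "auth", "proxy"]))
```

The report deliberately includes a source that was expected but never arrived ("proxy" in the usage above); a use case that only counts what is present cannot show management how far the onboarding is from complete, which is the gap that stalls most first SIEM phases.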
By following these steps, your organization can experience long-term SIEM success.