
What are the secrets to SIEM deployment success?

Many organizations deploy security information and event management (SIEM) systems without proper planning and therefore never reap the full rewards. Expert Kevin Beaver offers tips for a successful implementation.

A recent Gartner report revealed that, without the proper planning, many organizations fail to deploy SIEMs properly because they lack the adequate resources to integrate and manage these systems. What kind of resources and support do SIEM systems need?

There's a saying that experience is something you don't get until just after you need it. I can't begin to tell you how many information security controls -- security information and event management systems included -- I've seen deployed first and planned for later. It happens in organizations both large and small, and I believe it's driven by two main things:

  1. The tendency for humans to be expedient, and the immediate-gratification payoff of "checking that checkbox" in the name of compliance. The approach is often "hurry up and get it out there so we can please our auditors, regulators, business partners or whoever -- and then we'll fix it later."
  2. The realization by IT and security professionals that they don't have enough time to dedicate to the shiny new system they just deployed and committed to managing.

I haven't met a single person in IT and security who's incompetent. I truly believe that if IT and security teams could step back, look at the bigger picture of what they're trying to accomplish, and then use their intellect to develop a smart approach to SIEM, they can make it happen. Time management experts say that for every minute you spend planning, you save five minutes in execution. Anyone would be crazy not to take this approach.

Furthermore, regardless of what the vendors promise, SIEM is just like any other enterprise security control: it's going to take time and effort to install, tune and manage -- likely more than you've bargained for. There's a law of time management that says if you take on something new, you're going to have to give something up, or hire someone to help. Your best bet will likely be to outsource SIEM altogether. Otherwise, if your organization chooses to handle it in-house, it will need to plan on adding part- or full-time resources to manage such a system.

If your business is going to go it alone, it'd be well served by working closely with the product vendor and/or an outside consultant to ensure the system is properly designed, installed and implemented. Otherwise, odds are good you won't get the value out of the system that you're seeking.


This was last published in March 2015
