5 steps for a smooth SIEM implementation

SIEM migration doesn't have to be chaotic. Smart planning and phased deployment can prevent a rocky rollout and pave the way for a smooth transition. Here's your roadmap.

Security information and event management technology has long been a cornerstone of the SOC -- collecting, correlating and centralizing security data to enable more efficient and effective threat detection and incident response.

SIEM integrates with tools, services and endpoints across an organization and handles massive amounts of data, making migration a significant undertaking. The good news is that thoughtful and strategic planning can make the difference between a rocky and smooth deployment. If you've recently purchased SIEM technology or are in the process of doing so, let's examine some best practices for implementation.

Key SIEM deployment steps

While every deployment is unique, the following key steps are advisable across most or all SIEM implementations.

1. Design the SIEM's architecture

The SIEM architecture includes all the supporting systems that SIEM relies upon and interacts with. In this phase, carefully consider the platform's current and future performance, resilience and security needs.

Identify and prioritize your organization's top SIEM use cases, and let them drive the architecture decisions: which log sources must be onboarded first, how much ingestion and retention capacity is needed, and which integrations are mandatory on day one. If some use cases can't be met by SIEM alone, consider complementary technologies or techniques; organizations today commonly pair SIEM with SOAR for response automation and with XDR for endpoint and network telemetry.

Note both primary and tangential costs when designing the SIEM architecture and planning its deployment. Possible unanticipated costs include the following:

  • Cyber threat intelligence feeds the SIEM ingests.
  • Migration of stored log data from the existing SIEM to the new SIEM.
  • Parallel operation of the legacy SIEM and new SIEM due to a phased migration or log retention requirements.
  • Long-term log data retention.
  • Staff training on the new SIEM.
  • Data ingestion-based pricing models, which can cause unforeseen cost increases. During an unusual security event, for example, a DDoS hitting the perimeter firewalls or investigators turning on verbose logging across a fleet, ingestion volume can jump by an order of magnitude, and the bill follows it.

2. Plan the deployment

The planning phase can be surprisingly complex due to the number of systems that interact with SIEM. A SIEM platform must integrate with everything it relies on for information: log sources and their forwarders or collectors, threat intelligence feeds, vulnerability and asset management systems, identity directories and any other technologies that provide critical inputs or the context needed to enrich them.

Deployment also needs to include all the technologies the SIEM itself feeds -- for example, security orchestration, automation and response; endpoint detection and response; and other incident response tools.

If you have a legacy SIEM in place, you will also need to consider the following:

  • Which custom dashboards, configurations, detection rules and workflows need to migrate so that coverage is continuous and important security alerts don't fall through the cracks.
  • Whether your organization needs to retain legacy log data, such as to meet regulatory requirements or establish performance baselines. If so, determine how and where the legacy data will live -- e.g., in the old SIEM, the new SIEM or a third-party data management platform -- and whether it must remain searchable or only retrievable.
  • Whether users beyond SecOps, both the ones you know about and the ones you haven't identified yet (compliance reporting, IT operations, audit), depend on the legacy SIEM, with use cases that could broaden the scope of the migration and introduce additional challenges.

3. Perform a phased deployment

Rapidly switching over to a new SIEM can result in chaos and confusion, making it nearly impossible to pinpoint the cause of a given problem and fix it in a timely manner.

It's best, therefore, to run the old and new SIEMs in parallel and gradually test and integrate more systems with the new platform. Address any glitches as they arise. Test the SIEM to gauge performance, resilience and security: while both platforms see the same sources, compare per-source event volumes and alert output between them, so that a parser that silently drops events or a rule that never fires on the new platform is caught before cutover rather than after.

A caveat: Running two SIEMs in production for an extended time can overload staff. Security leaders will need to balance the need for methodical deployments against efficient ones.
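The parallel-run comparison described above, as an added example that is not part of the original article: a script that takes alert exports and per-source event counts from both SIEMs over the same window and reports which legacy alerts the new platform failed to reproduce, which alerts are new, how far behind the new platform fired, and which log sources are arriving short. The record layout, rule names, source names and counts are constructed for illustration; real exports would come from each product's API or search export.

```python
from datetime import datetime, timedelta

# Constructed sample exports (not from the article). Each record is an alert
# that one SIEM fired during the same one-hour window of the parallel run.
LEGACY_ALERTS = [
    {"rule": "ssh_brute_force", "entity": "203.0.113.7", "ts": "2024-05-01T08:00:10Z"},
    {"rule": "admin_login_outside_hours", "entity": "bob", "ts": "2024-05-01T08:15:00Z"},
    {"rule": "malware_callback", "entity": "host-42", "ts": "2024-05-01T08:40:00Z"},
]
NEW_ALERTS = [
    {"rule": "ssh_brute_force", "entity": "203.0.113.7", "ts": "2024-05-01T08:03:40Z"},  # fired late
    {"rule": "malware_callback", "entity": "host-42", "ts": "2024-05-01T08:40:05Z"},
    {"rule": "dns_tunneling", "entity": "host-7", "ts": "2024-05-01T08:50:00Z"},  # not in legacy
]

# Constructed per-source event counts for the same window, as each SIEM saw them.
LEGACY_SOURCE_COUNTS = {"fw-edge": 120000, "sshd": 8400, "ad-dc1": 51000, "proxy": 97000}
NEW_SOURCE_COUNTS = {"fw-edge": 119800, "sshd": 8400, "ad-dc1": 0, "proxy": 61000}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def compare_alerts(legacy, new, tolerance=timedelta(minutes=5)):
    """Pair each legacy alert with the first unmatched new alert for the same
    rule and entity within `tolerance`. Legacy alerts with no counterpart are
    regressions to fix before cutover; new alerts with no counterpart are
    either new coverage or false positives to triage."""
    unmatched_new = list(new)
    matched, missing = [], []
    for a in legacy:
        hit = next(
            (b for b in unmatched_new
             if (b["rule"], b["entity"]) == (a["rule"], a["entity"])
             and abs(parse_ts(b["ts"]) - parse_ts(a["ts"])) <= tolerance),
            None,
        )
        if hit is None:
            missing.append(a)
        else:
            unmatched_new.remove(hit)
            lag = int((parse_ts(hit["ts"]) - parse_ts(a["ts"])).total_seconds())
            matched.append((a["rule"], a["entity"], lag))
    return {"matched": matched, "missing_on_new": missing, "extra_on_new": unmatched_new}


def source_coverage_gaps(legacy_counts, new_counts, min_ratio=0.95):
    """Flag sources where the new SIEM received fewer than `min_ratio` of the
    events the legacy SIEM did: a forwarder not yet pointed at the new
    platform, or a parser dropping lines it doesn't recognize."""
    gaps = {}
    for src, n_old in legacy_counts.items():
        n_new = new_counts.get(src, 0)
        if n_old and n_new / n_old < min_ratio:
            gaps[src] = round(n_new / n_old, 3)
    return gaps


def parity_report(legacy=LEGACY_ALERTS, new=NEW_ALERTS,
                  legacy_counts=LEGACY_SOURCE_COUNTS, new_counts=NEW_SOURCE_COUNTS):
    alerts = compare_alerts(legacy, new)
    return {
        **alerts,
        "max_lag_seconds": max((lag for _, _, lag in alerts["matched"]), default=0),
        "source_gaps": source_coverage_gaps(legacy_counts, new_counts),
    }


if __name__ == "__main__":
    for key, value in parity_report().items():
        print(f"{key}: {value}")
```

On the constructed data the report shows one legacy rule (admin_login_outside_hours) that never fired on the new platform, one new alert (dns_tunneling) to triage, a worst-case lag of 210 seconds on the matched alerts, and two sources arriving short: ad-dc1 is not reaching the new SIEM at all and proxy is losing roughly a third of its events. Each of those is a concrete item for the glitch list rather than a vague sense that "the new SIEM seems quieter".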

4. Configure and tune

SIEMs require a lot of initial manual configuration -- with ongoing reconfiguration as sources, users and the environment change -- to keep false-positive and false-negative alerts at reasonable levels. Create and refine rule sets and filters; tune alert thresholds, time windows and triggers against the organization's own traffic; and develop and refine dashboards and reports to meet the organization's needs.
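What "tune thresholds, windows and filters" looks like in practice, as an added example that is not part of the original article: a brute-force detection run over constructed SSH authentication log lines, first with an untuned rule and then with a tuned one. The log lines, IP addresses, usernames and the allowlisted scanner address are all constructed for illustration; the rule logic itself is the generic count-of-failures-in-a-sliding-window pattern that most SIEM rule languages express natively.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article). 203.0.113.7 is a real
# brute-force source that eventually succeeds; 10.0.0.5 is a credentialed
# vulnerability scanner that always fails a few probes; 192.0.2.10 is a user
# mistyping a password a handful of times over the morning.
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z sshd: Failed password for admin from 203.0.113.7 port 51000
2024-05-01T08:00:03Z sshd: Failed password for root from 203.0.113.7 port 51001
2024-05-01T08:00:05Z sshd: Failed password for backup from 203.0.113.7 port 51002
2024-05-01T08:00:07Z sshd: Failed password for admin from 203.0.113.7 port 51003
2024-05-01T08:00:09Z sshd: Failed password for guest from 203.0.113.7 port 51004
2024-05-01T08:00:11Z sshd: Accepted password for admin from 203.0.113.7 port 51005
2024-05-01T08:10:00Z sshd: Failed password for svc_scan from 10.0.0.5 port 40000
2024-05-01T08:10:01Z sshd: Failed password for svc_scan from 10.0.0.5 port 40001
2024-05-01T08:10:02Z sshd: Failed password for svc_scan from 10.0.0.5 port 40002
2024-05-01T08:10:03Z sshd: Failed password for svc_scan from 10.0.0.5 port 40003
2024-05-01T08:10:04Z sshd: Failed password for svc_scan from 10.0.0.5 port 40004
2024-05-01T08:10:05Z sshd: Failed password for svc_scan from 10.0.0.5 port 40005
2024-05-01T09:00:00Z sshd: Failed password for alice from 192.0.2.10 port 42000
2024-05-01T09:30:00Z sshd: Failed password for alice from 192.0.2.10 port 42001
2024-05-01T09:59:00Z sshd: Failed password for alice from 192.0.2.10 port 42002
2024-05-01T10:20:00Z sshd: Failed password for alice from 192.0.2.10 port 42003
2024-05-01T10:40:00Z sshd: Failed password for alice from 192.0.2.10 port 42004
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+$"
)


def parse(log_text):
    """Normalize raw lines into events. Lines the regex rejects are skipped;
    in a real SIEM that skip count is itself worth alerting on."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "outcome": m["outcome"], "user": m["user"], "src": m["src"]})
    return events


def brute_force_alerts(events, threshold, window, allowlist=frozenset()):
    """Alert once per source when at least `threshold` failures fall inside any
    sliding `window`. `allowlist` is the tuning filter for sources that are
    expected to fail, such as a credentialed scanner."""
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "Failed" and e["src"] not in allowlist:
            failures[e["src"]].append(e["ts"])
    alerts = []
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(src)
                break
    return alerts


def escalate_on_success(events, alerted_sources):
    """Raise severity for alerted sources that later log a successful login:
    the case where the brute force may actually have worked."""
    first_failure, escalated = {}, set()
    for e in events:
        if e["src"] not in alerted_sources:
            continue
        if e["outcome"] == "Failed":
            first_failure.setdefault(e["src"], e["ts"])
        elif e["src"] in first_failure and e["ts"] > first_failure[e["src"]]:
            escalated.add(e["src"])
    return sorted(escalated)


def run_tunings(log_text=SAMPLE_LOGS):
    events = parse(log_text)
    # Untuned: 5 failures in a day from any source. Fires on all three sources.
    untuned = brute_force_alerts(events, threshold=5, window=timedelta(hours=24))
    # Tuned: 5 failures within 10 minutes, scanner filtered out. Fires on one.
    tuned = brute_force_alerts(events, threshold=5, window=timedelta(minutes=10),
                               allowlist=frozenset({"10.0.0.5"}))
    return {"untuned": sorted(untuned), "tuned": sorted(tuned),
            "escalated": escalate_on_success(events, set(tuned))}


if __name__ == "__main__":
    print(run_tunings())
```

The untuned rule produces three alerts, two of which an analyst would close as noise; the tuned rule produces one and escalates it because the same source went on to authenticate successfully. Note the direction of each adjustment: the shorter window and the allowlist cut false positives, while the escalation on a subsequent success guards against the false negative of treating a successful brute force as just another closed ticket. Every tuning change in a real deployment should be tested the same way, against a known-good and a known-bad sample, before it goes into production.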

5. Update policies, processes and procedures

Ideally, this work begins in the previous steps and concludes as SIEM nears full-production rollout. Train personnel on the use and maintenance of the new SIEM.

Karen Scarfone is a general cybersecurity expert who helps organizations communicate their technical information through written content. She co-authored the Cybersecurity Framework (CSF) 2.0 and was formerly a senior computer scientist for NIST.
