A Step-by-Step Guide to a Successful SIEM Deployment

SIEM (Security Information and Event Management) deployment based on firsthand experience implementing SIEM for a broad range of customers.



Discovery Phase - Laying the Groundwork

  1. Review the organizational security posture and the initial business case for SIEM. Then prioritize the goals of the SIEM implementation from the most critical to the optional—taking into account the tasks that must be performed in order to support the effort.
  2. Review in detail the organizational security policy to consider the intent behind the policy. Separate those policies from a priority standpoint. Determine what’s critical, what’s necessary for mandatory compliance and what policies are best practices to ensure a secure environment.
  3. Identify current controls that are auditing those policies to determine compliance level. Ideally, a SIEM implementation should not be the first time the organization identifies that its security policy or how it’s implemented isn’t working according to plan. The reality is that these deployments often expose gaps in security execution that must be remediated before those elements can be integrated into a daily alerting and reporting structure.  
  4. Identify a smaller representative subset of the current policy and devices where SIEM can be applied and enough data can be gathered to determine what changes need to occur.

Pilot Phase - Beginning the Implementation

The primary goal of this phase is to determine which specific SIEM project goals can be implemented in order to establish initial ROI while creating a baseline operational model and run-book.

  1. The lessons learned from the discovery phase are used to implement a larger subset of technology.
  2. The assumptions developed during the discovery phase are tested in real time.
  3. The list of devices should be expanded to incorporate a wider set of technologies and numbers.
  4. The information developed from this phase is used to determine the final steps of controlled deployment and maturity phase.

Controlled Deployment Phase - Building Capacity

The primary goal of this phase is to develop a deployment workflow that enables the organization to build capacity as full deployment approaches. This phase also serves as the initial production test run and the completion of operational run-books necessary to manage a full deployment.

Maturity Phase - Continuing to Evolve

Significant work must be performed in order to mature the organization’s security posture and implement the finer points of the deployment. This phase never has an end point—since SIEM must continually evolve.