SIEM Implementation Strategy & Plan

SIEM: A Guide to Successful Implementation, Strategy, and Planning

Stackify Insights for Dev Managers

Security Information and Event Management (SIEM) gives you real-time analysis of threats and security alerts generated by network applications and hardware. It controls the storage, manipulation, analysis, and reporting of security data from different sources and enables you to correlate different events and alerts.

SIEM plays a role in regulatory compliance and isn’t something that you should ignore. A well-implemented Security Information and Event Management solution enables you to stay one step ahead of cyber attacks by providing a centralized view of security-related events and information.

7 Components of SIEM

SIEM has several key components, or important functions that should be present in a successful SIEM implementation:

  1. Data aggregation, which includes log and event management. SIEM gathers data and logs from a variety of sources to ensure that no important security event is missed.
  2. Correlation, which looks for common trends and attributes that link different events together so that meaningful and useful information can be derived.
  3. Notification, which involves the automatic analysis of related events and creates alerts to notify IT managers of any potential issues.
  4. Dashboards, which include tools that process raw data into something that is easier to understand, such as charts, graphs, and bars.
  5. Compliance, which involves different tools that automatically gather compliance-related data and create reports that demonstrate the company’s compliance with regulations.
  6. Retention, which addresses how data and events are stored in the long run, as well as what to do with historical data.
  7. Forensics, which enables you to access events and log data residing in different nodes from different time periods and gather them all together, usually by using a specific set of criteria.
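To make the first three components concrete, here is an added example (not code from the article or from any SIEM product) that aggregates two constructed log sources into one event schema, correlates them by source IP, and emits severity-ranked alerts. The log lines, the threshold of three failures in a two-minute window, and the "/admin" path rule are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from two sources (an sshd auth log and a web access log); illustrative only.
SSHD_LOGS = [
    "2024-03-01T10:00:01 sshd[812]: Failed password for admin from 203.0.113.7",
    "2024-03-01T10:00:09 sshd[812]: Failed password for admin from 203.0.113.7",
    "2024-03-01T10:00:15 sshd[812]: Failed password for admin from 203.0.113.7",
    "2024-03-01T10:00:31 sshd[812]: Accepted password for admin from 203.0.113.7",
    "2024-03-01T10:05:00 sshd[813]: Failed password for bob from 198.51.100.4",
    "2024-03-01T10:05:20 sshd[813]: Accepted password for bob from 198.51.100.4",
]
WEB_LOGS = [
    '203.0.113.7 [2024-03-01T10:01:02] "GET /admin/export" 200',
    '198.51.100.4 [2024-03-01T10:05:30] "GET /index.html" 200',
]
SSHD_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")
WEB_RE = re.compile(r'^(\S+) \[(\S+)\] "\S+ (\S+)" \d+$')

def aggregate(sshd_lines, web_lines):
    """Data aggregation: normalise both sources into one event schema, time-ordered."""
    events = []
    for m in filter(None, map(SSHD_RE.match, sshd_lines)):
        ts, outcome, user, ip = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "type": "auth_" + outcome.lower(),
                       "user": user, "ip": ip})
    for m in filter(None, map(WEB_RE.match, web_lines)):
        ip, ts, path = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "type": "http", "path": path, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, threshold=3, window=timedelta(minutes=2)):
    """Correlation and notification: link repeated failures, a success and later admin web access by IP."""
    failures, alerts = defaultdict(list), []
    for e in events:
        if e["type"] == "auth_failed":
            failures[e["ip"]].append(e["ts"])
        elif e["type"] == "auth_accepted":
            recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
            if len(recent) < threshold:
                continue  # a few failures before a success are normal noise, not an alert
            admin_hits = [x for x in events if x["type"] == "http" and x["ip"] == e["ip"]
                          and x["path"].startswith("/admin") and e["ts"] <= x["ts"] <= e["ts"] + window]
            sev = "high" if admin_hits else "medium"  # cross-source evidence raises priority
            alerts.append({"severity": sev, "ip": e["ip"], "user": e["user"], "failures": len(recent),
                           "message": f"[{sev.upper()}] {len(recent)} failed logins then success "
                                      f"for {e['user']} from {e['ip']}"})
    return alerts
```

Running `correlate(aggregate(SSHD_LOGS, WEB_LOGS))` yields a single high-severity alert for 203.0.113.7, while bob's one failure followed by a success stays below the threshold and produces nothing.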

How to Successfully Deploy SIEM

1. Discovery and Planning Phase

As with any business and IT process, deployment of a SIEM system starts with thorough planning and review.

When starting to implement SIEM for your organization, it is important to first review where you stand, and what you want SIEM to achieve for your business – establishing the business case. Begin by coming up with a list of goals and objectives and rank them by their importance to your organization. You should also understand which tasks and processes are critical in supporting the implementation and prioritize them accordingly.

You should also review your security policies, and, as usual, you need to know which of these policies are to be prioritized:
  • which policies are important to your business,
  • which policies are important for your company’s compliance with rules, and
  • which ones are considered as best practices.

You should also have a clear view of your current controls (used to audit these security policies) that would help you ensure compliance. SANS.org outlines 20 critical controls in this guide, which is a good starting point for exploring your needs and identifying relationships between resources, controls, and business goals. “When an organization makes a plan to implement the 20 critical controls as a whole, SIEM should be one of the first controls implemented,” SANS.org explains. “Vulnerability scanners (based on SCAP), whitelisting tools, and other specific controls are important, but no specific control is more relied upon for effective control implementation than a SIEM. That’s because SIEM can take data from all these tools and more to help organizations understand their vulnerabilities, detect and troubleshoot security incidents and help improve security posture.”

The discovery phase typically involves SIEM implementation on a small but representative subset of the organization’s existing technology and policy, enabling you to gather critical data that can inform changes and improvements prior to a complete rollout. One primary goal is to identify weaknesses and gaps in the execution of controls and to put plans in place for remedying them. Ideally, you should be able to plug any gaps before these security elements and controls are incorporated into your SIEM implementation. Otherwise, they won’t add value to your monitoring and alerting processes.

2. Pilot Phase

Starting with the implementation phase, you need to have two goals in mind:

  1. Demonstrating that the SIEM system brings in a return on investment, and
  2. Having a working model as well as a runbook.

During the discovery stage, you should be running SIEM on a small subset of technology that’s representative of all of your organization’s devices and policies. When you get to the pilot stage, you’re then able to apply lessons learned from the data collected during discovery and implement any improvements you’ve made on a larger subset of policies and devices – but the pilot phase is not yet a complete roll-out, either.

In the pilot phase, all assumptions that you have created during the discovery phase should be thoroughly tested, while you deal with a growing number of covered devices. After achieving satisfactory testing results, you should have all the data and information you need to go onto the controlled deployment phase.

3. Controlled Deployment Phase

SIEM deployment does not need to be done in one swift phase. You can gradually and steadily build capacity first as you go through the controlled deployment phase.

The controlled deployment phase is when you develop a deployment workflow that would allow you to build capacity for full deployment, as well as serve as the testing stage in a real production environment. During this phase, all processes, procedures, and operations should be clearly outlined in the runbook.

4. Continuous Improvement Phase

Successful SIEM deployments are not a one-time thing. After all, hackers never stop developing more sophisticated methods of attack, so you must continue to evolve in order to remain one step ahead of your would-be foes.

After the controlled deployment phase, and as you continue to roll out and deploy your SIEM system, you will get more data on how everything works in production. You should use this data and information to fine-tune your deployment and develop your organization’s security policies and processes. This means that your SIEM deployment is under constant change – and this process should never stop.

Best Practices for SIEM Implementation

The best way to implement SIEM? Gradually. A step-by-step approach will help you learn more about your current systems and implement your strategy piece-by-piece, allowing you to fine-tune it along the way. If there are mistakes or gaps in your implementation that leave vulnerabilities unaddressed, you can easily pinpoint where they are and how to correct them. You can also get more data for every step and use the information to improve deployment going forward.

Taking it slow is not the only best practice when it comes to SIEM deployments. Other best practices include:

  • Have a clear view of the use cases before you start to review and evaluate solutions.
  • Prepare for the worst. Always come up with worst-case scenarios so that you can straightforwardly choose tools that can handle them.
  • Utilize IP reputation data to help you determine whether threats are coming from outside or inside the network. This also allows you to keep tabs on your own organization’s reputation and to prioritize alerts.
  • Make sure that your tools have the latest information on threats and are regularly updated.
  • Choose SIEM tools that can handle more than one purpose. Single-purpose tools mean that there are numerous tools for you to manage, maintain, and supervise. There are now solutions that have several security detection tools built in, such as vulnerability assessment, asset discovery, wireless intrusion detection, network analysis, log management, and file integrity monitoring, among many others. Log management tools, for instance, are often included in the SIEM category, but log management combined with monitoring, metrics, and event reporting provides a deeper, more comprehensive view of critical data.

Additional Resources and Tutorials

For more information on implementing a security information and event management solution, visit the following resources and tutorials:

Today’s hackers are often multi-channel operators, meaning that even the best monitoring can fall short of proactively identifying threats if it’s focused only on a single channel. Centralizing alerts and other security-related information in a single, cohesive view enables you to more effectively identify potential threats from activity that, when viewed only in the context of one channel, may seem innocuous. This is what makes tools like Retrace more valuable for SIEM compared to stand-alone log management solutions. By combining logs, errors, metrics, monitoring, and even APM in a single suite of tools, Retrace centralizes essential data that can aid in SIEM.