People and Processes Key to Faster SIEM ROI, Secure Business

These five best practices will help deliver success more rapidly and ensure increasing return on investment.

by Joseph Magee

Ask security information and event management (SIEM) vendors and they’ll tell you their products are delivering more out-of-the-box value than ever before. That’s true. More vendors are producing compliance modules, insider threat modules, and other components that embed sophisticated intelligence about how to monitor for the right security controls. However, there is no such thing as a “standard environment,” so “out-of-the-box value” doesn’t mean you can light up the box, connect your data sources, and instantly realize improved compliance scores, threat detection, and operational efficiency!

Most SIEM customers are still struggling to derive measurable success a year or more after initial deployment. As with deploying any other great technology, SIEM products must be contextualized to the specific environment – and the “people” and “process” aspects of the SIEM solution are just as important as the tools themselves.

We’ll examine five best practices involving people and processes that will help deliver success more rapidly and ensure increasing return on investment (ROI) over time.

Best Practice #1: Don’t Boil the Ocean

Given the complexity of most environments and the far-reaching capabilities of SIEM to integrate virtually any kind of data source, one of the greatest pitfalls is starting a SIEM project with visions that are either too ambitious or lack clear focus. After all, the implementation challenges are not just about whether you’re collecting the right data or have the right rules and filters in place. You will need active cooperation from a range of business units and IT groups and adequate project resources. Set expectations: deploying SIEM is not a one-time, four-week engagement, but must be done in stages. ROI will accelerate over time.

Best Practice #2: Three Words: Measurable. Business. Impact.

Start with a project that will produce measurable business impact: a project that will secure a discrete set of systems supporting a critical business transaction or revenue stream, or avoid Payment Card Industry (PCI), SOX, or other regulatory fines. Establish clear, measurable objectives, both business-oriented and operational. Be thorough and careful to ensure that you’re collecting and correlating the right data, and use rules and filters that will produce streamlined reports that are truly meaningful to both the business and technical audiences. This will win quick confidence and help ensure cooperation and resources for future phases.

Best Practice #3: Make it Map

Document the relationship between security controls and program objectives. Of course, various security controls will map to multiple program objectives – likely, a combination of separate regulatory initiatives and security program objectives particular to your environment. As you progress from one SIEM project to another, you’ll find that some of the system controls you need for a PCI project, for example, were implemented last quarter for your SOX project, and you won’t have to worry about them next month when you start your security monitoring project for a new Web application. The better your documentation, the more streamlined your SIEM system configuration will be and the more mileage you’ll get out of work you’ve already done.

Best Practice #4: Accurate Asset Data is Paramount

Work from up-to-date, risk-weighted asset data. The intelligence provided by the SIEM is only as valuable as the data it collects and the richness of analytics it can perform on that data. Ideally, the SIEM deployment manager knows which assets are under management as well as the relative importance of those assets from a risk management perspective so that alerts and reports can be designed accordingly. Twenty instances of unauthorized access to a patient information database may have more impact on the overall risk posture than 20 instances of unauthorized access to an internal FTP server. Therefore, tracking the value of the SIEM system to the organization is partly a task of tracking the percentage and relative risk value of the IT assets that are being monitored by SIEM at any given time.

Best Practice #5: Ask What the SIEM Might Not be Seeing

Blind spots can be an ROI-killer. Operating from outdated asset data can be dangerous both to the reputation of the SIEM project and to the security posture of the environment. Of course, data collection is not a static task. If you’re not continually modifying the SIEM to adjust to constant changes, it quickly becomes irrelevant. In the worst case, threats can be silently (or not so silently) impacting resources that are believed to be included in the monitoring scope but that are not even visible to the SIEM, perhaps creating the illusion that the business is more secure than it is.

If what you’ve missed is damaging enough, support for the project or future projects could be seriously jeopardized. Keeping the SIEM updated about the asset pool means ensuring that configuration changes on source devices don’t unwittingly shut down data collection. You must establish a process to light up or decommission data collection when devices are added to or removed from the asset pool.
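The coverage metric from Best Practice #4 and the blind-spot check from Best Practice #5 can be combined into one routine that runs against the asset inventory and the SIEM's per-source "last event received" timestamps. The code below is an added illustration, not from the article or the author's company; the asset names, risk weights, timestamps and the 24-hour silence threshold are all constructed.

```python
from datetime import datetime, timedelta

# Constructed asset inventory: hypothetical names, scope flags and 1-5 risk weights.
# In practice this comes from the CMDB / asset risk classification process.
ASSETS = {
    "patient-db-01": {"in_scope": True, "risk": 5},
    "ftp-internal-01": {"in_scope": True, "risk": 2},
    "web-app-01": {"in_scope": True, "risk": 4},
    "build-server-01": {"in_scope": False, "risk": 1},
}

# Constructed "last event received" timestamps as the SIEM would report them.
# web-app-01 went quiet days ago (e.g. a syslog change); ftp-internal-01 never reported.
LAST_SEEN = {
    "patient-db-01": datetime(2024, 1, 10, 12, 0),
    "web-app-01": datetime(2024, 1, 7, 3, 0),
}


def coverage_report(assets, last_seen, now, max_silence=timedelta(hours=24)):
    """Return asset-count and risk-weighted coverage plus a ranked blind-spot list.

    An in-scope asset counts as covered only if the SIEM received an event from it
    within max_silence; anything else is a blind spot, highest risk first.
    """
    in_scope = {n: a for n, a in assets.items() if a["in_scope"]}
    if not in_scope:
        return {"asset_pct": 0.0, "risk_pct": 0.0, "blind_spots": []}
    total_risk = sum(a["risk"] for a in in_scope.values())
    covered_risk = 0
    blind_spots = []
    for name, asset in in_scope.items():
        seen = last_seen.get(name)
        if seen is not None and now - seen <= max_silence:
            covered_risk += asset["risk"]
        else:
            reason = "never reported" if seen is None else f"silent since {seen:%Y-%m-%d %H:%M}"
            blind_spots.append((name, asset["risk"], reason))
    blind_spots.sort(key=lambda b: -b[1])  # address the riskiest gaps first
    asset_pct = 100 * (len(in_scope) - len(blind_spots)) / len(in_scope)
    risk_pct = 100 * covered_risk / total_risk
    return {"asset_pct": asset_pct, "risk_pct": risk_pct, "blind_spots": blind_spots}


def demo_report():
    """Run the check at a fixed (constructed) evaluation time."""
    return coverage_report(ASSETS, LAST_SEEN, datetime(2024, 1, 10, 13, 0))


if __name__ == "__main__":
    r = demo_report()
    print(f"assets covered: {r['asset_pct']:.0f}%  risk covered: {r['risk_pct']:.0f}%")
    for name, risk, reason in r["blind_spots"]:
        print(f"BLIND SPOT risk={risk} {name}: {reason}")
```

Reporting both percentages side by side matters: here one of three assets is covered by count, but because the patient database carries the most weight the risk-weighted figure is noticeably higher, and a report based on counts alone would misstate the posture.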

Paying the Price

Some companies that have rushed to roll out SIEM technology without the “people” and “process” groundwork have paid a hefty price. Consider the case of a multi-national financial services enterprise that had to end a failed SIEM project after a multi-year, multi-million dollar effort. Looking back, the SIEM deployment manager identified fatal flaws in the planning process:

  • Failure to build a staged roadmap with quantifiable and achievable business objectives at each stage
  • Failure to leverage asset risk classifications to prioritize monitoring of business-critical systems
  • A lack of deployment metrics to quantify the extent of coverage of those systems to identify key blind spots

With these lessons in mind, and millions of dollars spent, the business started over with a clean slate. They designed a phase-based SIEM program, with each phase focusing on a handful of well-communicated objectives. They integrated with existing asset inventory and asset risk classification processes to prioritize their deployment and enrich the alerts and metrics produced.

Success could have come at a lower price had they followed the best practices we’ve outlined, but they did end up with a successful SIEM project.

Joseph Magee is the co-founder and chief technology officer for Vigilant LLC, a managed security services provider that helps IT security teams defend and enable dynamic business by refining and extending their security information management infrastructure. You can contact the author at
