On August 21, 2014, Gartner released a new SIEM report: "Overcoming Common Causes for SIEM Deployment Failures". The author is Oliver, a newcomer who has just moved from HP to Gartner. He is currently on a team with Mark Nicolett.
The report gives six common causes of current SIEM deployment failures: failing to plan before buying, failing to define the scope, overly optimistic scoping, monitoring noise, lack of sufficient context, and insufficient resources. In the report's own words: failure to plan before buying, failure to define scope, overly optimistic scoping, monitoring noise, lack of sufficient context, insufficient resources.
Oliver says that although SIEM technology has improved significantly in recent years, 20% to 30% of the customers currently surveyed by Gartner still report failed cases that did not reach the expected goals, and some deployments were even shelved.
Of course, Oliver does not devalue SIEM in the report; he summarizes the causes of SIEM failure and argues that many failures could be avoided.
Oliver proposes a set of best practices: a formalized process for SIEM planning, selection, procurement, deployment, and implementation. In fact, this set of best practices is not a new theory; I have been promoting it all along.
My point is this: before purchasing a product, it is essential that the customer understand what they actually want. This is not a simple vision or a vague need. Instead, first set up a project team that can commit key resources and people to the project. That team then formulates a clearer project requirement: determining the management objects (business, assets, and key devices), which defines the scope; designing the typical scenarios to be implemented, which again defines the scope; and identifying the most urgent problems that can realistically be solved, which still defines the scope. Only with clear requirements can selection and purchasing begin. Purchasing a product that meets your needs is harder than purchasing a product with advanced technology. Advanced technology is relatively easy to compare, whether through horizontal comparison or product testing, but it is difficult to assess whether a product meets your own needs, because you may not know what you need. This again highlights the importance of requirements analysis.

In the implementation phase, maintain a cautious attitude and send a cautiously optimistic message to management. A basic approach is to implement the use cases and scenarios one by one, following the guidelines established in the planning phase. Oliver says that implementing 5 to 7 use cases in the first six months of implementation would be good; I think implementing three is great in China. Of course, this assumes that at project initiation a correct understanding of, and reasonable expectations for, the SIEM/security management platform project have been established from the management layer down to the implementation layer.

In the maintenance phase, people are the key factor. I have said this n times already: in any case, a certain number of security analysts are essential.
After reading this, are you afraid of SOC/SIEM? There is no need to be. In China, the best practices I have always advocated can be summarized as follows:
Planning stage - plan as a whole, deploy in stages, and implement gradually;
Construction phase - pay equal attention to technology and service, and to construction and operations and maintenance (O&M);
Use phase - make full use of the "external brain" (outside expertise) and make use of maintenance services.
Oliver concludes that not all organizations are suited to SIEM; suitability depends on the organization's overall security maturity. I think maturity here includes not only material and technical maturity, but also awareness and mechanisms.
Gartner: FAQs about SIEM deployment failure