Aristotle put forth the idea in his Poetics that a drama has three parts — a beginning or protasis, middle or epitasis, and end or catastrophe. Far too many SIEM implementations are considered to be catastrophes. Having implemented hundreds of such projects, I can say that a SIEM implementation has three parts of its own, and following them will minimize the drama and maximize the ROI.
The beginning or protasis
- Identify log sources and use cases.
- Establish retention period for the data set and who gets access to which parts.
- Nominate a SIEM owner and a sponsor for the project.
The middle or epitasis
- Install the SIEM Console
- Push out and configure sensors or the log sources to send data
- Enable alerting and required reporting schedules
- Take log volume measurements and compare against project disk space requirements
- Perform preliminary tuning to eliminate the noisiest and least useful log sources and event types
- Train the product owner and users on features and how to use them
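The two measurement steps in the middle phase (log volume against disk space, and preliminary noise tuning) are where a worked example helps most. The script below is an added illustration written for this article and is not part of the original post or of any SIEM product: it parses a handful of constructed syslog-style lines, measures events and bytes per source, extrapolates the observed rate over the retention period chosen in the beginning phase, and ranks the sources by event count as candidates for tuning. The `index_overhead` factor of 1.5 is an assumed placeholder for indexing and metadata growth, not a measured value; replace it with your platform's actual ratio.

```python
"""Added example (not from the original post): measure per-source log volume from
syslog-style lines, project disk needs over the planned retention period, and
rank sources for preliminary noise tuning."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, roughly what a collector receives. The last line is
# deliberately malformed to show that unparsed input is counted, not dropped.
SAMPLE_LINES = [
    "2024-03-01T10:00:00Z fw01 deny tcp 10.0.0.5:51234 -> 203.0.113.9:443",
    "2024-03-01T10:00:10Z fw01 deny tcp 10.0.0.5:51235 -> 203.0.113.9:443",
    "2024-03-01T10:00:20Z fw01 deny tcp 10.0.0.5:51236 -> 203.0.113.9:443",
    "2024-03-01T10:00:30Z fw01 allow tcp 10.0.0.7:40001 -> 198.51.100.2:25",
    "2024-03-01T10:00:15Z dc01 audit: logon success user=alice workstation=ws42",
    "2024-03-01T10:00:45Z dc01 audit: logon failure user=bob workstation=ws17",
    "2024-03-01T10:01:00Z vpn01 session opened for user=carol from 198.51.100.40",
    "this line has no usable timestamp",
]

# Assumed line layout: "<ISO-8601 UTC timestamp> <host> <message>".
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
UNPARSED = "<unparsed>"


def parse_line(line):
    """Return (timestamp, host, bytes_on_disk) or None if the line is unusable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    # Bytes the raw event occupies on disk, including the trailing newline.
    return ts, m.group("host"), len(line.encode("utf-8")) + 1


def measure_volume(lines):
    """Return ({host: {"events": n, "bytes": b}}, observed_window_seconds)."""
    stats = defaultdict(lambda: {"events": 0, "bytes": 0})
    first = last = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            stats[UNPARSED]["events"] += 1
            stats[UNPARSED]["bytes"] += len(line.encode("utf-8")) + 1
            continue
        ts, host, size = parsed
        stats[host]["events"] += 1
        stats[host]["bytes"] += size
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
    # Guard against a single-event sample, which would give a zero-length window.
    window = (last - first).total_seconds() if first and last and last > first else 1.0
    return dict(stats), window


def project_disk_gb(stats, window_seconds, retention_days, index_overhead=1.5):
    """Extrapolate observed bytes/second across the retention period.

    index_overhead is an ASSUMED multiplier for index and metadata growth."""
    total_bytes = sum(s["bytes"] for s in stats.values())
    bytes_per_day = total_bytes / window_seconds * 86400
    return bytes_per_day * retention_days * index_overhead / 1e9


def noisiest_sources(stats, top=3):
    """Rank sources by event count; the top entries are tuning candidates."""
    return sorted(stats.items(), key=lambda kv: kv[1]["events"], reverse=True)[:top]


if __name__ == "__main__":
    stats, window = measure_volume(SAMPLE_LINES)
    retention_days = 90  # value agreed in the beginning phase
    print(f"observed window: {window:.0f}s")
    for host, s in noisiest_sources(stats):
        print(f"{host:12} events={s['events']:4} bytes={s['bytes']:6}")
    print(f"projected disk for {retention_days} days: "
          f"{project_disk_gb(stats, window, retention_days):.3f} GB")
```

A sixty-second constructed sample is of course far too short to size real storage; the point is the method. In practice, run the measurement over at least a full business week per source so that daily and weekly cycles are captured, and keep the unparsed bucket visible, since a source that fails to parse is both a volume cost and a blind spot for the alerting that the next phase relies on.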
The end or catastrophe
- Review log volume and tune as needed
- Review alerts for correctness and establish notification methods, if appropriate
- Establish escalation policy – when and to whom
- Establish report review process to generate artifacts for audit review
- Establish platform maintenance cycle (platform and SIEM updates)