This document outlines best and worst practices for security information and event management (SIEM) systems according to Dr. Anton Chuvakin. Some key worst practices include failing to properly define SIEM requirements, assuming the SIEM will run itself without support, and expecting vendors to decide what to log and detect. The best practices include taking a use case approach, starting with simple quick wins, deploying in phases while continually learning and expanding, taking log collection seriously, and preparing to create your own detection content.
Anton's 2020 SIEM Best and Worst Practices - in Brief
1. Anton's 2020 SIEM Best and Worst Practices
Dr. Anton Chuvakin
@anton_chuvakin and https://medium.com/anton-on-security
Chronicle / Google Cloud
(ex-Gartner for Technical Professionals until 2019)
2. 2020 SIEM in Context
What is SIEM today?
Does SIEM matter today?
Do you still need it?
What will happen in the future?
4. A Recent SIEM Problems Poll
https://twitter.com/securitybrew/status/1283924416888479746
5. SIEM Worst Practices
1. Skip the SIEM requirements definition phase - just buy something
2. Assume that the SIEM will deploy/manage/run itself and security value will just materialize
3. Expect that IT and other teams will always support your SIEM/detection/monitoring project
4. Expect the vendor to decide what you need to log and what to detect
5. Plan to rely on ML and other “magic” provided in the box
6. SIEM Best Practices
1. Practice a use case approach, and “output-driven” SIEM
2. Start with “quick wins” and simple use cases
3. Deploy using a phased approach, learn, expand, learn more
4. Take log collection seriously and review often
5. Expect the log/telemetry data to grow faster than you expect :-)
6. Prepare to create your own detection content and/or tune existing content
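As an added illustration of best practices 1, 4 and 6 (use-case/output-driven SIEM, reviewing log collection, writing your own detection content), the following Python is not from the slides or from Anton; it is an example written for this page. It defines one small use case the "output-driven" way: the alert fields come first, then the log sources the use case needs, then the logic. The log lines, host names, IPs and the "BruteForceThenSuccess" rule name are all constructed for the example.

```python
"""Use-case driven detection content, written output-first (constructed example).

Use case: alert when one source IP fails to authenticate several times for an
account and then succeeds on that account within a short window.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Step 1 (output-driven): what the alert must contain and what data it needs.
USE_CASE = {
    "name": "BruteForceThenSuccess",          # hypothetical rule name
    "required_sources": {"sshd"},             # log sources that must be collected
    "threshold": 3,                           # failures before a success
    "window": timedelta(minutes=5),           # look-back window for those failures
    "output_fields": ["user", "src_ip", "host", "failures", "first_failure", "success_at"],
}

# Constructed sshd-style auth log lines; not real data.
SAMPLE_LOGS = [
    "2020-07-20T10:00:01 host1 sshd[1001]: Failed password for alice from 203.0.113.5 port 5001 ssh2",
    "2020-07-20T10:00:05 host1 sshd[1002]: Failed password for alice from 203.0.113.5 port 5002 ssh2",
    "2020-07-20T10:00:09 host1 sshd[1003]: Failed password for alice from 203.0.113.5 port 5003 ssh2",
    "2020-07-20T10:00:12 host1 sshd[1004]: Accepted password for alice from 203.0.113.5 port 5004 ssh2",
    "2020-07-20T10:01:00 host1 sshd[1005]: Failed password for bob from 198.51.100.7 port 5005 ssh2",
    "2020-07-20T10:01:30 host1 sshd[1006]: Accepted password for bob from 198.51.100.7 port 5006 ssh2",
    "2020-07-20T10:02:00 host1 cron[2000]: (root) CMD (run-parts /etc/cron.hourly)",
]

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\w+)\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


@dataclass
class AuthEvent:
    ts: datetime
    host: str
    source: str
    result: str
    user: str
    ip: str


def parse_events(lines):
    """Step 2: parse only the lines this use case understands; others are skipped."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            events.append(AuthEvent(datetime.fromisoformat(m["ts"]), m["host"],
                                    m["source"], m["result"], m["user"], m["ip"]))
    return events


def missing_sources(events, required):
    """Log-collection review: which sources the use case needs are not arriving?"""
    return set(required) - {e.source for e in events}


def detect_bruteforce_then_success(events, threshold=USE_CASE["threshold"],
                                   window=USE_CASE["window"]):
    """Step 3: the detection logic. Tracks failures per (ip, user) and emits an
    alert when an accepted login is preceded by >= threshold failures in `window`."""
    failures = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.ip, e.user)
        if e.result == "Failed":
            failures[key].append(e.ts)
            continue
        recent = [t for t in failures[key] if e.ts - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "rule": USE_CASE["name"], "user": e.user, "src_ip": e.ip, "host": e.host,
                "failures": len(recent), "first_failure": recent[0].isoformat(),
                "success_at": e.ts.isoformat(),
            })
        failures[key].clear()  # a success resets the counter for that pair
    return alerts


def run_use_case(lines):
    """Return (missing log sources, alerts) so coverage gaps are visible with the results."""
    events = parse_events(lines)
    return missing_sources(events, USE_CASE["required_sources"]), detect_bruteforce_then_success(events)


if __name__ == "__main__":
    missing, alerts = run_use_case(SAMPLE_LOGS)
    print("missing sources:", missing or "none")
    for a in alerts:
        print({k: a[k] for k in ["rule"] + USE_CASE["output_fields"]})
```

Running it on the constructed lines reports no missing sources and one alert, for alice from 203.0.113.5 with 3 failures; bob, with a single failure, stays below threshold. The point of `missing_sources` is that a rule which silently receives no data looks identical to one that fires on nothing, so coverage is checked as part of the use case rather than assumed.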
8. Just for Laughs - 2011 Version of the Same...
https://www.slideshare.net/anton_chuvakin/five-best-and-five-worst-practices-for-siem-by-dr-anton-chuvakin-8721331