Cygilant Blog

10 Tips for a Successful SIEM Deployment

Posted by Shawn O'Brien on Dec 28, 2015

Many organizations turn to security information and event management (SIEM) to meet their cyber defense needs, but they often end up with a disappointing experience. While SIEM can be a great tool in handling cyber attacks, it’s only helpful when deployed well.

In the webinar “10 Tips for a Successful SIEM Deployment,” for the SC Magazine SIEM eSymposium, Cygilant Product Manager Kevin Landt talks about common challenges organizations face when deploying SIEM, and offers tips for how to successfully set it up. Here are the key takeaways from the webinar:

What's the Purpose of SIEM?

The purpose of SIEM is to collect log data from separate silos all across an organization and bring it together in a central repository where the security team can analyze data in order to detect advanced threats. It’s also useful in meeting regulatory requirements—such as PCI and HIPAA—in order to achieve compliance.

The Biggest Challenge: Product Complexity

In a 2012 InformationWeek survey, 44% of organizations cited product complexity as the biggest challenge in SIEM deployment. Users can find themselves overwhelmed with thousands of confusing event messages.

Three Tips to Ease Complexity

  1. Plan ahead by deciding which security and compliance use cases the organization needs to address and what type of data is appropriate for them
  2. Talk with SIEM vendors about integration, agents, and other components
  3. Tune SIEM data collection to the organization's specific use cases

The Hidden Costs of SIEM Infrastructure

Organizations might underestimate the cost of hiring qualified IT staff for network security monitoring. There are also ongoing costs, such as server administration and software maintenance, for running SIEM infrastructure over time.

Three Tips to Reduce Costs

Based on their needs, companies can explore their options by considering the following:

  1. Deployment model: on-premises software, cloud SaaS, or hybrid SaaS
  2. Staffing model: DIY, managed security services, or a mix of both
  3. Device integration: vendor add-on cost, universal parser, or included in service

The Security Value of SIEM Deployment

Defense teams need to make sure they get real security value out of their SIEM deployment. Otherwise, it might flood them with too much unusable information, defeating the tool's purpose in the first place.

Three Tips to Ensure Value

  1. Think like a hacker in order to look at the SIEM data with a more honed perspective
  2. Collect the data that matches the threat model, and not just the perimeter tools (such as firewalls)
  3. Assess security skills and time—qualified staff should have knowledge of the product

How to Become Proactive With SIEM

Security teams also need to overcome the reactive security posture generally associated with SIEM. Security tools tend to create a mentality of responding to incidents, not preventing them.


Security teams can implement security controls, such as active malware protection, properly configured firewalls and servers, and vulnerability management, that address potential problems before they cause real damage.

SOCVue

Businesses can also succeed with their SIEM deployments by using EiQ's security services. SOCVue combines people, process, and technology to help midmarket organizations improve their security posture at a fraction of the cost of alternative solutions.


To find out more about how Cygilant can help with SIEM, watch “10 Tips for a Successful SIEM Deployment.”

Photo: niroworld / Shutterstock

Tags: SIEM, InfoSec
