Security leaders who are considering a managed SIEM solution should have a clear understanding of their requirements and use cases before evaluating any particular product.
Finding the right SIEM solution involves weighing up your needs and matching them to the vendor and service that can best satisfy them, at a price that meets your budget.
Consider your longer-term roadmap when creating requirements but seek to deliver a set of tactical use cases in the short-term. These can be expanded to support more complex threat detection and response use cases in the mid to longer-term.
A good set of requirements is always well thought out, so our top tips are:
- Work out the overall corporate objective of the SIEM within the organisation, including future growth estimates;
- Understand the budget available ensuring it includes project costs, licensing and deployment, including internal IT support costs;
- Set the boundaries of project scope tightly: the SIEM projects we have managed have been security focused, but interest from other teams grows quickly, and many SIEMs are actually built on data platforms that can be used for other, non-security purposes;
- Engage relevant internal SMEs to attend requirements workshops;
- Consider the key components for your requirements, including:
  - Data acquisition and management;
  - Utilising the MITRE ATT&CK Enterprise Framework to develop use cases, including what log data and events to collect;
- Follow your organisation's Request for Procurement (RFP) model as the approach to vendor selection;
- MoSCoW (must have, should have, could have…) your requirements and define a vendor response scoring mechanism against them;
- Conduct a detailed requirements review workshop with your key stakeholders.