In effect, SIEM improves the signal to noise ratio for IT teams, enabling them to more easily identify “real” threats from false alarms. This means a team of a given size can do the work of a larger (and possibly more skilled) team. It’s all about getting the most out of the people on the IT security team. So, before you begin, make sure everyone you’ll be working with is onside.

Team talk

SIEM deployments cut across organisations’ boundaries. In IT you can expect to involve stakeholders in architecture, operations, help-desk, and security functions. Within business management, you may need support from finance, HR, compliance, risk management, and the sponsoring C-level executive. It’s essential that any SIEM project secure buy-in from all stakeholders before work begins in earnest. Once the team is assembled, you’re then ready for the 4-step process to perfect SIEM preparation.

Step 1: assess

This step is all about gather as much relevant information on key stakeholder requirements and thoroughly auditing your existing IT and security arrangements.

The ultimate aim is to establish an acceptable known base line for security, from which you can build the rest of the project. So you should perform vulnerability assessments on existing systems and networks, identify current or potential weaknesses and fix them first. Then you can start to understand priorities, such as which critical systems to plug into the SIEM first, what levels of detail are needed, and which parts of the infrastructure are taking most heat.


This ensures your people and processes are ready to move to Step 2.

Step 2: simplify

Attempting to integrate SIEM with complex or contrived infrastructure will add time-consuming work and extra cost at each stage of the project.

So look for any opportunities to simplify your networks. Topologies may have changed significantly since your original deployment of firewalls, IDS, and other security products. Users may have relocated physically or migrated to new methods of accessing their applications and data. It may be possible to retire some of your security systems and consolidate networks and security policies associated because their functionality has now been added to other products.

To help with this, review the placement of security infrastructure in the light of the threats and vulnerabilities you catalogued in Step 1. Remove, redeploy, or reconfigure security products that serve little or no purpose in their current position. Take the opportunity to retire legacy access methods, and reduce the number of routes into your network. Again based on your work in stage 1, consider grouping high-value assets together in a high-security “green zone”.