The road to a successful implementation of SIEM and SOC

Implementing a SIEM and managed SOC is something that requires thorough research and preparation.

Having a SIEM solution or a managed SOC in place can be hugely rewarding, providing you with “eyes and ears” on what happens on your systems and network, while supporting your ongoing compliance efforts. But it can also be an extra expense that does not live up to your expectations, providing little true value, or even worse: a false sense of security.

I have highlighted some of the things that you need to consider before investing in a managed SOC or a SIEM solution, along with advice on how to successfully implement them and get the most possible value for your investment.. 

But for now, here’s nine steps to consider before you invest in a SIEM solution and a managed SOC:

1. Start by addressing the true value that you expect to get out of the solution – build the business case for your management team, based on how the solution will contribute to both operational security and to reducing business risk.
2. Formulate measurable goals for what you want to achieve. For instance, are you interested in reducing TTD and TTR (time to detect and time to respond), or do you simply need to meet certain compliance requirements? Using the CARTA model from Gartner can be a good way to determine what you want to accomplish, aligning your strategy to the four pillars of adaptive risk management (Predict, Prevent, Detect and Respond)
3. Evaluate whether you have the needed maturity of people, processes and technology that is required to make your SIEM an succes, and if you are able to use the enriched data and intelligence a managed SOC provides
4. If you are building your own SIEM tool and establishing SOC capabilities, you will need to decide whether you will use off-the shelf proprietary solutions or open-source software
5. Ask yourself, how does an in-house SIEM solution and managed SOC compare to a fully managed detection & response (MDR) service, in accordance with your actual needs (see point 1 & 2 above).
6. Determine the level of coverage that is right for your organization; i.e. which assets you need to log and monitor. Are you satisfied with monitoring core infrastructure only, or should you include certain (or all) business applications, cloud, devOps, serverless, etc.
7. Decide on the specific capabilities that are useful to your organization. For example, do you require capabilities such as active threat hunting, digital footprint assessments, threat intelligence capabilities, incident response, user and entity behavior analytics, SOAR, etc.?
8. Ensure that you have the necessary internal resources to drive and ensure quality of the onboarding process and the implementation and fine tuning of your SIEM and managed SOC
9. Define a staged approach for implementation with realistic and measurable milestones. A multi-phased approach with several project iterations within each phase is always preferable