Designing your security information and event management (SIEM) strategy can be very challenging, particularly in complex environments that depend on many systems and stakeholders. For security leaders, it may seem as though this work is never complete. Indeed, maintaining an effective SIEM program requires a cyclical approach of reviewing business objectives, planning detection and response processes, and constantly tweaking the system to account for gaps and future growth.

As shown in the illustration below, a successful SIEM strategy must include well-defined goals, thorough planning, requisite resources and capabilities, and mechanisms to measure effectiveness and promote continuous improvement.

Designing Your SIEM Strategy

To get a better idea of how this cycle impacts the organization’s threat detection and incident response capabilities, let’s take a closer look at the components listed above and outline the steps security professionals must take to build an effective SIEM strategy from the ground up.

Download the 2017 Gartner Critical Capabilities for Security Information and Event Management

Defining Goals

The first step toward designing your SIEM strategy is to establish your cybersecurity goals, which are usually defined in the corporate security policies, procedures and technical standards. Mature organizations may have security operations charters that specify objectives, guiding principles, strategies, and roles and responsibilities for IT professionals.

Your SIEM goals should also align with the corporate vision and mission for cybersecurity. Often this is a balancing act between the organizational mandate and practical outcomes. It is important to continuously identify and communicate risks to senior management through a formal security operations center (SOC) governance program.

Planning Around the Cyberattack Life Cycle

Once the goals are defined, it’s time to start planning. An effective SIEM plan includes defense tactics, data sources and collection, reliable threat intelligence and monitoring, and incident response. It must also include a list of resources and capabilities, and a process to monitor and improve upon gaps and inefficiencies.

When planning your SIEM strategy, your top priority should be to identify a reference framework for cyberdefense. This means understanding the stages of the cyberattack life cycle. The table below outlines five models security professionals commonly reference to understand cybercriminal techniques and tactics during a breach.

Step 1: Initial Reconnaissance; External Reconnaissance; Internal and External Threats

Step 2: Initial Compromise; Weaponization and Delivery; Existing Access and Perimeter Compromise

Step 3: Establish Foothold; Escalate Privileges

Step 4: Escalate Privileges; Internal Reconnaissance; Perform Reconnaissance

Step 5: Internal Reconnaissance; Lateral Movement; Command and Control; Move Laterally

Step 6: Command and Control; Move Laterally; Data Collection; Actions on the Objective; Exfiltrate Data

Step 7: Actions on Objectives; Maintain Presence; Data Exfiltration; Disrupt Business

Step 8: Complete Mission

Step 9: (no entries recovered)

Models named in the table’s surviving column headers: Lockheed Martin, Mandiant Consulting.

Cyberthreats can lurk on networks for days, months or even years. That’s why it’s important to monitor threats not just during an attack, but throughout all stages of the attack life cycle. Ideally, cyberattacks are detected and thwarted during the initial stages, but an effective SIEM can respond to malicious activity at any point during the life cycle. However, response efforts are much more resource- and skill-intensive during the later stages.

It’s also important to plan the time window for monitoring and responding to threats. How much coverage is needed depends on the size of the organization and the criticality of business transactions, and the monitoring and response plan should consider the organization’s goals and the resources available. The time window should be based on the threat rate, handling time, target response time, target service level, rate of organizational growth, technological maturity and other factors.


Threat Intelligence Resources and Analysis Capabilities

The next activity is to rigorously plan for and prioritize data sources and data collection. The prioritization of the log source onboarding depends on the criticality of the asset and the organization’s event collection capabilities. The three key considerations for log source onboarding are:

  1. Event collection capabilities and the strategy for hosting event collectors according to the network and the organization’s security architecture;
  2. Asset criticality and prioritization; and
  3. Regulations that require certain logs to be maintained and reviewed.
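The three considerations above can be turned into a repeatable onboarding queue. The following is an added example, not code from the article or from any SIEM vendor; the inventory, the network zones, the collector placement and the scoring weights are all constructed for illustration. It scores each log source by asset criticality and regulatory need, and separates sources whose zone has no event collector yet, so that collector placement work is prioritized by the same criteria as the onboarding itself.

```python
from dataclasses import dataclass


@dataclass
class LogSource:
    name: str
    criticality: int          # assumed scale: 1 (low) .. 5 (crown jewel)
    zone: str                 # network zone the source lives in
    regulated: bool = False   # a regulation requires these logs to be kept and reviewed


# Constructed inventory and collector placement; not taken from any real environment.
COLLECTOR_ZONES = {"dmz", "corp-lan"}   # zones where an event collector is already hosted

SOURCES = [
    LogSource("payroll-db", 5, "datacenter", regulated=True),
    LogSource("web-proxy", 3, "dmz"),
    LogSource("domain-controller", 5, "corp-lan", regulated=True),
    LogSource("dev-jenkins", 2, "corp-lan"),
    LogSource("vpn-gateway", 4, "dmz"),
    LogSource("test-lab-switch", 1, "lab"),
]


def onboarding_score(src: LogSource) -> int:
    """Higher score = onboard sooner. Weights are assumed for illustration:
    criticality dominates, a regulatory requirement adds a fixed bonus."""
    score = src.criticality * 10
    if src.regulated:
        score += 25
    return score


def plan_onboarding(sources, collector_zones):
    """Return (ready, blocked).

    ready   - sources reachable from an existing collector, highest score first
    blocked - sources in a zone with no collector; sorted the same way so the
              collector-placement backlog is prioritized by the same criteria
    """
    ready = [s for s in sources if s.zone in collector_zones]
    blocked = [s for s in sources if s.zone not in collector_zones]
    key = lambda s: (-onboarding_score(s), s.name)
    return sorted(ready, key=key), sorted(blocked, key=key)


if __name__ == "__main__":
    ready, blocked = plan_onboarding(SOURCES, COLLECTOR_ZONES)
    print("Onboard now:")
    for s in ready:
        print(f"  {onboarding_score(s):3d}  {s.name} ({s.zone})")
    print("Blocked until a collector exists in the zone:")
    for s in blocked:
        print(f"  {onboarding_score(s):3d}  {s.name} ({s.zone})")
```

Note that the highest-scoring source in the constructed inventory (the regulated payroll database) ends up in the blocked list: the queue makes visible that the most important gap is a collector in the datacenter zone, not another source on the existing collectors.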

Knowledge about threats, their evolution and their relevance to the organization’s environment is crucial. Structured threat data enables security analysts to spend less time searching and analyzing threats. The key to advanced threat detection, however, is buried beneath layers of unstructured data. Cognitive security solutions can help analysts reduce the time it takes to research unstructured information and minimize false positives. These tools search the web for threat intelligence and correlate it with structured information for effective insights into threats.

While threat intelligence is certainly a key component of any good SIEM strategy, it is not sufficient by itself. Organizations looking to build robust cyberdefense capabilities need a defined process for proactive threat hunting and analysis. This enables security teams to identify threats that may circumvent security solutions deployed in the environment.

The use of machine learning can help analysts navigate large volumes of data and make faster, more accurate decisions during threat hunting activities. Efficiency is crucial since resources for performing threat analysis are often limited. The process involves formulating a hypothesis, testing it statistically, investigating threats, discovering patterns, making inferences and accepting or rejecting the hypothesis accordingly. Machine learning algorithms require security professionals to have complex analytical skills. However, organizations can also opt to use threat hunting tools, which are commercially available and more user-friendly.
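To make the hypothesis-driven hunting process concrete, here is an added example that is not part of the article and not any vendor’s tool. The hypothesis under test is that an implant checking in on a timer produces inter-connection intervals with a much lower coefficient of variation (standard deviation divided by mean) than human-driven traffic. The connection records, the hostnames, the destination addresses and the thresholds are all constructed; a real hunt would pull the same fields from proxy or firewall logs in the SIEM.

```python
import statistics
from collections import defaultdict

# Constructed connection records: (source host, destination, seconds since start).
# host-a checks in roughly every 60 s with a little jitter; host-b browses
# irregularly; host-c is perfectly regular but has too few connections to judge.
CONNECTIONS = (
    [("host-a", "203.0.113.10", t) for t in (0, 60, 121, 179, 240, 301, 359, 420)]
    + [("host-b", "198.51.100.5", t) for t in (0, 15, 200, 210, 900, 905, 1400, 1410)]
    + [("host-c", "192.0.2.7", t) for t in (0, 300, 600)]
)


def beacon_candidates(connections, max_cv=0.1, min_count=5):
    """Test the periodicity hypothesis per (source, destination) pair.

    Returns {(src, dst): cv} for pairs whose interval coefficient of variation
    is at or below max_cv, i.e. pairs where the hypothesis is NOT rejected and
    an analyst should investigate. Pairs with fewer than min_count connections
    are skipped: a statistic computed from two intervals is not evidence.
    Both thresholds are assumed values for illustration.
    """
    by_pair = defaultdict(list)
    for src, dst, ts in connections:
        by_pair[(src, dst)].append(ts)

    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        intervals = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean == 0:
            continue  # all connections at the same instant; not a timer pattern
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            flagged[pair] = round(cv, 3)
    return flagged


if __name__ == "__main__":
    for (src, dst), cv in beacon_candidates(CONNECTIONS).items():
        print(f"investigate {src} -> {dst}: interval CV {cv}")
```

The outcome of the hunt is a short list for investigation rather than an alert: the analyst still has to confirm what the regular connection is (a legitimate update agent is just as periodic). Once confirmed, the pattern is the natural candidate for a new SIEM use case.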

Evaluating Use Cases to Measure Effectiveness

Measuring the effectiveness of an SIEM solution starts with defining metrics and key performance indicators (KPIs) that align with business goals. Organizations can define the metrics and KPIs for prioritized focus areas rather than looking at the entire SIEM environment. These focus areas should be identified based on the risks, priorities and resources available.

The compilation of use cases represents another key activity in the SIEM strategy. The use case design should be methodical and aligned with business goals and capabilities. It should also include inputs from business stakeholders. During this stage, the formal use case life cycle is established to ensure that the defined cases are relevant and support the organization’s mission.
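The two preceding sections, monitoring across every stage of the attack life cycle and measuring use cases with KPIs, come together in a small review script. This is an added example, not code from the article; the alert records, use case names, stage names and the 50 percent precision bar are constructed, and the stage list is a selection of entries from the life cycle table above. It computes per use case precision, mean time to detect and mean time to respond, recommends which use cases need tuning, and lists the life cycle stages no use case currently covers.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class Alert:
    use_case: str
    stage: str         # attack life cycle stage the use case is meant to cover
    event_min: int     # minute the underlying activity happened (known after triage)
    fired_min: int     # minute the SIEM raised the alert
    closed_min: int    # minute the analyst closed the ticket
    true_positive: bool


# Constructed review data for one period; minutes are relative to the period start.
ALERTS = [
    Alert("UC-01 brute-force login", "Initial Compromise", 100, 105, 165, True),
    Alert("UC-01 brute-force login", "Initial Compromise", 300, 310, 350, True),
    Alert("UC-01 brute-force login", "Initial Compromise", 500, 500, 520, False),
    Alert("UC-02 new local admin", "Escalate Privileges", 1000, 1000, 1030, False),
    Alert("UC-02 new local admin", "Escalate Privileges", 1200, 1200, 1215, False),
    Alert("UC-02 new local admin", "Escalate Privileges", 1400, 1402, 1500, True),
    Alert("UC-03 large outbound transfer", "Data Exfiltration", 2000, 2030, 2400, True),
]

# Stage names taken from the life cycle table; the selection is illustrative.
STAGES = [
    "Initial Reconnaissance", "Initial Compromise", "Establish Foothold",
    "Escalate Privileges", "Internal Reconnaissance", "Lateral Movement",
    "Command and Control", "Data Exfiltration",
]


def use_case_kpis(alerts, min_precision=0.5):
    """Per use case: volume, precision, MTTD and MTTR (true positives only),
    plus a review action. min_precision is an assumed tuning threshold."""
    out = {}
    for uc in sorted({a.use_case for a in alerts}):
        mine = [a for a in alerts if a.use_case == uc]
        tps = [a for a in mine if a.true_positive]
        precision = len(tps) / len(mine)
        out[uc] = {
            "stage": mine[0].stage,
            "alerts": len(mine),
            "precision": round(precision, 2),
            # detection and response times only make sense for real incidents
            "mttd_min": mean(a.fired_min - a.event_min for a in tps) if tps else None,
            "mttr_min": mean(a.closed_min - a.fired_min for a in tps) if tps else None,
            "action": "tune or retire" if precision < min_precision else "keep",
        }
    return out


def coverage_gaps(alerts, stages=STAGES):
    """Life cycle stages for which no use case fired at all this period."""
    covered = {a.stage for a in alerts}
    return [s for s in stages if s not in covered]


if __name__ == "__main__":
    for uc, k in use_case_kpis(ALERTS).items():
        print(f"{uc}: {k}")
    print("Uncovered stages:", coverage_gaps(ALERTS))
```

A stage that appears in the gap list may be covered by a use case that simply did not fire; the review should distinguish "no use case exists" from "no alert this period" by comparing against the use case inventory, which this constructed data does not carry.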

Fostering a Culture of Continuous Improvement

The threat landscape is constantly evolving and growing more complex. It is insufficient to simply deploy an SIEM solution — organizations must continuously improve their capabilities to keep pace with increasingly sophisticated cybercriminal techniques.

The metrics and KPIs set the tone for this continuous improvement. SOC managers should define a periodic plan for assessing and reviewing the deployment against business goals. This can also be a part of formal governance activities that are periodically performed as part of security operations.

Choosing the Right SIEM Solution

Selecting the right SIEM product is no easy task. Gartner’s Magic Quadrant for SIEM is a good starting point to help security leaders monitor market trends while they shop for the best solution to serve their organization’s needs.

When evaluating SIEM tools, security teams should look for solutions that:

  • Align with the organization’s defined goals and budget.
  • Prioritize data sources and events.
  • Account for organizational growth.
  • Support log onboarding for most systems.
  • Deliver services as hardware, software or cloud-based resources.
  • Support third-party threat intelligence feeds.
  • Support regulatory compliance efforts through reporting, use cases and forensics.
  • Enable faster detection with data analysis and visualization capabilities.
  • Deliver behavior profiling and anomaly detection capabilities.

Embracing a Platform Approach

With the right integrations, your SIEM system can dramatically reduce the effort and time required to respond to security events. Platform-based solutions integrate various products to provide better visibility and reporting. This platform approach streamlines the incident response process by delivering advanced analytical information and prioritizing relevant threats.

For example, an SIEM integrated with a vulnerability management system, network risk manager, incident response tool, log manager and configuration management database can provide security analysts with valuable structured data to help them contextualize threats accurately and efficiently. Analysts can use the extra time to research unstructured data, which is mostly a manual activity.

Behavioral Analytics and Anomaly Detection

While rule-based SIEM deployments are static in nature, modern systems are dynamic and able to identify suspicious activity in real time. Detecting advanced persistent threats (APTs) is next to impossible with a static SIEM configuration. Behavioral analytics and anomaly detection are crucial to help security professionals spot unusual patterns and abnormal traffic.
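The difference between a static rule and behavioral baselining is easiest to see side by side. The following is an added example, not code from the article or from any SIEM product: the daily download counts, the user names, the fixed threshold and the z-score limit are constructed. A single global threshold misses a user whose activity jumps from a handful of downloads to thirty, because thirty is normal for someone else; a per-user baseline catches it, and a user without enough history is deliberately left to the static rule rather than scored against a guess.

```python
import statistics

# Constructed telemetry: daily "files downloaded from the document share" per user
# over a 14-day baseline window, then today's count. Not real data.
HISTORY = {
    "alice": [4, 5, 6, 5, 4, 5, 6, 4, 5, 5, 6, 4, 5, 5],
    "bob":   [40, 42, 38, 45, 41, 39, 44, 40, 43, 42, 38, 41, 40, 44],
}
TODAY = {"alice": 30, "bob": 46, "carol": 10}   # carol joined this week: no baseline

STATIC_THRESHOLD = 50   # the one-size-fits-all value a static rule would carry


def static_rule(today, threshold=STATIC_THRESHOLD):
    """Classic correlation rule: fire when a count exceeds a fixed number."""
    return {user for user, n in today.items() if n > threshold}


def baseline_anomalies(history, today, z_limit=3.0, min_days=7):
    """Per-user baseline: fire when today's count is more than z_limit
    standard deviations above that user's own recent mean.
    Users with fewer than min_days of history are skipped on purpose;
    both limits are assumed values for illustration."""
    flagged = {}
    for user, n in today.items():
        past = history.get(user, [])
        if len(past) < min_days:
            continue
        mu = statistics.mean(past)
        sigma = statistics.pstdev(past)
        # floor sigma at 1 so a perfectly flat baseline cannot divide by zero
        # or turn a one-file change into an alert
        z = (n - mu) / max(sigma, 1.0)
        if z > z_limit:
            flagged[user] = round(z, 1)
    return flagged


if __name__ == "__main__":
    print("static rule fired for:", static_rule(TODAY) or "nobody")
    print("baseline anomalies:", baseline_anomalies(HISTORY, TODAY))
```

In the constructed data the static rule fires for nobody, while the baseline flags alice with a z-score in the twenties and leaves bob alone even though his absolute count is higher. The floor on sigma is the detail that matters in production: a user with a perfectly constant history would otherwise alert on any change at all.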

You Get What You Give

An SIEM strategy is only as good as the technology that surrounds it and as efficient as the analysts and processes that execute it. It’s neither a one-size-fits-all solution nor a magic bullet to solve all your security woes — it requires significant elbow grease from both security professionals and business executives to be effective. However, a strong SIEM strategy, complete with well-defined goals, careful planning, prioritized threat intelligence, regular reviews and a culture of continuous improvement, will repay your efforts tenfold and drastically reduce the time it takes to analyze and respond to threats lurking on your network.

