Sunday, January 30, 2011

Book Review - Security Information and Event Management (SIEM) Implementation

In short – if you have been “doing” SIEM for any length of time you probably won’t get a whole lot out of this book. Conversely if you are starting to venture down the SIEM path you might want to pick it up.

I first read about this book on Dr. Anton Chuvakin’s blog. Even though his review was less than stellar, he did give it 4 stars (I'd give it 2.5). Similarly, since the book’s title includes “implementation” and I have been using ArcSight for a little over two years now, I figured I would give it a shot. I was hopeful…and ended up sort of disappointed. Don’t get me wrong; I appreciate the time and effort the authors put into the book. There really isn’t a whole lot of SIEM-type information “out there,” which is one of the main reasons I started my own SIEM-esque blog. I think this book has the most value in the window from before you have bought a SIEM through 3 or 4 months into your SIEM deployment, as a way to level-set the conversation (though the first part of the book is very basic).

Because of my background I started with the chapters on ArcSight. I was pretty disappointed when it quickly went into screenshots of actually installing the software. The other product chapters are a bit better but have similar issues. These chapters should have been pulled out of the book, with the exception that each had a nugget or two that either didn’t show up anywhere else in the book or showed up in all of them. You don’t need to have each product chapter talk about the need to have project requirements/goals/expectations. In the Cisco MARS section (yes, I even skimmed that chapter) there was actually a good little blurb on the difference between a SIEM and an IDS. Why tuck it away?

As an entry-type book, and instead of the product chapters as written, I would have liked to have seen more information comparing and contrasting the products themselves. Get a little into environmental scaling, console maturation/ease of use, deployment and sustainment levels of effort, levels of pain when it comes to integration or customization, etc. Heck, come up with 2 or 3 use cases and try to show how each product might handle those scenarios. I was also disappointed with the chapter devoted to SMB.
