Monday, March 28, 2011

How to boil the ocean

I did a very (non)scientific experiment this morning with the idea of trying to see the best way to boil the ocean… well, ocean by proxy anyway. I took a liter of water and slowly added it a bit at a time to a pan and timed how long it would take to come to a decent boil; it was a little over 6 minutes. Cooled the pan down, filled it with another liter of water, set the heat at the same place, and timed it. This time it took just over 8 minutes to get to about the same state.

What’s the point other than having too much time on my hands? Am guessing you might have heard the cliché “don’t try to boil the ocean.” Relative to SIEM stuffs I take a few things away from my little experiment that are all interrelated:

 
  • Start small / limit your scope – this will show some quick returns
  • From an insider’s perspective there are a lot of things to wrap your arms around and it takes time to work through getting your processes up to speed (what are you going to react to?; how are you going to react?). It can be a little overwhelming.
  • From an outsider’s perspective not a whole lot seems to be happening if you are trying to do it all at once which leads into…
  • “A watched pot never boils.” Companies and deployments vary, but having just spent (management’s perspective) a relatively large sum of cash they are looking for some kind of return, so they are probably watching to see what is coming out of this little endeavor. Give them something to look at.

The kicker is that to get a SIEM fully up and really humming along you are looking at 2 to 3 years. Don’t get me wrong here, you can start deriving value from it the moment you start sucking in events. Let me refer you back to a previous post which has some good links to follow.
