In the course of every new SIEM deployment, there comes a time when the team responsible for the new tool takes a step back and says "now what?" This comes after the appliances are racked, networked and configured, and initial logs are flowing serenely into the SIEM. Dashboards begin to populate with logs, canned correlation rules begin to fire, and the administrator sitting at the console is immediately overwhelmed by the magnitude of the problem they have taken on. With millions, or billions, of individual events flowing into the SIEM every day, it is a daunting task to decide what is urgent today, which trends are important to watch over time, and what can be safely ignored.
The McAfee SIEM Foundations program is designed as a roadmap to help users of McAfee SIEM build out their deployment in a way that delivers value early and is easy to expand over time in a predictable fashion. McAfee SIEM Foundations is based on a series of deployment stages that build directly on each other. The basic concepts and tactics outlined in McAfee SIEM Foundations may be applied to any SIEM deployment; however, the bulk of this guide will focus on the details of implementing this program with McAfee Enterprise Security Manager (ESM).
This framework is a simple starting point to help as you begin your SIEM deployment. As you mature your SIEM deployment, you will discover your own tricks, techniques, and optimizations. This forum is an excellent place to share ideas with your fellow users. Please leverage the comment sections throughout to voice your thoughts, share your successes, and ask for help. Enjoy the journey.