Implementing a SIEM can be a complex and costly process. Many organizations never realize the full potential of their SIEM because they do not capture the right logs. Others get mired in voluminous logs of little significance. Most also miss out on what is potentially the most useful log source of all: individual endpoints. SIEM vendors are equally to blame, having failed to deliver on their promises to interpret and correlate logs.
Two years ago we started on a SIEM implementation project with a lofty goal: to collect logs from every endpoint on our network. We have nearly reached our goal and learned a lot of lessons along the way. In this presentation we will present lessons learned, unique correlations we have devised, suggestions for vendors to improve their logging, and suggestions for SIEM vendors to improve their products, without using the words "threat intelligence".