Security Information and Event Management (SIEM) Implementation (Network Pro Library) [Kindle Edition]

David Miller , Shon Harris , Allen Harper , Stephen VanDyke , Chris Blask
2.5 out of 5 stars  See all reviews (2 customer reviews)

Print List Price: £39.99
Kindle Price: £37.99 includes VAT* & free wireless delivery via Amazon Whispernet
You Save: £2.00 (5%)
* Unlike print books, digital books are subject to VAT.

Book Description

Implement a robust SIEM system

Effectively manage the security information and events produced by your network with help from this authoritative guide. Written by IT security experts, Security Information and Event Management (SIEM) Implementation shows you how to deploy SIEM technologies to monitor, identify, document, and respond to security threats and reduce false-positive alerts. The book explains how to implement SIEM products from different vendors, and discusses the strengths, weaknesses, and advanced tuning of these systems. You’ll also learn how to use SIEM capabilities for business intelligence. Real-world case studies are included in this comprehensive resource.

  • Assess your organization’s business models, threat models, and regulatory compliance requirements
  • Determine the necessary SIEM components for small- and medium-size businesses
  • Understand SIEM anatomy—source device, log collection, parsing/normalization of logs, rule engine, log storage, and event monitoring
  • Develop an effective incident response program
  • Use the inherent capabilities of your SIEM system for business intelligence
  • Develop filters and correlated event rules to reduce false-positive alerts
  • Implement AlienVault’s Open Source Security Information Management (OSSIM)
  • Deploy the Cisco Monitoring Analysis and Response System (MARS)
  • Configure and use the Q1 Labs QRadar SIEM system
  • Implement ArcSight Enterprise Security Management (ESM) v4.5
  • Develop your SIEM security analyst skills

Product Description


8/10 Highly commended for people with a good technical knowhow who are looking to develop their own SIEMs and also good value for money.
--Chartered Institute of IT, 8th May 2011

About the Author

David R. Miller, SME, MCT, MCITPro Windows Server 2008 Enterprise Administrator, MCSE Windows NT 4.0, 2000, and Server 2003:Security, CISSP, LPT, ECSA, CEH, CWNA, CCNA, CNE, Security+, A+, N+, is an expert author, lecturer, and IT security consultant specializing in information systems security, compliance, and network engineering.
Shon Harris, CISSP, is the CEO of Logical Security, a computer security consultant, a former engineer in the Air Force’s Information Warfare unit, an instructor and an author. She has authored three best selling CISSP books, is a contributing author to the book Gray Hat Hacking, and developed a full digital information security product series for Pearson publishing. Shon was recognized as one of the top 25 women in the Information Security field by Information Security Magazine.
Allen Harper, CISSP, is founder and president of N2NetSecurity, Inc., a consulting company specializing in advanced security and vulnerability analysis, penetration testing, SIEM implementation, and compliance. He served as a security engineer in the U.S. Department of Defense, and is a coauthor of Gray Hat Hacking.
Stephen VanDyke, CISSP, BCCPA, BCCPP, MCSA, Security+, Network+, was a founding member of the U.S. Army Reserve global network Computer Emergency Response Team and helped design and deploy its NetForensics SIEM. He implemented high end, multi-tiered security systems for the Multi-National Force – Iraq (MNFI) network.
Chris Blask, Vice President of Marketing at AlienVault, is on the faculty at the Institute for Applied Network Security, co-founded Protego Networks (now Cisco MARS) and founded the critical infrastructure cybersecurity company Lofty Perch. Chris invented the BorderWare Firewall Server in the early days of the Internet security market and built the Cisco Systems firewall business.

Product details

  • Format: Kindle Edition
  • File Size: 17385 KB
  • Print Length: 464 pages
  • Simultaneous Device Usage: Up to 4 simultaneous devices, per publisher limits
  • Publisher: McGraw-Hill Osborne Media; 1 edition (25 Oct. 2010)
  • Sold by: Amazon Media EU S.à r.l.
  • Language: English
  • Text-to-Speech: Enabled
  • Word Wise: Not Enabled
  • Amazon Bestsellers Rank: #480,636 Paid in Kindle Store


Customer Reviews

Most Helpful Customer Reviews
2 of 2 people found the following review helpful
I was hoping for a general approach to the topic, which is there, but at a high level. There is little detail of how to generically analyse or understand log sources and systems and a strong focus on a set of specific products. If you're using AlienVault, OSSIM, Cisco MARS, ArcSight or QRadar then you might have gotten more value from this book than I did. I'm not using those products, so it seems like half the content isn't applicable to the general problem, leaving a fairly bland introduction to the topic that doesn't provide much insight.

If you have no idea what SIEM is AND you are planning on using one of the products mentioned then this is probably a good book for you. However, as an experienced security practitioner using different products I got little value from this book.
3.0 out of 5 stars Only an introduction to the subject 24 July 2014
Format:Paperback|Verified Purchase
Bit scary reading this, how many 'consultants' have simply lifted entire chunks from the book and sold them to clients 'as-is', without any seeming consideration for the clients' individual needs or in response to the specific threats their market sector attracts.

Correlation is key, and it is the hopeless lack of any attempt to correlate security events received that completely bamboozles SIEM consultants who would use this book as a key resource. Reference to the need to correlate is provided and some very basic examples given, but I know from examining most customer configurations that those consultants never really had a clue how to get SIEM to do anything other than consume vast amounts of network bandwidth and disk space.

Unfortunately Miller et al. aren't going to tell you what to correlate - if you are a SIEM consultant worth your salt, you should know in any case. The snag is, it's obvious there are plenty of so-called consultants out there depending on the book.

For what it is, it is very good. It is though just an introduction, not a workbook, and certainly not a 'how-to' guide.
Most Helpful Customer Reviews (beta): 3.3 out of 5 stars, 9 reviews
22 of 23 people found the following review helpful
4.0 out of 5 stars Fun Read, but With Some Weaknesses 10 Jan. 2011
By Dr Anton Chuvakin - Published on
I was looking forward to reading this book for a few months - pretty much since the time I heard that it was being written. Obviously, I was very excited when it arrived in my mailbox. Now, having finished reading it, I can say it left a mixed impression. Mostly positive - but still mixed. I definitely enjoyed reading it, despite (or maybe due to) the fact that I've been involved with SIEM for nearly 10 years.
Let me first go through other chapters and then give my overall impression. The book is organized in three big parts: "introduction to SIEM: threat intelligence for IT systems", "IT threat intelligence using SIEM systems " and "SIEM tools."
Chapter 1 covers security basics with minimum connections to SIEM. It might have that over-simplified refresher of what information security is about.
Chapter 2 can be summarized using the quote from the chapter itself: "the bad things that could happen." It contains another refresher on attacks, somewhat jumbled and somewhat dated. We're not really touching SIEM yet at this point.
Chapter 3 has an author view of regulatory compliance: the usual suspects I have mentioned - PCI DSS, HIPAA, FISMA, SB1386, SOX, GLBA, etc. HIPAA is not misspelled which counts as good news.
Chapter 4 has a bizarre name: "SIEM concepts: components for small and medium-sized businesses." It contains an overview of SIEM with little focus on SMB. It is mildly confusing (for example, it calls LogRhythm "a commercial syslog server"). It contains a few outright mistakes as well (like a mention of one log management vendor whose application reportedly covers "all 228 PCI controls"). The chapter tries to talk about everything (yes, even GRC) and makes a very weak impression.
Chapter 5 looks like a twin of the previous chapter. It also contains an overview of SIEM, but a different one - a better one, in fact. These two chapters don't contradict each other much, but their joint presence in the book is mysterious and somewhat confusing.
Chapter 6 is a sudden break from SIEM into incident response. It does contain a few useful - but high-level- flow charts for incident response. I doubt that it was written by somebody who did much incident response however.
Chapter 7 is both a curse and a blessing. I loved the ideas in the chapter - using SIEM for BI - but I hated the fact that its author didn't even bother to check what "SIEM" abbreviation stands for (see page 116)...

Chapter 8 and Chapter 9 are about OSSIM/AlienVault. Of all the SIEM product chapters below, these are the weakest and the least useful. They offer little practical guidance and miss - yes, really! - most of the details you'd need to know before deploying OSSIM. I was especially annoyed by the "screenshot - three lines of text - screenshot - three lines of text..." model that most of Ch 8 and Ch 9 follow. It makes pages 152-166 just wasted paper. Ch 9 tries to be a bit more useful (it has two case studies), but collapses under the load of too many screenshots as well.
Chapter 10 and Chapter 11 talk about Cisco MARS. Since nobody cares about MARS anymore, I won't be reviewing them here.
Chapter 12 and Chapter 13 cover the Q1 Labs SIEM. Unlike the above, these are actually useful for practical architecture planning of QRadar deployments. These chapters also contain useful SIEM insights - still, they could benefit from more real-world tuning tips. The case study in Ch 13 is useful as well. If you are thinking of getting a Q1 Labs SIEM, grab the book to quickly review what you will encounter when you get the product.
Finally, Chapter 14 and Chapter 15 cover the ArcSight SIEM. Despite minor mistakes and a "vendor whitepaper feel," the chapters would be useful to people in the early stages of reviewing and deploying ArcSight SIEM. The chapters suffer a bit from trying to duplicate product help - you're more likely to learn how to patch ArcSight than how to use it well. Sadly, no case studies are included in these chapters.
Overall, the book has unfortunate signs of being written by a team of authors who didn't talk to each other. Despite the promises of implementation guidance, it leaves some of the very complex SIEM issues untouched. Very few case studies (some good ones are stashed in the appendix for some weird reason) and few tips and tricks for real-world SIEM implementation. Also, it is much stronger on the "what" than on the "how." Still, I suggest that people buying, using and building SIEM products get their own copy and read at least a few chapters relevant to them. You will likely not be disappointed!
7 of 9 people found the following review helpful
3.0 out of 5 stars Value relative to your SIEM experience 31 Jan. 2011
By M Runals - Published on
In short - if you have been "doing" SIEM for any length of time you won't get a whole lot out of this book. Conversely if you are starting to venture down the SIEM path it would probably be worth picking up.

I first read about this book on Dr. Anton Chuvakin's blog. Even though his review was less than stellar, he did give it 4 stars. Similarly, the book's title includes "implementation" and I have been using ArcSight for a little over two years now, so I figured I would give it a shot. I was hopeful...and ended up sort of disappointed. Don't get me wrong; I appreciate the time and effort the authors put into the book. There really isn't a whole lot of SIEM type information "out there", which is one of the main reasons I started my own SIEM-esque blog. I think this book has the most value from before you have bought a SIEM through 3 or 4 months into your SIEM deployment, as a way to level set the conversation (though the first part of the book is very basic).

Because of my background I started with the chapters on ArcSight. I was pretty disappointed when it quickly went into screenshots on actually installing the software. The other product chapters are a bit better but have similar issues. These chapters should have been pulled out of the book, with the exception that each had a nugget or two that either didn't show up in other places in the book or showed up in all. You don't need to have each product chapter talk about the need to have project requirements/goals/expectations. In the Cisco MARS section (yes, I even skimmed that chapter) there was actually a good little blurb on the difference between SIEM and an IDS. Why tuck it away?

Instead of the product chapters as written, I would have liked to have seen more information comparing and contrasting the products themselves. Get a little into environmental scaling, console maturation/ease of use, deployment and sustainment levels of effort, levels of pain when it comes to integration or customization, etc. Heck, come up with 2 or 3 use cases and try to show how each product might handle those scenarios. I was also disappointed with the chapter devoted to SMB, as it really doesn't address integration issues of a product that is on 24x7 when you probably have fewer resources than a larger company.
1 of 1 people found the following review helpful
4.0 out of 5 stars Solid intro to SIEM 24 Feb. 2011
By Ben Rothke - Published on
With many different types of log and audit data, Security Information and Event Management (SIEM) attempts to fix that by aggregating, correlating and normalizing the log and audit data. The end result is a single screen that presents all of the disparate data into a common element. While great in theory, the devil is in the details; and there are plenty of details in deploying a SIEM on corporate networks.

Security Information and Event Management Implementation provides a solid introduction, overview and analysis of what a SIEM (also known as SIM, SEM, SEIM and others) is, and what needs to go into it for an effective deployment and operation.

As a technology, SIEM provides real-time monitoring and historical reporting of information security events from networks, servers, systems, applications and more. Many firms have deployed SIEM as a method to address regulatory compliance reporting requirements, in addition to using it as a mechanism in which to build a robust information security operation, integrating the SIEM into their security management and incident response areas.

With that, the good news is that the SIEM market is now at a mature state, with numerous vendors competing off each other. Combined with the level of SIEM adoption, it's ready for prime time. But ensuring it works in prime time is heavily dependent upon the requirements definitions and planning.

The book's 15 chapters are organized in three parts: Introduction to SIEM: Threat Intelligence for IT Systems, IT Threat Intelligence Using SIEM Systems, and SIEM Tools. Part 3 (chapters 8-15) provides the bulk of the reading.

Part 1 provides a high-level overview of the topic and covers information security fundamentals. Chapter 2 details the various threats that the SIEM will be used to defend against, and chapter 3 gets into regulatory compliance, which is a key driver for many SIEM rollouts.

Part 2 details four SIEM vendors. The products the authors selected to showcase are: OSSIM, ArcSight ESM, Cisco Mars and Ounce Labs QRadar. While it is debatable if OSSIM is a SIEM, I am not sure why the authors did not include the netForensics product. This is especially true since the nFX SIM One software is one of the better tools which works on large deployments in which customization is needed.

A mistake many firms make when considering a SIEM is spending too much time selecting a specific SIEM vendor and not enough time defining their specific security requirements for the SIEM product. The book does a good job of communicating the importance of effective requirements definition. An important notion around requirements definition is that it must not involve just the IT and security groups alone. Other groups including audit, regulatory, legal, administration, applications and more must be involved.

The book provides examples of real-world advice. A good point made in chapter 11 is the need to realize that a SIEM takes time to develop and is an out of the box solution. The authors note that one should not expect full inventory activity and actionable information immediately. It often may take a few weeks for that information to be normalized into data that is actionable.

Part 3 goes into the various products. Chapter 12, while about QRadar, lists 10 highly detailed questions that must be answered irregardless of what SIEM vendor will be used. These 10 questions (for a formal SIEM definition, there are a good 30 or more that can be asked) require a firm to truly understand their infrastructure and environment before they deploy a SIEM. The authors note that these questions are meant to facilitate a firm doing their homework around the SIEM. Detailed answers to these questions should not be underestimated, as failure to do them in advance can lead to a SIEM deployment that will ultimately fail.

For many readers, the screen print of a QRadar system settings console on page 278 may be enough to scare them away from a SIEM. This screen, of which there are many in QRadar, lists over 50 settings that must be configured in order to effectively use the software. While many of the default settings can be used, firms should know exactly what their settings should be if they want to get the most out of a SIEM solution.

In many books, the appendix is often public information which is simply added as filler to increase the page count. The appendix The Ways and Means of the Security Analyst is superb. It details the human element of the SIEM, the security analyst, which is often what will make or break the SIEM. The analyst is the one who will use the SIEM and attempt to make sense of it. A SIEM deployment without good analysts is ultimately useless.

It should be noted that even though the book has the term implementation in the title, it is not really a full implementation reference. It should be viewed as a comprehensive introduction to SIEM. The reason is that when one digs into the deeper layers of a SIEM deployment, there are significant complexities that must be dealt with. Anyone who attempts to deploy SIEM based on this guide alone will likely be disappointed. This is not a fault of the book; rather a reality of the complexity of a SIEM, and the amount of pages it requires to be written.

While the book does have implementation guidelines around the installation and configuration of 4 SIEM products, the real challenge in a SIEM is the post-installation configuration issues, and not simply the installation. Perhaps the authors will take this as a challenge to create a second volume of this book detailing those issues.

With that, the book does provide an excellent overview of the topic and will be of value to those readers looking for answers around SIEM. Those looking for a solid introduction to the world of SIEM should definitely get a copy. Don't think about a SIEM without it.
3.0 out of 5 stars for novices only 2 Nov. 2014
By J. Chi - Published on
Format:Kindle Edition|Verified Purchase
Good as a quick intro to log management and as a single place to get demo version SIEM tool setup instructions (which you can get from the vendors themselves). If you're anything but a novice, this book is not for you.
4.0 out of 5 stars siem 4 Jan. 2014
By Richard knutson - Published on
Format:Paperback|Verified Purchase
I liked reading about SIEM and learned a lot. Some things are out of date, but overall good for learning about SIEM and network monitoring.