Dear All,

Today, CISA, in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre and other international and U.S. partners, released new guidance for organizations seeking to procure Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platforms.

This guidance includes the following three resources:

Implementing SIEM and SOAR Platforms – Executive Guidance outlines how executives can enhance their organization’s cybersecurity framework by implementing these technologies to improve visibility into network activities, enabling swift detection and response to cyber threats.

Implementing SIEM and SOAR Platforms – Practitioner Guidance focuses on how practitioners can quickly identify and respond to potential cybersecurity threats and leverage these technologies to streamline incident response processes by automating predefined actions based on detected anomalies.

Priority Logs for SIEM Ingestion – Practitioner Guidance offers insights for prioritizing log ingestion into a SIEM, ensuring that critical data sources are effectively collected and analyzed to enhance threat detection and incident response capabilities tailored for organizations.

CISA encourages organizations to review this guidance and implement the recommended best practices to strengthen their cybersecurity. For access to the guidance documents,

Guidance for SIEM and SOAR Implementation

Question for discussion:

CISA's guidance aims to help organizations effectively implement SIEM and SOAR. In your experience, what is the single biggest challenge organizations face when trying to get real value out of their SIEM or SOAR investments, even with good guidance?

It's always great to learn from each other, share experiences, and stay updated. Let's learn and explore together!