One of the contributors (Chris Blask – thanks Chris) gave me a copy of this book to review and I was very excited to start reading it. Unfortunately, this book did not deliver. The content was light and the filler content, to make the total page count appear impressive, felt artificially inflated. The first 3 chapters have little to nothing to do with SIEM implementation but rather with general security concepts that really add nothing to the book. Those chapters echo content presented within some of Shon Harris’ other publications and made me feel as though I was studying for my CISSP all over again. The CIA triad… really? Not only is the CIA triad discussed but the importance of each three letters are mapped to each business vertical (or buyer) in which SIEM systems are used. These mappings (low, medium and high affinity) feel very subjective and I disagreed with many of them.
It took roughly 53 pages (the start of chapter 4) before the team even starts ‘talking SIEM’. Starting with Chapter 4, the authors review SIEM concepts and components. Chapter 5 talks about the pieces and technology that comprise a SIEM – such as data collection, parsing, normalization, correlation, rules and storage. Perhaps the most valuable (not to mention ‘SIEM’) part of this book has a grand total of 40 pages over 2 chapters. Chapter 6 talks about incident response (more theory and conceptual thinking) but fail to describe how using a SIEM makes this easier/better/good. The final chapter in the section (7) talks about using SIEM for Business Intelligence (BI) but barely tells the reader what BI and SIEM have in common. In fact, only 5 pages of the chapter talk about using SIEM for BI. The third part of the book (pages 139 through 381) detail specific SIEM tools such as AlienVault/OSSIM, Cisco MARS, Q1 Labs QRadar and ArcSight ESM with implementation tips and ‘advanced techniques’. When I first saw the section I thought ‘Cisco MARS? Really?!?’ Who needs 2 chapters dedicated to a defunct SIEM product that hasn’t been prominent for several years? The authors would have been better off including a relevant SIEM product that people a) can still buy and b) still use. Also, much of the information presented could be gleaned from the product documentation available from the vendors and, therefore, should not make up the bulk of the book.
I sat on this review several days after reading the book so that my review might be a little more lenient…but I couldn’t bring myself to give this book anything higher than 3 stars. The only reason I was able to give this book 3 out of 5 stars is that it’s really the only published reference on the topic out there. If there were a competing work, any competing work, this would likely have been a 2 star review. This book could have been so much better than it was and makes me reconsider writing a book on the topic myself.