1. Start with a baseline understanding of your security events. "You have to do a risk assessment before choosing a tool to know what you need. Look at every event in your environment, ask if it's normal and then what the threshold is within a certain time frame," says Matt Roedell, vice president of infrastructure and information security at TruMark Financial Credit Union in Trevose, Pa. In addition, be sure you understand your alert and mitigation strategies, he says. Skipping this step will render your security information and event management (SIEM) product useless, he adds.
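A minimal version of the baseline-then-threshold approach from tip 1, added here as an illustration and not part of the original article: it counts constructed sample events per fixed time window, learns each event type's normal per-window rate over an initial learning period, and flags later windows whose count exceeds the baseline mean plus three standard deviations (with an assumed absolute floor of five events). The event data, function names and parameters are my own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample events (timestamp, event type); not taken from the article.
# auth_failure runs at a steady 2 per 5-minute window, then spikes in window 6;
# vpn_login stays at a steady 3 per window throughout.
_T0 = datetime(2008, 12, 1, 9, 0)
SAMPLE_EVENTS = (
    [(_T0 + timedelta(minutes=5 * w + m), "auth_failure") for w in range(6) for m in (1, 3)]
    + [(_T0 + timedelta(minutes=5 * w + m), "vpn_login") for w in range(7) for m in (0, 2, 4)]
    + [(_T0 + timedelta(minutes=30, seconds=10 * i), "auth_failure") for i in range(20)]
)


def count_per_window(events, window):
    """Count each event type per fixed window (the 'certain time frame')."""
    start = min(ts for ts, _ in events)
    counts = defaultdict(int)
    for ts, etype in events:
        counts[(etype, (ts - start) // window)] += 1  # window index from the first event
    return counts


def build_baseline(counts, learn_windows):
    """Mean and standard deviation of each type's per-window count over the
    learning period; windows with no events of that type count as zero."""
    per_type = defaultdict(lambda: [0] * learn_windows)
    for (etype, idx), n in counts.items():
        if idx < learn_windows:
            per_type[etype][idx] = n
    return {etype: (mean(v), pstdev(v)) for etype, v in per_type.items()}


def find_anomalies(events, window=timedelta(minutes=5), learn_windows=6, sigmas=3, floor=5.0):
    """Return (event type, window index, count, threshold) for every post-learning
    window whose count exceeds the baseline; an event type never seen during the
    learning period is flagged on its first occurrence (threshold 0)."""
    counts = count_per_window(events, window)
    baseline = build_baseline(counts, learn_windows)
    hits = []
    for (etype, idx), n in sorted(counts.items()):
        if idx < learn_windows:
            continue  # learning period itself is not scored
        if etype in baseline:
            m, sd = baseline[etype]
            threshold = max(m + sigmas * sd, floor)  # floor avoids alerting on tiny rates
        else:
            threshold = 0.0
        if n > threshold:
            hits.append((etype, idx, n, threshold))
    return hits
```

Real deployments tune the window, learning period and floor per event type, which is exactly the per-event "is it normal, and what is the threshold" review the tip describes.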
This story is part of a special Security Trend Watch issue, available in PDF format.
2. Don't bite off more than you can chew. The "start slowly" advice for IT deployments definitely applies to SIEM, says Denis Hein, senior information security engineer for Wells Fargo Bank in Chandler, Ariz. "First, bring the product in-house and test it. How it looks on paper can be quite different than how it runs in your environment," he says. Next, tackle perimeter security, he advises: "Stay conservative to make sure it holds up as you scale and add in more endpoints."
3. Establish a system for dealing with alerts. "If you don't already have processes in place for dealing with logs, then SIEM will not improve your security posture," says Kelly Kavanagh, principal research analyst at Gartner. Unless you have a plan in place before deployment, you're sure to waste your SIEM investment, he adds.
4. Make sure executives are onboard. "Properly define your mandate and have your executives endorse it," says Arlan McMillan, global head of information security operations at ABN AMRO, a Chicago financial services giant. "IT teams will have to cross internal organizational borders to secure logs that might be sensitive or confidential, so you need all your governance issues clearly laid out before you start deployment."
- Sandra Gittlen