“20 Years of SIEM” was prepared for the SANS webinar https://www.sans.org/webcasts/anton-chuvakin-discusses-20-years-of-siem-what-s-next/ and offers Anton's reflection on SIEM past and future.
7. SIEM Challenges Circa 2002
Note the themes:
● False alarms
● Too much data
● Missing data
● Hard to get data
9. SIEM Challenges Circa 2020 (aka +20 years)
Note the themes again:
● False alarms
● Hard to use
● Hard to create rules / detect
10. Mini-Summary: Is SIEM Broken or Not?
● Many of the SIEM challenges have been with us for 20+ years
● A pile of challenges makes some say that “SIEM is broken”
● If something has been broken for 20 years, maybe it is … just broken?
● So, is SIEM broken?
12. Products: How I Want It Now!?
1. SaaS, definitely. Not “fake cloud”, real SaaS.
2. SIEM in the cloud? Sure, but also FOR the cloud.
3. I don’t want “SIEM and SOAR”, I want “SIEM/SOAR”
4. EDR and NDR? Yes, please! I want their telemetry too
5. Curated threat intelligence in my SIEM
6. Rules, threat intel but also algorithms. You can say “ML”, I won’t cringe
7. I want my SIEM to show what it is detecting well. Coverage!
13. Reminder: EDR or SIEM? Well, “AND” :-)
EDR is not a magical “better answer”
It's a useful endpoint visibility technology
Not security magic!
14. Processes: How I Want It Now!?
1. Telemetry collection - easy or “magically easy”
2. Alert triage - automated wherever possible
3. Use case management - from detection to response
4. Detection measurement - clear and transparent
5. Evolve to detection engineering - intentional detection
15. Reminder: Good Detection Eng is Hard
● Detection content versioning
● Proper “QA” for detection content
● Content (code) reuse and modularity
● Cross-vendor and cross-tool content
● Metrics, coverage and improvement
17. Recommendations: No SIEM?
● 7 days
○ Briefly evaluate how you are solving the problems others solve with SIEM
● 30 days
○ Review your log management / log analysis / SIEM approach vs your ongoing requirements
● 90 days
○ Refine the approach, acquire a SIEM if needed
18. Recommendations: Got a SIEM?
● 7 days
○ Review SIEM processes especially alert triage
● 30 days
○ Build or refresh use case management process
● 90 days
○ Become more intentional about detection in SIEM: effectiveness, coverage, improvements
19. Recommendations: Zoom in on Detection
Become more intentional about detection in SIEM: effectiveness, coverage, improvements
● What do I need to detect?
● What do I detect?
● Do I really detect it?
● Do I detect it well?
● Do I follow up / triage right?
21. Resources
● “20 Years of SIEM: Celebrating My Dubious Anniversary” blog
● “Anton Chuvakin Discusses “20 Years of SIEM – What’s Next?”” SANS webinar
● “On “Output-driven” SIEM” blog (2012)
● “Anton and The Great XDR Debate, Part 1”
● … and of course https://medium.com/anton-on-security
● and https://cloud.withgoogle.com/cloudsecurity/podcast/
https://www.sans.org/webcasts/anton-chuvakin-discusses-20-years-of-siem-what-s-next/
Well-known as a SANS instructor and SIEM expert, Anton Chuvakin recently celebrated 20 years of architecting, deploying, maintaining, and tuning SIEMs.
In this webinar, he’ll review the future of SIEM – and how many of the problems that plagued early SIEM users are still with us today, such as:
The difficulty of operating SIEMs effectively with limited staff (e.g., "We have a small team and just enough people to keep the SIEM running – but no time left to go beyond basic use cases.")
Data collection and data quality issues (“We don’t have enough people to check that our collectors are still configured properly – so we don’t have visibility into blind spots.”)
Trusting that SIEM data structures, taxonomies, and out of the box detection rules (from SIEM vendors and MSSPs) will be effective and usable in your environment.
Hoping your custom detection rules are written correctly (e.g., hoping nobody mistyped “context.asset.vulnerability.severity” as “asset.context.vulnerability.severity” in a rule they wrote).
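The mistyped field path above, the “broken or misconfigured rules” and “missing log source” statistics that follow, and slides 15 and 19 (“Proper QA for detection content”, “Do I really detect it?”) all describe the same failure: a rule that saves without error and silently never fires, while still being counted toward coverage. The following is an added example (not the deck's or any vendor's code) of the minimal QA a detection engineer can run before content goes live: lint each rule's field paths against the schema of its log source, check that the source is actually ingested, fire the rule at a positive and a negative test event, and then report ATT&CK coverage twice, once as claimed by every rule and once counting only rules that pass. The schema, log sources, rule format, events and technique list are all constructed for illustration and do not correspond to any real SIEM's data model.

```python
"""Detection-content QA for a SIEM rule set (added example, not the deck's or any
vendor's code): lint each rule's field paths against the ingested schema, check its
log source is actually flowing, run its positive/negative test events, and report
claimed vs effective ATT&CK coverage. Schema, rules, events and technique list are
constructed for illustration."""
from __future__ import annotations
import operator
from dataclasses import dataclass

# Constructed schema: normalized field paths each log source really emits.
SCHEMA = {
    "edr": {"process.name", "process.command_line", "user.name", "host.name"},
    "auth": {"user.name", "source.ip", "event.action", "event.outcome"},
    "vuln_scanner": {"asset.name", "context.asset.vulnerability.severity"},
}
# Constructed state: the vuln_scanner collector is misconfigured, so its fields are
# in the schema but no events arrive (a blind spot the rule author cannot see).
INGESTED = {"edr", "auth"}

OPS = {
    "==": operator.eq,
    "!=": operator.ne,
    ">=": operator.ge,
    "contains": lambda actual, needle: needle in str(actual),
}

@dataclass
class Rule:
    name: str
    source: str
    conditions: list[tuple[str, str, object]]  # (field_path, op, value), all must hold
    techniques: set[str]                        # ATT&CK IDs the rule claims to cover
    positive: dict                              # constructed event that must fire
    negative: dict                              # constructed event that must not fire

def matches(rule: Rule, event: dict) -> bool:
    """Evaluate a rule over one flat (dotted-key) event."""
    for path, op, value in rule.conditions:
        actual = event.get(path)
        if actual is None or not OPS[op](actual, value):
            return False
    return True

def lint(rule: Rule) -> list[str]:
    """Return the problems that would make the rule look deployed but never fire."""
    if rule.source not in SCHEMA:
        return [f"unknown log source {rule.source!r}"]
    problems = []
    if rule.source not in INGESTED:
        problems.append(f"log source {rule.source!r} is not ingested")
    for path, _, _ in rule.conditions:
        if path not in SCHEMA[rule.source]:
            problems.append(f"unknown field {path!r} for source {rule.source!r}")
    if not matches(rule, rule.positive):
        problems.append("positive test event does not fire")
    if matches(rule, rule.negative):
        problems.append("negative test event fires")
    return problems

def coverage(rules: list[Rule], required: set[str]) -> dict[str, set[str]]:
    """Claimed coverage counts every rule; effective coverage counts only rules that pass lint."""
    claimed = set().union(*(r.techniques for r in rules))
    effective = set().union(*(r.techniques for r in rules if not lint(r)))
    return {"claimed": claimed & required, "effective": effective & required, "gaps": required - effective}

RULES = [
    Rule("encoded_powershell", "edr",
         [("process.name", "==", "powershell.exe"), ("process.command_line", "contains", "-enc")],
         {"T1059.001"},
         {"process.name": "powershell.exe", "process.command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
         {"process.name": "powershell.exe", "process.command_line": "powershell.exe -File backup.ps1"}),
    Rule("admin_logon_failure", "auth",
         [("event.outcome", "==", "failure"), ("user.name", "==", "Administrator")],
         {"T1110"},
         {"event.outcome": "failure", "user.name": "Administrator", "source.ip": "203.0.113.7"},
         {"event.outcome": "success", "user.name": "Administrator", "source.ip": "203.0.113.7"}),
    # Mistyped path (asset.context... for context.asset...) on a source that is not
    # ingested: the rule saves without error and silently never fires.
    Rule("critical_vuln_on_asset", "vuln_scanner",
         [("asset.context.vulnerability.severity", ">=", 9)],
         {"T1190"},
         {"asset.name": "web-01", "context.asset.vulnerability.severity": 10},
         {"asset.name": "web-01", "context.asset.vulnerability.severity": 4}),
]
# Constructed list of techniques this hypothetical SOC has decided it must detect.
REQUIRED = {"T1059.001", "T1110", "T1190", "T1003"}

def main() -> None:
    for rule in RULES:
        problems = lint(rule)
        print(f"{rule.name}: {'OK' if not problems else '; '.join(problems)}")
    cov = coverage(RULES, REQUIRED)
    for key in ("claimed", "effective", "gaps"):
        print(f"{key}: {sorted(cov[key])}")

if __name__ == "__main__":
    main()
```

Run stand-alone, the third rule is reported three ways (source not ingested, unknown field, positive test does not fire), and the coverage report shows the gap the console hides: three techniques claimed, two effectively detected, and T1190 joining T1003 in the list of gaps. The positive/negative test pair is what catches the typo even when no schema is available to lint against, which is why it belongs in the same version-controlled content as the rule itself.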
At the same time, let’s not forget that our essential SIEM mission – detecting and responding to threats – is a difficult one in today’s complex and messy environments (endpoints, cloud, micro-services, SaaS, rogue systems, etc.) with constantly-evolving security stacks (CASB, CSPM, CIEM, EASM, etc.).
So where are we going with SIEM? Anton will discuss how the scale and power of the cloud, plus more contextual telemetry, global-scale threat intelligence, and new automation approaches, have the potential to address some of these challenges in a meaningful way.
Anton will be joined by Yair Manor, CTO and co-founder of CardinalOps. Yair will describe data collected from real-world SIEM deployments showing answers to common challenges such as:
% of MITRE ATT&CK techniques covered by the average SIEM
Comparison with top 14 techniques actually used by adversaries in real-world attacks
% of broken or misconfigured rules in the average SIEM
The top missing log source type in the average SIEM
% of SIEMs that disable default out-of-the-box SIEM content
Log4Shell: on average, how long did it take organizations to add new rules to detect it
Sponsored by CardinalOps: CardinalOps brings cloud-based analytics and API-driven automation enabling SOC engineering teams to stay ahead of constant change in their threat landscape and attack surface – and close the riskiest detection gaps that leave their organizations exposed.
Leveraging a proprietary, crowd-sourced, graph database of thousands of best practice detection rules — backed by human experts with nation-state expertise – the CardinalOps platform continuously delivers AI-based detection recommendations for your existing SIEM/XDR, mapped to MITRE ATT&CK and customized to your infrastructure and organizational priorities.
DECEMBER 7, 2001
https://web.archive.org/web/20011217055225/http://www.netforensics.com/netforensics.html
https://web.archive.org/web/20020208033727/http://www.intellitactics.com/html/products.html
https://www.slideshare.net/anton_chuvakin/anton-chuvakin-on-security-data-centralization
(I only found my 2003 slide on log management challenges, but not on SIEM)
[also, I was wrong about some stuff:-)]
A: Hard challenge, market forces, tendency to go broad, messy environments, BUT … security telemetry analysis is needed, and the alternatives are comparable in challenges.