SIEM. Is It What Is “SIEMs”? Dr. Anton Chuvakin Chief “SIEM Advocatus Diaboli”  SIEM and Log Management Summit 35 th Annual CSI Conference

What is SIEM? SIM? /information/ SIM? /incident/ SEM? SIEM? “ ESM” – puuuulease 

SIM? /information/

SIM? /incident/

SEM?

SIEM?

“ ESM” – puuuulease 

Brief History of SIEM 1996 - first SIEM vendors launch 2000 – “ SIEM winner ” ArcSight launches 2002-2007 – some SIEM vendors are acquired 2002 – 2007 – more vendors launched What’s Next?

1996 - first SIEM vendors launch

2000 – “ SIEM winner ” ArcSight launches

2002-2007 – some SIEM vendors are acquired

2002 – 2007 – more vendors launched

What’s Next?

Questions to Think About Is SIEM relevant today, after 12 (!) years in biz? Is SIEM evolving fast enough? Is it evolving? What today’s problem does it solve? Is SIEM for everybody ? Every large company? Is SIEM a “ MUST HAVE ” now? Later? SIEM vs/with/same as Log Management ? Has SIEM over-reached what it can do? Do you believe SIEM promise of a single intelligent security observation pane ?

Is SIEM relevant today, after 12 (!) years in biz?

Is SIEM evolving fast enough? Is it evolving?

What today’s problem does it solve?

Is SIEM for everybody ? Every large company?

Is SIEM a “ MUST HAVE ” now? Later?

SIEM vs/with/same as Log Management ?

Has SIEM over-reached what it can do?

Do you believe SIEM promise of a single intelligent security observation pane ?

What I Wish More People “Get” About SIEM Vendors : STOP (!!!!!!!!!!!!!!!!!) overselling it Users : stop believing vendors that SIEM = ESM Vendors : solve problems that users have TODAY (ideally, “… and tomorrow”) Users: define what problems you plan to solve with SIEM before buying

Vendors : STOP (!!!!!!!!!!!!!!!!!) overselling it

Users : stop believing vendors that SIEM = ESM

Vendors : solve problems that users have TODAY (ideally, “… and tomorrow”)

Users: define what problems you plan to solve with SIEM before buying

Let The Games Begin! Comment! Interrupt! Criticize! Inflame! Ask! Go!

Comment!

Interrupt!

Criticize!

Inflame!

Ask!

Go!

Hour 1: Lessons Learned Who has the use cases? Problems vs use cases! Vendor: What problem do you have? – Customer: What problem do you solve? Human factor – SIEM is NOT a SOC in a box Business case – vendor helps, not “does it for you” NEVER talk “solutions” before you talk “problems” What do you want? SIEM. No!!! Tell me what pains you and we figure whether SIEM solves it! Making SIEM easy is NOT easy. Is it impossible?

Who has the use cases? Problems vs use cases!

Vendor: What problem do you have? – Customer: What problem do you solve?

Human factor – SIEM is NOT a SOC in a box

Business case – vendor helps, not “does it for you”

NEVER talk “solutions” before you talk “problems”

What do you want? SIEM. No!!! Tell me what pains you and we figure whether SIEM solves it!

Making SIEM easy is NOT easy. Is it impossible?

Hour 2: Lessons Learned Crappy SIEM product -> in-house development -> back to commercial is actually pretty common, if sad, route “ Fraud” is not just a remote future use case; people are starting to do it now Customer want to see a commitment from vendors to improve and develop “ahead of problems”, not just respond to problems

Crappy SIEM product -> in-house development -> back to commercial is actually pretty common, if sad, route

“ Fraud” is not just a remote future use case; people are starting to do it now

Customer want to see a commitment from vendors to improve and develop “ahead of problems”, not just respond to problems