Showing 14 episodes for SIEM and SOC

#191
September 23, 2024

EP191 Why Aren't More Defenders Winning? Defender’s Advantage and How to Gain it!

29:29

Topics covered:

  • What is the Defender’s Advantage and why did Mandiant decide to put this out there?
  • This is the second edition. What is different about DA-II?
  • Why do so few defenders actually realize their Defender’s Advantage?
  • The book talks about the importance of being "intelligence-led" in cyber defense. Can you elaborate on what this means and how organizations can practically implement this approach?
  • Detection engineering is presented as a continuous cycle of adaptation. How can organizations ensure their detection capabilities remain effective and avoid fatigue in their SOC?
  • Many organizations don’t seem to want to make detections at all. What do we tell them?
  • What is this thing called “Mission Control”? It sounds really cool; can you explain it?

#190
September 16, 2024

EP190 Unraveling the Security Data Fabric: Need, Benefits, and Futures

Topics:

SIEM and SOC
29:29

Topics covered:

  • What is this “security data fabric”? Can you explain the technology? Is there a market for this? Is this the same as security data pipelines?
  • Why is this really needed? Won’t your SIEM vendor do it?
  • Who should adopt it? Or, as Tim says, what gets better once you deploy it?
  • Is reducing cost a big part of the security data fabric story?
  • Does the data quality improve with the use of security data fabric tooling?
  • For organizations considering a security data fabric solution, what key factors should they prioritize in their evaluation and selection process?
  • What is the connection between this and federated security data search?
  • What is the likely future for this technology?

#187
August 26, 2024

EP187 Conquering SOC Challenges: Leadership, Burnout, and the SIEM Evolution

Guest:

  • Nicole Beckwith, Sr. Security Engineering Manager, Threat Operations @ Kroger

Topics:

SIEM and SOC
29:29

Topics covered:

  • What are the most important qualities of a successful SOC leader today?
  • What is your approach to building and maintaining a high-functioning SOC team?
  • How do you approach burnout in a SOC team?
  • What are some of the biggest challenges facing SOC teams today?
  • Can you share some specific examples of how you have built and - probably more importantly! - maintained a high-functioning SOC team?
  • What are your thoughts on the current state of SIEM technology? Still a core of SOC or not?
  • What advice would you give to someone who inherited a SOC? What should his/her 7/30/90 day plan include?

#184
August 5, 2024

EP184 One Week SIEM Migration: Fact or Fiction?

Topics:

SIEM and SOC
27:27

Topics covered:

  • In your experience, what are the biggest challenges organizations face when migrating to a new SIEM platform? How did you solve them?
  • Many SIEM projects have problems, but a decent chunk of these problems are not about the tool being broken. How did you decide to migrate? When is it time to go?
  • Specifically, how do you avoid constant change from product to product, each time blaming the tool for what are essentially process failures?
  • How did you handle detection content during migration? Was AI involved?
  • How did you test for this: “Which platform will best enable our engineering team to build what we need?”
  • Tell us more about the Detection as Code pipeline you use?
  • “Completed SIEM migration in a single week!” Is this for real?

#181
July 15, 2024

EP181 Detection Engineering Deep Dive: From Career Paths to Scaling SOC Teams

Topics:

SIEM and SOC
29:29

Topics covered:

  • What are the biggest challenges facing detection engineers today?
  • What do you tell people who want to consume detections and not engineer them?
  • What advice would you give to someone who is interested in becoming a detection engineer at her organization?
  • So, what IS a detection engineer? Do you need software skills to be one? How much breadth and depth do you need?
  • What should a SOC leader whose team totally lacks such skills do?
  • You created Detection Engineering Weekly. What motivated you to start this publication, and what are your goals for it? What are the learnings so far?
  • You work for a vendor, so how should customers think of vendor-made vs customer-made detections and their balance?
  • What goes into a backlog for detections and how do you inform it?

#180
July 8, 2024

EP180 SOC Crossroads: Optimization vs Transformation - Two Paths for Security Operations Center

Topics:

SIEM and SOC
29:29

Topics covered:

  • The paper outlines two paths for SOCs: optimization or transformation. Can you elaborate on the key differences between these two approaches and the factors that should influence an organization's decision on which path to pursue?
  • The paper also mentions that alert overload is still a major challenge for SOCs. What are some of the practices that work in 2024 for reducing alert fatigue and improving the signal-to-noise ratio in security signals?
  • You also discuss the importance of automation for SOCs. What are some of the key areas where automation can be most beneficial, and what are some of the challenges of implementing automation in SOCs? Automation is often easier said than done…
  • What specific skills and knowledge will be most important for SOC analysts in the future that people didn’t think of 5-10 years ago?
  • Looking ahead, what are your predictions for the future of SOCs? What emerging technologies do you see having the biggest impact on how SOCs operate?

#170
April 29, 2024

EP170 Redefining Security Operations: Practical Applications of GenAI in the SOC

Topics:

SIEM and SOC
29:29

Topics covered:

  • What are the different use cases for GenAI in security operations and how can organizations prioritize them for maximum impact to their organization?
  • We’ve heard a lot of worries from people that GenAI will replace junior team members–how do you see GenAI enabling more people to be part of the security mission?
  • What are the challenges and risks associated with using GenAI in security operations?
  • We’ve been down the road of automation for SOCs before (UEBA and SOAR both claimed it), and AI looks a lot like those but with way more matrix math. What are we going to get right this time that we didn’t quite live up to last time(s) around?
  • Imagine a SOC or a D&R team of 2029. What AI-based magic is routine at this time? What new things are done by AI? What do humans do?

#78
August 8, 2022

EP78 Classic SOC Meets Cloud: What Changes? What Stays the Same?

23:29

Topics covered:

  • How do we get a legacy SOC team to think about the cloud?
  • How to think about cloud threat detection, in general? What is different … threats, the environment, what else? What is the same? 
  • How do we know which TTPs are relevant for the new environments? What to bring with us to the cloud?
  • Do content/rules and detection engines need to be different to cover the cloud detection use cases?
  • What cases are appropriate for machine learning (ML) in the cloud? Do cloud threats drive the need for new ML detections?

#75
July 18, 2022

EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil

Guest:

  • Tim Nguyen, Director of Detection and Response @ Google

27:27

Topics covered:

  • I know we don’t like to say “SOC” here, so why don’t we talk about the role of automation in detection and response (D&R) at Google?
  • One SRE concept we found useful in security operations is “toil” - How do we squeeze toil out of D&R practice at Google?
  • A combined analyst and engineer role (just like an SRE) was critical for both increasing automation and reducing toil, how hard was it to put this into practice? Tell us about that journey?
  • How do we automate security signal analysis, can you give us a few examples?
  • D&R metrics have been a big pain point for many organizations. How does SRE thinking of SLOs and SLIs (and less about SLAs) help us in our “not SOC”?
  • How do we avoid falling into the “time to respond” trap that rewards fast response, sometimes at the cost of good?

#73
July 5, 2022

EP73 Your SOC Is Dead? Evolve to Output-driven Detect and Respond!

Guest:

  • Erik Bloch, Senior Director of Detection and Response at Sprinklr

Topics:

SIEM and SOC
29:29

Topics covered:

  • You recently coined a concept of “output-driven Detection and Response” and even perhaps broader “output-driven security.” What is it and how does it work?
  • Detection and response is alive (obviously), but sometimes you say SOC is dead, what do you mean by that?
  • You refer to a federated approach for Detection and Response (“route the outcomes to the teams that need them or can address them”), but is it workable for any organization?
  • What about the separation of duty concerns that some raise in response to this? What about the organizations that don’t have any security talent in those teams?
  • Is the approach you advocate "cloud native"? Does it only work in the cloud? Can a traditional, on-premise focused organization use it?
  • The model of “security team as a decision-maker, not an implementer” has a bit of a painful history, as this is what led to “GRC-only teams” who lack any technical knowledge. Why will this approach work this time?

#64
May 9, 2022

EP64 Security Operations Center: The People Side and How to Do it Right

Topics:

SIEM and SOC
25:25

Topics covered:

  • What are some tenets of good SOC training? How does this depend on the SOC model (traditional L1/L2/L3, virtual, etc)?
  • How do you make SOC training realistic?
  • Should training be about the toolset or should it be about the analyst’s skills?
  • Should you primarily train for engineering skills or analysis skills?
  • Do you need to code to succeed in a modern SOC?
  • Are competitive events like CTFs effective for SOC training?
  • What role does SOC training play in bringing new, perhaps under-represented people into security operations and promoting inclusivity?

#63
May 2, 2022

EP63 State of Autonomic Security Operations: Are There Sharks in Your SOC with Robert Herjavec

Topics:

SIEM and SOC
34:57

Topics covered:

  • It’s been a few months since we launched Autonomic Security Operations (ASO) and it seems like the whitepaper has been going viral in the industry. Tell us what ASO is about?
  • How was the ASO story received by your customers? Any particular reactions?
  • Will the ASO narrative inspire the next generation of practitioners? Where do you envision the market headed?
  • ASO is about transforming the SOC, and that often involves culture change. How do you change the culture and deeper approaches common in security operations?
  • What else can we do to evolve SOC faster than the threats and assets grow?

#58
March 28, 2022

EP58 SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond

Guest:

  • Alexi Wiemer, Senior Manager at Deloitte Cyber Detection and Response Practice
  • Dan Lauritzen, Senior Manager at Deloitte Cloud Security Practice

Topics:

SIEM and SOC
25:25

Topics covered:

  • What is your key learning about the state of SOC today? What one SOC trend are you hearing the most or most interested in?
  • What is your best advice to SOCs that are permanently and woefully understaffed?
  • Many SOC analysts are drowning in manual work, and it is easy to give advice that “they need to automate.” What does this actually entail, in real life?
  • What is, in your view, the most critical technology for a modern SOC? Is it SIEM? Is it SOAR? Is it EDR?
  • What is the best advice for a SOC that was handed cloud on a platter and was told to monitor it for threats?
  • Occasionally, we hear that “SOC is dead.” What is your response to such dire SOCless predictions?

#26
August 9, 2021

EP26 SOC in a Large, Complex and Evolving Organization

Guest:

  • Johnathan Keith, Director of Information Security (CISO) @ ViacomCBS Streaming / Digital (at the time of the recording)

Topics:

SIEM and SOC
23:27

Topics covered:

  • What is the mission for your SOC? Has it evolved in recent years?
  • How do you rate your state of maturity in security operations?
  • I hear that your organization is complex and decentralized, how do you run a SOC in such a case?
  • How do you approach the balance of people, process and technology in your SOC?
  • What is the role of outsourcing in your SOC?
  • Is cloud included in your SOC mission scope?
  • What are the immediate things you plan to improve?