Showing 35 episodes for SIEM and SOC
#271
April 9, 2026
EP271 Can AI-Native MDR Actually Fix Your Broken SOC Workflows or Just Automate the Mess?
Topics covered:
- “10X SOC” sounds great. But for an organization stuck in "SIEM 1.0" with poor data quality and manual workflows, is “AI-native MDR” a "leapfrog" opportunity or a recipe for disaster?
- We’ve seen the rise of "Decoupled SIEM" and security data lakes. Does a "Modern SIEM" even need to exist if an MDR platform has an agentic layer doing the heavy lifting?
- You’ve argued for AI-native over AI-bolted-on. For an end user, what are the tangible differences of using "AI inside a legacy SIEM" versus using an "AI-native separate product"?
- What is the one task you thought AI would handle by now that still requires a senior human analyst to step in?
- If a CISO is using an AI MDR, "Mean Time to Detect" (MTTD) starts to look like a vanity metric because the machine is instant. What is the new golden metric for an AI-powered SOC? Is it "Time to Context," "Reduction in Human Toil," or something else?
- How do you help a skeptical SOC Manager—who has been burned by false positives for a decade—trust an autonomous agent to perform a "containment" action at 3:00 AM?
#267
March 16, 2026
EP267 AI SOC or AI in a SOC? Cutting Through Hype, Pricing Models, and SIEM Detection Efficacy with Raffy Marty
Topics covered:
- You argue that declaring existing SIEMs obsolete is a "marketing slogan" rather than a true thesis. What is the real pain point and the actual gap in traditional SIEMs, as opposed to the more sensational claims?
- You highlight that "correlation, state, timelines, and real-time detection require locality," making centralization a necessary trade-off. Can a truly federated or decoupled SIEM architecture achieve the same fidelity and real-time performance for complex, stateful detections as a centralized one?
- You call the rise of independent security data pipelines the "SIEM Trojan Horse." How quickly is this abstraction layer turning SIEM into a “swappable” component, and what should SIEM vendors have done differently years ago to prevent this market from existing?
- This "AI SOC" thing, is this even real? Is AI in a SOC a better label? Do you think major SIEM vendors will own this very soon, like they did with UEBA and SOAR?
- If volume-based pricing is flawed because it penalizes good security hygiene, what is a better SIEM pricing model that fairly addresses compute, enrichment, and retention costs without just shifting the volume cost to unpredictable query charges?
- You question the idea that startups can find a better way to release detection rules than large vendors with significant content teams. What metrics should security leaders use to evaluate the quality of a vendor's detection engineering (DE) output beyond just coverage numbers? Can AI fix DE?
#266
March 9, 2026
EP266 Resetting the SOC for Code War: Allie Mellen on Detecting State Actors vs. Doing the Basics
Topics covered:
- Your book focuses on the US, China, and Russia. When you were planning the book, did you also want to cover players like Israel, Iran, and North Korea?
- Most of our listeners are migrating to or operating heavily in the cloud. As nations refine their “digital battlefield” strategies, does the "shared responsibility model" actually hold up against a nation-state actor?
- How does a company’s detection strategy need to change when the adversary isn't a teenager looking for a ransom, but a state-funded group whose goal might be long-term persistence or subtle data manipulation? How should people allocate their resources to defending against both of these threats?
- How afraid are you of “bad guy with AI” scenarios? Mild anxiety or apocalyptic fears?
- Do you see AI primarily helping "Tier 2" nations close the capability gap with the "Big Three," or does it just further cement the dominance of the nations that own the underlying compute and models?
- You’ve spent a lot of time as an analyst looking at how enterprises buy and run security tech. For a CISO at (say) a mid-tier logistics company, should "nation-state cyberattacks" even be on their threat model? Or is worrying about the spies just a form of security theater when they haven’t even solved basic credential theft yet?
#264
February 23, 2026
EP264 Measuring Your (Agentic) SOC: Two Security Leaders Walk into a Podcast
Topics covered:
- We’ve spent decades obsessed with MTTD (Mean Time to Detect) and MTTR (Mean Time to Respond). As AI agents begin to handle the bulk of triage at machine speed, do these metrics become "vanity metrics"? If an AI resolves an alert in seconds, does measuring the "mean" still tell us anything about the health of our security program, or should we be looking at "Time to Context" instead?
- You mentioned the Maturity Triangle. Can you walk us through that framework? Specifically, how does AI change the balance between the three points of that triangle—is it shifting us from a "People-heavy" model to something more "Engineering-led," and where does the "Measurement" piece sit?
- Google is famous for its "Engineering-led" approach to D&R. How is Google currently measuring the success of its own internal D&R program? Specifically, how are you quantifying "Toil Reduction"? Are we measuring how many hours we saved, or are we measuring the complexity of the threats our humans are now free to hunt?
- Toil reduction is a laudable goal for the team members, but what are the metrics we track and report upward to document the overall improvement in D&R for Google’s board?
- When you talk to your board about the success of AI in your security program, what are the 2 or 3 "Golden Metrics" that actually move the needle for them? How do you prove that an AI-driven SOC is actually better, not just faster?
- We often talk about AI as an "assistant," but we’re moving toward Agentic SOCs. How should organizations measure the "unit economics" of their SOC? Should we be tracking the ratio of AI-handled vs. Human-handled incidents, and at what point does a high AI-handle rate become a risk rather than a success?
#263
February 16, 2026
EP263 SOC Refurbishing: Why New Tools Won’t Fix Broken Processes (Even With AI)
Topics covered:
- What is the right way for people to bridge the gap and translate executive dreams and board goals into the reality of life on the ground?
- How do we talk to people who think they have "transformed" their SOC simply by buying a better, shinier product (like a modern SIEM) while leaving their old processes intact?
- What are the specific challenges and advantages you’ve seen with a federated SOC versus a centralized one? What does a "federated" or "sub-SOC" model actually mean in practice?
- Why is the message that "EDR doesn't cover everything" so hard for some people to hear? Is this obsession with EDR a business decision or technology debt?
- How do you expect AI to change the calculus around data centralization versus data federation?
- What is your favorite example of telemetry that is useful, but usually excluded from a SIEM?
- What are the Detection and Response organizational metrics that you think are most valuable?
- Is the continued use of Excel an issue of tooling, laziness, or just because it is a fundamentally good way to interact with a small database?
#261
February 2, 2026
EP261 No More Aspiration: Scaling a Modern SOC with Real AI Agents
Topics covered:
- We ended our season talking about the AI apocalypse. In your opinion, are we living in the world that the guests describe in their apocalypse paper?
- Do you think AI-powered attacks are really here, and if so, what is your plan to respond? Is it faster patching? Better D&R? Something else altogether?
- Your team has a hybrid agent workflow: could you tell us what that means? Also, define “AI agent” please.
- What are your production use cases for AI and AI agents in your SOC?
- What are your overall SOC metrics and how does the agentic AI part play into that?
- It's one thing to ask a team "hey what did y'all do last week" and get a good report - how are you measuring the agentic parts of your SOC?
- How are you thinking about what comes next once AI is automatically writing good (!) rules for your team out of research blog posts and TI papers?
#252
November 17, 2025
EP252 The Agentic SOC Reality: Governing AI Agents, Data Fidelity, and Measuring Success
Topics covered:
- Moving from traditional SIEM to an agentic SOC model, especially in a heavily regulated insurer, is a massive undertaking. What did the collaboration model with your vendor look like?
- Agentic AI introduces a new layer of risk - that of unconstrained or unintended autonomous action. In the context of Allianz, how did you establish the governance framework for the SOC alert triage agents?
- Where did you draw the line between fully automated action and the mandatory "human-in-the-loop" for investigation or response?
- Agentic triage is only as good as the data it analyzes. From your perspective, what were the biggest challenges - and wins - in ensuring the data fidelity, freshness, and completeness in your SIEM to fuel reliable agent decisions?
- We've been talking about SOC automation for years, but this agentic wave feels different. As a deputy CISO, what was your primary, non-negotiable goal for the agent? Was it purely Mean Time to Respond (MTTR) reduction, or was the bigger strategic prize to fundamentally re-skill and uplevel your Tier 2/3 analysts by removing the low-value alert noise?
- As you built this out, were there any surprises along the way that left you shaking your head or laughing at the unexpected AI behaviors?
- We felt a major lack of proof - Anton kept asking for pudding - that any of the agentic SOC vendors we saw at RSA had actually achieved anything beyond hype! When it comes to your org, how are you measuring agent success? What are the key metrics you are using right now?
#250
November 3, 2025
EP250 The End of "Collect Everything"? Moving from Centralization to Data Access?
Topics covered:
- Are we really coming to “access to security data” and away from “centralizing the data”?
- How to detect without the same storage for all logs?
- Is data pipeline a part of SIEM or is it standalone? Will this just collapse into SIEM soon?
- Tell us about the issues with log pipelines in the past?
- What about enrichment? Why do it in a pipeline, and not in a SIEM?
- We are unable to share enough practices between security teams. How are we fixing it? Are pipelines part of the answer?
- Do you have a piece of advice for people who want to do more than save on their SIEM costs?
#249
October 27, 2025
EP249 Data First: What Really Makes Your SOC 'AI Ready'?
Topics covered:
- We often hear about the aspirational idea of an "IronMan suit" for the SOC—a system that empowers analysts to be faster and more effective. What does this ideal future of security operations look like from your perspective, and what are the primary obstacles preventing SOCs from achieving it today?
- You've also raised a metaphor of AI in the SOC as a "Dr. Jekyll and Mr. Hyde" situation. Could you walk us through what you see as the "Jekyll"—the noble, beneficial promise of AI—and what are the factors that can turn it into the dangerous "Mr. Hyde"?
- Let's drill down into the heart of the "Mr. Hyde" problem: the data. Many believe that AI can fix a team's messy data, but you've noted that "it's all about the data, duh." What's the story?
- “AI ready SOC” - What is the foundational work a SOC needs to do to ensure their data is AI-ready, and what happens when they skip this step?
- And is there anything we can do to use AI to help with this foundational problem?
- How do we measure progress towards AI SOC? What gets better at what time? How would we know?
- What SOC metrics will show improvement? Will anything get worse?
#244
September 22, 2025
EP244 The Future of SOAPA: Jon Oltsik on Platform Consolidation vs. Best-of-Breed in the Age of Agentic AI
Topics covered:
- You invented the concept of SOAPA – Security Operations & Analytics Platform Architecture. As we look towards SOAPA 2025, how do you see the ongoing debate between consolidating security around a single platform versus a more disaggregated, best-of-breed approach playing out?
- What are the key drivers for either strategy in today's complex environments? How can we have both “decoupling” and platformization going at the same time?
- With all the buzz around Generative AI and Agentic AI, how do you envision these technologies changing the future of the Security Operations Center (and SOAPA of course)?
- Where do you see AI really work today in the SOC and what is the proof of that actually happening? What does a realistic "AI SOC" look like in the next few years, and what are the practical implications for security teams?
- “Integration” is always a hot topic in security - and it has been for decades. Within the context of SOAPA and the adoption of advanced analytics, where do you see the most critical integration challenges today – whether it's vendor-centric ecosystems, strategic partnerships, or the push for open standards?
#242
September 8, 2025
EP242 The AI SOC: Is This The Automation We've Been Waiting For?
Topics covered:
- What is your definition of “AI SOC”?
- What will AI change in a SOC? What will the post-AI SOC look like?
- What are the primary mechanisms by which AI SOC tools reduce attacker dwell time, and what challenges do they face in maintaining signal fidelity?
- Why would this wave of SOC automation (namely, AI SOC) work now, if it did not fully succeed before (SOAR)?
- How do we measure progress towards AI SOC? What gets better at what time? How would we know? What SOC metrics will show improvement?
- What common misconceptions or challenges have organizations encountered during the initial stages of AI SOC adoption, and how can they be overcome?
- Do you have a timeline for SOC AI adoption? Sure, everybody wants AI alert triage, but what’s next? What's after that?
#241
September 1, 2025
EP241 From Black Box to Building Blocks: More Modern Detection Engineering Lessons from Google
Topics covered:
- On the 3rd anniversary of Curated Detections, you've grown from 70 rules to over 4700. Can you walk us through that journey? What were some of the key inflection points and what have been the biggest lessons learned in scaling a detection portfolio so massively?
- Historically the SecOps Curated Detection content was opaque, which led to, understandably, a bit of customer friction. We’ve recently made nearly all of that content transparent and editable by users. What were the challenges in that transition?
- You make a distinction between "Detection-as-Code" and a more mature "Software Engineering" paradigm. What gets better for a security team when they move beyond just version control and a CI/CD pipeline and start incorporating things like unit testing, readability reviews, and performance testing for their detections?
- The idea of a "Goldilocks Zone" for detections is intriguing – not too many, not too few. How do you find that balance, and what are the metrics that matter when measuring the effectiveness of a detection program? You mentioned customer feedback is important, but a confusion matrix isn't possible, why is that?
- You talk about enabling customers to use your "building blocks" to create their own detections. Can you give us a practical example of how a customer might use a building block for something like detecting VPN and Tor traffic to augment their security?
- You have started using LLMs for reviewing the explainability of human-generated metadata. Can you expand on that? What have you found are the ripe areas for AI in detection engineering, and can you share any anecdotes of where AI has succeeded and where it has failed?
#239
August 18, 2025
EP239 Linux Security: The Detection and Response Disconnect and Where Is My Agentless EDR
Topics covered:
- When it comes to Linux environments – spanning on-prem, cloud, and even–gasp–hybrid setups – where are you seeing the most significant blind spots for security teams today?
- There's sometimes a perception that Linux is inherently more secure or less of a malware target than Windows. Could you break down some of the fundamental differences in how malware behaves on Linux versus Windows, and why that matters for defenders in the cloud?
- 'Living off the Land' isn't a new concept, but on Linux, it feels like attackers have a particularly rich set of native tools at their disposal. What are some of the more subtly abused but legitimate Linux utilities you're seeing weaponized in cloud attacks, and how does that complicate detection?
- When you weigh agent-based versus agentless monitoring in cloud and containerized Linux environments, what are the operational trade-offs and outcome trade-offs security teams really need to consider?
- SSH keys are the de facto keys to the kingdom in many Linux environments. Beyond just 'use strong passphrases,' what are the critical, often overlooked, risks associated with SSH key management, credential theft, and subsequent lateral movement that you see plaguing organizations, especially at scale in the cloud?
- What are the biggest operational hurdles teams face when trying to conduct incident response effectively and rapidly across such a distributed Linux environment, and what's key to overcoming them?
#238
August 11, 2025
EP238 Google Lessons for Using AI Agents for Securing Our Enterprise
Topics covered:
- When introducing AI agents to security teams at Google, what was your initial strategy to build trust and overcome the natural skepticism? Can you walk us through the very first conversations and the key concerns that were raised?
- With a vast array of applications, how did you identify and prioritize the initial use cases for AI agents within Google's enterprise security?
- What specific criteria made a use case a good candidate for early evaluation? Were there any surprising "no-go" areas you discovered?
- Beyond simple efficiency gains, what were the key metrics and qualitative feedback mechanisms you used to evaluate the success of the initial AI agent deployments?
- What were the most significant hurdles you faced in transitioning from successful pilots to broader adoption of AI agents?
- How do you manage the inherent risks of autonomous agents, such as potential for errors or adversarial manipulation, within a live and critical environment like Google's?
- How has the introduction of AI agents changed the day-to-day responsibilities and skill requirements for Google's security engineers?
- From your unique vantage point of deploying defensive AI agents, what are your biggest concerns about how threat actors will inevitably leverage similar technologies?
#236
July 28, 2025
EP236 Accelerated SIEM Journey: A SOC Leader's Playbook for Modernization and AI
Guest:
- Manija Poulatova, Director of Security Engineering and Operations at Lloyd's Banking Group
Topics covered:
- SIEM migration is hard, and it can take ages. Yours was, given the scale and the industry, on the relatively short side at 9 months. What’s been your experience so far with that, and what could have gone faster?
- Anton might be a “reformed” analyst, but I can’t resist asking a three-legged-stool question: of the people/process/technology aspects, which are the hardest for this transformation? What helped the most in solving your big challenges?
- Was there a process that people wanted to keep but it needed to go for the new tool?
- One thing we talked about was the plan to adopt composite alerting techniques and what we’ve been calling the “funnel model” for detection in Google SecOps. Could you share what that means and how your team is adopting it?
- There are a lot of moving parts in a D&R journey from a process and tooling perspective. How did you structure your plan, and why?
- It wouldn’t be our show in 2025 if I didn’t ask at least one AI question! What lessons do you have for other security leaders preparing their teams for the AI in SOC transition?
#234
July 14, 2025
EP234 The SIEM Paradox: Logs, Lies, and Failing to Detect
Topics covered:
- Why do so many organizations still collect logs yet don’t detect threats? In other words, why is our industry spending more money than ever on SIEM tooling and still not “winning” against Tier 1 ... or even Tier 5 adversaries?
- What are the hardest parts about getting the right context into a SOC analyst’s face when they’re triaging and investigating an alert? Is it integration? SOAR playbook development? Data enrichment? All of the above?
- What are the organizational problems that keep organizations from getting the full benefit of the security operations tools they’re buying?
- Top SIEM mistakes? Is it trying to migrate too fast? Is it accepting a too slow migration? In other words, where are expectations tyrannical for customers? Have they changed much since 2015?
- Do you expect people to write their own detections? Detection engineering seems popular with elite clients and nobody else; what can we do?
- Do you think AI will change how we SOC (Tim: “SOC” is not a verb?) in the next 1, 3, or 5 years?
- Do you think that AI SOC tech is repeating the mistakes SOAR vendors made 10 years ago? Are we making the same mistakes all over again? Are we making new mistakes?
#233
July 7, 2025
EP233 Product Security Engineering at Google: Resilience and Security
Topics covered:
- Could you share insights into how Product Security Engineering approaches at Google have evolved, particularly in response to emerging threats (like Log4j in 2021)?
- You mentioned applying SRE best practices in detection and response, and overall in securing the Google Cloud products. How does Google balance high reliability and operational excellence with the needs of detection and response (D&R)?
- How does Google decide which data sources and tools are most critical for effective D&R?
- How do we deal with high volumes of data?
#231
June 23, 2025
EP231 Beyond the Buzzword: Practical Detection as Code in the Enterprise
Topics covered:
- Detection as code is one of those meme phrases I hear a lot, but I’m not sure everyone means the same thing when they say it. Could you tell us what you mean by it, and what upside it has for organizations in your model of it?
- What gets better for security teams and security outcomes when you start managing in a DAC world? What is primary, actual code or using SWE-style process for detection work?
- Not every SIEM has a good set of APIs for this, right? What’s a team to do in a world of no or low API support for this model?
- If we’re talking about as-code models, one of the important parts of regular software development is testing. How should teams think about testing their detection corpus? Where do we even start? Smoke tests? Unit tests?
- You talk about a rule schema–you might also think of it in code terms as a standard interface on the detection objects–how should organizations think about standardizing this, and why should they?
- If we’re into a world of detection rules as code and detections as code, can we also think about alert handling via code? This is like SOAR but with more of a software engineering approach, right?
- One more thing that stood out to me in your presentation was the call for sharing detection content. Is this between vendors, vendors and end users?
#228
June 2, 2025
EP228 SIEM in 2025: Still Hard? Reimagining Detection at Cloud Scale and with More Pipelines
Guest:
- Alan Braithwaite, Co-founder and CTO @ RunReveal
Topics covered:
- SIEM is hard, and many vendors have discovered this over the years. You need to get storage, security and integration complexity just right. You also need to be better than incumbents. How would you approach this now?
- Decoupled SIEM vs SIEM/EDR/XDR combo. These point in the opposite directions, which side do you think will win?
- In a world where data volumes are exploding, especially in cloud environments, you're building a SIEM with ClickHouse as its backend, focusing on both parsed and raw logs. What's the core advantage of this approach, and how does it address the limitations of traditional SIEMs in handling scale?
- Cribl, Bindplane and “security pipeline vendors” are all the rage. Wouldn’t it be logical to just include this in a modern SIEM?
- You're envisioning a 'Pipeline QL' that compiles to SQL, enabling 'detection in SQL.' This sounds like a significant shift, and perhaps not for the better? (Anton is horrified, for once.) How does this approach affect detection engineering?
- With Sigma HQ support out-of-the-box, and the ability to convert SPL to Sigma, you're clearly aiming for interoperability. How crucial is this approach in your vision, and how do you see it benefiting the security community?
- What is SIEM in 2025 and beyond? What’s the endgame for security telemetry data? Is this truly SIEM 3.0, 4.0 or whatever-oh?
#227
May 26, 2025
EP227 AI-Native MDR: Betting on the Future of Security Operations?
Topics covered:
- Why is your AI-powered MDR special? Why start an MDR from scratch using AI?
- So why should users bet on an “AI-native” MDR instead of an MDR that has already got its act together and is now applying AI to an existing set of practices?
- What’s the current breakdown in labor between your human SOC analysts vs your AI SOC agents? How do you expect this to evolve and how will that change your unit economics?
- What tasks are humans uniquely good at in today’s SOC? How do you expect that to change in the next 5 years?
- We hear concerns about SOC AI missing things, but we know humans miss things all the time too. So how do you manage buyer concerns about the AI agents missing things?
- Let’s talk about how you’re helping customers measure your efficacy overall. What metrics should organizations prioritize when evaluating MDR?
#202
December 9, 2024
EP202 Beyond Tiered SOCs: Detection as Code and the Rise of Response Engineering
Guest:
- Amine Besson, Tech Lead on Detection Engineering, Behemoth Cyberdefence
Topics covered:
- What is your best advice on detection engineering to organizations who don’t want to engineer anything in security?
- What is the state of the art when it comes to SOC? Who is doing well? What on Earth is a fusion center?
- Why do classic “tiered SOCs” fall flat when dealing with modern threats?
- Let’s focus on a correct definition of detection as code. Can you provide yours?
- Detection x response engineering - is there a thing called “response engineering”? Should there be?
- What are your lessons learned to fuse intel, detections, and hunting ops?
- What is this SIEMless yet SOARful detection architecture?
- What’s next with OpenTIDE 2.0?
#191
September 23, 2024
EP191 Why Aren't More Defenders Winning? Defender’s Advantage and How to Gain it!
Topics covered:
- What is the Defender’s Advantage and why did Mandiant decide to put this out there?
- This is the second edition. What is different about DA-II?
- Why do so few defenders actually realize their Defender’s Advantage?
- The book talks about the importance of being "intelligence-led" in cyber defense. Can you elaborate on what this means and how organizations can practically implement this approach?
- Detection engineering is presented as a continuous cycle of adaptation. How can organizations ensure their detection capabilities remain effective and avoid fatigue in their SOC?
- Many organizations don’t seem to want to make detections at all, what do we tell them?
- What is this thing called “Mission Control”? It sounds really cool; can you explain it?
#190
September 16, 2024
EP190 Unraveling the Security Data Fabric: Need, Benefits, and Futures
Topics covered:
- What is this “security data fabric”? Can you explain the technology? Is there a market for this? Is this the same as security data pipelines?
- Why is this really needed? Won’t your SIEM vendor do it?
- Who should adopt it? Or, as Tim says, what gets better once you deploy it?
- Is reducing cost a big part of the security data fabric story?
- Does the data quality improve with the use of security data fabric tooling?
- For organizations considering a security data fabric solution, what key factors should they prioritize in their evaluation and selection process?
- What is the connection between this and federated security data search?
- What is the likely future for this technology?
#187
August 26, 2024
EP187 Conquering SOC Challenges: Leadership, Burnout, and the SIEM Evolution
Guest:
- Nicole Beckwith, Sr. Security Engineering Manager, Threat Operations @ Kroger
Topics covered:
- What are the most important qualities of a successful SOC leader today?
- What is your approach to building and maintaining a high-functioning SOC team?
- How do you approach burnout in a SOC team?
- What are some of the biggest challenges facing SOC teams today?
- Can you share some specific examples of how you have built and - probably more importantly! - maintained a high-functioning SOC team?
- What are your thoughts on the current state of SIEM technology? Still a core of SOC or not?
- What advice would you give to someone who inherited a SOC? What should his/her 7/30/90 day plan include?
#184
August 5, 2024
EP184 One Week SIEM Migration: Fact or Fiction?
Topics covered:
- In your experience, what are the biggest challenges organizations face when migrating to a new SIEM platform? How did you solve them?
- Many SIEM projects have problems, but a decent chunk of these problems are not about the tool being broken. How did you decide to migrate? When is it time to go?
- Specifically, how to avoid constant change from product to product, each time blaming the tool for what are essentially process failures?
- How did you handle detection content during migration? Was AI involved?
- How did you test for this: “Which platform will best enable our engineering team to build what we need?”
- Tell us more about the Detection as Code pipeline you use?
- “Completed SIEM migration in a single week!” Is this for real?
#181
July 15, 2024
EP181 Detection Engineering Deep Dive: From Career Paths to Scaling SOC Teams
Topics covered:
- What are the biggest challenges facing detection engineers today?
- What do you tell people who want to consume detections and not engineer them?
- What advice would you give to someone who is interested in becoming a detection engineer at her organization?
- So, what IS a detection engineer? Do you need software skills to be one? How much breadth and depth do you need?
- What should a SOC leader whose team totally lacks such skills do?
- You created Detection Engineering Weekly. What motivated you to start this publication, and what are your goals for it? What are the learnings so far?
- You work for a vendor, so how should customers think of vendor-made vs customer-made detections and their balance?
- What goes into a backlog for detections and how do you inform it?
#180
July 8, 2024
EP180 SOC Crossroads: Optimization vs Transformation - Two Paths for Security Operations Center
Topics covered:
- The paper outlines two paths for SOCs: optimization or transformation. Can you elaborate on the key differences between these two approaches and the factors that should influence an organization's decision on which path to pursue?
- The paper also mentions that alert overload is still a major challenge for SOCs. What are some of the practices that work in 2024 for reducing alert fatigue and improving the signal-to-noise ratio in security signals?
- You also discuss the importance of automation for SOCs. What are some of the key areas where automation can be most beneficial, and what are some of the challenges of implementing automation in SOCs? Automation is often easier said than done…
- What specific skills and knowledge will be most important for SOC analysts in the future that people didn’t think of 5-10 years ago?
- Looking ahead, what are your predictions for the future of SOCs? What emerging technologies do you see having the biggest impact on how SOCs operate?
#170
April 29, 2024
EP170 Redefining Security Operations: Practical Applications of GenAI in the SOC
Topics covered:
- What are the different use cases for GenAI in security operations and how can organizations prioritize them for maximum impact to their organization?
- We’ve heard a lot of worries from people that GenAI will replace junior team members. How do you see GenAI enabling more people to be part of the security mission?
- What are the challenges and risks associated with using GenAI in security operations?
- We’ve been down the road of automation for SOCs before (UEBA and SOAR both claimed it), and AI looks a lot like those but with way more matrix math. What are we going to get right this time that we didn’t quite live up to last time(s) around?
- Imagine a SOC or a D&R team of 2029. What AI-based magic is routine at this time? What new things are done by AI? What do humans do?
#78
August 8, 2022
EP78 Classic SOC Meets Cloud: What Changes? What Stays the Same?
Topics covered:
- How do we get a legacy SOC team to think about the cloud?
- How to think about cloud threat detection, in general? What is different … threats, the environment, what else? What is the same?
- How do we know which TTPs are relevant for the new environments? What to bring with us to the cloud?
- Do content/rules and detection engines need to be different to cover the cloud detection use cases?
- What cases are appropriate for machine learning (ML) in the cloud? Do cloud threats drive the need for new ML detections?
#75
July 18, 2022
EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil
Guest:
- Tim Nguyen, Director of Detection and Response @ Google
Topics covered:
- I know we don’t like to say “SOC” here, so why don’t we talk about the role of automation in detection and response (D&R) at Google?
- One SRE concept we found useful in security operations is “toil.” How do we squeeze toil out of the D&R practice at Google?
- A combined analyst and engineer role (just like an SRE) was critical for both increasing automation and reducing toil. How hard was it to put this into practice? Tell us about that journey.
- How do we automate security signal analysis, can you give us a few examples?
- D&R metrics have been a big pain point for many organizations. How does SRE thinking about SLOs and SLIs (and less about SLAs) help us in our “not SOC”?
- How do we avoid falling into the “time to respond” trap that rewards fast response, sometimes at the cost of good?
#73
July 5, 2022
EP73 Your SOC Is Dead? Evolve to Output-driven Detect and Respond!
Guest:
- Erik Bloch, Senior Director of Detection and Response at Sprinklr
Topics covered:
- You recently coined a concept of “output-driven Detection and Response” and even perhaps broader “output-driven security.” What is it and how does it work?
- Detection and response is alive (obviously), but you sometimes say the SOC is dead. What do you mean by that?
- You refer to a “federated approach for Detection and Response” (“route the outcomes to the teams that need them or can address them”), but is it workable for any organization?
- What about the separation of duty concerns that some raise in response to this? What about the organizations that don’t have any security talent in those teams?
- Is the approach you advocate "cloud native"? Does it only work in the cloud? Can a traditional, on-premise focused organization use it?
- The model of “security team as a decision-maker, not an implementer” has a bit of a painful history, as this is what led to “GRC-only teams” who lack any technical knowledge. Why will this approach work this time?
#64
May 9, 2022
EP64 Security Operations Center: The People Side and How to Do it Right
Topics covered:
- What are some tenets of good SOC training? How does this depend on the SOC model (traditional L1/L2/L3, virtual, etc)?
- How do you make SOC training realistic?
- Should training be about the toolset or should it be about the analyst’s skills?
- Should you primarily train for engineering skills or analysis skills?
- Do you need to code to succeed in a modern SOC?
- Are competitive events like CTFs effective for SOC training?
- What role does SOC training play in bringing new, perhaps under-represented people into security operations and promoting inclusivity?
#63
May 2, 2022
EP63 State of Autonomic Security Operations: Are There Sharks in Your SOC with Robert Herjavec
Topics covered:
- It’s been a few months since we launched Autonomic Security Operations (ASO), and it seems like the whitepaper has been going viral in the industry. Tell us what ASO is about.
- How was the ASO story received by your customers? Any particular reactions?
- Will the ASO narrative inspire the next generation of practitioners? Where do you envision the market headed?
- ASO is about transforming the SOC, and that often involves culture change. How do you change the culture and deeper approaches common in security operations?
- What else can we do to evolve SOC faster than the threats and assets grow?
#58
March 28, 2022
EP58 SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond
Guests:
- Alexi Wiemer, Senior Manager at Deloitte Cyber Detection and Response Practice
- Dan Lauritzen, Senior Manager at Deloitte Cloud Security Practice
Topics covered:
- What is your key learning about the state of SOC today? What one SOC trend are you hearing the most or most interested in?
- What is your best advice to SOCs that are permanently and woefully understaffed?
- Many SOC analysts are drowning in manual work, and it is easy to give advice that “they need to automate.” What does this actually entail, in real life?
- What is, in your view, the most critical technology for a modern SOC? Is it SIEM? Is it SOAR? Is it EDR?
- What is the best advice for a SOC that was handed cloud on a platter and was told to monitor it for threats?
- Occasionally, we hear that “SOC is dead.” What is your response to such dire SOCless predictions?
#26
August 9, 2021
EP26 SOC in a Large, Complex and Evolving Organization
Guest:
- Johnathan Keith, Director of Information Security (CISO) @ ViacomCBS Streaming / Digital (at the time of the recording)
Topics covered:
- What is the mission for your SOC? Has it evolved in recent years?
- How do you rate your state of maturity in security operations?
- I hear that your organization is complex and decentralized. How do you run a SOC in such a case?
- How do you approach the balance of people, process and technology in your SOC?
- What is the role of outsourcing in your SOC?
- Is cloud included in your SOC mission scope?
- What are the immediate things you plan to improve?