Anton Chuvakin Discusses “20 Years of SIEM – What’s Next?”

Well-known as a SANS instructor and SIEM expert, Anton Chuvakin recently celebrated 20 years of architecting, deploying, maintaining, and tuning SIEMs.

In this webinar, he’ll review the future of SIEM – and how many of the problems that plagued early SIEM users are still with us today, such as:

  • The difficulty of operating SIEMs effectively with limited staff (e.g., "We have a small team and just enough people to keep the SIEM running – but no time left to go beyond basic use cases.")
  • Data collection and data quality issues (“We don’t have enough people to check that our collectors are still configured properly – so we don’t have visibility into blind spots.”)
  • Trusting that SIEM data structures, taxonomies, and out-of-the-box detection rules (from SIEM vendors and MSSPs) will be effective and usable in your environment.
  • Hoping your custom detection rules are written correctly (e.g., hoping nobody mistyped “context.asset.vulnerability.severity” as “asset.context.vulnerability.severity” in a rule they wrote).

At the same time, let’s not forget that our essential SIEM mission – detecting and responding to threats – is a difficult one in today’s complex and messy environments (endpoints, cloud, micro-services, SaaS, rogue systems, etc.) with constantly-evolving security stacks (CASB, CSPM, CIEM, EASM, etc.).

So where are we going with SIEM? Anton will discuss how the scale and power of the cloud, together with richer contextual telemetry, global-scale threat intelligence, and new automation approaches, have the potential to address some of these challenges in a meaningful way.

Anton will be joined by Yair Manor, CTO and co-founder of CardinalOps. Yair will describe data collected from real-world SIEM deployments showing answers to common challenges such as:

  • % of MITRE ATT&CK techniques covered by the average SIEM
  • Comparison with the top 14 techniques actually used by adversaries in real-world attacks
  • % of broken or misconfigured rules in the average SIEM
  • The top missing log source type in the average SIEM
  • % of SIEMs that disable default out-of-the-box SIEM content
  • Log4Shell: how long, on average, it took organizations to add new rules to detect it

Sponsored by CardinalOps: CardinalOps brings cloud-based analytics and API-driven automation enabling SOC engineering teams to stay ahead of constant change in their threat landscape and attack surface – and close the riskiest detection gaps that leave their organizations exposed.

Leveraging a proprietary, crowd-sourced graph database of thousands of best-practice detection rules – backed by human experts with nation-state expertise – the CardinalOps platform continuously delivers AI-based detection recommendations for your existing SIEM/XDR, mapped to MITRE ATT&CK and customized to your infrastructure and organizational priorities.