What do a $10 billion funding request for cybersecurity, a massive collection of 3.2 billion passwords hitting the web, and the godfather of threat detection have in common?
Among other things, they’re all featured in Episode 2 of our new SON OF A BREACH! podcast series, “Chuvakin be kidding me,” available now.
Tune in to hear host Randy Watkins, CRITICALSTART’s Chief Technology Officer, share his perspectives on recent news topics:
Joining Watkins for this podcast episode is threat detection and security expert, Dr. Anton Chuvakin, who currently focuses on security solution strategy for Google Cloud.
For several years, Dr. Chuvakin covered security operations and detection and response topics at Gartner, where he was Research Vice President and Distinguished Analyst at Gartner’s Technical Professionals (GTP) Security and Risk Management Strategies team. He has authored several books and published dozens of papers on the topics of security information and event management (SIEM), log management, and Payment Card Industry Data Security Standard compliance.
Watch Out for These to Get the Most Value From SIEM
Some organizations falter with SIEM utilization, log management, and detection correlation, Dr. Chuvakin says, due to a variety of reasons.
“I have encountered more projects killed by mismatched expectations than anything else,” he says, adding that lack of headcount, talent, and sufficient resources to keep SIEM running, and lack of a use case approach have “sunk a fair number of projects, too.”
He also observes, “Lately, the frustrations of trying to make good insights, good security insights, out of bad data have kind of boiled over.”
Tips for Approaching SIEM and Detection Use Cases
Dr. Chuvakin recommends organizations step back and consider use cases before they actually implement SIEM in their environment.
“Start thinking, okay, what are my use cases?” he advises. “Am I buying for compliance? Reporting? Am I buying it to support my incident responders? If I’m detecting threats, what kind of threats? … What sort of data do I need to get?”
Instead of approaching SIEM as a huge detection project, Dr. Chuvakin suggests coming at it as “a sequence of use cases where you iterate, you learn, you implement simpler ones, and then you grow to others.”
Perspectives on Detection and Response Models
While at Gartner, Dr. Chuvakin coined the term “endpoint threat detection and response” to describe what was then a new family of tools designed to increase visibility by using endpoint data. From that came extended detection and response (XDR), which uses multiple data sources for even more visibility in detection and response.
Asked for his thoughts on XDR, Dr. Chuvakin says his perspective has evolved over the years. “My initial reaction a couple of years ago about XDR was kind of annoyance. But at the same time, it was invented at a competing analyst firm, so it’s sort of a normal reaction.”
He says he remains a SIEM fan, but the starting point for detection can be EDR as a viable alternative. “If you expand from that point, you become extended from EDR, and that’s XDR. So, to me, the XDR is a security threat detection monitoring model where the EDR leads, and then other things extend from that.”
CRITICALSTART® and MOBILESOC® are federally registered trademarks owned by Critical Start. Critical Start also claims trademark rights in the following: Cyber Operations Risk & Response™ platform, and Trusted Behavior Registry®. Any unauthorized use is expressly prohibited.