Defense in Depth: Convergence of SIEM and SOAR

SIEM tools that ingest and analyze data are ubiquitous in security operations centers. But just knowing what’s happening in your environment is not enough. For competitive reasons, must SIEM tools expand and offer more automation, intelligence, and the ability to act on that intelligence?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Chris Grundemann (@ChrisGrundemann), category lead, security, GigaOm.

GigaOm SIEM Report

GigaOm SOAR Report

Got feedback? Join the conversation on LinkedIn.

Our sponsor for this week’s podcast is Keyavi

Cyber criminals who attack healthcare systems know medical record information has tremendous value for stealing identities. If you infuse personally identifiable information with geographical awareness and intelligence, you dramatically reduce the risk of patient identity theft. Join a live demo session on www.keyavi.com/sessions to learn more.

Full transcript

David Spark

SIEM tools that ingest and analyze data are ubiquitous in security operation centers. But, just knowing what’s happening in your environment is not enough. For competitive reasons, must SIEM tools expand and offer more automation, intelligence, and the ability to act on that intelligence?

Voiceover

You’re listening to Defense In Depth.

David Spark

Welcome to Defense In Depth, my name is David Spark, I am the producer of the CISO Series. And joining me for this very episode is Geoff Belknap, CISO over at LinkedIn. Geoff, say hello to our good friends.

Geoff Belknap

Hey friends and an exciting topic we have today, I’m excited to get into this.

David Spark

It is a good topic, but first before I mention our topic, I do want to mention our sponsor Keyavi Data. Keyavi Data has been a spectacular sponsor of the CISO Series and we’re thrilled to have them back, yet again. Now let’s get onto our topic which is what appears to be an inevitable convergence of SIEM and SOAR products, and we are going to get into the specifics of what these two categories are if our listeners are not fully aware of that, don’t feel that we are going to leave you in the dark. So SIEM products are numerous, they may seem to be like a commodity because it is just sort of taking and ingesting data and spitting out results from what it is ingesting. Security Orchestration, Automation and Response, or SOAR, that’s the acronym, provides both intelligence, automation and a means for a security team to act on the data from the SIEM. So my question to you, Geoff, will products from these two categories just merge as one? Or will they stay separate? And does it even matter what happens one way or the other?

Geoff Belknap

I think that’s the $64m question.

David Spark

Oh we’ve raised the price tag.

Geoff Belknap

Yes it used to be $62m, but inflation.

David Spark

$64,000 not millions.

Geoff Belknap

Hyperinflation. So, I think the $64m question here is really just that. Does it matter? And I think the interesting question for people like our guests and me is, the inside baseball of like, does it matter, like how is this going to impact how security does what it needs to do? And it’s also really interesting to see which way the market goes, and in this case, I have some thoughts but I’m really interested to see where this conversation goes. I’m interested to talk to our guests today about that.

David Spark

Our guest is a perfect guest for this topic because he’s actually the one who started this conversation on LinkedIn, and he’s with our research partner which is GigaOm and he happens to be the category lead for security, so we couldn’t get a more perfect guest for this subject. It is Chris Grundemann. Chris, thank you so much for joining us today.

Chris Grundemann

Thanks for having me, I’m excited about the conversation.

Why are they behaving this way?

00:02:53:05

David Spark

Michael Delzer said, “SIEM and SOAR will combine as the data model and AI process get adopted in the market. SOAR vendors will need to grow their value which is easier to move to include SIEM than AI Ops, AI Operations.” and Daniel Lakier of IP Fabrics said “The question isn’t really will they remain separate but rather will the standalone SOAR vendors offer enough differentiation in value for them to remain a viable option as a standalone product offering.” Now, Daniel takes it from the opposite side than I thought, I thought the issue was the SIEM vendors were so ubiquitous and there were so many of them that they needed the SOAR, but he’s arguing it’s the other way around.

Geoff Belknap

I think that’s really interesting, I never really thought about it that way. I definitely think about it the way Daniel thinks about it. I’m really interested to see if SOAR vendors can stand on their own, and I think, I’d be really interested in Chris’s perspective, that there’s very few SOAR vendors that are still standing on their own, but it’s very clear that SOAR adds value to what a security operation team does, and then it adds a lot of value to what a SIEM offers your organization. So I’m curious Chris, what do you think here, are there a lot of SOAR vendors that are standalone still?

David Spark

And let me just add to your question, because that is a good question, how could they, being that they have to integrate with something?

Chris Grundemann

Well, I think the genesis of SOAR as a product category really came from succumbing to its own success, and so what happens is, you throw all your alerts, all your logs, everything into a SIEM and it’s spitting out alerts, but if those alerts aren’t things that humans actually need to deal with then they’re not good alerts, they may be even bad alerts. And so that’s where SOAR came from, was okay how do we deal with all these alerts that are coming out of the SIEM tool? And so it started as an add-on, and that’s why we saw some standalone SOAR vendors pop up, to kind of solve the problems with SIEM, yes it does have to be integrated, but it can also stand alone as another interface to pass that data through. And what we’re seeing, I think, is more and more SIEM vendors are either buying a SOAR vendor and integrating it completely, or building their own SOAR tools into their SIEM offering, and both of those things seem to be going down a path where it will be really hard for a standalone SOAR vendor to last.

Geoff Belknap

It feels like the SOAR vendors have never really helped the customers answer the question of, great I have this Genie in a bottle that will grant all these wishes and automate all these things for me, but what should I automate and how? Because when it really comes down to it, automating security tasks in your environment can be a little scary if it’s running on its own. Now connecting that to your SIEM makes a little bit more sense because you can act on signal that comes in from your SIEM. But I have always thought SOAR really could stand on its own, it just really depends on your process and the way that you operate security in your organization to be pretty mature. And I’m not sure everybody really is at that level of maturity that they think they are.

David Spark

That is actually a really good point, and I’ll throw this to you Chris. I think a lot of people are aspirational when they purchase a SOAR product, in that they’re buying it before they’re even ready to actually use it. Do you find that in the market?

Chris Grundemann

I think so, I think that’s true of a lot of security products. I think that we tend to throw tooling at problems that are really fundamental, and that some security awareness training and a more equipped security team would be able to deal with less tooling perhaps. It doesn’t mean that all the tooling is wrong but we over tool I think.

Geoff Belknap

100%. But I really think this gets to the heart of the real matter, which is, can we solve cultural and organizational problems with tooling? And the answer is, not really, we can whittle away at them but not really.

David Spark

And let me also throw this at it, we talked about this on the other podcast. The way automation has been sold for God knows how many years is, this will alleviate your team, they’ll have to work less, you’ll need less staff and I don’t know of one company that that’s happened to, zero. In fact we saw research that companies that wanted to implement automation had to actually increase their staff to be able to do something like that. Geoff?

Geoff Belknap

I absolutely have experienced this, I mean it takes more work to implement automation, upfront at least, I think that’s the important differentiator. Upfront, no matter what you do, it’s going to take more work to implement that automation than it is to do it manually. But the hope, and I think this is where there would be some interesting long term studies, the hope is that once you have implemented it, that should tail off, or you should at least be able to focus on more. You can make more decisions or more assessments of the surface area you have had before than you could before you had automation. Does that play out? I think the verdict is still out on that.

What’s going on?

00:07:37:23

David Spark

Daniel Lakier, again from IP Fabrics, “The problem hasn’t been whether we have the data but how to make the data meaningful and then act upon it.” And by the way, that is in the most simplistic sense, perfectly isolates everything here, I think he nails it on the head right there. And Paul Stringfellow of Gardner Systems said “Standalone monitoring is not enough. Our over-stressed security and IT pros need all the help they can get.” And I think that’s probably the sales tactic of SOAR, yes Chris?

Chris Grundemann

Absolutely. And I think to varying degrees vendors are bringing that to bear, and so with out of the box integrations and potentially built-in, automated alert prioritization and triage and curation, there are some things that can come pre-built in the SOAR package along with it, especially if you are relating that to some of the new MITRE ATT&CK framework and things like that where you can organize this around frameworks that make sense to people and that are useful in threat hunting, and even in red teaming in some cases. Those built-in integrations and automations that you can use out of the box help lower that barrier to entry and allow this to actually improve operations without costing a bunch of extra time and effort.

Geoff Belknap

The trick is, every time you put in a good piece of tooling, and I mean that earnestly, a good piece of tooling, what you start with is this concept that this is going to reduce my mental workload, and the reality is, no, it’s not. If it works really well it’s going to increase the amount of things you have exposure to. Either by decreasing the amount of time you spend on some manual, rote task, or by raising some signal out of the noise that you didn’t know you were missing before. So I feel like there are some things you can do that reduce the ‘toil’, like the pain of doing some of the manual work. But once that stuff is gone and you’re replacing it with higher order stuff that you have to spend time thinking about, which is why I think it’s interesting that the next thing everyone goes to is AI and machine learning, so that they can offload some of that decision making. Which I think honestly is a bit of a mistake because humans make great decisions, mostly, when they have good information and I think good tooling will give you better information on which to make decisions.

David Spark

But also isn’t there, you tell me Geoff, isn’t there maybe a low level of stuff that can be automated that does not need to be done by hand? We’re not saying automate everything, or we need a tool that can automate everything. But isn’t there something, and maybe you could give us examples of what could be?

Geoff Belknap

I think there’s some basic things that help here. I mean in the early stages when some of the first SOAR tools were coming out, I’ll lean on Demisto as an example, it was really exciting to think about automating away the basic tasks that you do in the early phase of the Phishing investigation and then building an automated pipeline around that. But now most everybody has done that one way or another, and it’s really hard to imagine automating away an investigation. And I think the analogy here, which is not wrong, is like, how would you automate a murder investigation? There’s a lot there that’s context sensitive, that really requires a human to understand what’s going on and an infosec incident is very complex and dynamic and there’s always something different about it in many cases, and it’s really hard to just think that AI or machine learning or SOAR is going to offload enough of that so that humans don’t have to get involved at the early stages.

Geoff Belknap

I don’t think you can totally take it away, but I do think that there’s some areas of, call it threat enrichment and bring in additional context in, and maybe it’s not even automation, it’s just advanced correlation where you’re bringing in multi data sources and pulling these things together and helping point the arrow to, here’s where the problem really is.

Chris Grundemann

Yeah I think that’s right. I think there’s a lot of context building, and I think there are connections that you can expect your automation, or some of your tooling, to bring for you that maybe an analyst would have missed or an analyst wouldn’t have thought to look there. And I think, again, that adds a lot of value, I think it’s just slightly off of where the marketing takes us in some cases.

Sponsor – Keyavi

00:11:54:01

Steve Prentice

Keyavi is a company with a very unique product. Self-intelligent, self-protecting data that makes itself disappear the moment it finds itself in the wrong place, whether by accident or through theft. Not being a company content to sit back on its heels, Keyavi continues to innovate to keep pace with the times and as the CEO, Elliot Lewis, shows us, the industry is taking notice.

Elliot Lewis

We have won several awards at the Black Hat Conference, including one of the Top 10 Cyber Security Start-ups of the year, as well as awards for myself and my Chief Marketing Officer and our CISO, so that was very exciting. And also we actually are able to stop Ransomware Phase 2 and Phase 3. So that if you update that it’s stolen and extricated, that data is now self-protecting and it won’t allow itself to be ransomed or sent or sold to a third party, so we just took all the money out of ransomware control.

Steve Prentice

Okay so let’s back up a second. Which awards at Black Hat?

Elliot Lewis

So, there are four awards that we won at Black Hat. The first one was Top 10 Cyber Security Start-ups of the year. The second one, for myself, was Top 10 Cyber Security Experts of 2021. And then Jocelyn King, our Chief Marketing and Growth Officer, won Top Women in Cyber for the year of 2021. And then our CISO, TJ Minichillo, won Top 10 CISO of the year for 2021.

Steve Prentice

Okay then, well congratulations.

Elliot Lewis

Thank you.

Steve Prentice

To learn why the Keyavi Team is being recognized in this way, go to Keyavi, Keyavi.com.

What are the best ways to take advantage of this?

00:13:38:02

David Spark

Michael Delzer said, “In sales there is the concept of land and expand, this type of sales pattern will keep these as modules companies will sell to allow them to grow revenue per client over time.” And Ron Williams of GigaOm said, “Security data ingestion, deduplication, correlation and analysis will eventually be added to the mix, even if vendors push one direction or another in the pursuit of revenue.” So I thought this was interesting, there’s an advantage to keep them separate in just good old fashioned sales. Chris, what do you see?

Chris Grundemann

That is definitely fair and I think there’s lots of areas in IT, and especially IT operations, where we see product suites, and whether it’s a monitoring suite or any kind of automation suite, there’s a lot of times there’s different pieces and parts of it. And on the one hand it’s a good way to add extra SKUs to a quote and maybe make some extra money, but the less cynical view there is that you’re actually making the product platform more modular, where I can pick and choose the pieces that I need for my team. And so I think from both aspects it is an advantage potentially to keep them as separate products, even if they’re integrated into a holistic platform or suite of products.

Geoff Belknap

I think that’s right. I mean this is where we’re going and both Mr Delzer and Mr Williams here I think make great points, but separately it’s like, yes this is definitely how product managers are thinking about it right now, how do I make this modular so I can bolt on some different features. And let’s be honest, they’re different features, they’re not really different products at this point. Although I think they could be, but we had that discussion already. The interesting thing that I want to pull out that Ron Williams says here is, yes 100% I agree with Ron, this is where the future is going, however, seeing this be executed in a commercially viable way, I haven’t seen it yet. And I think the closest we came to this kind of thing is Google’s prodigal product the Cloud and then sort of re-brought back in to the company. They had a really fantastic, very unique opportunity to say, we’ll do all the deduping, we’ll do all the correlation on Google’s back end, which is amazing and high scale. But they couldn’t execute on it, they couldn’t convince people to do that and they were very uniquely positioned to be good at that. So, I think, maybe they were just wrong product market fit, wrong timing. But I think it goes to show you, we have SIEM, we clearly need some additional stuff on top of SIEM to make it effective for people. SOAR adds some really exciting stuff, but it might be too early in people’s journey from security to make that valuable. But it’s great to see this stuff and where it’s going and it will be really interesting to see where it lands from a commercially viable perspective.

Chris Grundemann

I agree and it adds into a bunch of other pieces and parts I think, which is the new kind of XDR things, there is potentially some overlap here where those things–

David Spark

Well that seems inevitable actually, with XDR. Give us a little bit more on that. Where do you see that happening and why?

Chris Grundemann

To me still, XDR seems very marketing from most companies.

David Spark

Just explain what XDR is?

Chris Grundemann

It’s basically an extension of Detection and Response but to any device anywhere, any user.

David Spark

Into the Cloud mostly?

Chris Grundemann

Into the Cloud specifically.

Geoff Belknap

I haven’t even heard of XDR.

David Spark

You know what, Palo Alto seemed to brand it and then there is a bunch of other start-ups that came around with XDR. What happens is Gartner keeps coming up with new categories, and I hear from CISOs that I’m looking to solve problems, not by product category.

Geoff Belknap

And this is my point, I’ve never heard of XDR so it’s not like XDR is the solution to some problem that I’m having on some regular basis, this is a solution to, how do we get away from the noise in the sales space of security solutions? And I don’t ding anybody for doing that, but I do think there’s a big difference between a new class of solution and a new class of how we’re going to market to the space.

Chris Grundemann

I think that is totally fair. And I think the point here is that, all these pieces and parts really at the core, rather than just classifying them as, is this a SIEM, is this a SOAR, are they coming together? Perhaps the better way to look at it, what functionality am I actually getting and how much do I have to pay for it?

What are the complaints?

00:18:01:04

David Spark

Paul Stringfellow of Gardner Systems, “A potential blocker may be our ability to trust this level of integration and automation, how good is our SOAR analysis engine, how accurate is it? Do we trust it to allow full automation of retrospective or even pro-active actions to protect our systems? The technology needs to be “bulletproof” if we are going to allow that.” I’m going to question the “bulletproof” comment, because what if anything is bulletproof? But there is some validity to his argument here. Now I’m going to go to Michael Delzer’s comment on deploying discrete SIEM and SOAR solutions, “This will happen if separation of duties, or organizational structure cause the funding and staffing to be distinct groups that have conflicting agendas.” So, I like Michael’s comment there saying, hey this isn’t going to be about the market, it’s going to be about the individual buyers and how the makeup of their company operates. What do you think Geoff?

Geoff Belknap

I mean, that could be true. I don’t know anybody that’s running into that problem where they’re not buying their own security solution, some other vendor is. You kind of run into this between security and traditional IT shops. But, and I’ll expand on that, and just say where you’re looking at MDM, Mobile Device Management, a traditional IT team, and I’ll put that in air quotes because everybody treats that set of services differently. A traditional IT team is looking to manage devices that they are responsible for, and then a lot of times their security value and add-on in the features of the product they buy for that. But I rarely see something as SIEM and SOAR where it is like very uniquely a security solution set up that would be bought by some other part of the organization. I think what is really interesting to talk about really quick is what Paul Stringfellow said, the blocker on adoption of SOAR is really, how much do we trust it and how much do we trust ourselves? Because, if I’m honest, I don’t know anybody who trusts SOAR to take proactive actions. But it’s not because they don’t trust the SOAR software, it’s because they don’t trust their own infrastructure or their own knowledge about how their infrastructure works, such that they would let a piece of automation go out and make changes by blindly assuming that everything was homogeneous to the environment. Because it’s not.

Chris Grundemann

That’s a really good point. When I think automation these days I start thinking about AI which isn’t necessarily all automation, but I think that’s where a lot of this is going, and this gentleman gave a talk a while back where he talked about Tesla, for example, claims about all these billions of miles they’ve driven and it brags about the fact they’ve got all these miles and that’s why they’re the best car company. But, my 18 year old, who has 1,000 miles under his belt, drives better in most conditions than a Tesla, and so there are definitely things that automation just can’t quite get. So maybe it’s not just distrust of the product, but just distrust of how much power can we put in the hands of software in general in these kind of security operation scenarios.

David Spark

This is just a general problem with automation in general, for automation to work you have to trust it, but people are very bent out of shape with self-driving cars, but we go into self-driving elevators all the time. Now, elevators literally have a linear traffic pattern so they’re far more simple than a car, obviously, but it’s what we feel comfortable with and to what degree is the automation. If it screws up how much crap are we in? Geoff?

Geoff Belknap

I never thought about elevators as self-driving, so that’s given me some pause for reflection. I think you’re exactly right David. We have to narrow the set of things that we’re going to trust AI or some decision engine to decide for us. And I think the scope of security, if we are using capitalized Security as the defining definition of scope here, that’s just way too broad. And this is what I was talking about earlier, if we can narrow it to Phishing investigation, or an end-point breach investigation, something like that, I think in some of those limited cases, absolutely, you can build a level of trust to let some automation run on it. I think if we zoom the scope back out to the original point of the conversation, what’s going on with SIEM and SOAR? I think the bottom line is, SOAR has a lot of value, not sure it has enough value on its own, and I think that’s part of what is limiting, and that is part of what you’re seeing in some of the activity in the industry about consolidation. But SIEM also doesn’t have enough legs on its own, but it certainly seems to be able to survive as a standalone product. And I think there are some interesting things there about just how complicated those problem sets are and where people’s dollars are going in terms of the problems that they need to solve. Clearly the SIEM is a problem that they need to solve and that’s a higher order problem than the automation today. What do you think Chris?

David Spark

Last word Chris?

Chris Grundemann

I really do believe that SOAR, again, the genesis was to solve some problems that SIEM had created. I think that’s happened, and I think we’re seeing SOAR functionality fold back into SIEM as features across the board. I don’t think that will be 100% of the case, but I do think it’s a natural evolution and that’s where we’re headed.

David Spark

By the way I’m just going to point out that you have no problem changing the pronunciation of the acronym SIEM from SIEM to SIEM. You seamlessly transfer from one to the next.

Chris Grundemann

I’ve got multiple audiences here David.

Geoff Belknap

Just pick one folks, it doesn’t matter.

David Spark

We did a live show in Australia and they pronounced it CISO in Australia, so the woman who does the bumpers, I had her do another bumper that said the CISO vendor relationship podcast.

Geoff Belknap

Localization, it’s important.

Closing

00:23:49:20

David Spark

We’ve come to the point of the show where I’m going to ask the two of you to give me your favorite quote and why, and I’m going to start with you Geoff. What was your favorite quote and why?

Geoff Belknap

I think my favorite quote here is from Daniel at the very beginning of the conversation. I think he’s exactly right. The question really isn’t about whether SIEM and SOAR remain separate, but whether there’s enough standalone value in a standalone SOAR solution to make it worthwhile for these things to live on their own.

David Spark

Chris, your favorite quote and why?

Chris Grundemann

I was actually going to choose the same one, but I’m going to pivot here quickly and I’m going to say that I think that, to Michael Delzer’s point in the middle there, where he talked about the sales aspect of this and whether or not this needs to be two SKUs just from a sales motion perspective or not? And I think that might actually be the determining factor at the end of the day, is how does this fit together in a sales strategy and how do companies want to go to market versus just the functionality itself.

David Spark

And I think really, that’s what is going to be telling. That’s how it’s going to play out. How the companies are actually going to sell this darn product, to make more money and actually just get a foothold. The land and expand, which I think that was the line. Well that brings us to the end of our conversation. I want to thank our sponsor again, Keyavi Data. Thank you so much Keyavi for sponsoring us, more about them at keyavidata.com. Chris I’m going to let you have the last word. Any last thoughts Geoff on your side?

Geoff Belknap

We’re still hiring.

David Spark

You are always hiring.

Geoff Belknap

LinkedIn is always hiring, either for ourselves or for many of our valuable members and customers. Come take a look.

David Spark

You can find a job through LinkedIn.

Geoff Belknap

linkedin.com everybody.

David Spark

Chris any last words, and by the way do you have any reports yourself, or any of your teammates coming out with that we should have an eye on?

Chris Grundemann

We’ve recently published reports on both SIEM and SOAR, or SIEM if you like it.

David Spark

So you can read and pronounce it any way you like?

Chris Grundemann

That’s right.

Geoff Belknap

It costs the same for the report, whether you pronounce it SIEM or SIEM.

Chris Grundemann

And then there is tons more coming out and also I do some other things with other hats other than GigaOm, so definitely you can take a look at chrisgrundemann.com and see if anything tickles your fancy.

David Spark

I will link to that, make sure you give me the link and I will link to your personal site, and also any reports you wanted to point to as well. GigaOm is gigaom.com. Thank you so much to Chris Grundemann, thank you very much to my co-host Geoff Belknap and I want to thank our listeners for being always phenomenal, we greatly appreciate your contributions and listening to Defense in Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.