mnemonic security podcast

SIEM is DEAD?

December 07, 2020 mnemonic
mnemonic security podcast
SIEM is DEAD?
Show Notes Transcript Chapter Markers

SIEM is DEAD?

Ready to time travel through the last 20 years of security monitoring? To guide us we have Dr. Anton Chuvakin, recognized security expert and the man behind the term EDR! Anton shares from his long experience in the field, among other as VP of Research and Distinguished Analyst at Gartner and working with security solution strategy at Google Cloud.

Anton chats with Robby about the evolution of Security Information Event Management (SIEM) technology, its mission and reputation. As you can imagine, he also has a lot to say about the future of security monitoring.

Technical level: 4/5

Host: Robby Peralta

Producer: Paul Jæger

https://www.mnemonic.no/podcast 

mnemonic:

From our headquarters in Oslo, Norway, and on behalf of our host Robby Peralta. Welcome to the mnemonic security podcast.

Robby Peralta:

Security information and event management - SIEM. It doesn't ring any bells to most of the world's population. But for others, well, imagine hearing a bell go off 300 times a day and let me know how you feel. Anyways, those of us familiar with this bell are aware that it was made to detect potential security incidents. Those same people are also aware that this detection is harder than the sales guys make it out to be, as it requires lots of people, data and triage. Does this mean our beloved SIEM is dead? Who better to ask the former Vice President and distinguished analyst at Gartner who is now the head of solution strategy for Google Chronicle Dr. Anton Chuvakin, welcome to the podcast.

Anton Chuvakin:

Thank you very much. Thanks for inviting me.

Robby Peralta:

It's a great honor having you here today with us. I wouldn't go as far to call you a god, but you're definitely a security guru.

Anton Chuvakin:

Oh, God, no, I made so much fun of people calling themselves security gurus. And now you're doing it to me

Robby Peralta:

Okay, we'll go with god then, a security god, I was stalking you a bit on LinkedIn, very impressive 20 year long resume in security monitoring area, where you've had the pleasure of calling us everything from a chief strategist, chief logging evangelist. We need more of those actually, we still need a lot more. And my favorite and most interesting in my opinion, is the Vice President of Research for Gartner.

Anton Chuvakin:

Distinguished analyst, I met made it all the way to VP distinguished analyst, which is like a top rank for an analyst of Gartner.

Robby Peralta:

Awesome, awesome. And so just to stop you right there, what does that entail? mnemonic has dealings with Gardner, and I imagine you traveling around and meeting all the the coolest cybersecurity companies and figuring out how they're doing stuff, is that sort of how it was?

Anton Chuvakin:

Well, not only that, that's one half the other half is, of course, to give advice to other other companies and right research, right. So if people don't know it, maybe people don't realize it. But a lot of the analysts from work is learning from clients so that we can then teach other clients very little, very little stuff is kind of made up because frankly, analysts don't make anything up, we typically synthesize from what we see. So it's kind of funny that the job is called the analyst. But you really mostly are a synthesizer, I guess, because we mostly come see patterns and kind of export them to other clients. It's kind of maybe I wouldn't say it's a dirty secret, but it's a secret. It's not a well kept secret that that's likely what the end of the job entails. So I used to learn from how people do things, and then kind of like processes and the research and the guidance. And then we help many other companies and organizations deal with their security operation problems.

Robby Peralta:

Hmm. Awesome. Well, that sounds like a very fun job.

Anton Chuvakin:

It was a very fun job. Yes.

Robby Peralta:

So if you look back at those 20 years, how did we get to where we are today, then? I know it's a very broad question,

Anton Chuvakin:

Well, my first encounter with my first close encounter with security monitoring technologies, like SIEM was in fact in 2002. And it's really slightly scary that some of the stuff we deal with today in 2020, is sort of very reminiscent of the stuff that I've seen back in 2002. So let me first state say that I'm not one of those curmudgeons, who basically says, oh, clouds, like a mainframe, there's nothing new. I'm not talking about that. I'm talking about the problems. technologies have changed. There's no debate about that we had, you know, we had thought we have cloud computing, we have distributed, we have more Well, we have lots, lots and lots of other tech. So tech changed, but some of the problems we face are kind of not changed. And so I remember many, probably around 2002, I was actually writing the correlation rule for a sim project that I've worked for back in the day. And one of the things was like, people are using default passwords and people doing password guessing. So it was a very popular and the very, you know, common Attack, attack type, password guessing or using the default password. So 2002, we naively thought it would be solved very soon, either by multifactor, or by, you know, some kind of futuristic technology or just by people become indebted with Bosler? I don't know. But, you know, I'm looking at the current detection content right today. And the other they're definitely password guessing rules. And there definitely rules for default passwords or standard passwords. So it's kind of peculiar. Maybe I'm picking the one area where the old stuff never got resolved. But after being a gardener, I became kind of uniquely attuned to the fact that a lot of our problems are pretty much just same problems we had for many, many years. Sure, there are new problems. But when I've tried to visualize how things have gone for those years, we sort of have a pile of problems. But you probably get thrown on top. I've used to challenge people sometimes. And by telling them, hey, name one security problem that was solved, like salt, salt God. And people obviously give me like some kind of a smartest, funny answers like Windows 3.1. Hacking by overflowing the network driver is solved. I'm like, probably. So when when I think about the security problems that got solved, you can pick something from, you know, hack in a particular technique of hacking a system that's no longer in use. I don't know, Windows 10.1. And but that's kind of a little bit of a cheating answer, just like, you know, maybe stealing typewriters in another very common crime nowadays, because nobody uses them. Sure. But like, if you think of a more systemic problem, it's really hard to name one that's just solved flat out. And, yeah, if you go, say, back to the 90s, and you try naming a type of an attack, or type of a threat that just like was, is that is not an existence today flat out? That's a hard question. And, frankly, I think you could name one. And maybe if I think really hard, they would name one. But the point is, it's a hard question to name a security problem is just flat out solved in 20 years, it is just gives you thought, right? It just gives you gives you a bit of a like, oh, what's going on here? Hmm.

Robby Peralta:

So if I've looked at a bunch of reports and stuff, and I've seen like the evolution of security monitoring, and in 2002 was like network traffic, and then you know, along the way, somewhere went into log management, SIEM and EDR. Now, it's cloud stuff, right? But one thing speaking of problems getting solved one thing that has not been solved yet is the whole SIEM, security information, event management sort of space. Yeah. So what are your thoughts around SIEM? Is it dead? Or is it alive?

Anton Chuvakin:

Okay, so this is that question. Is it dead? Okay, so short answer is not dead? It's a longer answer. A longer answer is this. I would say that when we started deploying, at the time, they were called either SIEM products with an I or SIEM products with an E. We started seeing even basically two types, and there was a debate which one's the right one, I'm talking maybe, maybe 2000 to 2003 type timeframe. So at the time, the mission for sim was at this time was clear for Sam and Sam for both. And so later on, I think Gartner in around 2004, my timing may be a little off a year, basically combined Siemens sim into one and called it si em. So the four letter acronym was born, why the product existed back then was clear. But over the years kind of changed slightly. For example, today, you sometimes see modern security monitoring vendors, I don't know some analytics vendors basically say, oh, Sam is for compliance. But I, I'm a guy who lived through the years of sim before compliance, and I could tell you for sure that Sam was born Well, before compliance, some of the US regulations, PCI 2006 2007, Sarbanes Oxley, nobody remembers now 2002, a bunch of international regulations are all much later. So the point is that sim as a technology was born before compliance, and you cannot say I will compliance, because frankly, it was designed to build originally when compliance didn't really exist or that much, a little bit in some industries. But later on, it did become associated with compliance and no debate here. So around maybe 2000 789, a lot of my work in this area, I was doing log management at the vendor back then, was connected to compliance, whether it's PCI, whether it's HIPAA, whether it's a bunch of, you know, us and non us standards, even ISO 27, double 01, all this exciting stuff was compliance, but that after that era, we kind of went, again, back to threats. I shouldn't say back to the roots, but I would say back to sim as a monitoring console threat detection, console, investigation, support console, I learned centralization, of course, and a little bit of rock flow, which is now growing. So to me, I don't want to write a book about the history of sim because there's not really that many clients for it. But but it's every evolution does teach us something that it's a technology that had a chance to adapt multiple times. And it's a technology that went through some years where its reputation was quite bad. No debate here. Yeah. Okay. reputation for complexity. And I've written enough both before Gartner at my old blog, and at Gartner and enough to Gardner about how some of the challenges really aren't about sim technology being done wrong, but they're about the mission being hard. If your mission is to detect threats, centralized alerts, support investigations. I mean, it's a hard mission, right? A

Robby Peralta:

lot of things. Yeah.

Anton Chuvakin:

Right. A lot of things and also, unlike, say, operational challenges, you know, back many, many, many Many years ago, people were trying to equate sim with like a massive network management systems. But for security, there's like a golden metaphor in 2002 was like, I would say was just like HP OpenView. But what security, which today sounds like a fairly new metaphor, but the point is that this was the original some of the original thinking was that, but the network monitoring mission is much simpler than a security 110 mission. So that's why I would kind of attribute some of the challenges with Sam, not to the fact that technology is broken and done wrong. But it with that with the fact that it's a broad growing and get an ever evolving mission.

Robby Peralta:

I mean, it's hard to do, it's a hard thing to do. And that reminds me of an article he recently wrote, right? Why detection is so hard. And you mentioned people data triage. And I want to start with the people part, because there's so many aspects of the why it's difficult in regards to people explain that a little more.

Anton Chuvakin:

So, I would say that, this, this blog post, why detection is hard, was kind of born out of me trying to put together a slide for a different presentation, about detection as well. And again, I thought, actually, why is it so hard? Why Why are Why are we facing so many years of like, challenges, and debating, and all that, and so on, it also reminded me of a blog post I've written in my garden, the days in my early gardener days, which was titled something like, why organization like buying security boxes, or something like why people like to buy boxes, appliances. And the point is that enough organizations today kind of still see security as we need to buy security to. And obviously, people who are enlightened, and people who vote for you know, managed service providers would kind of laugh at that. But that was true. Many years ago, that was true when I wrote the blog post around 2012. And, frankly, it's still true now, at many organizations, where they say, Hey, we have this security monitoring problem, we should buy security monitoring tool. And so the fact that monetary signals or detection signals would go to some kind of a human and that human has to make a call, and has to do something has to investigators to call somebody possibly do offline tasks, kind of slips from their minds, like they are not really, I mean, I can't say they're not aware of it, they're sort of not focusing on that. So they sort of assume that detection is kind of a binary detection tool problem. And that's what ruins this for now, because it's not, ultimately detection is uncovering something that is trying to hide. And it's not really about buying a better tool, it's kind of by supporting the detection personnel in the right way well, with tools to So to me, this is surprisingly hard, because you think that in 25 years, all security leaders will kind of know it. But my off the record explanation here is that enough people become security leaders after being IT leaders, rather than by going through a career in security, maybe, and they bring that type of IT operations thinking into security. And they say, Oh, well, we need network management, we're going to find different management tool, we need this, we're going to buy a tool, we need threat detection, we're going to buy a threat detection tool, but that's what's throwing this way. So this is why one of the I think it's a number two challenge I listed is that this is still isn't quite appreciated by enough of the mainstream companies. So again, don't get me wrong, anybody anywhere near enlightened, I don't know, top 10% of the pyramid top 30% the pyramid totally get for years. But then you start looking at more mainstream companies. And it's still like, our detection. Yeah, which is going to buy a detection tool we hear UVA is a good idea, they use machine learning, but it doesn't change the equation, it still makes signals signals just still have to go to humans. Hmm. And then the other challenge I noticed in this post is that in a lot of cases that terrain or there be the domain where we are the the IT infrastructure of a company is so messy is so unorganized ever changing layers of stuff from like mainframes to IoT piled on top that it's actually a really good place to hide, but it's a really bad place to seek sorry to use the kind of hide and seek metaphor here. So if you have you know, think of some kind of a, you know, post apocalyptic movie where there's like a abandoned factories like perfect cows, things, you know, you can hide there, but a lot of it environments to me remind me of that type of a post apocalyptic factory scene from some movie, a lot of stuff is broken, all the stuff is like propped by pull, something's wrong, something doesn't either some new shiny stuff left over, and it's just not a very good place to hide to look for an attacker and It made me mad, maybe my metaphor suck. But the point is, it is there it killed you can make places. And to find the company with a universally modern it is fairly rare. I mean, sure it companies that were born five years ago and grew quickly, they may have modernized it. But as somebody rightly pointed out, in a Twitter discussion, there is the technical depth of all stuff. But there's also technical depth from new stuff being done without much thinking. So sometimes if you look at a modern company that grew quickly, they also have chaotic it, not because it's legacy, but because it was done quickly without much thinking even by the top notch people. So but seen an environment which is very organized, predictable, well managed modern, no legacy stuff. Sure. detection, there is easy. But how many of those do they know? Very little? Yeah, yeah, that's so that's a lot. You know, a little that's a lot,

Robby Peralta:

Some of the things you mentioned in that, in that article, data and triage.

Anton Chuvakin:

Data side is kind of more obvious. You mentioned for example, fascination with network monitoring and fascination with logs fascination with endpoint. So I'm, I've built a model around 2015, I build a model that I called soft nuclear triad. And that later became kind of soft visibility triad. And I kind of said, Hey, today, you probably need endpoint network and logs to have a good to have good coverage. And sure, they were years where NSM, or network monitoring or packet capture or flow capture was like, really the top top stuff, I don't know, a long time ago. And then of course, there was a dearth of EDR 2015? Well, I kind of think that that the term so I know that that date, wow. And the force, there was a login login era before and after that, when people said, Hey, I'm going to buy a sale, I'm going to follow the logs in there, and I got it. But you don't really get it in this case, you sort of have to still look at traffic, you still have to look at the endpoint to have good coverage. So to me, the reason I kind of pointed out data is that people would have limited data sources, and then it tried to do a good job with detection. And they can do the best possible job with detection. Given the data that they have, they may or may not succeed, and to truly have a high visibility or how it's trained to to say now observability in your environment, you do need application level stuff in your network and union endpoint, you need logs for sure. And then maybe you get together here the picture. That's why I mentioned data and triage is, is connected to the other point you probably want to make about the uncertainty and intent, many of the detection signals all the way back to traditional signature IDs, alerts to sim to modern machine learning based algorithms for detection. They give you an alert or a signal of different level of confidence or different levels of certainty. And you know, who gets to decide what it means? Well, guess who a human again. So it's kind of cycles back to people, right? Sure, you may have supported tools for, say orchestration tools can go pull more source of data, hit query, the attack destination, can query threat Intel sources, and you would get a better picture. But you still need to kind of figure out what the picture tells you. Right? And so that alert triage, confirming alerts is also very often a challenge with people. For a good number of years, I've been trying to create kind of a generic playbook for your triage, like how do you change it or as well, and frankly, it's not an easy task, it's probably a completely pointless task. Because a lot of geography does vary by company, like you see an alert, you call somebody in it ops and say, Is this your system that's doing it? Like, you're doing triage, but you're doing triage, but calling the person who you know, who owns the system and who you know, is knowledgeable? Hmm, how do you playbook it? How do you stick in Atlanta who can say called john, on the third floor, he knows, like, that's very hard. But if I do what I just did, maybe my triage activities will take five minutes. But if I don't have the junk to call, maybe I spent two hours to get it out. So a lot of is hard to formalize. And it's so hard to then improve. Now, I've seen companies that really well organized activities, some of them are very rigid, I think 60 - 70 Visio diagrams thi k, massive implementation of security orchestration too s, with lots of playbooks. ut frankly, they're kind of an exception, right? Go d, predictable, while Good, go d, predictable and effecti e. Alert. triage is also ot common. But if you don't conf rm the signals, your detection is no good. Yeah, again, sor y. Sorry for the rant. I gues I can talk about this for ho rs because it's been kind of my long, long term fascinati

Robby Peralta:

That is why you're here. You're here to read exactly why I wanted you on here. What do you have I mean, now you just mentioned, you know, EDR sort of sore. And you know, cm in my mind that's kind of like all these things fit into cm. What is like? What's, you know? Where is where's sore? And cm and EDR? Is it this? Where is where are we today? Now?

Anton Chuvakin:

So that's actually a good question. Because let's first time travel to. And I think 2012. And this would be like the heyday of sim as same as an attempted single pane of glass. Like, if you want to have a single pane of glass, if you're willing to try for it. Whether you succeed or not separate story, you're doing sim? Hmm, ah, I would say today, I've noticed people with security operation centers where their main tool is a sore, which then queries a SIM, or log management repository. I've seen operation centers security operation centers with EDR are they sometimes we'll call it x dr to kind of show an expanded mandate from it from EDR, where the EDR is the central console. Why say a sim or log storage is the exhilarate. So there is a bit more, a bit more fuzziness. And a bit more choices, perhaps in this, like as SOC of 2012 would be unquestionably organized around a sim sim would be your thing, sim would be a center of attention sim would be where you'd spend most of the time, not all the time, but most of the time. Today, I would say this is still true at many places. And it's not wrong if it's true. But I would say that there's there are more choices. I've seen people with a pretty robust deployment of a good EDR tool, where EDR is their primary console, while the log manager or sim is their secondary, then it was not around, maybe even five years ago. I also see sometimes that a sore where they do the workflow when they do orchestration is their central, but log repository or a sim is basically what sort of queries so I would say that today's world in this regard is kind of a little bit more dispersed from sim sexuality. Like, you may have a sim centric sock, but I may have an EDR centric sock or x Dr. centric, so and you may be even in soar most of the time and soar with query Sim, you may never see a sim console or we'll see pretty rarely. So this makes for an exciting time. I'm back in the garden. The days I had a debate with an analyst who said that, you know what, for me at Caspi, cloud access security broker to maybe a SIM, and my initial reaction was, wow, this is stupid. But then he said, Wait a second, what about the company that doesn't have a data center uses, you know, 50 or 100 different SaaS services, does not run anything in public cloud is or runs very little, and does not have a data center? Well, like, why isn't CASB be thei SIEM? Hmm. And my answer wa , huh, well, okay. If you a e almost a complete SaaS puri t, software as a service puri ts, and you don't have data enter space have very little in rastructure service. Yeah, cas ing kind of is your SIEM. Hey, hate to say it like this becaus the mission is somewhat d fferent. But ultimately, your c ntral threat detection and monit ring console for all your s able of SaaS apps, is a CAS , is not the same as on log m nager in CASB's can collect some logs, they do detection, the can store logs, some of them. And so you may live in a world admittedly pretty esoteric plac where CASB is your SIEM. So, so I could say sorry, I argued with you five years ago, but yo were kind of right. This wa some companies. Hmm

Robby Peralta:

And that kind of goes back to what you just earlier said it's not about the product. It's not about cm or EDR. sore, it's about the mission, right to be able to detect and respond to respond to things that's different from each organization, depending on who that position is.

Anton Chuvakin:

may be different. I mean, there's still patterns like I still say that if you're building a sock that is centered a sale, I don't think you're wrong. I mean, it's, it's been there, it's broken model, you may see certain areas where you get to fill the gaps. But I don't think you're wrong. I don't think that it's a traditional approach here isn't wrong. It's just well, traditional approach. You may be non traditional, or you may be traditional. So to me, this is not about, you know, same as dad don't use sim Nothing of that sort. seems not that same as a two almost $3 billion market people buy their happy customers they're getting you can say despite customers for modern sales for software service teams, and even for legacy seats. Sure, why not? Hmm.

Robby Peralta:

But the million dollar question. Where do we go from here? what's what's next?

Anton Chuvakin:

Okay, good one. So. So here's where my bias, you know, because I've worked for Google, specifically Google Cloud Security sort of business unit, and I came there to chronicle. I have a bit of a bias in favor of a software as a service sim or something as a service model for a lot of detection and response. Now, I have a funny story about that going back to the Gartner days, a few years, several years ago, I somebody told me that they think software service sim is going to grow. And I told them, well, doesn't it have to appear first, before it grows? Like, if you look at the Magic Quadrant, or just in the market of sim in 2015, there wasn't anybody with a credible software service model who wasn't the mq or even invite us. So software as a service model for say, vulnerability scanning was pioneered by qualis,

Robby Peralta:

20 years ago. How about that, huh.

Anton Chuvakin:

And the software service for sim is much younger. And it's been a bit of a mystery. I know, I was all almost involved in founding the software service sim vendor back in the day before my Gartner job, but the funny part is, software service sim was a slow start. But today it gets stuck. And today, I would say that unless you are in some kind of extreme, cloud adverse environment where you just absolutely hate the cloud, and you just insist on using data centers for everything. Most likely a lot of security, threat detection would go cloud. And it was a really, really slow journey for this. And I feel I feel like in the last two, three years, it really ramped up. Like if you look at the same mq 2020 Magic Quadrant, you'd see two three credible software services vendors, a couple of couple of vendors with hosted offerings, and you'll see that area finally go big. And to me, Chronicle is kind of our way of doing it. And to me that way, is surely I would say superior. But I'll back it out by saying that it is superior because of the pricing model, because we don't charge per per gigabyte we charge per employee. So to me, SaaS SIEM is a big part of the future. A d whether it would be called S EM or security analytics, or may e it would be called XDR, I on't know. I think that you ould probably not be doing on prem SIEM, in five years. And y u are very unlikely to be us ng on premise seven second 10

Robby Peralta:

And and the main reason that is just because it's less work for you, right, it's just easier to get their information that are what is one of the main reasons why that is the case.

Anton Chuvakin:

Today, we did a paper on this on kind of like a first Gartner paper on softer service Sim, our team did in 2017, or 18. I don't recall. So the point is that when we did the analysis for the paper, I kind of thought, hey, it would be all about analytics. And in reality, it was all about it's much easier to manage. So exactly like you just said, so people said, we asked him, Hey, why do you use test him? And they're like, I hate I hate patching redhead boxes. And he's like, what? And they said, Well, that's why we want to do they want to do cloud, we want to do SaaS, because we don't want t maintain hardware, we want t don't want to performance t hardware, we don't want to pa for hardware. And to me the tha has been a current motivator But I still feel that th analytic advantages of Saa , where you do have broad r visibility of the data, a d hence, higher chances f applying analytics to data to e ultimately a weighing argumen . And this is what happened o EDR, for example. EDR was bo n as an on premise softwar , carbon black 2000 to, you kno , what don't they call the date f probably 13 as well. Yeah. A d so later on most of the E R vendors kind of found a way o back end to the cloud, becau e analytic advantages, ease f management, ease of deploymen , lack of the need to mana e massive, scalable back en s well, at each client. So to m , that sounds sasses the answe . And again, in other domains f security, people have known t for 10 years. I mean, you're n t gonna do like secure ema l gateway appliance. This has be n kind of waiting for many, ma y years. webproxy What Gartn r call secure web gateways? I mean, almost nobody's usi g appliances anymore. I mean, it s shrinking. But sim has be n slower to uptake of the SaaS. nd I think that's kind of a ig deal for the next few yea s, next several yea

Robby Peralta:

Are there any other like, small, like, benefits that people wouldn't guess just by having, you know, see him in the cloud. One thing I read about Chronicle was that, you know, can store telemetry data in the cloud, and maybe is just going back to pricing model, they don't charge that way. And that's why that's

Anton Chuvakin:

not it's it's not only sure, but it's not only that, I think one of the hidden advantages is that when you own the cloud, or even if you purchase the I mean, we all in the cloud, obviously, our you know, friends from Microsoft do too. And when you only got babies, if you don't on the cloud, even if you buy the cloud to rent the cloud, you can do a lot more interesting things with performance, manage The resources. So, for example, if I want to run deep learning algorithms, or any kind of more top tier ml stuff, you may need a lot of resources for somewhat short amount of time. Like, it's expected that you get it in the cloud. But you absolutely cannot have on prem. Because imagine that you have 50 servers, but for two hours, you need 50,000 servers, and then you don't anymore. You cannot do that you there's no way to do it. So to me, this secret future advantage of this would be the writing the types of ml, that rely on that type of extreme compute for short period of time, but not all the time. Because like, you know, we can do it all the time, but then it would be a little bit costly. The point is that, if you're on pram, I would expect that certain algorithms you can never run. Now, you asked me a second question named specific algorithms, you mean, and I cannot I it's still a little bit of a hypothetical where I kind of fused some of my knowledge of a male with some of my knowledge of SIEM. And kin of, I kind of suspect that ther will be use cases where th algorithms require a lot o compute for short periods o time. And if you're on prem, yo can never ever match it. An this is algorithm gives you threat detection advantage. An on prem then there can neve replicate it never ever, ever So to me, I feel like a littl bit of this is happening toda in EDR. I see some EDR vendor that run pretty heavy workload for a few hours, kind of I don' know, probably at night, but o course in the cloud, it doesn' really matter. And they gaine some analytic advantages fro that which an on prem competito can ever match. Okay, maybe thi was a little bit too elaborate But the point is that if there' an algorithm that you can run i the cloud that you cannot o prem, that's a dramati advantage. Hmm

Robby Peralta:

And that's not possible on premise

Anton Chuvakin:

exactly as possible, because you cannot buy 10,000 times more servers for an hour. Hmm.

Robby Peralta:

One last question before I let you go. I haven't heard artificial intelligence named in a security conversation for a long time. And that surprises me. And you're talking about machine learning, where where are we with in terms of that? Why is that not like a big thing anymore? Or is this just because of Coronavirus and I'm not at conferences anymore.

Anton Chuvakin:

I prefer to stick to ML for this and not really go say the A word.. So one of the last papers me and my team had done at Gartner in 2019 was kind of assessing the impact of AI and ML on security. So we are basically looking to answer the same question, what's the real state of affairs in regards to ml and AI techniques. And by the way, in the finance side, Gartner has gone through its own transformation in regards to AI terminology. When we started writing about this, we actually did not use the term AI because we sort of preserved initially preserved AI for some kind of a future advance, you know, but later on, kind of under pressure from everybody else, you say, an AI to me narrow AI, essentially advanced machine learning, we sort of cave, I guess that's my reading of the tea leaves, I don't know how it really happened. And they started saying AI to indicate narrow AI. Basically, machine learning techniques utilized in a particular manner deep learning, too. So in the paper, we did say AI ml, the point that we made in the paper is that there are certain areas where ml has been effective. And of course, there are anti malware companies. I'm not going to name names, you know, for this, that substantially relied on ml to detect viruses quite effectively. Right. And to me, of course, there are sim vendors or UBA vendors that rely on them. Well, very often is an exhilarating Nic, or as a technique that works really well for some use cases, but not for others. So to me, I would say we are in the sort of a slow ramp up like you remember the classic hype cycle from Gartner.

Robby Peralta:

Yeah I was thinking that right now

Anton Chuvakin:

I'm sure there's a published piece on security ML with hype cycle so you just need to look it up. But my impression is that we are in the we're kind of creeping up from the, from the from the, from the deep, right? So two, three years ago, and you went to conferences, and I went to conferences, and it was really, really noisy. It was probably close to the peak of inflated expectations, right? So it has largely come down. And I feel like we're gonna be slowly creeping up to the plate of productivity, where it's effective, but not magical. Today we are in the we are starting to see areas where it's effective. And we are already mostly aware that it's not magical. Of course there are always idiotic vendors who will say that there is No AI can solve security higher world hunger, you know, your cancer, I think. And yeah, but that exists. And then there's frankly, there's one particular vendor I'm thinking about, but we will be in the finding areas where it's works and using it there. So to me, this is kind of how it's feel it feels very much creeping up from the deep is what's going on. Hmm.

Robby Peralta:

So to conclude our chat today, SIEM is not dead SIEM has just reached the end of its hype cycle, and it's no longer a buzzword, I guess.

Anton Chuvakin:

It's no longer buzzword, for sure. Well, Dr. Chuvakin

Robby Peralta:

thank you so much for your time today. I'm going to beg you to come back once I have another good topic for you. So look for that in your in your LinkedIn mailbox.

Anton Chuvakin:

Perfect figure in my show, looking forward to it.

Robby Peralta:

Yes. Take care, stay safe. Well, that's all for today, folks. Thank you for tuning in to the mnemonic security podcast. If you have any concepts or ideas that you would like us to discuss on future episodes, please feel free to send us a mail [email protected] Thank you for listening, and we'll see you next time.

EDR and SOAR
The future of SIEM