SIEM There, Done That: Rising Up in the SecOps Revolution

Posted on in Presentations

Yesterday’s tools barely help us today—and they won’t help us tomorrow. Slow, static security solutions like SIEM never solved SecOps challenges and can no longer carry us to the future. Through the power of automation and intelligence, we’ve ushered in a new era of cybersecurity. For the cyber industry, the revolution has finally arrived. Let’s build momentum and continue our great leap forward.

Video Transcript

>> ANNOUNCER: Please welcome Chief Executive Officer, Trellix, Bryan Palma.

>> BRYAN PALMA (On screen): Hey, everyone, Bryan Palma here, the real Bryan Palmer. Listen, if you want to see me deliver my keynote in person, I’m totally available. You just need to pay me a $10,000 ransom – I mean speaker fee – immediately. I assure you, I’m worth every penny. All you have to do is send payment to the link below. I’ll accept Bitcoin, gift cards, whatever you got. Otherwise, you’re stuck with the video version, and no one wants that. So go ahead, pay now –

>> BRYAN PALMA (IN PERSON): Hold up, hold up, hold up. Please cut that video. Jeez, oh, man. Deepfakes. These things are everywhere today. And they are pretty convincing. Not perfect, but pretty darn good. Yes, that is me in the footage. But I never said those things. Those words never came out of my mouth.

Let me start for real this time. Ladies and gentlemen, today I want to talk to you about a revolution that is sweeping across the world of cybersecurity. It is called the SecOps Revolution and it is changing the way we approach security in our organizations. With the rise of sophisticated cyber threats, a more integrative and proactive approach to security is necessary. It has become more pressing than ever before, and that's exactly what the SecOps Revolution is all about.

By bringing together security and operations teams in a collaborative and streamlined way, we can better achieve security outcomes, faster incident response times, and a more resilient security posture overall. So, buckle up, because we are about to embark on a journey that could transform the way you think about security. Let me pause there again. I have a confession to make. That introduction, it was written by ChatGPT. Again, pretty good, right?

I normally wouldn't start off with ladies and gentlemen, and I don't think I would ever say buckle up. But why did I do this? I did it to illustrate a simple point, a mere show and tell of the powerful capabilities in the hands of our adversaries. Using advanced AI, they can produce realistic deepfakes of anyone they want. They can create phishing emails in any language, with perfect grammar. And novices can build zero-day malware. The fact of the matter is this: we have been barely staying ahead of the bad guys for years, and the tables just flipped again. We’ve entered an AI arms race and our enemies have taken the lead. Meanwhile, we seem to be stuck in time. Cybersecurity vendors aren't innovating fast enough with AI. Security operations teams are slow to adopt modern solutions. For example, one of the largest cybersecurity budget items is legacy SIEM. I talk with a lot of customers each week and this trend was disturbing to me. So, my company surveyed over 500 CISOs from all over the world. The results made me more concerned about the adoption of AI and the state of security operations.

First off, 51% of organizations expect to maintain or grow their investment in SIEM. That is higher than more advanced tools, like NDR and XDR. Look, I realize it's a top budget item, perceived as woven into the security fabric, but for us to move forward as an industry, we cannot afford to look back. And there is no debate: we must leverage AI to drive strong detection, response, and remediation. That is the only way we will stay ahead of the curve. 96% of CISOs said they need better solutions to be more cyber resilient. Let's not be defensive as vendors about that feedback, and let's not mince words. Today's SOCs are struggling to keep up. They are working hard to be effective, but they are inefficient and relying on outdated technology. There is just too much complexity. The average SOC analyst uses 25 different security tools, and still, only 34% of CISOs say they have what they need to stay resilient. On top of being old and outdated, our tools are fractured and fragmented. The number one challenge for today's CISOs is too many different sources of information.

You could have an army of experts evaluating your data around the clock and they still wouldn't be able to make sense of it all. Instead of making critical security decisions, SOC analysts are too busy fighting with their SIEM to get the insights they need. Our continued dependency on legacy technology also comes with another consequence. It means relying too heavily on our staff, a staff that is already short on resources, training, and time. More and more, our people are becoming severely overworked. Even our best employees quickly go from burning bright to burning out, because they fill their days with tedious, painstaking tasks. 94% of security leaders said the right technology would save them significant time. And 81% said it would minimize overtime.

Managing security incidents also adversely impacts how security experts feel. 60% feel worried or under pressure during an incident response. You should hear how some of these CISOs talk about the stress in their roles. One told us, "In terms of an incident, it's not if, it's when. So I am always looking over my shoulder for the grim reaper, waiting for something bad to happen." And, unfortunately, CISO is not only a stressful job, but a thankless one, too. It's a lot like being a goalkeeper for a football team. You could save 15 shots in a game, but if you let one ball slip past and your team loses 1-nil, you shoulder all the blame.

Now, our survey really opened my eyes to the troubles of today's SOC, but it wasn't enough. I wanted to see it for myself. So over the past few months, I went and visited half a dozen SOCs around the globe. It was an amazing experience and I gained some great insights from the front lines, from people just like you who do these jobs every single day. Analysts, investigators, and responders are stressed. They face a perfect storm: a fast-expanding threat surface, the lack of modern tools, and fewer opportunities for teamwork. All of the SOCs I visited operated in a hybrid model. And some of the ingredients that make SOCs so special are in real jeopardy. The post-COVID world means less time together, less collaboration, and less mentorship.

While remote work has increased productivity, it's unclear if it's improved morale. It comes with a cost to employee development, to on-the-job training, and to real-time collaboration. Maya, an analyst at a financial services firm in the D.C. area, told me her SOC sees an average of 7 million hashes a day. 7 million. How could anyone possibly detect all those threats with 7 million hashes staring them in the face? No wonder people miss things and are stressed. Kareem, the SOC manager at a retailer in Dubai, recently bought his team noise-canceling headphones. Why? Because the noisy alerts were driving them up a wall.

And just this month, I met Klaus, the CISO at a German manufacturer. Honestly, it was tough to talk to anyone on his SOC team. The demands of the job were so high they could barely drag themselves away from their screens, even for a second. I truly feel bad for their bladders. The point is this: today's SOC needs a makeover, and I know the security community is up for the challenge. We got into this business for a reason. We are protectors at heart. That is how one in three CISOs identify themselves, and I can relate. Before I was a CEO, I was a CISO myself. Protecting people is what drove me then and it's what drives me now. So, how do we fix today's SOC? I truly believe the only solution is a SecOps Revolution, one where we overthrow the outdated, challenge the status quo, and rethink everything we know about security operations.

Now, I am no artist, but let me paint a picture for you of what tomorrow's SOC must look like. It's an aggressive vision, focused on three bold advancements. First, the SOC of the future fights back. Lately, I have been watching this Cobra Kai series on Netflix. Have you seen this? It's a reboot of those old Karate Kid movies from the '80s. And man, it takes me back. I spent a whole summer trying to catch flies with chopsticks after watching that first movie. I never quite got one, though. For those of you who don't know, the show is about two groups of teenagers from competing karate dojos. One group learns the teachings of Mr. Miyagi: inner peace, focus, and karate as a means of self-defense. The other group, Cobra Kai, has a different philosophy. Their motto is strike first, strike hard, no mercy.

Growing up, I was on the hero side. I backed Daniel LaRusso 100%. But there is a time to do things the Miyagi way and a time to do things the Cobra Kai way, especially when it comes to our line of work. 86% of CISOs in our study had experienced a major cybersecurity incident. The stakes are incredibly high for all those security teams working to protect their organization. Like one CISO told us, the bad guys only have to be right once. How long will we only play defense? We have to go on offense. Ransomware groups are attempting to destroy our businesses, yet all we have are defensive tactics? Shouldn't we have an opportunity to not only strike back, but strike first?

Our industry boasts a powerful cyber intelligence community. If we collect ample evidence that our adversaries plan to attack us, it should be game on. We should have some ability to protect our organizations, strike hard, and preempt attacks. SOCs should aim to disable their enemies, eliminating them as present and future threats. We will give them a taste of their very own medicine, using the very same attack methods they use on us: social engineering, phishing, network scanning, vulnerability exploitation. I have got three words for you. Sweep the leg. Now, of course, I am being provocative, but does anyone imagine winning by only playing defense? Not likely. I definitely don't have all the answers on how we effectively leverage an offensive playbook. But what I do know is this: we need a mindset change. Let's challenge policymakers and politicians to reimagine the rules of engagement.

Now, the reality is, even if we had access to an offensive playbook, we don't have the resources to stand up the new squad. Which leads me to my second advancement: the SOC of the future games the system. Let's be clear, cybersecurity is not a game. But maybe we should treat it like one. In Ender's Game, a classic sci-fi novel, this is exactly how humanity wins a war against an alien race. Recruited to train as a military commander, Ender participates in competitive war simulations. Using novel tactics, he excels in the competitions and ultimately destroys the enemy planet. Ender is only informed after the battle that the simulations were real the whole time. Now, I'm not suggesting we trick people into cybersecurity careers, but there is a whole pipeline of talent to tap into: gamers. As you are well aware, we struggle to recruit cybersecurity professionals. We currently have a global deficit of 3.4 million people. Over a third of the CISOs in our report said they lack the skilled talent needed for their team. Simply put, we need more cyber warriors; that means building more pathways for future SOC analysts.

One CISO said, "There is a dearth of skilled resources. Finding the right talent is very important, but it's a big challenge." Well, guess what? There just so happen to be 3 billion gamers worldwide. Let's assume we built an ecosystem fusing gaming platforms with SOC operations. Through crowdsourcing, competition, and economic incentives, we could train the next generation of cyber warriors en masse. Realistically, we could recruit the best of the best. Even targeting the top 1% provides 30 million potential analysts, investigators, and responders. Gamifying the SOC not only helps us appeal to the masses and recruit new talent, it helps us create better skills for existing employees. Tomorrow's SOC uses elements of gaming to onboard, engage, and motivate individuals. With interactive training modules, we could simulate real-world security scenarios. As operators detect anomalies or remediate attacks, they earn money, prestige, and certifications. But the gaming does not end when the training ends. With gamification we could create the ultimate crowdsourced SOC, and this army of gamers would work for everyone. They are not tied to a single organization. They are cyber mercenaries with a cause. They are doing soulful work.

One day, they would be protecting a private enterprise from the latest nation-state attack. The next day, they would be helping an NGO keep a hospital system up and running. As they rack up experience and climb the cybersecurity leaderboard, they raise their earning potential, professional reputation, and security skills. Keep in mind, not everyone is fit for this army of gamers. If you are like me and still can't get past the first level of Pac-Man, you are probably not qualified. But that's okay, too, because the SOC of the future runs on robots. For years, Hollywood has been obsessed with films about artificial intelligence, namely machines that have been trained to think and act like humans. But one theme keeps popping up again and again: the idea of robots as protectors.

In real life, we have a chance to put these robots to work for us and create an autonomous SOC. Nearly one in three CISOs still crave more automation. In tomorrow's SOC, they will have what they want, because the machines will lead the way. AI will power our future. Today we expect intelligent tools to augment humans, but the time for that has come and gone. Training employees on an endless stream of best-of-breed tools is not scalable or sustainable. One CISO put it like this: "Your weak link is the human. The future is machine on machine." SOC robots would assume all the foundational cybersecurity work, virtually eliminating humans entirely from the detection business. Robots also assume most of the response work, through automation.

Think of it this way. The robots are on the field, playing the game. The humans are now up in the press box, coaching and calling all the right plays. Going forward, humans would act as arbiters, stepping in only when more strategic decisions are required, transforming from a group of analysts monitoring systems and executing rote procedures to supervising machine-on-machine warfare, coordinating remediation, and running offensive campaigns. Essentially, humans become the feedback in the security circuit. That is the future we have to march to. With a machine-led SOC we can analyze all events, not just the critical ones. We can understand complex insights and know exactly what to do with them. And we can automate response and preempt attacks with swift precision. Imagine a SOC with robots like R2-D2 and Optimus Prime in control. I would trust that SOC with my life.

So, that was a peek at tomorrow's SOC. But as we know, today's SOC doesn't look anything like that. It's failing our organizations and the committed cyber pros working tirelessly to battle our adversaries, and it's urgent that we fix it. Oh, no.


>> BRYAN PALMA (ON SCREEN): Me again, the one and only Bryan Palma. Or OG VP, as all my good friends like to call me. Guess you weren’t interested in hearing me speak. I only got one response to my earlier offer, some guy named Jeff who told me, “Go look for suckers on the Genesis Market.” Thanks, Jeff, I appreciate that. Oh, well. I hope that impostor Bryan on stage right now isn’t boring you to death. If he does, keep me in mind for next year’s event. Trust me, $10,000 ransom – I mean speaker fee – is a total bargain. Anyway, peace out.

>> BRYAN PALMA (IN PERSON): Impostor Bryan, unreal. Clearly, deepfake Bryan doesn't keep up with the pace of cybersecurity. Taking down the Genesis Market was so three weeks ago. As I was saying, the clock is ticking. Time is running out. If we refuse to change our ways, if we neglect to take immediate action, if we fail to rise up in the SecOps Revolution, we lose and our adversaries win. So I don't know about you, but I choose revolution.

Bryan Palma


Chief Executive Officer, Trellix