In this episode of Abstract Canvas, I had the pleasure of discussing the evolution of SIEM with Jon Oltsik, a former ESG analyst and security operations expert. We took a look at the history of SIEM, starting from the early days of focusing on perimeter use cases to the current challenges of managing vast amounts of data, especially with the transition to the cloud.
Jon highlighted the importance of adopting an architectural approach in security operations and analytics, emphasizing the need for a common data service layer to handle the increasing volume and variety of data sources. We also discussed the shift towards platformization in the industry and the challenges of balancing specialization with the need for a comprehensive security solution.
We also touched upon the significance of standardization in cybersecurity, with a particular focus on the OCSF initiative and the importance of industry-wide support for such standards. And we highlighted the ongoing debates and challenges in the industry, such as the need for log health monitoring even after two decades.
It was a super insightful and thought-provoking conversation with Jon, shedding light on the current state of security operations and the need for real innovation and collaboration in the industry. Listen until the end for our shared vision for the future of security operations and a commitment to driving positive change in the field.
Colby:
Hey, everybody. I'm Colby DeRodeff, the CEO and co-founder of Abstract Security, and this is the Abstract Streamcast. I'm joined today by Jon Oltsik, former ESG analyst and security operations aficionado. Hey, Jon.
Jon:
Hi, Colby. How are you doing today? I'm great. How are you?
Colby:
Yeah, hanging in there, hanging in there. It's Wednesday, making it through the week. You know, it's great to be working with you. You're somebody I've been following throughout my career for a long time. Back, you know, when I was at ArcSight and at Anomali, we worked together. And so I've just kept track of the work you do out there. There are, you know, not too many people out there that have been kind of kicking around in this SIEM space since its inception. But you really have had the catbird seat over the years with an amazing amount of insight into what customers are looking for and early access to technological advancements that are driving this market. So let's talk a little bit about the evolution of SIEM and kind of your perspective on how we landed here today having this conversation. I like to go back to the early days when we were talking about perimeter use cases, IDSs, firewalls, et cetera. So I'd love to hear your perspective.
Jon:
Yeah, that was the use case then, because aggregating all those logs was difficult. And so it was basically a correlation engine just to say, okay, if the IDS is screaming at me, what's the firewall saying? And then it expanded from there. And as it did so, it had to scale quite a bit. And events per second was a big metric. It shifted gears a little bit in the 2006 time frame or so with compliance. And over time, it's sort of become an overall kind of data management, log management, and analysis engine. And that's kind of where we stand today.
Colby:
Yeah, it seems like it's gotten almost a little less exciting with all the kind of data management aspects and the growth of the data. Having to deal with that level of scale is really hard for a lot of organizations, especially with the transition to the cloud. You know, you recently wrote an article on making a shift to more of an architectural approach. Is that kind of one of the drivers behind that? Can you talk a little bit about that?
Jon:
Yeah, it is. And I should say that in 2016, while I was at ESG, I recognized this and we came up with this acronym called SOAPA, Security Operations and Analytics Platform Architecture. And in that, we talked about a common data service layer. Now, at the time, we weren't thinking cloud, but we were thinking that there needs to be just common access to all the data and easy access for the analytics engines. Now, again, if you fast forward to today, the amount of data has just exploded. And collecting that, processing that, moving it around, and then dealing with new data sources, new data formats, it's gotten to be a major, major challenge to security analytics. So the thought always has been, well, why are we doing that? We've seen that in other parts of the technology market where there was a very strong data management engine and then analytics tools plugged into that. So it just seemed, and still does seem, logical to me that that would happen in security.
Colby:
Yeah. I mean, I think I've seen a very similar thing, especially with regards to, you know, the desire by customers to kind of want, you know, to leverage sort of best-of-breed analytics, best-of-breed components as they build out an architecture, the data volumes. I mean, going back, we used to do all of our performance baselining around an event size, right? And an event size being 1K. And now you look at some events and they're like 2K. So just the size of the individual event has doubled. And this is partially due to different formats. I mean, you start putting things in JSON, there's a lot of extra data there that didn't used to be there. There's obviously the explosion of the volume of data itself. And I think we used to look at large systems as running 20,000, 30,000 events per second. This was a pretty big organization back in the day. And now we see that's kind of your average-size organization. And you have the larger organizations looking at a million events per second, or 500,000 events per second, or even bigger in some cases. But it's like everything writes event logs these days.
Jon:
Yeah, so true. And it goes back to what we started with. And that was, when we were collecting events from perimeter devices, there were some limitations around how much we would have. And there was also, because most of those devices were either at the perimeter or in the DMZ, some type of logical connection between them. And now, if you think about cyber attacks, something may happen in your cloud that is related to an endpoint offshore in some country, and that network traffic or that data traveled over multiple networks through lots of devices that are geographically distributed. It's a real chore to get all of that data and understand the ramifications of one event to another when things are happening all over the place.
Colby:
That's right. That's right. And yes, everything is more distributed these days, multi-cloud, you know, so you have a lot of the kind of, you know, big cloud players, right, saying, hey, use our SIEM, we'll give you some free storage. And, you know, it's like, that's great if you're using all the products from that particular vendor. But as you start trying to do multi-cloud and collect from other security devices, the feedback I've been hearing is that it's just not standing up to the challenge. And, you know, I really believe in, you know, the modular architecture where customers can leverage, you know, best-of-breed components, best-of-breed, you know, cloud service providers and really construct a system that works for their business needs, right?
Jon:
Yeah, exactly. Otherwise you end up with centers of excellence, which is fine, but it's a walled garden. So when a cyber event crosses from that walled garden to others, someone has to be able to put all the pieces together. And you can't do that if you're doing these walled gardens, these cloud-based approaches. And then the kind of analog to that is platforms. And we see that rising too. And I've got some opinions there too.
Colby:
Yeah, I definitely want to hear your opinions on that. I mean, I do, like part of me, I always believe in building a platform, right? I always want to build a technology stack that customers can build upon and build their own content. Anything I can build, they should be able to build on top of our platform, right? Because it needs to be extensible. We're never going to solve every use case out of the box, right? So I want customers, partners, et cetera, to be able to build upon a complete platform. But lifting and shifting your SIEM is a big job. This could be a one- to two-year journey depending on the size of the customer. I think it's important to think about a crawl, walk, run approach when you're doing that. But yeah, we're definitely hearing a lot of talk about platformization. You know, it reminds me of like the Symantecs and the McAfees back in the 2000s, you know, you get your AV, get your firewall, get your gateway, you know, get your SIEM, if you could, you know, call it that, call it a SIM back then. But yeah, what are your thoughts on some of the platformization talk we're hearing?
Jon:
Well, platforms can be a great solution if you're an SMB or a small enterprise. But I think even those customers would have a choice between a platform and an outsourced solution, so an MDR or MSSP type solution, because they're probably resource constrained. They probably don't have the staff or skills that they need. And that's a lot to run. Even if you get rid of all the point tools and aggregate into a platform, you still need those dynamic skills, you still need specialized skills. So that's a choice for the mid-market. Now for the enterprise, to me, if I could draw a curve, I would say there's a curve of how quickly we can progress in security. And I think a platform can accelerate that. And maybe generative AI, or AI in general, can accelerate that. But I think the amount of change that's happening in the IT world, the amount of change that's happening in the adversary world, is much, the slope of the curve is much steeper than what we can achieve with a platform. And so how do you bridge that gap? You're gonna bridge that gap with specialization, specialized tools, specialized knowledge, and then you need to piece that together. And that's where I think platforms kind of will fail, is that regardless of who the vendors are, and there are some really strong vendors building platforms, I don't think they can run as fast as the requirements dictate. And to me, that's the danger up ahead.
Colby:
Yeah, absolutely. Absolutely. I mean, everything's changing quickly, and being able to kind of build on a modern tech stack, make decisions quickly, move fast and adapt is obviously not something that larger companies are that good at, as has been proven kind of over the years. But, you know, I think there's a place for what they're doing. You know, if you're kind of a medium enterprise and you already have your endpoint maybe from this provider and you just want to start collecting those logs and having some analysis done on your behalf. I think one of the things that some of these companies provide that is interesting is the MDR, the management of the alert triage and some investigation on their behalf. But as you get into kind of multi-cloud, you're already running multiple platforms from multiple vendors, you really need something that, I always like to compare it, it's like going back to being Switzerland, right? Like you really need a provider who is not going to be selling you their endpoint at the same time and really pushing you to, you know, work with their tools, which always work better together, right? It's like, you start bringing in third-party data, all of a sudden, it doesn't map to the schema, it doesn't correlate the same, you know, these kinds of things we tend to run into. But yeah, Switzerland has always been kind of key for me as we've been building SIEM platforms over the last couple of decades.
Jon:
Yeah, I totally agree. I mean, I've been advocating more standardization in terms of just cybersecurity: technical standards, standard APIs, standard data formats, standard protocols, standard transfer protocols. I'm saddened that that hasn't progressed as quickly as I'd hoped. And I was hoping that either government agencies or large organizations would sort of demand that of their security providers. That hasn't happened. The alternative is the security provider saying, well, you don't have to worry about that because I have everything you need. And so one other point here, Colby, and I'm going to get up on my high horse here: security should never be driven by financial considerations. Meaning if a platform is cheaper, that shouldn't be the driver for moving to that platform. Now, if it's better and cheaper, that's a different story. But cheaper, the CFO pushing this on the CISO, that should never be the way we go. The CISO and the security staff need to determine the best technology fit, the best technology stack for their environment, in their industry, at a particular time and space. And as soon as we introduce, well, this one's cheaper and we're already doing business, we already have big contracts, there's going to be a sacrifice. And we've already seen that. So I'll get off my high horse now, but to me, that's a really important point.
Colby:
Yeah, I couldn't agree with you more. And I'm 100% on board with the standardization piece, right? I mean, that's something I've been involved with for years. I mean, even back at ArcSight, we created CEF, right? Common Event Format. And that was myself and Raffael Marty. We wrote that and it was great because everybody started using it and it actually made the collection of logs easier, whether you were using ArcSight or Splunk or QRadar. It didn't matter, right? Everybody, we all just supported CEF, right? And we didn't even call it ArcSight CEF. We just called it Common Event Format. And it worked really well back then. Now there are lots of variations of it, and now everybody's kind of got their own. Palo Alto has theirs, and Splunk has theirs. And so we had something, and then we all moved away from it. And I'm not saying that it was perfect, and maybe there are reasons why we moved away from it. That's great. I am excited about what's going on with OCSF. That's definitely something that we support from a data input, data output perspective, and I think, you know, say what you will about STIX/TAXII, right? But that was a great effort being driven, you know, by MITRE and OASIS and FS-ISAC and H-ISAC, all the ISACs really participating. And we did some great work to be able to share threat intelligence across organizational boundaries in a format that everybody understood. And I think we need to take OCSF with the same level of seriousness, and folks need to support it. I mean, I think that I really want to see the vendors that are behind it actually using it as well, right? So it's not just a hype cycle, but it's actually something that we are all using.
Jon:
I do too, I couldn't agree with you more. And as a security industry, we can't manage standards like the rest of the technology world does, where you have a number of engineers from different companies with different agendas and they get into technical debates. We're talking about protecting our digital assets, our critical infrastructure and lives. And so we need to come to agreements on standards. We need to certainly improve them over time, but we can't get into the typical standards body bickering and development cycles and things like that. Again, I've been in security for over 20 years. I can't believe we're still having this debate.
Colby:
I know, right? You want to hear another one that's pretty funny along those lines? And I agree with you. This conversation has been going on for way too long. Here's another one that's really funny. So I talk to a lot of customers and they're like, so you can tell me when that device stops sending me logs? And I'm like, yeah. You can do log health? I can't believe 20 years later, we're still talking about log health, right? And that's a crazy one to me. And that was off the cuff. I mean, that was, you know, not something I was planning to bring up today, but you have conversations that have been going on for a long time. Like that's one of them that really, you know, took me by surprise, that that's not a problem that's just been, like, solved. But it's, yeah, it's crazy, crazy. So look, I think, you know, this was a great conversation, Jon. I'm excited to be working with you. You know, I like to say the future of security operations is abstract, you know, pun intended, but seriously, I feel like we're at an inflection point. I think the customers are tired of the status quo. And I think as an industry, we're all kind of looking for what's next, right? So I really liked the paper you wrote and enjoyed the time we got to spend together. So yeah, I appreciate you coming on today and having a chat with me.
Jon:
My pleasure, Colby. As you know, I'm pretty passionate about this topic. So have me back whenever you want.
Colby:
Absolutely. We should catch up on a regular basis like this. I think it's good for the industry, and we'll keep pushing on OCSF and, you know, some of these standards as well.
Jon:
Please do.
Colby:
All right, Jon. Thanks very much. And I'll chat with you soon.
Jon:
All right, Colby. Be well.