EP234 The SIEM Paradox: Logs, Lies, and Failing to Detect
Digest
This podcast explores the challenges and pitfalls of Security Information and Event Management (SIEM) implementation. It highlights the frequent disconnect between vast log collection and effective threat detection, attributing this to poor operationalization, inadequate data modeling, and a lack of contextual awareness in alerts. The discussion emphasizes the critical need for semantic interpretation and correlation between diverse data sources to move beyond simple keyword searches. Significant organizational hurdles are also addressed, including talent acquisition and retention difficulties, and the necessity for strong collaboration between security engineering and operations teams. Common mistakes, such as poor product selection, over-automation leading to alert fatigue, and the isolation of log sources, are examined. The podcast further explores the role of detection engineering, advocating for a risk-based approach focused on high-value assets and a balanced strategy combining out-of-the-box and custom-built detection rules. Finally, the potential impact of AI on SIEM is discussed, acknowledging its promise while cautioning against expecting a complete solution to existing data challenges. Data hygiene and effective data modeling remain paramount, regardless of AI implementation.
Outlines

SIEM Failures: Operationalization and Contextual Challenges
The podcast discusses why many SIEM implementations fail to effectively detect threats, focusing on operationalization challenges, the need for proper data modeling and semantic interpretation beyond keyword searches, and the critical lack of context in alerts. This includes organizational challenges in SIEM adoption, common mistakes in implementation (poor product selection, over-automation), and the importance of detection engineering.

Context and AI in SIEM
This section delves into the persistent difficulty of providing sufficient context for effective alert investigation, exploring the need for data source correlation and human interaction to improve automation. It also examines the potential and limitations of AI in revolutionizing SIEM, emphasizing that AI alone cannot solve all data challenges; data hygiene and effective modeling remain crucial.

Detection Engineering and Risk-Based Approaches
This segment focuses on detection engineering, balancing pre-built and custom rules, and the importance of risk-based modeling prioritizing high-value assets.
Keywords
Security Information and Event Management (SIEM)
A system collecting and analyzing security logs to detect and respond to threats. Key aspects include log collection, data normalization, correlation, alert management, and reporting.
Contextual Awareness
Understanding relationships between security data for meaningful insights, including asset information, threat intelligence, and historical data.
Detection Engineering
Designing, building, and maintaining security detections, involving understanding attack techniques, developing effective rules, and tuning for optimal performance.
Over-automation
Excessive automation leading to alert fatigue and inefficient workflows; a balanced approach is crucial.
AI in Security Operations
Applying AI and machine learning to improve security operations, including threat detection and incident response.
Log Management
Collecting, storing, and analyzing security logs; crucial for SIEM success.
Data Modeling
Structuring and organizing security data for effective analysis and correlation.
Alert Fatigue
The state of being overwhelmed by excessive security alerts, leading to missed threats.
Threat Detection
The process of identifying and responding to security threats.
SIEM Implementation
The process of deploying and configuring a SIEM system.
Q&A
Why do so many organizations collect massive amounts of logs but fail to effectively detect threats using their SIEM?
Organizations struggle to operationalize their SIEM: they lack proper data modeling and semantic interpretation of the data they collect, and rely on basic keyword searches instead of correlation across sources.
What are the biggest organizational challenges hindering successful SIEM implementation?
Talent acquisition and retention are major obstacles, along with the need for effective collaboration between security engineering and operations teams.
What are some common mistakes organizations make when implementing SIEM?
Common mistakes include poor product selection, over-automation, neglecting proper data modeling, and treating each log source in isolation.
How can organizations leverage AI to improve their SIEM capabilities?
AI can enhance threat detection, automate incident response, and provide better contextual awareness, but underlying data challenges must be addressed first.
What is one key tip for organizations to get more out of their SIEM tooling?
Move beyond a "lift and shift" mentality; plan and design the implementation with a focus on data modeling, context, and risk-based approaches.
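The gap between "keyword search over raw logs" and "correlation over a data model with context" that runs through the episode can be shown concretely. The example below is added here and is not code from the podcast, its hosts or Citreno. It uses two constructed log sources with different field names (a VPN appliance in syslog style and Windows logon audit events in JSON; 4624 and 4625 are the real Windows success/failure logon event IDs, everything else is placeholder data), maps both onto one event model, and runs a single rule that correlates them and attaches asset criticality from a constructed inventory so the alert carries a risk-based severity. The hostnames, users, addresses and the `ASSETS` inventory are assumptions for illustration.

```python
"""Added example: keyword search vs. normalized, context-aware correlation.

Two constructed log sources describe the same concepts with different field
names. A keyword search over raw lines treats each source in isolation and
cannot even see a failure encoded as an event ID; mapping both sources onto
one data model lets a single rule correlate them and add asset context.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data; hostnames, users and addresses are placeholders.
VPN_LOG = [
    "2025-06-01T09:00:01Z vpn01 auth-fail user=alice src=203.0.113.5",
    "2025-06-01T09:00:07Z vpn01 auth-fail user=alice src=203.0.113.5",
    "2025-06-01T09:00:12Z vpn01 auth-fail user=alice src=203.0.113.5",
    "2025-06-01T09:00:20Z vpn01 auth-ok user=alice src=203.0.113.5",
    "2025-06-01T09:15:00Z vpn01 auth-fail user=bob src=198.51.100.9",
]
WIN_LOG = [  # Windows logon audit: 4624 = successful logon, 4625 = failed logon
    '{"TimeCreated":"2025-06-01T09:00:45Z","EventID":4624,'
    '"TargetUserName":"alice","IpAddress":"203.0.113.5","Computer":"fin-db-01"}',
    '{"TimeCreated":"2025-06-01T09:30:00Z","EventID":4625,'
    '"TargetUserName":"carol","IpAddress":"10.0.0.4","Computer":"kiosk-07"}',
]
# Asset context the raw logs never carry (constructed inventory, an assumption).
ASSETS = {
    "fin-db-01": {"criticality": "high", "owner": "finance"},
    "kiosk-07": {"criticality": "low", "owner": "facilities"},
}


@dataclass
class Event:
    """Common data model both sources are mapped onto."""
    ts: datetime
    source: str
    user: str
    src_ip: str
    outcome: str            # "success" or "failure"
    host: Optional[str]     # endpoint the logon landed on, if the source knows it


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_vpn(line: str) -> Event:
    m = re.match(r"(\S+) \S+ auth-(ok|fail) user=(\S+) src=(\S+)", line)
    ts, result, user, ip = m.groups()
    return Event(_ts(ts), "vpn", user, ip,
                 "success" if result == "ok" else "failure", None)


def parse_win(line: str) -> Event:
    d = json.loads(line)
    outcome = {4624: "success", 4625: "failure"}[d["EventID"]]
    return Event(_ts(d["TimeCreated"]), "windows", d["TargetUserName"],
                 d["IpAddress"], outcome, d["Computer"])


def keyword_search(raw_lines, keyword):
    """The 'grep the SIEM' workflow: a substring match over raw text."""
    return [ln for ln in raw_lines if keyword.lower() in ln.lower()]


def normalize(vpn_lines, win_lines):
    """Parse both sources into the shared model, ordered by time."""
    events = [parse_vpn(ln) for ln in vpn_lines] + [parse_win(ln) for ln in win_lines]
    return sorted(events, key=lambda e: e.ts)


def correlate(events, min_failures=3, window=timedelta(minutes=5)):
    """Flag a success preceded by >= min_failures failures for the same user
    and source IP inside `window`, then follow that source IP onto any host it
    reaches afterwards and rate the alert by the asset's criticality."""
    alerts = []
    for ev in events:
        if ev.outcome != "success":
            continue
        same_key = [p for p in events if p.user == ev.user and p.src_ip == ev.src_ip
                    and ev.ts - window <= p.ts < ev.ts]
        if any(p.outcome == "success" for p in same_key):
            continue   # an earlier success in this burst already produced the alert
        failures = [p for p in same_key if p.outcome == "failure"]
        if len(failures) < min_failures:
            continue
        hosts = sorted({h.host for h in events
                        if h.host and h.src_ip == ev.src_ip and h.outcome == "success"
                        and ev.ts < h.ts <= ev.ts + window})
        crit = {ASSETS.get(h, {}).get("criticality", "unknown") for h in hosts}
        severity = "high" if "high" in crit else ("medium" if hosts else "low")
        alerts.append({"user": ev.user, "src_ip": ev.src_ip,
                       "failures": len(failures), "hosts": hosts,
                       "owners": sorted({ASSETS[h]["owner"] for h in hosts if h in ASSETS}),
                       "severity": severity})
    return alerts


if __name__ == "__main__":
    print("keyword hits for 'fail':", len(keyword_search(VPN_LOG + WIN_LOG, "fail")))
    for alert in correlate(normalize(VPN_LOG, WIN_LOG)):
        print(alert)
```

Run stand-alone, the keyword search finds the four VPN lines containing "fail" and nothing from the Windows source, because that source expresses failure as event ID 4625; after normalization there are five failures, and the correlation rule raises one alert for `alice` from `203.0.113.5` that names the `fin-db-01` host, its finance owner and a high severity. Neither the VPN log nor the Windows log alone contains the information an analyst needs to triage that alert; the data model, the cross-source rule and the inventory lookup supply it.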
Show Notes
Guest:
- Svetla Yankova, Founder and CEO, Citreno
Topics:
- Why do so many organizations still collect logs yet don't detect threats? In other words, why is our industry spending more money than ever on SIEM tooling and still not "winning" against Tier 1 ... or even Tier 5 adversaries?
- What are the hardest parts about getting the right context into a SOC analyst's face when they're triaging and investigating an alert? Is it integration? SOAR playbook development? Data enrichment? All of the above?
- What are the organizational problems that keep organizations from getting the full benefit of the security operations tools they're buying?
- Top SIEM mistakes? Is it trying to migrate too fast? Is it accepting a too-slow migration? In other words, where are expectations tyrannical for customers? Have they changed much since 2015?
- Do you expect people to write their own detections? Detection engineering seems popular with elite clients and nobody else; what can we do?
- Do you think AI will change how we SOC (Tim: "SOC" is not a verb?) in the next 1-3-5 years?
- Do you think that AI SOC tech is repeating the mistakes SOAR vendors made 10 years ago? Are we making the same mistakes all over again? Are we making new mistakes?
Resources:
- EP223 AI Addressable, Not AI Solvable: Reflections from RSA 2025
- EP231 Beyond the Buzzword: Practical Detection as Code in the Enterprise
- EP228 SIEM in 2025: Still Hard? Reimagining Detection at Cloud Scale and with More Pipelines
- EP202 Beyond Tiered SOCs: Detection as Code and the Rise of Response Engineering
- "RSA 2025: AI's Promise vs. Security's Past — A Reality Check" blog
- Citreno, The Backstory
- "Parenting Teens With Love And Logic" book (as a management book)
- "Security Correlation Then and Now: A Sad Truth About SIEM" blog (the classic from 2019)