Don't Get Blown Away By the SIEM Storm: AI-Powered Security Operations to the Rescue

After you have watched this Webinar, please feel free to contact us with any questions you may have at general@anomali.com.
The SIEM market is facing unprecedented upheaval, with legacy vendors being acquired, merged, or dismantled. This chaos can leave organizations vulnerable, with uncertain long-term plans for many legacy SIEM solutions. Is your SIEM prepared to weather the storm?
Watch this on-demand webinar for a candid discussion about the recent turbulence in the SIEM landscape. This webinar covers:
- How recent market disruptions can affect your security posture and why now might be the time to reevaluate your strategy.
- How to achieve total visibility across every attack surface and surpass the limitations of legacy SIEM solutions.
- How AI is transforming threat detection, investigation, and response, and shifting your security operations from reactive to proactive.
Transcript
Hi there. I'm Tom Field. I'm senior vice president of editorial with Information Security Media Group. Very pleased to welcome you to today's session.
The topic is Don't Get Blown Away by the SIEM Storm: AI-Powered Security Operations to the Rescue. Your presenter today is Matt Sayer. He's a principal product manager with Anomali. Now before I bring Matt onto our virtual stage, a little bit of background on our session.
The SIEM market is facing unprecedented upheaval with legacy vendors being acquired, merged, or dismantled.
This chaos leaves organizations vulnerable with critical security operations at risk. Is your SIEM solution prepared to weather this storm? Well, in this session today, we're gonna offer you an eye-opening discussion where we challenge the status quo of traditional SIEM systems. We'll dive into the real issues plaguing SIEM, including how recent market disruptions could jeopardize your security posture and why now is the ideal time to reevaluate your strategy, how to achieve total visibility across every attack surface, surpassing the limitations of outdated SIEM solutions, and, of course, how AI is revolutionizing threat detection, investigation, and response, transforming your security operations from reactive to proactive.
Now some background on my organization: Information Security Media Group is a global education and intelligence firm. We're based in the US in Princeton, New Jersey. And, of course, you may know us by any number of our thirty-seven media properties. These include HealthcareInfoSecurity, DataBreachToday, and one of our newest properties, AIToday.io.
In all, we serve an audience of over 1.3 million security and technology leaders globally, and we give them a daily diet of news, analysis, research, events, and educational programs just like this one.
I do have a few notes of housekeeping. One, if you have any questions for Matt during the course of this session, you can submit those anytime by the chat window on your screen. We may not be able to get to every question today. In that case, any question you submit that we can't answer, we will get a response back to you later via email.
Should you encounter any technical issues while viewing today's webinar, take down the email address you see on your screen. If you write to webinars@ismg.io, we've got support staff standing by to help. And a reminder, today's webinar is copyrighted material meant for today's session and individual study purposes only. If you'd like to use any of the information presented today or if you're looking for customized training materials, please contact us.
I am delighted to introduce our sponsor, Anomali. Anomali is headquartered in Silicon Valley. It is a leading AI-powered security operations platform that is modernizing security operations. At the center of it is an omnipresent, intelligent, and multilingual Anomali Copilot that automates important tasks and empowers your team to deliver the requisite risk insights to management and the board in seconds.
The Anomali Copilot navigates a proprietary cloud-native security data lake that consolidates legacy attempts at visibility and provides first-in-market speed, scale, and performance by reducing the cost of security analytics.
Anomali combines ETL, SIEM, XDR, SOAR, and the largest repository of global intelligence in one efficient platform. To protect and drive your business with better productivity and talent retention, do more with less, be different, be the anomaly. Learn more at anomali.com. Now let's meet our speaker, Matt Sayer.
He's a principal project manager at Anomali, where he's helped lead development of Anomali Copilot, a series of Gen AI solutions empowering security operation centers around the world. With that, let's bring on Matt Sayer. Matt, thanks so much for being here today for this discussion.
Yeah. Thanks so much for having me, Tom. Happy to be here.
We'll start here. In talking about the SIEM market, how have Cisco's acquisition of Splunk, Palo Alto Networks' purchase of the IBM QRadar SaaS assets, and the LogRhythm-Exabeam merger all impacted customer experience?
Well, I think first off, it all kind of happened at the same time, didn't it? It was a little earlier this year, and it was a big upheaval. You know? These legacy vendors had been around for a while.
All of a sudden, things just started changing. Right? So I think the biggest takeaway there is when you as a customer are evaluating what kind of tools you need to make your SOC work as efficiently as possible, you need to evaluate the vendor's business as a whole, not just their products. Right?
So you have to think about support, for example. You know, what's that gonna look like as these different companies acquire the companies? What about product longevity? You know?
When a bigger fish eats a smaller fish, do they already have similar products? Is there some overlap in the Venn diagram there? Does that mean one product is gonna go away? Is one product gonna subsume another one?
There's a lot of different questions like that that you as, you know, a customer need to ask yourself. And it's just extra work that you have to think about as you go and evaluate different vendors.
Beyond customer experience, Matt, would you say these deals have meant for pricing, for technology investment, and just the pace of innovation?
Yeah. I mean, well, that's mostly an economics question in my mind. Right? I mean, just Economics 101: the less competition there is, the less incentive there is to innovate. Right?
So, you know, what'll happen to prices and technology investments, pace of... like, I think, I don't have a crystal ball, but maybe some things will slow down.
What you need to do is just evaluate the products as they are today. Right?
Again, understand the goals of the company that you're buying from so that you can understand kind of... you know, you can peek into the future a little bit if you understand that, hey, you know, my product that we're using was acquired by, let's say, a PE firm. Maybe that's, you know, something you need to understand is maybe the pace of innovation might slow down and become more efficient, if you will.
So, again, just understanding your business as a whole would kinda give you a little bit of insight into where your product might be going.
Now talk about the technology a bit. Why has integrating adjacent technologies into SIEM caused what you would call a collapse of the security stack?
So you say collapse of the security stack. I think, you know, SIEM is the gravitational center of security, and it's gonna be that way for a while.
I think there are legal regulations that you basically have to now. Right? Like, if you wanna be, you know, pick-your-acronym compliant, you need to have a SIEM. Right?
It's this dumping ground for all your data. It's real easy to just have it there for auditing purposes.
But the more ways you can find value in that data, the better. Right? And that's why all these different things exist to help you analyze and run correlations and detections.
But when you say having adjacent technologies collapse the security stack, has it? Because, you know, many SIEMs have acquired different types of integrations like SOAR and what have you. These acquisitions are hard. Right?
Non-native integrations are hard. They eventually become more of a bolt-on type of expansion.
And, you know, depending on, again, the goals of the vendor, maybe it'll kinda be that way into the future. Maybe they will try and integrate it more natively.
Who knows? Again, acquisitions are hard, especially from a people perspective. Right? You have people that stick around that may not be as motivated as they were pre acquisition.
You know, maybe some people have, let's be honest, maybe some golden handcuffs. So motivation there is fleeting.
And, of course, there's usually, like, a, kind of a morale hit from any kind of layoffs that happen from certain redundancies.
So when you say these integrations via acquisitions are causing a collapse in the security stack, I would say that it's a little more nuanced than that.
Yeah. Talk about the new cloud world. What does being cloud native mean for scalability, for visibility, and for data analysis speed?
Yes. I mean, so real simply, like, you know, each one of those: scalability, ingesting new data, more data, it's not a project. It's a click. Right? It should be that easy.
You talk about visibility.
With a cloud-native environment, you shouldn't need to pick and choose the type of data you're ingesting. You should get all the visibility you need, and cloud lets you do that. And then you said data analysis speed.
You should be able to perform searches in seconds, not days. And you can only do that if you have, you know, the tenets of cloud. Right? You need speed, scalability, resiliency, rapid elasticity.
All those things combined are what make cloud native products as good as they are.
Fair to say then, Matt, that cloud native architectures are far better suited to manage large volumes of security data, which, of course, is our world today.
Yeah. Absolutely. Because, again, you know, tenets of cloud: speed, scalability, resiliency, rapid elasticity. And then on top of that, security and cost.
Right? You know, when you are able to build in the cloud and have your own data lake not built on top of any other vendors, you can pass those costs on to customers. Right? That's the whole point of the cloud.
Right? You're all sharing resources and, again, keeping the security of your tenants as separate as possible. And so you don't have servers sitting around running at half capacity waiting for the holiday rush. You know?
You're using it all as necessary.
Okay. We're ten minutes into the conversation. It's fair time to bring up AI for the first time.
Surprised it took this long.
Exactly. Well, you talked about speed. Talk about how AI driven processes allow SIEM tools to search through vast datasets at far faster speeds than we've seen before.
Yeah. Absolutely. So it comes down to sifting through the noise. It's always been about trying to find needles in a haystack. Right? And AI can do that. It is really good at taking a lot of information and processing it way faster than any human could possibly ever do, so it can surface those needles in the haystack.
And right now, you know, today, these AI tools, these copilots, they really are true copilots. They're helping you enrich alerts, recommend next steps, predict an attacker's next move, and they can do it faster than it took me to say that. Right? Whereas, you know, a SOC analyst walks in, you know, in front of their computer. They have to get their coffee first and, you know, not hating on coffee or the need of it. It's just that's how computers are. We want them to help you be faster.
Is it an understatement to say that generative AI can reshape threat detection in SIEM platforms?
I think that's a perfectly accurate thing to say. I mean, it doesn't matter how fast your SIEM is if you don't do something with that data. Right?
And because we have these AI models out there with gigantic context windows, I think, you know, the Claude 3 series and new Google Gemini stuff. Like, we're talking million-plus token context windows that can help you spot patterns in your alerts and help you correlate all these different threat actor type activities. And if you have all of your log data in one place, including that threat intelligence data, you don't have to pivot between multiple platforms. You don't have to do any context switching.
You can get that information in literally seconds.
Matt, you're right in the middle of the evolution. What tangible speed and performance gains have you seen with generative AI?
Absolutely. So, I mean, copilots, they boost your performance immensely.
It's all about driving down that, you know, mean time to detect, mean time to respond.
So one example I can give you, in our platform, summarizing large amounts of data. It's the low hanging fruit of generative AI type technologies. Right? Take all this information, condense it into this little bit of information. We have, a lot of threat intelligence feeds that are available in our platform. And, for the month of September, just one particular feed I've looked at.
Imagine you're an analyst and you, you know, read every article and you wrote a short report about it. What we've done with our copilot is, again, for the entire month, we've saved you six hours and fifty three minutes of reading and thirteen hours and fifty four minutes of processing and writing out a report about it. That's just one example.
And when it comes to, you know, all the other, like, non-quantitative things that these copilots can help you with, I mean, you don't have to Google so much. Right? You can just ask the questions right there. And a really hard thing to really, you know, a very good qualitative time saver, I should say: you can ask it all the dumb questions you want without judgment. You don't have to worry about wasting, you know, the senior analyst's time because they're so busy with other things. You know, that's two people's time saved right there. And then, again, it helps you enrich those kinds of alerts immediately, less context switching costs, you know, all those qualitative things.
You know, hard to nail down exact numbers, but I think anyone using these tools understands the massive benefits there.
Fair to say that the ability to detect and respond to threats in real time is now a critical differentiator?
Yeah. Yeah. Absolutely. Again, if you have all the information in one place, your threat information, your log information, you know someone's doing that hacking. And knowing who's behind a threat helps you detect those threats faster because you know what to look for and respond appropriately. Because these actors, they have MOs, modus operandi. The faster that you can detect it, the faster you can shut it down, protect your organization, and be on your merry way as a business.
Well, as you say, shutting down. How do organizations go about shutting down threats before they can cause significant damage?
Yeah. Absolutely. So the sooner you can detect, the sooner you can respond. Right?
I think I read in a report. I think it came from Mandiant. The 2023 global median dwell time was ten days. A year before that, it was sixteen days. So you would think, oh, the time went down. That's a good thing.
Generally, yes, because that means, you know, we as, you know, cybersecurity analysts are able to detect and find these things sooner. But it also means an attacker is actually able to potentially accomplish their goals even faster than before. Right? So it takes them ten days to get in your network, ransomware everything up, and/or exfiltrate data faster than ever before.
But, again, if you can detect that sooner using all the threat information you have available, using the copilots you have available, you can be swift with your actions. You can lock accounts. You can block IPs. You can block hashes.
Get all your tools working, you know, automate it, orchestrate it as fast as you can. So when you have that generative AI, when you have that copilot that knows your team's processes, knows your team's runbooks, can really speed up your analyst response because, again, time is money, and the seconds matter.
Well said. Matt, that takes care of my questions. I have some questions from the audience. Are you ready for those? Yeah.
Let's see them.
Let me remind the attendees as well. If you have questions you haven't submitted yet, do so now via the chat window on your screen. If I can't get to them all today, we'll get responses back to you later via email.
Matt, first question. It's about Anomali. What are you offering to meet today's unique SIEM needs to deal with everything we've just talked about in the last twenty, thirty minutes?
Yeah. Well, coincidentally, we just happen to have a solution that helps address all these kinds of things. Right? We have a giant data lake, which, I mean, you said it at the top, you know, helps you extract, transform, load, get your data in, lets you search it in literal seconds, petabytes of data in literal seconds, find out if you've been a victim of an attack with just asking in natural language. Right? Just: has this ransomware affected me yet, before, you know, they actually lock all your stuff.
We have the information, the oldest threat repository that can, again, take a question in natural language and give you an answer in seconds.
And that's just the tip of the iceberg. You know, we let users take advantage of this cloud native architecture, expand rapidly or scale up rapidly, elastically, and do all the things that, you know, you kinda wish your legacy tools could do just out of the box.
Matt, important question from the customer's perspective. What are the skills I need in house to work best with your solution and with your team?
How do you have the best talent? That's always a hard question because everything we just said, it comes down to the people. Read any book about cybersecurity, any guide, you know, MITRE has this great guide about the eleven strategies of a world-class SOC. It always comes down to the people.
You need people that care, people that wanna win, if you will, against the adversary. And so once you have a team, you need to keep them happy. And part of keeping them happy is giving them the tools that they're not fighting against. Give them the tools that they need to do their job and protect the organization.
Well said. Where can our attendees go to learn more about this evolving state of SIEM?
Yeah. Absolutely. Please visit our website, anomali.com. Happy to schedule a demo.
I'd love to meet with you and see how we can make your lives easier.
Matt, a terrific conversation. Thank you for your insight, and thanks for answering the questions we've had.
My pleasure, Tom. Thank you.
We thank our attendees as well. We know you took time out of your day to attend this session. We're grateful for that, and I trust that you're walking away with some excellent new insight on the evolving state of the SIEM.
As always, I look forward to seeing you again at one of our upcoming sessions. And until then, for Information Security Media Group, I'm Tom Field. Thank you for giving us your time and attention today.