On my way into the office this morning, I listened to a podcast interview of a well-known SIEM vendor. I got more and more frustrated at the wheel, but did make it to the office without incident. The focus of this conversation was the plethora of log sources that this vendor could ingest—system, network, endpoint—and the machine learning used to analyze the data.
This is backwards. Good security designs need to start with the CUSTOMER. Yes, the customer. Who are the specific people that want information, and what exactly do they want to see? Users could be audit, security operations, the CISO, security analysts, developers, etc. Any other log files collected are irrelevant.
This approach is just lean thinking applied to security. Lean itself has been discussed in many books; I discussed it in the context of security here. The first lean principle is “voice of the customer”. SIEM tool design needs to run backwards, starting with the user interface, not the sources of data. Another lean principle is “systems thinking”, in other words, how does the product or tool under discussion fit into the larger needs of protecting information? Virtually every security product discussion I am part of focuses only on that product’s small part of the assurance puzzle. I think CISOs are getting tired of this, and I hope vendors will take notice.