Back to Cooking: Detection Engineer vs Detection Consumer, Again?

This is not a blog about the recent upheaval in the magical realm of SIEM. We have a perfectly good podcast / video about it (complete with hi-la-ri-ous XDR jokes, both human and AI created).

This is about something that has bothered me for a long time (since my Gartner days), and I have finally figured out how to solve this complicated problem.

Of course, the answer is … A TWITTER POLL!


On a more serious note, pay attention to the wording: “if you look at your SIEM, how many detections have you written.” By combining my Twitter and LinkedIn poll data (which showed a similar trend), I arrived at ~800 votes, and they tell a story…

… so what is the story?

My hypothesis is that this data reveals the existence of two worlds:


On the left, we have “detection as code”; on the right, we have the “EDR-ization of SIEM.” On the left, we fix FPs; on the right, we whine about the FPs to the vendor. On the left, we study threats and make detections. On the right, we pay…

Initially, I wanted to say that these are warring clans, but I think a better metaphor is parallel universes: Clan 1 (who engineer their detections) counts about 30% of the security population and most of their detection content is written by them. Clan 2 (who largely consume detections) is a bit larger at 35% and most of their detection rules are written by their vendors, consultants or whoever else and perhaps lightly tuned.

[…]

This article has been indexed from Security Boulevard