Anton Chuvakin has been working with SIEM technology for a long time.  Twenty years in fact.  I've followed him online for many years, listening to his talks, and gained wisdom from his insights.  While I don't always agree with him.  I respect the breadth of his knowledge, experience, and contributions to the industry.  Which is why, when he posted his 20 Years of SIEM blog, I couldn't figure out why reading it made me angry.

But then it hit me:  I was frustrated because he clearly pointed out that we are dealing with many of the same problems in security that the SIEM was supposed to fix.

But I also think that realization is not as bad as it sounds.  What do I mean by that?

First, look at what he says were some of the problems back then that the first SIEM vendors claimed they solved:

        - Data Collection
        - Event Correlation
        - Alert Overload
        - Log Standardization

Fast forward to today and ask yourself, have any of these issues been resolved by the current tools? 

I say: Nope.

These are the same complaints I still hear from customers, see on mailing lists (yes, those all still exist), and read on twitter, slack, and discord. Sometimes it seems like for all of our new technologies, we haven't made any progress at all. Indeed, I hear that we in infosec are "failing" at security at least once per conference.

Now, I know what some of you are thinking.  Because you are a vendor who believes their tool has solved these problems or you are part of a SOC who has conquered them and you are calling me a fear monger or thinking I don't know what I'm talking about.  But hear me out; It's not that I think these problems can't be solved today, it's that I think that people underestimate the amount of resources (people, processes, and technology) that it takes to solve them.  Too often, vendors market their tool can be installed in the morning and by the afternoon, 95% of the problems above are fixed with with minimal interaction or manpower.  This misleading marketing has been proclaimed since the SIEM first debuted and for pretty much every tool released since: UBA, SOAR, Threat Intelligence Platforms, EDR, MDR, and now XDR to name a few.  However, I named these few for a reason as the goal of each of these tools is to help security teams make sense of all the data, reduce alert overload, and increase automated correlation. 

hmmmm...... Sound familiar?

So what does it say that the industry, years later and with all these tools, is STILL struggling with the same issues? 

Actually, I think two good things. 
(Ha! You thought I was going super negative didn't you?)

First, although we are facing the same issues, they are much more complex versions of the issues we faced 20 years ago. Look at it this way:  If we used today's tools in the same environments we were in 20 years ago, life in the SOC would have been a piece of cake.  Imagine how fast we would have detected and blocked the I Love You virus, Code Red worm, or the SQL slammer worm with a fully integrated SIEM, TIP, HIPS/AV, SOAR, and EDR?  We would have been home by 5pm every day. 

Second, we need to face the reality that solving these issues with technology isn't going to be what makes us succeed.  Improving people and processes along with our technology upgrades is what makes a SOC successful.  Organizations that create a plan that continually invests in and builds up people, process, and technology see continual progress in overcoming these perennial issues. 

So, while I'm grateful for the advances from the technology vendors in addition to  independent contributors that have been made over the years, I am part of the chorus that thinks we need to work harder in infosec to improve our processes and increase the knowledge and skills of our people.  Some of that increase is on us individually to improve ourselves and some of that is on companies to find ways to pay for training and be open to review and change inefficient processes.

And hopefully in the next 20 years, while we may be facing some of those same issues, we are more prepared and capable of finally conquering them.

[role_user]
srchIndexesDefault = *
srchMaxTime = 8640000
srchFilter = index!=<index>

[role_power]
schedule_rtsearch = disabled
srchIndexesDefault = *
srchFilter = index!=<index>
srchMaxTime = 8640000

[role_see_index]
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
edit_monitor = enabled
edit_tcp = enabled
#srchFilter =
#importRoles = power;user
indexes_edit = enabled
srchIndexesAllowed = main;<index>
srchIndexesDefault = main;<index>
srchMaxTime = 0
use_file_operator = enabled
change_own_password = enabled
edit_search_schedule_window = enabled
get_metadata = enabled
get_typeahead = enabled
input_file = enabled
list_inputs = enabled
output_file = enabled
request_remote_tok = enabled
rest_apps_view = enabled
rest_properties_get = enabled
rest_properties_set = enabled
search = enabled
accelerate_search = enabled
pattern_detect = enabled
list_metrics_catalog = enabled
export_results_is_visible = enabled
run_collect = enabled
run_mcollect = enabled
edit_input_defaults = enabled
edit_modinput_web_ping = enabled
edit_sourcetypes = enabled
edit_upload_and_index = enabled
list_settings = enabled