EP197 SIEM (Decoupled or Not), and Security Data Lakes: A Google SecOps Perspective

Guest: 

• Travis Lanham, Uber Tech Lead (UTL) for Security Operations Engineering, Google Cloud

Topics:

• There’s been a ton of discussion in the wake of the three SIEM week about the future of SIEM-like products. We saw a lot of takes on how this augurs the future of disassembled or decoupled SIEMs. Can you explain what these disassembled SIEMs are all about?
• What are the expected upsides of detaching your SIEM interface and security capabilities from your data backend?
• Tell us about the early days of SecOps (nee Chronicle) and why we didn’t go with this approach?
• What are the upsides of a tightly coupled datastore + security experience for a SIEM?
• Are there more risks or negatives of the decoupled/decentralized approach?  Complexity and the need to assemble “at home” are on the list, right?
• One of the 50 things Google knew to be true back in the day was that product innovation comes from technical innovation, what’s the technical innovation driving decoupled SIEMs?
• So what about those security data lakes? Any insights?

Resources:

• EP139 What is Chronicle? Beyond XDR and into the Next Generation of Security Operations
• EP190 Unraveling the Security Data Fabric: Need, Benefits, and Futures
• EP184 One Week SIEM Migration: Fact or Fiction?
• Hacking Google video series
• Decoupled SIEM: Brilliant or …. Not :-)
• UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion
• So, Why Did I Join Chronicle Security? (2019)