Enhancing Detection Logic Through Code Management

Guest:

• Manan Doshi, Senior Security Engineer @ Etsy

Questions:

• In your experience, what are the biggest challenges organizations face when migrating to a new SIEM platform? How did you solve them?
• Many SIEM projects have problems, but a decent chunk of these problems are not about the tool being broken. How did you decide to migrate? When is it time to go?
• Specifically, how to avoid constant change from product to product, each time blaming the tool for what are essentially process failures?
• How did you handle detection content during migration? Was AI involved?
• How did you test for this: "Which platform will best enable our engineering team to build what we need?"
• Tell us more about the Detection as Code pipeline you use?
• "Completed SIEM migration in a single week!" Is this for real?

Resources:

• Google Cloud Security Summit (August 20, 2024) and "Etsy and the art of SIEM Migration" presentation
• "Ancillary Justice" book
• StreamAlert
• SIEM migration blog (spicy version / vanilla version / long detailed version)
• Can We Have "Detection as Code"?
• Google SecOps
• EP117 Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?