Cloud Security Podcast by Google

EP197 SIEM (Decoupled or Not), and Security Data Lakes: A Google SecOps Perspective

Nov 4, 2024

Travis Lanham, Uber Tech Lead for Security Operations Engineering at Google Cloud, dives deep into the future of SIEM-like products. He discusses the concept of disassembled SIEMs and their potential advantages, like separating security capabilities from data backends. Lanham reflects on the early days of SecOps and shares why a tightly coupled approach was preferred. He examines the complexities of decentralized systems and their implications. The conversation also touches on innovations driving decoupled SIEMs and insights into security data lakes.

29:34

Creator website

Episode guests

Travis Lanham

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

The ongoing debate in Security Information Management centers on the trade-offs between disassembled, modular systems and tightly integrated solutions for effective security operations.

Centralizing data storage in security systems enhances visibility and responsiveness, while decentralized approaches often complicate incident response and operational efficiency.

Deep dives

Integration vs. Disassembly in Security Information Management

The ongoing debate in the field of Security Information Management (SIM) centers on two opposing approaches: disassembling SIM into smaller, specialized components versus integrating it for a more unified experience. Proponents of the disassembled approach argue that modular systems, which can adapt to specific needs, provide greater flexibility and agility. Conversely, advocates for an integrated system suggest that combining various functionalities into a single system enhances efficiency and accessibility. This clash reflects a broader discussion on whether specialization or integration will ultimately deliver more effective security solutions.

Intro

2min

The Evolving Landscape of Security Information and Event Management Systems

3min

Navigating Centralized Security Visibility

11min

Enhancing Security Data Visibility Through Aliasing and Data Fusion

2min

Navigating the Complexities of Security Data Management

11min

Guest:

Travis Lanham, Uber Tech Lead (UTL) for Security Operations Engineering, Google Cloud

Topics:

There’s been a ton of discussion in the wake of the three SIEM week about the future of SIEM-like products. We saw a lot of takes on how this augurs the future of disassembled or decoupled SIEMs. Can you explain what these disassembled SIEMs are all about?
What are the expected upsides of detaching your SIEM interface and security capabilities from your data backend?
Tell us about the early days of SecOps (nee Chronicle) and why we didn’t go with this approach?
What are the upsides of a tightly coupled datastore + security experience for a SIEM?
Are there more risks or negatives of the decoupled/decentralized approach? Complexity and the need to assemble “at home” are on the list, right?
One of the 50 things Google knew to be true back in the day was that product innovation comes from technical innovation, what’s the technical innovation driving decoupled SIEMs?
So what about those security data lakes? Any insights?

Resources:

Remember Everything You Learn from Podcasts

Save insights instantly, chat with episodes, and build lasting knowledge - all powered by AI.

Cloud Security Podcast by Google

EP197 SIEM (Decoupled or Not), and Security Data Lakes: A Google SecOps Perspective

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Integration vs. Disassembly in Security Information Management

Value Proposition of Modern SIM

Challenges of Decentralization in Security Management

Innovative Opportunities in Security Technology

Remember Everything You Learn from Podcasts