EP234 The SIEM Paradox: Logs, Lies, and Failing to Detect

Guest:

• Svetla Yankova, Founder and CEO, Citreno

Topics:

• Why do so many organizations still collect logs yet don’t detect threats? In other words, why is our industry spending more money than ever on SIEM tooling and still not “winning” against Tier 1 ... or even Tier 5 adversaries? 
• What are the hardest parts about getting the right context into a SOC analyst’s face when they’re triaging and investigating an alert? Is it integration? SOAR playbook development? Data enrichment? All of the above?
• What are the organizational problems that keep organizations from getting the full benefit of the security operations tools they’re buying?
• Top SIEM mistakes? Is it trying to migrate too fast? Is it accepting a too slow migration? In other words, where are expectations tyrannical for customers? Have they changed much since 2015?
• Do you expect people to write their own detections? Detecting engineering seems popular with elite clients and nobody else, what can we do?
• Do you think AI will change how we SOC (Tim: “SOC” is not a verb?) in the next 1- 3 -5 years? 
• Do you think that AI SOC tech is repeating the mistakes SOAR vendors made 10 years ago? Are we making the same mistakes all over again? Are we making new mistakes? 

Resources:

• EP223 AI Addressable, Not AI Solvable: Reflections from RSA 2025
• EP231 Beyond the Buzzword: Practical Detection as Code in the Enterprise
• EP228 SIEM in 2025: Still Hard? Reimagining Detection at Cloud Scale and with More Pipelines
• EP202 Beyond Tiered SOCs: Detection as Code and the Rise of Response Engineering
• “RSA 2025: AI’s Promise vs. Security’s Past — A Reality Check” blog
• Citreno, The Backstory
• “Parenting Teens With Love And Logic” book (as a management book)
• “Security Correlation Then and Now: A Sad Truth About SIEM” blog (the classic from 2019)