Output-driven SIEM — 13 years later

Output-driven SIEM! Apart from EDR and SOC visibility triad, this is probably my most known “invention” even though I was very clear that I stole this from the Vigilant crew back in 2011.

Anyhow, I asked this question on X the other day:

So, what year is this? Let me see … 2025! Anyhow, get a time machine, we are flying to 2012…. whooosh….

… we landed … no dinosaurs in sight so we didn’t screw the time settings.

Now, WTH is “output-driven SIEM”? Back then, I said that it stands for “deploying your SIEM in such a way that NOTHING comes into your SIEM unless and until you know how it would be utilized and/or presented.” This is not about “don’t collect unless you detect” as some have misinterpreted it, because you may have some logs for context, or for IR or even … gasp … for compliance. Just not for the sheer heck of it 🙂
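One way to operationalize that definition is an ingestion-policy check: every source being sent to the SIEM must be claimed by at least one declared output (a detection, a dashboard, IR context, or a compliance retention requirement), and every declared output must have its sources actually arriving. The following is an added example written for this post, not code from the original article; the inventory data, names and volumes are constructed.

```python
"""Ingestion-policy check for an output-driven SIEM (added example).

A source is justified only if some declared output consumes it; IR context
and compliance count as outputs, so "don't collect unless you detect" is
deliberately NOT the rule enforced here.
"""
from dataclasses import dataclass, field

VALID_KINDS = {"detection", "dashboard", "ir_context", "compliance"}

@dataclass
class LogSource:
    name: str
    gb_per_day: float
    ingest: bool = True   # currently forwarded to the SIEM

@dataclass
class Output:
    name: str
    kind: str             # one of VALID_KINDS
    sources: set = field(default_factory=set)

def review_ingestion(sources, outputs):
    """Return (unjustified_sources, orphan_outputs, wasted_gb_per_day).

    unjustified: ingested sources no output uses (collected for the heck of it)
    orphan:      "output -> source" pairs where the source is not ingested, i.e.
                 a detection that can never fire or a retention need silently unmet
    """
    for o in outputs:
        if o.kind not in VALID_KINDS:
            raise ValueError(f"{o.name}: unknown output kind {o.kind!r}")
    consumed = {s for o in outputs for s in o.sources}
    ingested = {s.name for s in sources if s.ingest}
    unjustified = sorted(ingested - consumed)
    orphan = sorted(f"{o.name} -> {s}" for o in outputs
                    for s in o.sources if s not in ingested)
    wasted = sum(s.gb_per_day for s in sources if s.ingest and s.name not in consumed)
    return unjustified, orphan, wasted

# Constructed sample inventory, not taken from the post.
SOURCES = [
    LogSource("windows_security", 40.0),
    LogSource("edr_telemetry", 120.0),
    LogSource("dns_queries", 200.0),          # nobody declared a use for this
    LogSource("vpn_auth", 5.0, ingest=False), # needed but not being collected
]
OUTPUTS = [
    Output("lateral_movement_rule", "detection", {"windows_security", "edr_telemetry"}),
    Output("ir_triage_context", "ir_context", {"edr_telemetry"}),
    Output("pci_auth_retention", "compliance", {"windows_security", "vpn_auth"}),
]

if __name__ == "__main__":
    print(review_ingestion(SOURCES, OUTPUTS))
```

Run against a real source catalog, the "unjustified" list is the candidate for switching off (or routing to cheap storage), and the "orphan" list is the set of use cases the SIEM believes it covers but cannot.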

Gemini Deep Research infographic element (2025)

What changed?

Let’s see what is different 13 years later, in 2025.

  1. “Output-driven SIEM” is still largely a good idea in 2025. “Don’t collect unless you have the WHY for it” sounds like common sense, that most uncommon of all senses. It is also closely related to thinking about the use cases around SIEM, something I also spent years evangelizing.
  2. Weirdly, I intuit that

    […]

This article has been indexed from Security Boulevard
